From: Adolf Belka
To: development@lists.ipfire.org
Subject: Status update on openvpn work
Date: Mon, 09 Oct 2023 14:05:23 +0200

Hi All,

Over the last week I have been working on the openvpn update using Erik's previous patches as my starting point.

My first attempt to try and be able to understand the changes from each patch to figure out what I needed to do proved difficult for me to work with.

What I then did was take the current ovpnmain.cgi and apply all of Erik's patches to it.

Then I have gone through that new version of ovpnmain.cgi and made the changes based on previous discussions with Michael.

So I have removed the b2sum options that were present for the Data and Channel Authentication.

I also moved all the cryptographic options from an additional advanced cryptographic options button into the Advanced Server options button.

I was successful in doing all the above and then tested the ovpnmain.cgi out with a vm using the existing openvpn-2.5.9 version for openvpn.

My old profile for my laptop which had a ciphers entry worked without any problem. My laptop was working with openvpn-2.6.6.

I then created a new profile using the new ovpnmain.cgi using the negotiation option which ended up with a data-ciphers line. That also worked in making a successful openvpn tunnel with my laptop without any issues.

I then downgraded my laptop to openvpn-2.4.8 and had to install openvpn-1.1.1 to make that work.

With that client version on my laptop both the old and new profiles connected with a tunnel with no problems.
I then tried downgrading my laptop to openvpn-2.3.14 but to make this work I would have had to downgrade the laptop to openssl-1.0.0 which I was not willing to do as that is very old and very insecure.

The oldest openvpn version working with openssl-1.1.1 is 2.4.0 which is nearly 7 years old. That version also worked with both the old and new laptop profiles.

I then tested out the openvpn server on my IPFire vm with a 2.6.0 and 2.6.6 version of openvpn. Both these openvpn versions worked with both the old and new laptop connection profiles with my laptop on version 2.4.0 and on 2.6.6.

All the above was using network manager with its openvpn plugin option on the laptop for making the openvpn tunnel connections.

As far as I can tell everything is working fine when negotiation is specified on the server. Old profiles that just use the cipher option also work fine. Therefore my plan is to only use the negotiation option and not make it selectable for older clients. The data-ciphers-fallback option in the server seems to be doing its job.

The negotiation option on the server was able to connect to a 2.4.0 client on my laptop.

According to the OpenVPN wiki on cipher negotiation the data-ciphers-fallback option will work with 2.4.x and 2.3.x clients. As the 2.3.x clients need to be using openssl-1.0.0 then I think if those clients work then fine but nothing further back.

Overall, I am very happy with what I have succeeded in doing so far. I achieved things much quicker than I had expected.

I will now try and see about creating a profile on a CU 179 based system that uses one of the old insecure ciphers such as Blowfish and restore that into my evaluation vm and see how that works with my laptop when I have it downgraded to openvpn-2.4.0.

I already know that if the laptop is at openvpn-2.6.6 then it will not accept a Blowfish cipher (or another weak cipher such as DES) as that is something I tested in the past.
If that also works then my plan will be to take the updated ovpnmain.cgi and split the changes into a new range of patches and then submit them for consideration.

That will probably end up later in November as I will be busy with personal things at the end of October / beginning of November.

Regards,
Adolf.
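The server-side directives the message refers to, as an added illustration that is not taken from the email or from IPFire's ovpnmain.cgi: the negotiated list and the single fallback cipher, with a note on which client generation each one serves. The cipher names are standard OpenVPN names; the exact list that ovpnmain.cgi writes is an assumption here.

```conf
# Added illustration (not from the email or from IPFire's ovpnmain.cgi).
# Server-side data-channel cipher settings for the two client generations
# discussed above. The specific cipher list is an assumption.

# OpenVPN 2.5/2.6 server: negotiate an AEAD cipher with clients that support
# negotiation (2.4.0 and newer). The first entry in this list that the
# client also supports is the one used for the tunnel.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

# Clients that cannot negotiate (2.3.x, or 2.4.x with negotiation disabled)
# fall back to this single cipher. It must match the "cipher" line in the
# legacy client profile, and a 2.6.x client will refuse a weak value here
# (e.g. Blowfish or DES), as the message notes.
data-ciphers-fallback AES-256-CBC

# For comparison, the matching line in an old-style client profile
# (the "ciphers entry" mentioned above):
# cipher AES-256-CBC
```

Only the fallback line has to agree with what legacy profiles carry; clients that negotiate ignore it, which is why a server can keep a single negotiated list for new clients while still admitting the old ones.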