Hi all, a little update and some more experience. I was able to fully migrate all crypto options from the global section to the advanced crypto section, '--auth' and '--tls-auth' with their defaults. This might in my opinion be a possible goal according to the RW ?! I have also extended the control channel protection with the new features, which are '--tls-crypt' and '--tls-crypt-v2' https://github.com/OpenVPN/openvpn/blob/master/doc/tls-crypt-v2.txt , which might also be interesting for bigger business environments. Haven't tested every little thing, but so far it works well.
Experience: To fully use the negotiation with the clients, it is needed that the client also has --data-ciphers entries --> https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negot... and therefore also runs >= OpenVPN-2.5.0 . The negotiation delivers three possibilities:
- Full negotiation: Both server and client support NCP
- Partial negotiation: Only the client supports NCP (Known as "Poor man's NCP")
- No negotiation: The client does not support NCP (The server NCP has no effect).
If the client is <= 2.5.0, '--data-ciphers' and '--data-ciphers-fallback' are not known as directives and the client refuses to start.
There arises a bigger question for me... When should we change the client.ovpn from '--cipher' to '--data-ciphers' and/or '--data-ciphers-fallback' ...
This is again a not so nice one :-| .
Screenshots of the current state are attached.
Best,
Erik
On Monday, 23.11.2020, 10:14 +0100, ummeegge wrote: Some additions and WUI restructure ideas after some more testing.
'--cipher' is no longer needed if '--data-ciphers-fallback' is in usage; there is also no need for '--data-ciphers' at first if '--data-ciphers-fallback' is active. The client can still use the '--cipher alg' directive and the 2.5.0 server responds with '--data-ciphers-fallback alg' .
The idea: Remove the cipher section from the global area from the WUI, rename simply '--cipher' to '--data-ciphers-fallback' in server.conf and keep the index, include the 'DCIPHER' (also 'DAUTH' and 'TLSAUTH') variable(s) to the advanced encryption section with the related indexes to keep the old configuration but set also new defaults for new configurations.
If '--data-ciphers' is active, all old clients have the chance, with e.g. an old CBC cipher, to migrate step-by-step to newer clients as well, so we can get rid of the old broken algorithms like CAST, DES and BF since they won't appear in the new advanced encryption section...
As an idea !?
Best,
Erik
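The following is an added example (not IPFire or OpenVPN code, and not Erik's) that puts the two ideas of this thread into runnable form: the quoted proposal to rename 'cipher' to 'data-ciphers-fallback' in server.conf while adding a 'data-ciphers' list, and the negotiation outcomes described in the reply above. The directive names come from the thread; the default cipher list, the set of legacy ciphers treated as "do not offer via data-ciphers", and the simplified selection model in negotiate() (server preference order for full negotiation, fallback only for a client without data-ciphers) are assumptions of this example, and the "poor man's NCP" case is deliberately left out.

```python
"""Model of the OpenVPN 2.5 cipher migration discussed in the thread.

Added example, not IPFire or OpenVPN code. Assumptions:
- migrate_server_conf() implements the quoted idea: rename
  `cipher ALG` to `data-ciphers-fallback ALG` and add `data-ciphers`.
- negotiate() is a simplified model of server-side selection: the first
  cipher in the server's data-ciphers list that the client also lists;
  a client without data-ciphers only gets the fallback cipher, and only
  if it matches the client's own `cipher` setting.
"""

# Old algorithms named in the thread; kept reachable only via the fallback
# directive so that they never appear in the new data-ciphers list.
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

# Assumed default list for new configurations (not a value from the thread).
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]


def parse_conf(text):
    """Return ordered (directive, value) pairs, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition(" ")
        entries.append((key, value.strip()))
    return entries


def migrate_server_conf(text, data_ciphers=DEFAULT_DATA_CIPHERS):
    """Rewrite a 2.4-style server.conf for 2.5.

    `cipher ALG` becomes `data-ciphers-fallback ALG`; a `data-ciphers` line is
    appended if missing. A non-legacy old cipher (e.g. AES-256-CBC) is added to
    the end of data-ciphers so NCP-capable clients can keep using it while they
    migrate; a legacy cipher stays fallback-only and produces a warning.
    Returns (new_text, warnings).
    """
    out, warnings = [], []
    fallback = None
    has_data_ciphers = False
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "cipher":
            fallback = value.strip()
            out.append(f"data-ciphers-fallback {fallback}")
        else:
            if key == "data-ciphers":
                has_data_ciphers = True
            out.append(line)
    if not has_data_ciphers:
        ciphers = list(data_ciphers)
        if fallback and fallback not in ciphers:
            if fallback in LEGACY_CIPHERS:
                warnings.append(
                    f"{fallback} kept only as data-ciphers-fallback; "
                    "not offered via data-ciphers, plan to retire it"
                )
            else:
                ciphers.append(fallback)
        out.append("data-ciphers " + ":".join(ciphers))
    return "\n".join(out) + "\n", warnings


def negotiate(server_data_ciphers, server_fallback,
              client_data_ciphers=None, client_cipher=None):
    """Simplified model of which data cipher a 2.5 server ends up with.

    Returns ("full", cipher), ("fallback", cipher) or ("failed", None).
    """
    if client_data_ciphers:
        # Full negotiation: server preference order, first cipher the client lists.
        for cipher in server_data_ciphers:
            if cipher in client_data_ciphers:
                return ("full", cipher)
        return ("failed", None)
    # No negotiation: old client with a static --cipher; only the fallback can match.
    if server_fallback and server_fallback == client_cipher:
        return ("fallback", server_fallback)
    return ("failed", None)


if __name__ == "__main__":
    # Constructed sample server.conf, not a real IPFire configuration.
    old_conf = "port 1194\nproto udp\ncipher AES-256-CBC\nauth SHA256\n"
    new_conf, warns = migrate_server_conf(old_conf)
    print(new_conf, warns)
    settings = dict(parse_conf(new_conf))
    print(negotiate(settings["data-ciphers"].split(":"),
                    settings["data-ciphers-fallback"],
                    client_data_ciphers=["AES-128-GCM", "AES-256-GCM"]))
    print(negotiate(settings["data-ciphers"].split(":"),
                    settings["data-ciphers-fallback"],
                    client_cipher="AES-256-CBC"))
```

Running the block on the constructed server.conf shows the rename, the appended data-ciphers list with AES-256-CBC kept at the end for clients still on it, a 2.5 client negotiating AES-256-GCM, and an old client landing on the fallback cipher; feeding it a BF-CBC config instead yields a fallback-only entry plus a warning.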