OpenVPN 2.4 support #96
- Add support for AES-GCM ciphers for the data channel
- Add support for tls-crypt
- Add support for ECDSA certificates
- Add support for ECDHE
- Add choice for HMAC auth algorithm
- Add choice for certificate hash algorithm
- Add choice for the control channel's cipher

All these options have an OpenVPN 2.3-compatible choice (example: RSA cert and DH key)
Update openvpn-install.sh
@angristan Please take a look
Should be fixed now
My ISP resets the connection, I am in a restricted network. The 2.4 branch is working for me - https://github.com/Angristan/OpenVPN-install/blob/openvpn-2.4/openvpn-install.sh but the actual PR is not. There are 2 logs in the attachment: pc1 - current 2.4 branch, client1 - this PR. If you need configs, I can attach them also.
Please update your OpenVPN client. Also, can you try with an RSA cert, DH key and tls-auth?
@angristan
Why?
@angristan I am not good at this. I understand there are two types of OpenVPN now:
Am I right?
Well you can add it yourself in the script or directly in your config files
@angristan
I'll try to make some tests on a W10 VM, it's strange indeed
@angristan Thanks for your help. I will be glad to help you in tests.
From the OpenVPN wiki:

> Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.

> If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.

TL;DR: if we're using an AEAD cipher (AES GCM), `auth alg` won't have an impact on the data channel, but only on the control channel if tls-auth/tls-crypt is enabled.
This seems like a little change but it was not easy to find. I want this script to support only OpenVPN 2.4 servers, but also 2.4 and 2.3 clients. The thing is, the OpenVPN 2.3 client doesn't care at all what cipher the server wants to use. The cipher parameter in the client config is the king here. But with OpenVPN 2.4, you can specify whatever cipher you want, the clients and the server will negotiate the best cipher possible, which is AES-256-GCM right now. The use of --ncp-ciphers cipher_list is useless because a 2.3 client will still use its cipher and a 2.4 client will still use AES-256-GCM.

I won't detail all my experiments here, but in the end, ncp-disable disables the cipher negotiation for 2.4 clients. But it will only work if the cipher in the server config and the client config are the same, and as they are in the script, it's ok. This is not the best solution because that means if you want to support a 2.3 client, you'll be forced to use one and only one AES-CBC cipher, even with your 2.4 clients, even though you could use a different cipher for each client. But as we're still using AES and OpenVPN 2.4 is getting more and more deployed, this is not too big an issue in the end. Also, adding menus to choose what kind of client you want etc. would make the script pretty complicated, so this is a good compromise here.

TL;DR: ncp-disable enforces that an OpenVPN 2.4 client uses the cipher specified in the server and the client config. See here for more details regarding the data channel cipher negotiation in OpenVPN 2.4: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAJ
I appreciate your help, but can you please use words, too?
Fixed wrong home directory on newclient()
I have some questions about how the script is managing iptables and firewalld, especially on Fedora:
fixed this problem and even some error messages when uninstalling.
Thus we have the latest version.
@emilio1625 would adding
@cezar97 $CC_ENC is Control Channel Encryption (!= data channel).
Why is it an issue?
Ok 👍
@cezar97 I already researched the subject and in the end NIST curves were still the best regarding security, speed and support. I agree they aren't the best, but what about client support?
Hi, sorry for the late response. I added that line, and that fixed some error messages when installing and uninstalling, but the problem with the iptables not working was not fixed; again, I had to add the ip rules manually. I'll try to fix the issue this week
Is it possible to add a menu to update an old installation, enable new features, and then re-generate client files based on those preferences? For example, let's suppose that I upgrade to 2.4 and I want to enable tls-crypt and change ciphers. Or is the suggested upgrade path just to uninstall and then re-install if changes are desired?
@angristan
Following #96 (comment): VORACLE is now a thing. So we will disable compression by default. https://www.bleepingcomputer.com/news/security/voracle-attack-can-recover-http-data-from-vpn-connections/
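The three configuration rules discussed in this thread (the `auth` digest is ignored for the data channel once an AEAD cipher is used, `ncp-disable` only works when server and client carry the same `cipher` line, and compression stays off because of VORACLE) can be checked mechanically. The following POSIX sh snippet is an added example written for this page, not code from the OpenVPN-install script; the function names, the key file names and the default choices are its own assumptions.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN-install script. It emits the
# cipher/auth part of an OpenVPN 2.4 server config and the matching client
# lines following the rules discussed in this thread. Function names, the
# key file names and the default choices are this example's own assumptions.

# Classify a cipher name: "aead" for AES-GCM, "cbc" for AES-CBC, else "unknown".
cipher_mode() {
    case "$1" in
        AES-*-GCM) echo aead ;;
        AES-*-CBC) echo cbc ;;
        *)         echo unknown ;;
    esac
}

# Which mechanism authenticates the data channel for a cipher/auth pair.
# With an AEAD cipher, "auth" is ignored for the data channel and only selects
# the HMAC digest for tls-auth/tls-crypt control channel packets.
data_channel_auth() {
    if [ "$(cipher_mode "$1")" = aead ]; then
        echo "AEAD ($1)"
    else
        echo "HMAC-$2"
    fi
}

# Emit the server-side block.
# Arguments: cipher, auth digest, control channel protection (tls-auth|tls-crypt),
# compression (on|off; default off, since compression is disabled because of VORACLE).
server_cipher_block() {
    cipher="$1"; auth="$2"; tls_sig="$3"; compress="${4:-off}"
    if [ "$(cipher_mode "$cipher")" = unknown ]; then
        echo "unsupported cipher: $cipher" >&2
        return 1
    fi
    case "$tls_sig" in
        tls-auth)  echo "tls-auth tls-auth.key 0" ;;
        tls-crypt) echo "tls-crypt tls-crypt.key" ;;
        *) echo "unsupported control channel protection: $tls_sig" >&2; return 1 ;;
    esac
    echo "cipher $cipher"
    # ncp-disable turns off cipher negotiation with 2.4 clients, so the server
    # and every client config must carry the same "cipher" line.
    echo "ncp-disable"
    echo "auth $auth"
    if [ "$compress" = on ]; then
        echo "compress lz4-v2"
    fi
    return 0
}

# Emit the matching client lines: same cipher and auth, key direction 1 for
# tls-auth, and no ncp-disable (a 2.3 client would reject that option).
client_cipher_block() {
    server_cipher_block "$@" | sed \
        -e 's/^tls-auth tls-auth\.key 0$/tls-auth tls-auth.key 1/' \
        -e '/^ncp-disable$/d'
}

# True when a server block and a client block agree on the "cipher" line,
# which is the condition ncp-disable relies on.
ciphers_match() {
    s=$(printf '%s\n' "$1" | sed -n 's/^cipher //p')
    c=$(printf '%s\n' "$2" | sed -n 's/^cipher //p')
    [ -n "$s" ] && [ "$s" = "$c" ]
}

# Usage: print a server block with an AEAD cipher and tls-crypt.
server_cipher_block AES-256-GCM SHA256 tls-crypt
```

`data_channel_auth AES-256-GCM SHA256` reports the AEAD mode rather than HMAC-SHA256, which is the behaviour the quoted man page describes; `ciphers_match` is the check to run before handing out a client file when `ncp-disable` is in the server config.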
Hello everyone, sorry this has taken so long. In the past week, I've worked dozens of hours on the project and rewrote a big part. A lot of features have been added, and a lot of stuff has been improved and fixed. The master branch is so different from one year ago that this PR is pointless. I added the features one by one on master, and made sure they worked. The original PR was about one and a half years ago... But I finally made it. Also, I've improved my skills quite a lot since then, so it's not implemented the exact same way. Anyway, here are the changes:
Thanks for waiting 🙏
Updated the README: ba1fc42 |
This is WIP for adding OpenVPN 2.4 new features into the script
In my previous PR, I removed the encryption choices to only choose the best ones. Here I've added the choice for every encryption parameter, as it seems that users prefer to use the script this way.
It seems to be working. I'll have to do some more testing, rewrite some menus and then rewrite the readme to add the new features.