Hi,
I am looking to upgrade to v2.4 of the client as soon as possible so I can change the cipher on the server to mitigate the SWEET32 issue. I have updated the Windoze clients so they should now (if I understand correctly) be able to negotiate a cipher with my server (which is on 2.3.13 until EPEL update so I am planning to fix my server cipher manually when my clients can negotiate the cipher). I don't think the Android client (or iOS) has yet been upgraded to allow this and I am not looking forward to updating all my Android clients manually. Do you know if an upgrade to OpenVPN Connect is in the pipeline to support this functionality?
TIA,
Nick
P.S. In the meanwhile I have set reneg-bytes 64000 on the server to mitigate the vulnerability
Re: OpenVPN Connect and OpenVPN Server v2.4
Posted: Thu May 11, 2017 3:06 am
by ADFHAU
+1 ... are there plans to update the Android client to support stronger algorithms and other features supported by OpenVPN 2.4 server?
How does "OpenVPN core" version relate to "OpenVPN server" version? Is there some specific featureset correlation?
I have the latest version from Google Play installed on my handset, and it reports that its core libraries were built a year ago in 2016.
Re: OpenVPN Connect and OpenVPN Server v2.4
Posted: Thu May 11, 2017 12:59 pm
by nickh
Having updated my openvpn server to 2.4 and tried connecting from Android and iOS, both versions of OpenVPN Connect seem to support cipher negotiation and negotiate the AES-256-GCM cipher.
Re: OpenVPN Connect and OpenVPN Server v2.4
Posted: Wed May 17, 2017 9:40 am
by ADFHAU
I find it's still barfing on the auth cipher when I dropped it from 512 to 256.
client.ovpn
client
dev tun
proto udp
remote MYIP MYPORT
float
ncp-ciphers AES-256-GCM:AES-256-CBC
auth RSA-SHA256
compress lz4
keepalive 15 60
auth-user-pass
ns-cert-type server
config.ovpn
daemon
topology subnet
server 192.168.2.0 255.255.255.0
proto udp
port MYPORT
dev tun21
ncp-ciphers AES-256-GCM:AES-256-CBC
auth RSA-SHA256
compress lz4
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
client-to-client
duplicate-cn
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
tls-crypt static.key
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 10
tls-version-min 1.2
cipher AES-256-GCM
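Added here as an illustrative audit script (not code from the thread or from OpenVPN): it parses a .ovpn file in the style posted above, treats a missing cipher line as the 2.3 default BF-CBC, and flags 64-bit block ciphers (the SWEET32 issue from the first post) both as the static cipher and inside ncp-ciphers, noting reneg-bytes as a partial mitigation. The sample configs are constructed; OLD_SERVER and NEW_SERVER are assumed names.

```python
from typing import Dict, List

# 64-bit block ciphers affected by SWEET32, in the OpenSSL names OpenVPN accepts.
SWEET32_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "CAST5-CBC", "IDEA-CBC"}
DEFAULT_CIPHER = "BF-CBC"  # what OpenVPN 2.3 uses when no "cipher" line is present

def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to every argument list it appears with, in file order."""
    opts: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank or comment line
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts

def audit_sweet32(text: str) -> List[str]:
    """Return findings for one .ovpn file; an empty list means nothing to fix."""
    opts = parse_ovpn(text)
    findings: List[str] = []
    # The static cipher is what pre-2.4 peers use, and what a 2.4 peer falls
    # back to when negotiation is disabled.
    static = opts.get("cipher", [[DEFAULT_CIPHER]])[0][0].upper()
    reneg = int(opts["reneg-bytes"][0][0]) if "reneg-bytes" in opts else None
    if static in SWEET32_CIPHERS:
        msg = f"cipher {static} has a 64-bit block (SWEET32)"
        if reneg is not None:
            msg += f"; partially mitigated by reneg-bytes {reneg}"
        findings.append(msg)
    # Anything listed in ncp-ciphers can be negotiated, so no 64-bit cipher belongs there.
    for args in opts.get("ncp-ciphers", []):
        for name in args[0].split(":"):
            if name.upper() in SWEET32_CIPHERS:
                findings.append(f"ncp-ciphers offers {name} (64-bit block); drop it")
    if "ncp-disable" in opts:
        findings.append("ncp-disable set: 2.4 peers cannot negotiate a stronger cipher")
    return findings

# Constructed samples: a 2.3-era server with the reneg-bytes workaround, and one
# matching the upgraded server config posted above.
OLD_SERVER = "server 192.168.2.0 255.255.255.0\nproto udp\ndev tun\nreneg-bytes 64000\n"
NEW_SERVER = ("server 192.168.2.0 255.255.255.0\nncp-ciphers AES-256-GCM:AES-256-CBC\n"
              "cipher AES-256-GCM\ntls-version-min 1.2\n")

if __name__ == "__main__":
    for label, cfg in (("old", OLD_SERVER), ("new", NEW_SERVER)):
        print(label, audit_sweet32(cfg) or ["clean"])
```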
Re: OpenVPN Connect and OpenVPN Server v2.4
Posted: Wed May 17, 2017 9:58 am
by nickh
I didn't do anything to the client.ovpn file, so no ncp-ciphers line there. That way it is controlled from the server. My config.ovpn equivalent is also much simpler (no cipher, auth or tls-version lines and probably no tls-crypt line, and I don't have a few other lines which aren't relevant to encryption).
Re: OpenVPN Connect and OpenVPN Server v2.4
Posted: Sun May 21, 2017 4:42 am
by ADFHAU
Most of mine are generated by my router's firmware (Merlin AsusWRT) based upon preferences. I'm trying to figure out the highest encryption options possible with the Android client whilst avoiding things that have already been broken.
From what I can tell, the OpenVPN Connect Android client uses an "OpenVPN 2.x" compatible C++ API called "OpenVPN". https://staging.openvpn.net/openvpn3/
... confusing much? The client code suffixes "Core" to the library name in the "about" dialogs, perhaps to retroactively deobfuscate. Therefore, the source code (including the Android client) available from the website is for OpenVPN Core v3.0 from 2014. The Android Play released version is from May 2016, OpenVPN Core v3.0.12. Meanwhile, OpenVPN (not OpenVPN Core) version 2.4 was released in December 2016. Therefore, the released OpenVPN Core source code lags by a good year and a half, and the released client is behind OpenVPN 2.4.0 by 7 months.