Compatible with OpenVPN 2.4 ?

Official client software for OpenVPN Access Server and OpenVPN Cloud.
peter_sm
OpenVpn Newbie
Posts: 17
Joined: Wed Apr 18, 2012 7:43 am

Post by peter_sm » Thu Dec 29, 2016 10:37 am

Hi, when will OpenVPN Connect (iOS) be compatible with OpenVPN 2.4?
Can't use tls-crypt or AES-256-GCM on the client when connecting to a 2.4 version server with these features enabled.

BR
Peter

DigitalDJ
OpenVpn Newbie
Posts: 1
Joined: Sun Jan 01, 2017 5:53 pm

Re: Compatible with OpenVPN 2.4 ?

Post by DigitalDJ » Sun Jan 01, 2017 5:55 pm

Same boat, but please also add support for:

ecdh-curve, relevant EC tls-cipher (e.g. TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384), ncp-disable (and other ncp- options) and lz4 compression.

zadigre
OpenVpn Newbie
Posts: 1
Joined: Tue Jan 10, 2017 2:08 pm

Re: Compatible with OpenVPN 2.4 ?

Post by zadigre » Tue Jan 10, 2017 2:10 pm

I would like to have the app updated too...
I can still connect fine to my network... but I would gladly use the newer options offered in 2.4.x if the iOS was able to use them.

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by dariusz » Sun Jan 15, 2017 12:20 pm

Hopefully soon it will be updated. Managed to set up all my desktops with elliptic crypto and only because iOS devices have to keep sort of legacy setup on one ovpn's instance.

peter_sm
OpenVpn Newbie
Posts: 17
Joined: Wed Apr 18, 2012 7:43 am

Re: Compatible with OpenVPN 2.4 ?

Post by peter_sm » Sun Jan 15, 2017 5:22 pm

dariusz wrote: Hopefully soon it will be updated. Managed to set up all my desktops with elliptic crypto and only because iOS devices have to keep sort of legacy setup on one ovpn's instance.
Do you have any good guide to share on how to set up your Server/Client using elliptic crypto?

Thanks

BR
Peter

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by dariusz » Sun Jan 15, 2017 5:31 pm

Nope - I have not found anything good on the internet. I might create a post in this forum next week. I have this running for a couple of days now and so far so good. When I am sure that all is stable I will post more details.

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by dariusz » Sun Jan 15, 2017 5:35 pm

It definitely works with both sides using the latest release 2.4. I run the server on a Raspberry Pi and the client on macOS.

Sun Jan 15 16:48:51 2017 us=6658 MULTI: multi_create_instance called
Sun Jan 15 16:48:51 2017 us=7112 81.109.233.126:56296 Re-using SSL/TLS context
Sun Jan 15 16:48:51 2017 us=7227 81.109.233.126:56296 LZ4 compression initializing
Sun Jan 15 16:48:51 2017 us=8148 81.109.233.126:56296 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Sun Jan 15 16:48:51 2017 us=8263 81.109.233.126:56296 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sun Jan 15 16:48:51 2017 us=8459 81.109.233.126:56296 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Sun Jan 15 16:48:51 2017 us=8532 81.109.233.126:56296 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Sun Jan 15 16:48:51 2017 us=8749 81.109.233.126:56296 TLS: Initial packet from [AF_INET]81.109.233.126:56296, sid=d27a8897 0d6387be
Sun Jan 15 16:48:51 2017 us=468990 81.109.233.126:56296 VERIFY OK: depth=1, C=US, ST=California, L=San Francisco, O=Copyleft Certificate Co, OU=My Organizational Unit, CN=EasyRSA-DB, emailAddress=me@example.net
Sun Jan 15 16:48:51 2017 us=469681 81.109.233.126:56296 Validating certificate extended key usage
Sun Jan 15 16:48:51 2017 us=469742 81.109.233.126:56296 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Sun Jan 15 16:48:51 2017 us=469786 81.109.233.126:56296 VERIFY EKU OK
Sun Jan 15 16:48:51 2017 us=469830 81.109.233.126:56296 VERIFY OK: depth=0, C=US, ST=California, L=San Francisco, O=Copyleft Certificate Co, OU=My Organizational Unit, CN=clientname1, emailAddress=me@example.net
Sun Jan 15 16:48:51 2017 us=675132 81.109.233.126:56296 peer info: IV_VER=2.4.0
Sun Jan 15 16:48:51 2017 us=675253 81.109.233.126:56296 peer info: IV_PLAT=mac
Sun Jan 15 16:48:51 2017 us=675306 81.109.233.126:56296 peer info: IV_PROTO=2
Sun Jan 15 16:48:51 2017 us=675354 81.109.233.126:56296 peer info: IV_NCP=2
Sun Jan 15 16:48:51 2017 us=675400 81.109.233.126:56296 peer info: IV_LZ4=1
Sun Jan 15 16:48:51 2017 us=675447 81.109.233.126:56296 peer info: IV_LZ4v2=1
Sun Jan 15 16:48:51 2017 us=675494 81.109.233.126:56296 peer info: IV_LZO=1
Sun Jan 15 16:48:51 2017 us=675540 81.109.233.126:56296 peer info: IV_COMP_STUB=1
Sun Jan 15 16:48:51 2017 us=675588 81.109.233.126:56296 peer info: IV_COMP_STUBv2=1
Sun Jan 15 16:48:51 2017 us=675634 81.109.233.126:56296 peer info: IV_TCPNL=1
Sun Jan 15 16:48:51 2017 us=683883 81.109.233.126:56296 Control Channel: TLSv1.2, cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, 521 bit key
Sun Jan 15 16:48:51 2017 us=684043 81.109.233.126:56296 [clientname1] Peer Connection Initiated with [AF_INET]81.109.233.126:56296
Sun Jan 15 16:48:51 2017 us=684179 clientname1/81.109.233.126:56296 MULTI_sva: pool returned IPv4=10.88.90.6, IPv6=(Not enabled)
Sun Jan 15 16:48:51 2017 us=684414 clientname1/81.109.233.126:56296 MULTI: Learn: 10.88.90.6 -> clientname1/81.109.233.126:56296
Sun Jan 15 16:48:51 2017 us=684477 clientname1/81.109.233.126:56296 MULTI: primary virtual IP for clientname1/81.109.233.126:56296: 10.88.90.6
Sun Jan 15 16:48:52 2017 us=780141 clientname1/81.109.233.126:56296 PUSH: Received control message: 'PUSH_REQUEST'
Sun Jan 15 16:48:52 2017 us=780528 clientname1/81.109.233.126:56296 SENT CONTROL [clientname1]: 'PUSH_REPLY,route 10.88.90.1 255.255.255.255,route 10.88.90.0 255.255.255.0,dhcp-option DNS 84.200.69.80,dhcp-option DNS 84.200.70.40,redirect-gateway def1 bypass-dhcp,block-ipv6,route 10.88.90.1,topology net30,ping 10,ping-restart 120,ifconfig 10.88.90.6 10.88.90.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Jan 15 16:48:52 2017 us=780615 clientname1/81.109.233.126:56296 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Sun Jan 15 16:48:52 2017 us=781283 clientname1/81.109.233.126:56296 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan 15 16:48:52 2017 us=781345 clientname1/81.109.233.126:56296 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
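
An added example, not part of dariusz's post or of OpenVPN itself: a small parser for server log lines in the format shown above that records what each peer advertised (`IV_VER`, `IV_NCP`) and which control and data channel ciphers were actually used, then lists the peers that still need a legacy setup. The sample lines are constructed (documentation IP ranges, a made-up pre-2.4 second client), and the function names are hypothetical.

```python
import re

# Constructed sample in the same line format as the server log above
# (documentation IP ranges; the second client is a made-up pre-2.4 peer).
SAMPLE_LOG = """\
Sun Jan 15 16:48:51 2017 us=675132 203.0.113.10:56296 peer info: IV_VER=2.4.0
Sun Jan 15 16:48:51 2017 us=675354 203.0.113.10:56296 peer info: IV_NCP=2
Sun Jan 15 16:48:51 2017 us=683883 203.0.113.10:56296 Control Channel: TLSv1.2, cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, 521 bit key
Sun Jan 15 16:48:52 2017 us=781283 clientname1/203.0.113.10:56296 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan 15 16:50:02 2017 us=112001 198.51.100.7:40112 peer info: IV_VER=2.3.14
Sun Jan 15 16:50:02 2017 us=120555 198.51.100.7:40112 Control Channel: TLSv1.2, cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, 2048 bit key
Sun Jan 15 16:50:03 2017 us=201777 clientname2/198.51.100.7:40112 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
"""

# "<timestamp> us=<n> [<CN>/]<ip>:<port> <message>"; IPv4 peers only.
LINE = re.compile(r"us=\d+ (?:(?P<cn>[^/\s]+)/)?(?P<peer>\d+(?:\.\d+){3}:\d+) (?P<msg>.*)$")
PEER_INFO = re.compile(r"peer info: (IV_\w+)=(\S+)")
CONTROL = re.compile(r"Control Channel: ([^,]+), cipher ([^,]+),")
DATA = re.compile(r"Data Channel Encrypt: Cipher '([^']+)'")

def summarize(log_text):
    """Return {peer: {'cn', 'info', 'tls', 'control_cipher', 'data_cipher'}}."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines without a peer address (e.g. MULTI: ... called)
        p = peers.setdefault(m["peer"], {"cn": None, "info": {}, "tls": None,
                                         "control_cipher": None, "data_cipher": None})
        if m["cn"]:
            p["cn"] = m["cn"]  # the CN prefix appears once the peer is authenticated
        if (x := PEER_INFO.match(m["msg"])):
            p["info"][x[1]] = x[2]
        elif (x := CONTROL.match(m["msg"])):
            p["tls"], p["control_cipher"] = x[1], x[2]
        elif (x := DATA.match(m["msg"])):
            p["data_cipher"] = x[1]
    return peers

def legacy_peers(peers):
    """Peers that did not advertise IV_NCP or ended up on a non-GCM data cipher."""
    return sorted(k for k, p in peers.items()
                  if "IV_NCP" not in p["info"]
                  or not (p["data_cipher"] or "").endswith("-GCM"))

if __name__ == "__main__":
    for peer, p in summarize(SAMPLE_LOG).items():
        print(peer, p["cn"], p["info"].get("IV_VER"), p["control_cipher"], p["data_cipher"])
    print("legacy:", legacy_peers(summarize(SAMPLE_LOG)))
```
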

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by dariusz » Sun Jan 15, 2017 5:40 pm

As you can see above in my server log it connects with no errors and warnings.
I have tried multiple options with iOS and I am almost sure now that it does not support it yet. Hopefully it will be upgraded soon. It seems that the iOS OpenVPN client does not understand how to use the new EC keys. I have experimented with both in-line and p12 files installed in the certificate store. Nothing worked.

Dariusz

peter_sm
OpenVpn Newbie
Posts: 17
Joined: Wed Apr 18, 2012 7:43 am

Re: Compatible with OpenVPN 2.4 ?

Post by peter_sm » Sun Jan 15, 2017 6:01 pm

Looks good!!, please let me know when and where you add your guide ;-)

peter_sm
OpenVpn Newbie
Posts: 17
Joined: Wed Apr 18, 2012 7:43 am

Re: Compatible with OpenVPN 2.4 ?

Post by peter_sm » Sun Jan 15, 2017 6:03 pm

I have only tested and changed one line in easyrsa (RSA to EC), but I don't think that is enough to switch completely to EC for server/client

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by dariusz » Sun Jan 15, 2017 6:07 pm

Nope. Few more changes... stay with me. I will write everything down next week. 2.4 introduced some changes - it took me many frustrated tries and man pages reading to get it working. What is missing now, at least for me is 2.4 iOS client. Hopefully it is already in making.

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by dariusz » Mon Jan 16, 2017 11:19 am

I have posted some details here:

viewtopic.php?f=4&t=23227

if you have any questions let's continue there.

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by dariusz » Tue Jan 31, 2017 10:24 am

Is there any place I can see the latest status of dev for iOS client? Maybe some beta to help testing with etc...

enri
OpenVpn Newbie
Posts: 5
Joined: Fri Feb 03, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by enri » Sun Feb 05, 2017 11:05 am

Also found that tls-crypt works on my Mac with Tunnelblick, but not on iOS OpenVPN Connect

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by dariusz » Sun Feb 05, 2017 12:26 pm

tls-crypt has been only introduced in OpenVPN 2.4 and iOS client is not compatible with it yet. Still the lowest common denominator is to use RSA crypto with OpenVPN 2.3 compatible options.

I hope that iOS client will be updated soon.

enri
OpenVpn Newbie
Posts: 5
Joined: Fri Feb 03, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by enri » Mon Feb 06, 2017 2:55 am

I tried "auth SHA256" and the iOS client can connect, but full tunnel traffic is not usable

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by dariusz » Mon Feb 06, 2017 10:15 am

What do you mean the client can connect? Would you mind sharing your server and client config?

enri
OpenVpn Newbie
Posts: 5
Joined: Fri Feb 03, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by enri » Mon Feb 06, 2017 11:48 pm

I am not talking about tls-crypt. I just mean that when I use auth SHA256 (instead of my previous config that uses auth SHA1), on my iPhone the traffic is extremely slow.
On my Mac it is working great.

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by dariusz » Wed Feb 08, 2017 11:27 am

FYI - I use SHA512 and with a relatively old iPhone 5s it works flawlessly at full speed

enri
OpenVpn Newbie
Posts: 5
Joined: Fri Feb 03, 2017 1:42 pm

Re: Compatible with OpenVPN 2.4 ?

Post by enri » Sun Feb 12, 2017 6:26 pm

I see. Thanks for letting me know.

I have no idea why. The same settings (same ovpn file) with SHA256 as auth do not have a problem on my Mac
