tls-crypt, GCM ciphers, auth [alg] directive

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
cr9c1
OpenVPN User
Posts: 35
Joined: Mon Mar 31, 2014 5:49 pm

tls-crypt, GCM ciphers, auth [alg] directive

Post by cr9c1 » Mon Apr 10, 2017 3:05 pm

I just had a couple questions.

I noticed a new feature in 2.4, tls-crypt. I was previously using tls-auth, with key direction specified in server and client configurations. I checked out the notes for tls-crypt and it seemed like an improvement, so I switched over to it, and have had no issues. Previously, I had updated my ciphers from CBC to GCM ciphers. I also restrict TLS to 1.2, and only using the TLS cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

Before switching to the GCM ciphers, I was using auth SHA512 and auth SHA256 in some cases, mostly experimenting. It appears as if either using tls-crypt, or switching to the GCM ciphers, has caused the auth SHA256/512 to become not needed, is this the case? It appears I have missed something, but removing the auth statement in both client and server results in no change on the server end and client end logfile, indicating encryption of the data and control channel are the same, with the same cipher and key length regardless of the auth statement.

Would this be correct? I figure it has to be either tls-crypt or the use of the GCM ciphers that have made the auth directive do nothing, but I only understand a little about this so your help is greatly appreciated. Thank you!

cr9c1
OpenVPN User
Posts: 35
Joined: Mon Mar 31, 2014 5:49 pm

Re: tls-crypt, GCM ciphers, auth [alg] directive

Post by cr9c1 » Mon Apr 10, 2017 3:08 pm

Okay, so I finally found what I was looking for in the man page. Using GCM ciphers ignores the auth directive for the data channel. However, because I am using tls-crypt vs tls-auth, I'm assuming the auth directive is also useless for the control channel as well, since that is predefined as using the AES-256-CTR cipher with a 256 bit key?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt, GCM ciphers, auth [alg] directive

Post by TinCanTech » Mon Apr 10, 2017 4:18 pm

Without seeing your configs and logs it is all a mystery ..

However,
--tls-crypt disables --tls-auth, you can stop using --tls-crypt by commenting it out of your config,
you can also disable --ncp-ciphers with --ncp-disable
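A server/client configuration pair that puts the directives discussed in this thread (tls-crypt instead of tls-auth, an AES-GCM data channel, TLS 1.2 pinned to one suite, and the auth line that no longer does anything for those channels) side by side. This is an added example, not a config posted by anyone in the thread; the file paths, hostname and address range are placeholders.

```conf
# server.conf  (OpenVPN 2.4)  -- added example, paths and addresses are placeholders
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem            # required because the pinned TLS suite below is DHE
server 10.8.0.0 255.255.255.0

# Control channel.  tls-crypt both encrypts and authenticates control packets and
# replaces tls-auth; no key-direction is needed, and the algorithms it uses are fixed
# by tls-crypt itself, so --auth does not influence this channel.
# Generate the shared key once with:  openvpn --genkey --secret /etc/openvpn/tc.key
tls-crypt /etc/openvpn/tc.key
#tls-auth /etc/openvpn/ta.key 0    # the old way: direction 0 here, 1 on the client;
                                   # with tls-auth, --auth DOES select the control-channel HMAC

# TLS handshake: 1.2 only, one AEAD suite (OpenVPN's own suite naming, not OpenSSL's)
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

# Data channel: AES-GCM is an AEAD cipher, so --auth is ignored for this channel
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM   # 2.4 cipher negotiation; --ncp-disable turns it off
#auth SHA512                          # only relevant for a CBC data channel (or tls-auth)
```

```conf
# client.conf  -- added example, same assumptions as above
client
dev tun
proto udp
remote vpn.example.com 1194
ca   ca.crt
cert client.crt
key  client.key
remote-cert-tls server
tls-crypt tc.key                      # same shared key as the server, no key-direction line
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
```

One caveat worth checking before deleting auth lines for good: with ncp-ciphers in play, a peer that does not support cipher negotiation (or that runs with --ncp-disable) falls back to the plain --cipher setting, and if that is a CBC cipher the --auth HMAC is back in use on the data channel. Keeping cipher AES-256-GCM on both sides, as above, avoids that fallback; the server log's "Data Channel" lines show which cipher and, for CBC, which HMAC actually got negotiated.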
