Support for the Edwards curves - ed25519

banjo
OpenVpn Newbie
Posts: 14
Joined: Wed May 31, 2017 12:58 am

Support for the Edwards curves - ed25519

Post by banjo » Fri Feb 28, 2020 6:52 am

Recently, TinCanTech replied to a topic of mine saying that OpenVPN does not, at the moment, support the Edwards curves. So:
  1. There appears to be some suspicion regarding NIST-supplied curves
  2. The Edwards curves are apparently more secure and more difficult to crack
  3. OpenSSL has supported them for more than a year
  4. OpenVPN does not support them
When will OpenVPN support the Edwards curve, ed25519?

Given that I use OpenSSL with OpenVPN, a possibly self-serving observation is that I am OK with initially only providing support via OpenSSL.

narun4sk
OpenVpn Newbie
Posts: 1
Joined: Tue Dec 29, 2020 7:44 pm

Re: Support for the Edwards curves - ed25519

Post by narun4sk » Tue Dec 29, 2020 7:54 pm

Hey ho,

I got to this page by researching the ed25519 support in OpenVPN and I second the OP. IMHO all 4 points are very valid and there have been no updates from the OpenVPN devs for nearly a year :(

TinCanTech
OpenVPN Protagonist
Posts: 8871
Joined: Fri Jun 03, 2016 1:17 pm

Re: Support for the Edwards curves - ed25519

Post by TinCanTech » Tue Dec 29, 2020 8:53 pm


mooduck
OpenVpn Newbie
Posts: 9
Joined: Sat Feb 06, 2021 7:17 am

Re: Support for the Edwards curves - ed25519

Post by mooduck » Sat Feb 06, 2021 8:06 am

Hey there guys!

I'm trying to make something like WireGuard out of OpenVPN, and since release 2.5.0 that can be possible. I've already set up ec in easy-rsa instead of rsa, the ChaCha20-Poly1305 cipher and the wintun adapter, and it works very fast, but it's not enough and we have to go deeper. So the next thing in line is the ed25519 curve. The easy-rsa release notes state that support for ed curves was added in release 3.0.7, and openssl 1.1.1i supports them too - keys are generated, the connection is established and everything seems OK, but there is a line in the log file that keeps me guessing:

When I use ec in set_var EASYRSA_ALGO in the vars file, the connection log shows me

```
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 384 bit EC, curve: secp384r1
```

but when I switch to ed in set_var EASYRSA_ALGO the log has:

```
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256
```

and that's it - no curve info, no nothing, so I don't know whether ovpn is using it or not. Well, I'm guessing that it works, 'cause if it didn't, the connection to the server wouldn't have been established, am I right or right?

Additional info that I googled:

```
openssl ecparam -list_curves
```

doesn't show the 25519 curve in the list 'cause it's not a "standard" curve https://github.com/openssl/openssl/issu ... -489459074 and this one https://bugs.debian.org/cgi-bin/bugrepo ... bug=839777, but when you do something like this

```
openssl list -public-key-algorithms
```

it shows

```
Name: OpenSSL ED25519 algorithm
        Type: Builtin Algorithm
        OID: ED25519
        PEM string: ED25519
Name: OpenSSL ED448 algorithm
        Type: Builtin Algorithm
        OID: ED448
        PEM string: ED448
```

So my guess is that openvpn doesn't show curve info in the connection log because the curve doesn't appear in the openssl list, though it is supported,
and #2 you can't use ed with curves that are in the list 'cause of it https://github.com/OpenVPN/easy-rsa/blo ... syrsa#L447

So the question is - does ovpn work with ed25519 or not? 'Cause I don't get it.

TinCanTech
OpenVPN Protagonist
Posts: 8871
Joined: Fri Jun 03, 2016 1:17 pm

Re: Support for the Edwards curves - ed25519

Post by TinCanTech » Sat Feb 06, 2021 1:48 pm

Openvpn may not have support for the curve you want ..

mooduck
OpenVpn Newbie
Posts: 9
Joined: Sat Feb 06, 2021 7:17 am

Re: Support for the Edwards curves - ed25519

Post by mooduck » Sat Feb 06, 2021 2:44 pm

Thanks for the answer, man. Guess we'll have to wait till then. By the way - why the h does easy-rsa give you that option if ovpn doesn't yet support this thing anyway?
https://github.com/OpenVPN/easy-rsa/blo ... ample#L115

TinCanTech
OpenVPN Protagonist
Posts: 8871
Joined: Fri Jun 03, 2016 1:17 pm

Re: Support for the Edwards curves - ed25519

Post by TinCanTech » Sun Feb 07, 2021 12:16 am

FTR: Easy-RSA3 does not choose to follow OpenVPN as a specific goal.

Therefore .. they are not an exact match ............

mooduck
OpenVpn Newbie
Posts: 9
Joined: Sat Feb 06, 2021 7:17 am

Re: Support for the Edwards curves - ed25519

Post by mooduck » Sun Mar 28, 2021 3:07 pm

There we go, guys:

https://github.com/OpenVPN/openvpn/comm ... 1b81db5c34

Waiting for the release.

upd.

Can't wait for the release - so I built the server side from the src git repo, and can confirm that it works now (the client side still needs an update to show the same line in the connection log)

```
openvpn[7602]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 253 bit ED25519, signature: ED25519
```
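
As an added example (not part of any post in this thread, and not OpenVPN code): a small Python parser for the three Control Channel log lines quoted above, which reports the peer key type when the line carries one and returns "unknown" when the line has no key details, since such a line shows neither that an Edwards key is in use nor that it is not. The function names and verdict labels are assumptions made for the example.

```python
import re

# The three "Control Channel" lines quoted in this thread.
SAMPLE_LINES = [
    "Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, "
    "384 bit EC, curve: secp384r1",
    "Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256",
    "openvpn[7602]: Control Channel: TLSv1.3, cipher TLSv1.3 "
    "TLS_CHACHA20_POLY1305_SHA256, peer certificate: 253 bit ED25519, "
    "signature: ED25519",
]

LINE_RE = re.compile(r"Control Channel: (?P<tls>[^,]+), cipher (?P<cipher>[^,]+)(?P<rest>.*)$")
KEY_RE = re.compile(r"(?:peer certificate: )?(?P<bits>\d+) bit (?P<type>\w+)")
CURVE_RE = re.compile(r"curve: ([^,\s]+)")
SIG_RE = re.compile(r"signature: ([^,\s]+)")
EDWARDS_KEY_TYPES = {"ED25519", "ED448"}  # names as printed by `openssl list`

def parse_control_channel(line):
    """Return the fields of a Control Channel line, or None if it is not one."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    info = {"tls": m.group("tls").strip(),
            "cipher": m.group("cipher").split()[-1],  # drop the "TLSv1.3 " prefix
            "key_bits": None, "key_type": None, "curve": None, "signature": None}
    rest = m.group("rest")
    key = KEY_RE.search(rest)
    if key:
        info["key_bits"], info["key_type"] = int(key.group("bits")), key.group("type")
    for name, rx in (("curve", CURVE_RE), ("signature", SIG_RE)):
        hit = rx.search(rest)
        if hit:
            info[name] = hit.group(1)
    return info

def peer_key_verdict(line):
    """Classify a line as 'edwards', 'other', 'unknown' or 'not-control-channel'."""
    info = parse_control_channel(line)
    if info is None:
        return "not-control-channel"
    if info["key_type"] is None:
        # No key details logged: the line proves neither use nor non-use.
        return "unknown"
    return "edwards" if info["key_type"].upper() in EDWARDS_KEY_TYPES else "other"
```
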
