BLAKE2 support for hashing.

Post by mooduck » Sat Feb 06, 2021 8:20 am

Hey there guys!

I've been trying to make some WireGuard out of OpenVPN, and since release 2.5.0 it can be possible. I've already set up EC in easy-rsa instead of RSA, the ChaCha20-Poly1305 cipher and the Wintun adapter, and it works very fast, but it's not enough and we have to go deeper.

So there is an option called auth

like it says in man

Code:

130 root@ovpnsrc ~ # openvpn --show-digests
The following message digests are available for use with
OpenVPN.  A message digest is used in conjunction with
the HMAC function, to authenticate received packets.
You can specify a message digest as parameter to
the --auth option.

MD5 128 bit digest size
RSA-MD5 128 bit digest size
SHA1 160 bit digest size
RSA-SHA1 160 bit digest size
MDC2 128 bit digest size
RSA-MDC2 128 bit digest size
MD5-SHA1 288 bit digest size
RSA-SHA1-2 160 bit digest size
RIPEMD160 160 bit digest size
RSA-RIPEMD160 160 bit digest size
MD4 128 bit digest size
RSA-MD4 128 bit digest size
RSA-SHA256 256 bit digest size
RSA-SHA384 384 bit digest size
RSA-SHA512 512 bit digest size
RSA-SHA224 224 bit digest size
SHA256 256 bit digest size
SHA384 384 bit digest size
SHA512 512 bit digest size
SHA224 224 bit digest size
whirlpool 512 bit digest size
BLAKE2b512 512 bit digest size
BLAKE2s256 256 bit digest size
SHA512-224 224 bit digest size
SHA512-256 256 bit digest size
SHA3-224 224 bit digest size
SHA3-256 256 bit digest size
SHA3-384 384 bit digest size
SHA3-512 512 bit digest size
SHAKE128 128 bit digest size
SHAKE256 256 bit digest size
id-rsassa-pkcs1-v1_5-with-sha3-224 224 bit digest size
id-rsassa-pkcs1-v1_5-with-sha3-256 256 bit digest size
id-rsassa-pkcs1-v1_5-with-sha3-384 384 bit digest size
id-rsassa-pkcs1-v1_5-with-sha3-512 512 bit digest size
SM3 256 bit digest size
RSA-SM3 256 bit digest size
RSA-SHA512/224 224 bit digest size
RSA-SHA512/256 256 bit digest size

BLAKE2 is in the list, but when I added it to the server.conf nothing seems to be happening - ovpn just doesn't care - it still shows me

Code:

Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

My server.conf is:
Server config

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.8.0.0 255.255.255.0"
keepalive 10 120

tls-crypt ta.key
data-ciphers CHACHA20-POLY1305
cipher CHACHA20-POLY1305
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
auth BLAKE2b512

user nobody
group nogroup.
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1


"Why does he need BLAKE2 support anyway?" you probably wonder - it's simple, just look here:
https://www.blake2.net/
It's significantly faster than the SHA ones.

Post by TinCanTech » Sat Feb 06, 2021 1:45 pm

HASH is not encryption .. what about the rest of your log at --verb 4

Post by mooduck » Sat Feb 06, 2021 2:41 pm

My bad, guess I'm confusing things. I just took another look at the man page and did some searching in the forum - now I'm guessing that the real question should be: can I use --auth alg with --tls-crypt instead of tls-auth? And do I need that anyway? (since tls-crypt encrypts everything from the start of the handshake)

viewtopic.php?t=23869
--auth alg

Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm and a key to produce a digital signature.

The OpenVPN data channel protocol uses encrypt-then-mac (i.e. first encrypt a packet then HMAC the resulting ciphertext), which prevents padding oracle attacks.

If an AEAD cipher mode (e.g. GCM) is chosen then the specified --auth algorithm is ignored for the data channel and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.

In static-key encryption mode, the HMAC key is included in the key file generated by --genkey. In TLS mode, the HMAC key is dynamically generated and shared between peers via the TLS control channel. If OpenVPN receives a packet with a bad HMAC it will drop the packet. HMAC usually adds 16 or 20 bytes per packet. Set alg=none to disable authentication.

Post by mooduck » Sat Feb 06, 2021 2:47 pm

Here goes the log with verb 4:

Code:

2021-02-06 17:41:24 us=389311 Current Parameter Settings:
2021-02-06 17:41:24 us=389311   config = 'client1.ovpn'
2021-02-06 17:41:24 us=389311   mode = 0
2021-02-06 17:41:24 us=389311   show_ciphers = DISABLED
2021-02-06 17:41:24 us=389311   show_digests = DISABLED
2021-02-06 17:41:24 us=389311   show_engines = DISABLED
2021-02-06 17:41:24 us=389311   genkey = DISABLED
2021-02-06 17:41:24 us=389311   genkey_filename = '[UNDEF]'
2021-02-06 17:41:24 us=389311   key_pass_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311   show_tls_ciphers = DISABLED
2021-02-06 17:41:24 us=389311   connect_retry_max = 0
2021-02-06 17:41:24 us=389311 Connection profiles [0]:
2021-02-06 17:41:24 us=389311   proto = udp
2021-02-06 17:41:24 us=389311   local = '[UNDEF]'
2021-02-06 17:41:24 us=389311   local_port = '[UNDEF]'
2021-02-06 17:41:24 us=389311   remote = '45.156.22.236'
2021-02-06 17:41:24 us=389311   remote_port = '1194'
2021-02-06 17:41:24 us=389311   remote_float = DISABLED
2021-02-06 17:41:24 us=389311   bind_defined = DISABLED
2021-02-06 17:41:24 us=389311   bind_local = DISABLED
2021-02-06 17:41:24 us=389311   bind_ipv6_only = DISABLED
2021-02-06 17:41:24 us=389311   connect_retry_seconds = 5
2021-02-06 17:41:24 us=389311   connect_timeout = 120
2021-02-06 17:41:24 us=389311   socks_proxy_server = '[UNDEF]'
2021-02-06 17:41:24 us=389311   socks_proxy_port = '[UNDEF]'
2021-02-06 17:41:24 us=389311   tun_mtu = 1500
2021-02-06 17:41:24 us=389311   tun_mtu_defined = ENABLED
2021-02-06 17:41:24 us=389311   link_mtu = 1500
2021-02-06 17:41:24 us=389311   link_mtu_defined = DISABLED
2021-02-06 17:41:24 us=389311   tun_mtu_extra = 0
2021-02-06 17:41:24 us=389311   tun_mtu_extra_defined = DISABLED
2021-02-06 17:41:24 us=389311   mtu_discover_type = -1
2021-02-06 17:41:24 us=389311   fragment = 0
2021-02-06 17:41:24 us=389311   mssfix = 1450
2021-02-06 17:41:24 us=389311   explicit_exit_notification = 0
2021-02-06 17:41:24 us=389311   tls_auth_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311   key_direction = 1
2021-02-06 17:41:24 us=389311   tls_crypt_file = '[INLINE]'
2021-02-06 17:41:24 us=389311   tls_crypt_v2_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311 Connection profiles END
2021-02-06 17:41:24 us=389311   remote_random = DISABLED
2021-02-06 17:41:24 us=389311   ipchange = '[UNDEF]'
2021-02-06 17:41:24 us=389311   dev = 'tun'
2021-02-06 17:41:24 us=389311   dev_type = '[UNDEF]'
2021-02-06 17:41:24 us=389311   dev_node = '[UNDEF]'
2021-02-06 17:41:24 us=389311   lladdr = '[UNDEF]'
2021-02-06 17:41:24 us=389311   topology = 1
2021-02-06 17:41:24 us=389311   ifconfig_local = '[UNDEF]'
2021-02-06 17:41:24 us=389311   ifconfig_remote_netmask = '[UNDEF]'
2021-02-06 17:41:24 us=389311   ifconfig_noexec = DISABLED
2021-02-06 17:41:24 us=389311   ifconfig_nowarn = DISABLED
2021-02-06 17:41:24 us=389311   ifconfig_ipv6_local = '[UNDEF]'
2021-02-06 17:41:24 us=389311   ifconfig_ipv6_netbits = 0
2021-02-06 17:41:24 us=389311   ifconfig_ipv6_remote = '[UNDEF]'
2021-02-06 17:41:24 us=389311   shaper = 0
2021-02-06 17:41:24 us=389311   mtu_test = 0
2021-02-06 17:41:24 us=389311   mlock = DISABLED
2021-02-06 17:41:24 us=389311   keepalive_ping = 0
2021-02-06 17:41:24 us=389311   keepalive_timeout = 0
2021-02-06 17:41:24 us=389311   inactivity_timeout = 0
2021-02-06 17:41:24 us=389311   ping_send_timeout = 0
2021-02-06 17:41:24 us=389311   ping_rec_timeout = 0
2021-02-06 17:41:24 us=389311   ping_rec_timeout_action = 0
2021-02-06 17:41:24 us=389311   ping_timer_remote = DISABLED
2021-02-06 17:41:24 us=389311   remap_sigusr1 = 0
2021-02-06 17:41:24 us=389311   persist_tun = ENABLED
2021-02-06 17:41:24 us=389311   persist_local_ip = DISABLED
2021-02-06 17:41:24 us=389311   persist_remote_ip = DISABLED
2021-02-06 17:41:24 us=389311   persist_key = ENABLED
2021-02-06 17:41:24 us=389311   passtos = DISABLED
2021-02-06 17:41:24 us=389311   resolve_retry_seconds = 1000000000
2021-02-06 17:41:24 us=389311   resolve_in_advance = DISABLED
2021-02-06 17:41:24 us=389311   username = '[UNDEF]'
2021-02-06 17:41:24 us=389311   groupname = '[UNDEF]'
2021-02-06 17:41:24 us=389311   chroot_dir = '[UNDEF]'
2021-02-06 17:41:24 us=389311   cd_dir = '[UNDEF]'
2021-02-06 17:41:24 us=389311   writepid = '[UNDEF]'
2021-02-06 17:41:24 us=389311   up_script = '[UNDEF]'
2021-02-06 17:41:24 us=389311   down_script = '[UNDEF]'
2021-02-06 17:41:24 us=389311   down_pre = DISABLED
2021-02-06 17:41:24 us=389311   up_restart = DISABLED
2021-02-06 17:41:24 us=389311   up_delay = DISABLED
2021-02-06 17:41:24 us=389311   daemon = DISABLED
2021-02-06 17:41:24 us=389311   inetd = 0
2021-02-06 17:41:24 us=389311   log = ENABLED
2021-02-06 17:41:24 us=389311   suppress_timestamps = DISABLED
2021-02-06 17:41:24 us=389311   machine_readable_output = DISABLED
2021-02-06 17:41:24 us=389311   nice = 0
2021-02-06 17:41:24 us=389311   verbosity = 4
2021-02-06 17:41:24 us=389311   mute = 0
2021-02-06 17:41:24 us=389311   gremlin = 0
2021-02-06 17:41:24 us=389311   status_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311   status_file_version = 1
2021-02-06 17:41:24 us=389311   status_file_update_freq = 60
2021-02-06 17:41:24 us=389311   occ = ENABLED
2021-02-06 17:41:24 us=389311   rcvbuf = 0
2021-02-06 17:41:24 us=389311   sndbuf = 0
2021-02-06 17:41:24 us=389311   sockflags = 0
2021-02-06 17:41:24 us=389311   fast_io = DISABLED
2021-02-06 17:41:24 us=389311   comp.alg = 0
2021-02-06 17:41:24 us=389311   comp.flags = 0
2021-02-06 17:41:24 us=389311   route_script = '[UNDEF]'
2021-02-06 17:41:24 us=389311   route_default_gateway = '[UNDEF]'
2021-02-06 17:41:24 us=389311   route_default_metric = 0
2021-02-06 17:41:24 us=389311   route_noexec = DISABLED
2021-02-06 17:41:24 us=389311   route_delay = 0
2021-02-06 17:41:24 us=389311   route_delay_window = 30
2021-02-06 17:41:24 us=389311   route_delay_defined = DISABLED
2021-02-06 17:41:24 us=389311   route_nopull = DISABLED
2021-02-06 17:41:24 us=389311   route_gateway_via_dhcp = DISABLED
2021-02-06 17:41:24 us=389311   allow_pull_fqdn = DISABLED
2021-02-06 17:41:24 us=389311   Pull filters:
2021-02-06 17:41:24 us=389311     ignore "route-method"
2021-02-06 17:41:24 us=389311   management_addr = '127.0.0.1'
2021-02-06 17:41:24 us=389311   management_port = '25340'
2021-02-06 17:41:24 us=389311   management_user_pass = 'stdin'
2021-02-06 17:41:24 us=389311   management_log_history_cache = 250
2021-02-06 17:41:24 us=389311   management_echo_buffer_size = 100
2021-02-06 17:41:24 us=389311   management_write_peer_info_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311   management_client_user = '[UNDEF]'
2021-02-06 17:41:24 us=389311   management_client_group = '[UNDEF]'
2021-02-06 17:41:24 us=389311   management_flags = 6
2021-02-06 17:41:24 us=389311   shared_secret_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311   key_direction = 1
2021-02-06 17:41:24 us=389311   ciphername = 'CHACHA20-POLY1305'
2021-02-06 17:41:24 us=389311   ncp_enabled = ENABLED
2021-02-06 17:41:24 us=389311   ncp_ciphers = 'CHACHA20-POLY1305'
2021-02-06 17:41:24 us=389311   authname = 'BLAKE2b512'
2021-02-06 17:41:24 us=389311   prng_hash = 'SHA1'
2021-02-06 17:41:24 us=389311   prng_nonce_secret_len = 16
2021-02-06 17:41:24 us=389311   keysize = 0
2021-02-06 17:41:24 us=389311   engine = DISABLED
2021-02-06 17:41:24 us=389311   replay = ENABLED
2021-02-06 17:41:24 us=389311   mute_replay_warnings = DISABLED
2021-02-06 17:41:24 us=389311   replay_window = 64
2021-02-06 17:41:24 us=389311   replay_time = 15
2021-02-06 17:41:24 us=389311   packet_id_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311   test_crypto = DISABLED
2021-02-06 17:41:24 us=389311   tls_server = DISABLED
2021-02-06 17:41:24 us=389311   tls_client = ENABLED
2021-02-06 17:41:24 us=389311   ca_file = '[INLINE]'
2021-02-06 17:41:24 us=389311   ca_path = '[UNDEF]'
2021-02-06 17:41:24 us=389311   dh_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311   cert_file = '[INLINE]'
2021-02-06 17:41:24 us=389311   extra_certs_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311   priv_key_file = '[INLINE]'
2021-02-06 17:41:24 us=389311   pkcs12_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311   cryptoapi_cert = '[UNDEF]'
2021-02-06 17:41:24 us=389311   cipher_list = '[UNDEF]'
2021-02-06 17:41:24 us=389311   cipher_list_tls13 = '[UNDEF]'
2021-02-06 17:41:24 us=389311   tls_cert_profile = '[UNDEF]'
2021-02-06 17:41:24 us=389311   tls_verify = '[UNDEF]'
2021-02-06 17:41:24 us=389311   tls_export_cert = '[UNDEF]'
2021-02-06 17:41:24 us=389311   verify_x509_type = 0
2021-02-06 17:41:24 us=389311   verify_x509_name = '[UNDEF]'
2021-02-06 17:41:24 us=389311   crl_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311   ns_cert_type = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 65535
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_ku[i] = 0
2021-02-06 17:41:24 us=389311   remote_cert_eku = 'TLS Web Server Authentication'
2021-02-06 17:41:24 us=389311   ssl_flags = 0
2021-02-06 17:41:24 us=389311   tls_timeout = 2
2021-02-06 17:41:24 us=389311   renegotiate_bytes = -1
2021-02-06 17:41:24 us=389311   renegotiate_packets = 0
2021-02-06 17:41:24 us=389311   renegotiate_seconds = 3600
2021-02-06 17:41:24 us=389311   handshake_window = 60
2021-02-06 17:41:24 us=389311   transition_window = 3600
2021-02-06 17:41:24 us=389311   single_session = DISABLED
2021-02-06 17:41:24 us=389311   push_peer_info = DISABLED
2021-02-06 17:41:24 us=389311   tls_exit = DISABLED
2021-02-06 17:41:24 us=389311   tls_crypt_v2_metadata = '[UNDEF]'
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_protected_authentication = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_private_mode = 00000000
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_cert_private = DISABLED
2021-02-06 17:41:24 us=389311   pkcs11_pin_cache_period = -1
2021-02-06 17:41:24 us=389311   pkcs11_id = '[UNDEF]'
2021-02-06 17:41:24 us=389311   pkcs11_id_management = DISABLED
2021-02-06 17:41:24 us=389311   server_network = 0.0.0.0
2021-02-06 17:41:24 us=389311   server_netmask = 0.0.0.0
2021-02-06 17:41:24 us=389311   server_network_ipv6 = ::
2021-02-06 17:41:24 us=389311   server_netbits_ipv6 = 0
2021-02-06 17:41:24 us=389311   server_bridge_ip = 0.0.0.0
2021-02-06 17:41:24 us=389311   server_bridge_netmask = 0.0.0.0
2021-02-06 17:41:24 us=389311   server_bridge_pool_start = 0.0.0.0
2021-02-06 17:41:24 us=389311   server_bridge_pool_end = 0.0.0.0
2021-02-06 17:41:24 us=389311   ifconfig_pool_defined = DISABLED
2021-02-06 17:41:24 us=389311   ifconfig_pool_start = 0.0.0.0
2021-02-06 17:41:24 us=389311   ifconfig_pool_end = 0.0.0.0
2021-02-06 17:41:24 us=389311   ifconfig_pool_netmask = 0.0.0.0
2021-02-06 17:41:24 us=389311   ifconfig_pool_persist_filename = '[UNDEF]'
2021-02-06 17:41:24 us=389311   ifconfig_pool_persist_refresh_freq = 600
2021-02-06 17:41:24 us=389311   ifconfig_ipv6_pool_defined = DISABLED
2021-02-06 17:41:24 us=389311   ifconfig_ipv6_pool_base = ::
2021-02-06 17:41:24 us=389311   ifconfig_ipv6_pool_netbits = 0
2021-02-06 17:41:24 us=389311   n_bcast_buf = 256
2021-02-06 17:41:24 us=389311   tcp_queue_limit = 64
2021-02-06 17:41:24 us=389311   real_hash_size = 256
2021-02-06 17:41:24 us=389311   virtual_hash_size = 256
2021-02-06 17:41:24 us=389311   client_connect_script = '[UNDEF]'
2021-02-06 17:41:24 us=389311   learn_address_script = '[UNDEF]'
2021-02-06 17:41:24 us=389311   client_disconnect_script = '[UNDEF]'
2021-02-06 17:41:24 us=389311   client_config_dir = '[UNDEF]'
2021-02-06 17:41:24 us=389311   ccd_exclusive = DISABLED
2021-02-06 17:41:24 us=389311   tmp_dir = 'C:\Users\user\AppData\Local\Temp\'
2021-02-06 17:41:24 us=389311   push_ifconfig_defined = DISABLED
2021-02-06 17:41:24 us=389311   push_ifconfig_local = 0.0.0.0
2021-02-06 17:41:24 us=389311   push_ifconfig_remote_netmask = 0.0.0.0
2021-02-06 17:41:24 us=389311   push_ifconfig_ipv6_defined = DISABLED
2021-02-06 17:41:24 us=389311   push_ifconfig_ipv6_local = ::/0
2021-02-06 17:41:24 us=389311   push_ifconfig_ipv6_remote = ::
2021-02-06 17:41:24 us=389311   enable_c2c = DISABLED
2021-02-06 17:41:24 us=389311   duplicate_cn = DISABLED
2021-02-06 17:41:24 us=389311   cf_max = 0
2021-02-06 17:41:24 us=389311   cf_per = 0
2021-02-06 17:41:24 us=389311   max_clients = 1024
2021-02-06 17:41:24 us=389311   max_routes_per_client = 256
2021-02-06 17:41:24 us=389311   auth_user_pass_verify_script = '[UNDEF]'
2021-02-06 17:41:24 us=389311   auth_user_pass_verify_script_via_file = DISABLED
2021-02-06 17:41:24 us=389311   auth_token_generate = DISABLED
2021-02-06 17:41:24 us=389311   auth_token_lifetime = 0
2021-02-06 17:41:24 us=389311   auth_token_secret_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311   vlan_tagging = DISABLED
2021-02-06 17:41:24 us=389311   vlan_accept = all
2021-02-06 17:41:24 us=389311   vlan_pvid = 1
2021-02-06 17:41:24 us=389311   client = ENABLED
2021-02-06 17:41:24 us=389311   pull = ENABLED
2021-02-06 17:41:24 us=389311   auth_user_pass_file = '[UNDEF]'
2021-02-06 17:41:24 us=389311   show_net_up = DISABLED
2021-02-06 17:41:24 us=389311   route_method = 3
2021-02-06 17:41:24 us=389311   block_outside_dns = DISABLED
2021-02-06 17:41:24 us=389311   ip_win32_defined = DISABLED
2021-02-06 17:41:24 us=389311   ip_win32_type = 1
2021-02-06 17:41:24 us=389311   dhcp_masq_offset = 0
2021-02-06 17:41:24 us=389311   dhcp_lease_time = 31536000
2021-02-06 17:41:24 us=389311   tap_sleep = 0
2021-02-06 17:41:24 us=389311   dhcp_options = DISABLED
2021-02-06 17:41:24 us=389311   dhcp_renew = DISABLED
2021-02-06 17:41:24 us=389311   dhcp_pre_release = DISABLED
2021-02-06 17:41:24 us=389311   domain = '[UNDEF]'
2021-02-06 17:41:24 us=389311   netbios_scope = '[UNDEF]'
2021-02-06 17:41:24 us=389311   netbios_node_type = 0
2021-02-06 17:41:24 us=389311   disable_nbt = DISABLED
2021-02-06 17:41:24 us=389311 OpenVPN 2.5.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2020
2021-02-06 17:41:24 us=389311 Windows version 10.0 (Windows 10 or greater) 64bit
2021-02-06 17:41:24 us=389311 library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Enter Management Password:
2021-02-06 17:41:24 us=389311 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2021-02-06 17:41:24 us=389311 Need hold release from management interface, waiting...
2021-02-06 17:41:24 us=869590 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2021-02-06 17:41:24 us=989278 MANAGEMENT: CMD 'state on'
2021-02-06 17:41:24 us=989278 MANAGEMENT: CMD 'log all on'
2021-02-06 17:41:25 us=159517 MANAGEMENT: CMD 'echo all on'
2021-02-06 17:41:25 us=159517 MANAGEMENT: CMD 'bytecount 5'
2021-02-06 17:41:25 us=169295 MANAGEMENT: CMD 'hold off'
2021-02-06 17:41:25 us=169295 MANAGEMENT: CMD 'hold release'
2021-02-06 17:41:25 us=999305 MANAGEMENT: CMD 'password [...]'
2021-02-06 17:41:26 us=7246 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-02-06 17:41:26 us=7246 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-02-06 17:41:26 us=7246 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-02-06 17:41:26 us=7246 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-02-06 17:41:26 us=7246 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2021-02-06 17:41:26 us=7246 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2021-02-06 17:41:26 us=7246 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1534,tun-mtu 1500,proto UDPv4,keydir 1,cipher CHACHA20-POLY1305,auth [null-digest],keysize 256,key-method 2,tls-client'
2021-02-06 17:41:26 us=7246 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1534,tun-mtu 1500,proto UDPv4,keydir 0,cipher CHACHA20-POLY1305,auth [null-digest],keysize 256,key-method 2,tls-server'
2021-02-06 17:41:26 us=7246 TCP/UDP: Preserving recently used remote address: [AF_INET]45.156.22.236:1194
2021-02-06 17:41:26 us=7246 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-02-06 17:41:26 us=7246 UDP link local: (not bound)
2021-02-06 17:41:26 us=7246 UDP link remote: [AF_INET]45.156.22.236:1194
2021-02-06 17:41:26 us=7246 MANAGEMENT: >STATE:1612622486,WAIT,,,,,,
2021-02-06 17:41:26 us=29504 MANAGEMENT: >STATE:1612622486,AUTH,,,,,,
2021-02-06 17:41:26 us=29504 TLS: Initial packet from [AF_INET]45.156.22.236:1194, sid=daa5fbeb 68ae9e22
2021-02-06 17:41:26 us=49353 VERIFY KU OK
2021-02-06 17:41:26 us=49353 Validating certificate extended key usage
2021-02-06 17:41:26 us=49353 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-02-06 17:41:26 us=49353 VERIFY EKU OK
2021-02-06 17:41:26 us=49353 VERIFY OK: depth=0, CN=server
2021-02-06 17:41:26 us=69240 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256
2021-02-06 17:41:26 us=69240 [server] Peer Connection Initiated with [AF_INET]45.156.22.236:1194
2021-02-06 17:41:26 us=89578 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher CHACHA20-POLY1305'
2021-02-06 17:41:26 us=89578 OPTIONS IMPORT: timers and/or timeouts modified
2021-02-06 17:41:26 us=89578 OPTIONS IMPORT: --ifconfig/up options modified
2021-02-06 17:41:26 us=89578 OPTIONS IMPORT: route options modified
2021-02-06 17:41:26 us=89578 OPTIONS IMPORT: peer-id set
2021-02-06 17:41:26 us=89578 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-02-06 17:41:26 us=89578 OPTIONS IMPORT: data channel crypto options modified
2021-02-06 17:41:26 us=89578 Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2021-02-06 17:41:26 us=89578 Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2021-02-06 17:41:26 us=89578 interactive service msg_channel=592
2021-02-06 17:41:26 us=89578 ROUTE_GATEWAY 192.168.88.1/255.255.255.0 I=12 HWADDR=d4:3d:7e:b1:3a:5e
2021-02-06 17:41:26 us=89578 open_tun
2021-02-06 17:41:26 us=99525 Ring buffers registered via service
2021-02-06 17:41:26 us=99525 wintun device [OpenVPN Wintun] opened
2021-02-06 17:41:26 us=99525 do_ifconfig, ipv4=1, ipv6=0
2021-02-06 17:41:26 us=99525 MANAGEMENT: >STATE:1612622486,ASSIGN_IP,,10.8.0.6,,,,
2021-02-06 17:41:26 us=99525 INET address service: add 10.8.0.6/30
2021-02-06 17:41:26 us=99525 IPv4 MTU set to 1500 on interface 11 using service
2021-02-06 17:41:26 us=99525 MANAGEMENT: >STATE:1612622486,ADD_ROUTES,,,,,,
2021-02-06 17:41:26 us=99525 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
2021-02-06 17:41:26 us=99525 Route addition via service succeeded
2021-02-06 17:41:26 us=99525 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
2021-02-06 17:41:26 us=109205 Route addition via service succeeded
2021-02-06 17:41:26 us=109205 Initialization Sequence Completed
2021-02-06 17:41:26 us=109205 MANAGEMENT: >STATE:1612622486,CONNECTED,SUCCESS,10.8.0.6,45.156.22.236,1194,,

Post by mooduck » Sat Feb 06, 2021 2:57 pm

I'm confused by the

Code:

auth [null-digest]

in that log; my guess is that it's because I use tls-crypt, not tls-auth.

Post by TinCanTech » Sat Feb 06, 2021 3:26 pm

mooduck wrote:
Sat Feb 06, 2021 2:57 pm
I'm confused by the

Code:

auth [null-digest]

in that log; my guess is that it's because I use tls-crypt, not tls-auth.

It's complicated..

Computer security is complicated and because of that, people who understand how these things fit together make a lot of decisions for you, in order that things work correctly. It is easy to misconfigure openvpn and end up with insecure settings.

Something which may help you see the bigger picture:
  • --auth is applied to data channel packets
    The data channel cipher may over-write your configured HASH algorithm
  • --tls-auth is applied to control channel packets
    The control channel cipher will almost certainly over-write your configured HASH algorithm
Reason: Some of those advanced ciphers have hashing built-in, which is faster and more reliable.

Post by mooduck » Sat Feb 06, 2021 3:38 pm

TinCanTech wrote:
Sat Feb 06, 2021 3:26 pm
It is easy to misconfigure openvpn and end up with insecure settings.

Exactly! Insecure settings, that's what I'm afraid of mostly (don't know why - NSA can crack anything though).
Everything is in its place now - in the cipher chacha20poly1305, poly1305 is the auth alg for the MAC that overwrites my auth setting (again, just guessing).
Thanks for the answer, man! I guess the only thing I can do about it is drink to the people who provide us with those "computer security things" (that I don't know sh about).

Post by TinCanTech » Sat Feb 06, 2021 4:05 pm

mooduck wrote:
Sat Feb 06, 2021 3:38 pm
NSA can crack anything though

They wish :D

They have been caught trying to poison code but they cannot crack anything yet. Unless they arrest you..

Post by mooduck » Wed Feb 10, 2021 5:23 am

Well, I can confirm that BLAKE2 is working, so you can close this thread.
Like I was guessing (and you were right) - when I use tls-auth everything is fine and nothing seems to overwrite my auth settings:

Code:

Outgoing Control Channel Authentication: Using 512 bit message hash 'BLAKE2b512' for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash 'BLAKE2b512' for HMAC authentication

But when I switch to tls-crypt, the auth option becomes useless 'cause it doesn't set the hash algo you want; something overwrites this option.

Post by TinCanTech » Wed Feb 10, 2021 4:34 pm

--tls-crypt does not use a hash it uses crypto .. so no hash.
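
The check this thread arrives at by reading logs, written as an added example (not code from any poster or from the OpenVPN project): it compares the configured auth digest with the digest and cipher the log reports as in use. Function and field names are illustrative; the first sample pair is copied from the config and log lines posted above, and the tls-auth pair is constructed around the log line from the Feb 10 post.

```python
import re

# Data-channel ciphers with a built-in authentication tag (AEAD). The man page
# text quoted in the thread says --auth is ignored for the data channel then.
AEAD_SUFFIXES = ("-GCM", "-POLY1305")

# Log formats as they appear in the thread: the "Encryption" form was logged
# with tls-crypt, the "Authentication" form with tls-auth.
CONTROL_HASH = re.compile(
    r"Outgoing Control Channel (?:Encryption|Authentication): "
    r"Using \d+ bit message hash '([^']+)' for HMAC authentication")
DATA_CIPHER = re.compile(r"Outgoing Data Channel: Cipher '([^']+)' initialized")


def parse_config(text):
    """Map each directive to its argument list (a later line overrides)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        name, *args = line.split()
        opts[name.lstrip("-")] = args
    return opts


def audit(config_text, log_text):
    """Compare the configured auth digest with what the log says is in use."""
    opts = parse_config(config_text)
    configured = (opts.get("auth") or ["SHA1"])[0]   # quoted man page: default SHA1
    if "tls-crypt" in opts or "tls-crypt-v2" in opts:
        wrapper = "tls-crypt"
    elif "tls-auth" in opts:
        wrapper = "tls-auth"
    else:
        wrapper = None

    m = CONTROL_HASH.search(log_text)
    control_digest = m.group(1) if m else None
    m = DATA_CIPHER.search(log_text)
    data_cipher = m.group(1) if m else None
    aead = data_cipher is not None and data_cipher.upper().endswith(AEAD_SUFFIXES)

    findings = []
    control_uses_auth = None                     # None = no evidence in the log
    if control_digest is not None:
        control_uses_auth = control_digest.upper() == configured.upper()
        if not control_uses_auth:
            findings.append(f"control channel ({wrapper}) uses HMAC-{control_digest}, "
                            f"not the configured auth {configured}")
    data_uses_auth = None
    if data_cipher is not None:
        data_uses_auth = not aead
        if aead:
            findings.append(f"data channel cipher {data_cipher} is AEAD, "
                            f"so auth {configured} is ignored there")
    return {
        "configured_auth": configured,
        "control_wrapper": wrapper,
        "control_digest": control_digest,
        "control_uses_auth": control_uses_auth,
        "data_cipher": data_cipher,
        "data_uses_auth": data_uses_auth,
        "findings": findings,
    }


# Directives from the posted server.conf; log lines from the posted client log.
THREAD_CONFIG = """\
tls-crypt ta.key
data-ciphers CHACHA20-POLY1305
cipher CHACHA20-POLY1305
auth BLAKE2b512
"""
THREAD_LOG = """\
2021-02-06 17:41:26 us=7246 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-02-06 17:41:26 us=89578 Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
"""
# Constructed tls-auth variant; its control-channel line is the one posted on Feb 10.
TLS_AUTH_CONFIG = THREAD_CONFIG.replace("tls-crypt", "tls-auth")
TLS_AUTH_LOG = """\
Outgoing Control Channel Authentication: Using 512 bit message hash 'BLAKE2b512' for HMAC authentication
Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
"""

if __name__ == "__main__":
    for label, cfg, log in (("tls-crypt", THREAD_CONFIG, THREAD_LOG),
                            ("tls-auth", TLS_AUTH_CONFIG, TLS_AUTH_LOG)):
        result = audit(cfg, log)
        print(label, "->", result["findings"] or "auth is used as configured")
```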