Scripts to manage certificates or generate config files
Moderators: TinCanTech
-
Anton
- OpenVpn Newbie
- Posts: 4
- Joined: Wed Mar 06, 2013 5:29 am
by Anton » Wed Mar 06, 2013 4:55 pm
Hi,
I'm a newbie with OpenVPN.
I am missing some ciphers in OpenVPN even though OpenSSL shows them. Why doesn't OpenVPN recognize the rest of the ciphers?
How can I add Camellia to OpenVPN? Is there some tutorial or help?
This is what OpenSSL v0.9.8e and OpenVPN v2.0 show me:
Code:
#openssl -h
openssl:Error: 'c-h' is an invalid command.
...
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx idea
idea-cbc idea-cfb idea-ecb idea-ofb
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40
Code:
#openvpn --show-ciphers
The following ciphers and cipher modes are available
for use with OpenVPN. Each cipher shown below may be
used as a parameter to the --cipher option. The default
key size is shown as well as whether or not it can be
changed with the --keysize directive. Using a CBC mode
is recommended.
DES-CBC 64 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
Any help would be appreciated.
Thanks so much,
-
IncreasedSecurity
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Feb 25, 2013 1:04 am
by IncreasedSecurity » Thu Mar 07, 2013 4:20 am
I'd suggest upgrading to a newer version of OpenVPN - 2.0.0 is very old. We've got various 2.1.x's, 2.2.x's, and 2.3.0 all available now. Even Debian 6 (Squeeze) stable is on OpenVPN 2.2.1!
On Windows, at least, OpenVPN installs its own local OpenSSL copy, which is often a different version than the one in the system path - I'm not sure how it works on Linux.
If you get any of the GCM ciphers working, please let us know!
-
Anton
- OpenVpn Newbie
- Posts: 4
- Joined: Wed Mar 06, 2013 5:29 am
by Anton » Fri Mar 08, 2013 4:19 am
I think there is no special version of OpenSSL in the tar.gz. When OpenVPN starts to compile, there is an include of the system file /usr/include/openssl/evp.h. Here are the constants for the ciphers on my system. I have Camellia, so I don't understand why it is not included in the compilation.
Is there another issue affecting this inclusion? What can it be?
Is there an OpenVPN able to include all the ciphers of OpenSSL?
Code:
/* /usr/include/openssl/evp.h */
/* ... */
#ifndef OPENSSL_NO_CAMELLIA
const EVP_CIPHER *EVP_camellia_128_ecb(void);
const EVP_CIPHER *EVP_camellia_128_cbc(void);
const EVP_CIPHER *EVP_camellia_128_cfb1(void);
const EVP_CIPHER *EVP_camellia_128_cfb8(void);
const EVP_CIPHER *EVP_camellia_128_cfb128(void);
# define EVP_camellia_128_cfb EVP_camellia_128_cfb128
const EVP_CIPHER *EVP_camellia_128_ofb(void);
const EVP_CIPHER *EVP_camellia_192_ecb(void);
const EVP_CIPHER *EVP_camellia_192_cbc(void);
const EVP_CIPHER *EVP_camellia_192_cfb1(void);
const EVP_CIPHER *EVP_camellia_192_cfb8(void);
const EVP_CIPHER *EVP_camellia_192_cfb128(void);
# define EVP_camellia_192_cfb EVP_camellia_192_cfb128
const EVP_CIPHER *EVP_camellia_192_ofb(void);
const EVP_CIPHER *EVP_camellia_256_ecb(void);
const EVP_CIPHER *EVP_camellia_256_cbc(void);
const EVP_CIPHER *EVP_camellia_256_cfb1(void);
const EVP_CIPHER *EVP_camellia_256_cfb8(void);
const EVP_CIPHER *EVP_camellia_256_cfb128(void);
# define EVP_camellia_256_cfb EVP_camellia_256_cfb128
const EVP_CIPHER *EVP_camellia_256_ofb(void);
#endif
Thanks!
-
IncreasedSecurity
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Feb 25, 2013 1:04 am
by IncreasedSecurity » Fri Mar 08, 2013 5:45 am
Hmm... I just checked some machines, all of which have openssl and openvpn installed from the package managers (Synaptic/apt) from normal Debian repositories.
OpenVPN 2.2.1 on Debian 6 (Squeeze), with OpenSSL 0.9.8o, only shows the older ciphers - no Camellia, GCM, or EC.
OpenVPN 2.2.1 on Debian 7 (Wheezy) with OpenSSL 1.0.1e does show Camellia, GCM mode AES, and EC ciphers.
-
Anton
- OpenVpn Newbie
- Posts: 4
- Joined: Wed Mar 06, 2013 5:29 am
by Anton » Fri Mar 08, 2013 5:59 am
Many thanks for your comments.
I have updated OpenVPN from the CentOS RPMforge repositories, and there is the same issue.
Is this normal?
Code:
OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Apr 5 2012
/usr/sbin/openvpn --show-ciphers
The following ciphers and cipher modes are available
for use with OpenVPN. Each cipher shown below may be
used as a parameter to the --cipher option. The default
key size is shown as well as whether or not it can be
changed with the --keysize directive. Using a CBC mode
is recommended.
DES-CFB 64 bit default key (fixed)
DES-CBC 64 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
RC2-CFB 128 bit default key (variable)
RC2-OFB 128 bit default key (variable)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DES-OFB 64 bit default key (fixed)
DES-EDE-CFB 128 bit default key (fixed)
DES-EDE3-CFB 192 bit default key (fixed)
DES-EDE-OFB 128 bit default key (fixed)
DES-EDE3-OFB 192 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
BF-CFB 128 bit default key (variable)
BF-OFB 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
CAST5-CFB 128 bit default key (variable)
CAST5-OFB 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-128-OFB 128 bit default key (fixed)
AES-128-CFB 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-192-OFB 192 bit default key (fixed)
AES-192-CFB 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
AES-256-OFB 256 bit default key (fixed)
AES-256-CFB 256 bit default key (fixed)
AES-128-CFB1 128 bit default key (fixed)
AES-192-CFB1 192 bit default key (fixed)
AES-256-CFB1 256 bit default key (fixed)
AES-128-CFB8 128 bit default key (fixed)
AES-192-CFB8 192 bit default key (fixed)
AES-256-CFB8 256 bit default key (fixed)
DES-CFB1 64 bit default key (fixed)
DES-CFB8 64 bit default key (fixed)
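Added example, not part of the original posts: a small shell helper that compares the two listings quoted in this thread and prints the ciphers OpenSSL advertises but the OpenVPN build does not offer. The function names are hypothetical and the sample input is constructed (abridged from the listings above); it compares CBC-mode names by default.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
export LC_ALL=C   # same collation for sort and comm

# Names from `openvpn --show-ciphers` (stdin); data lines look like
# "AES-128-CBC 128 bit default key (fixed)".
openvpn_cipher_names() {
    awk '$3 == "bit" && $4 == "default" { print tolower($1) }' | sort -u
}

# Names ending in -$1 (default: cbc) from the "Cipher commands" part of the
# openssl command listing (stdin). Aliases without a mode suffix (bf, des3)
# and non-ciphers (base64) are dropped by the suffix filter.
openssl_cipher_names() {
    awk -v mode="${1:-cbc}" '
        /^Cipher commands/ { on = 1; next }
        on { for (i = 1; i <= NF; i++)
                 if (tolower($i) ~ ("-" mode "$")) print tolower($i) }' | sort -u
}

# $1: file with the openssl listing, $2: file with the openvpn listing,
# $3: optional mode suffix. Prints ciphers OpenSSL lists that OpenVPN does not.
missing_in_openvpn() {
    a=$(mktemp) && b=$(mktemp) || return 1
    openssl_cipher_names "${3:-cbc}" < "$1" > "$a"
    openvpn_cipher_names < "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample input, abridged from the listings quoted in the thread.
sample_openssl() { cat <<'EOF'
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-256-cbc base64 bf
bf-cbc camellia-128-cbc camellia-256-cbc des3 idea-cbc
EOF
}
sample_openvpn() { cat <<'EOF'
The following ciphers and cipher modes are available
BF-CBC 128 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
EOF
}
```

Save each tool's listing to a file and pass the two paths to missing_in_openvpn. For a dynamically linked build on Linux, `ldd "$(command -v openvpn)"` shows which libcrypto the binary actually loads, which may differ from the `openssl` command found in the path.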
-
IncreasedSecurity
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Feb 25, 2013 1:04 am
by IncreasedSecurity » Sat Mar 09, 2013 9:58 pm
I'm afraid that I am unable to help on a CentOS project.
Debian 6 and 7 do have working OpenVPN installations, and you could also run a pfSense VM (FreeBSD based) and use that for OpenVPN and perhaps other features.
Good luck - if you ever get it fixed, drop a post!
-
Douglas
- Forum Team
- Posts: 285
- Joined: Wed Aug 27, 2008 2:41 am
by Douglas » Mon Mar 11, 2013 4:13 am
I know it's bad to say because it makes me look bad, but I use pfSense often for quick-n-dirty VPNs and it works great.