OpenVPN Connect and OpenVPN Server v2.4

nickh
OpenVPN User
Posts: 13
Joined: Sun Mar 02, 2014 1:25 pm

OpenVPN Connect and OpenVPN Server v2.4

Post by nickh » Mon Feb 20, 2017 5:36 pm

Hi,
I am looking to upgrade to v2.4 of the client as soon as possible so I can change the cipher on the server to mitigate the SWEET32 issue. I have updated the Windoze clients, so they should now (if I understand correctly) be able to negotiate a cipher with my server (which is on 2.3.13 until the EPEL update, so I am planning to fix my server cipher manually once my clients can negotiate the cipher). I don't think the Android client (or iOS) has yet been upgraded to allow this, and I am not looking forward to updating all my Android clients manually. Do you know if an upgrade to OpenVPN Connect is in the pipeline to support this functionality?
TIA,
Nick

P.S. In the meantime I have set reneg-bytes 64000 on the server to mitigate the vulnerability.

ADFHAU
OpenVpn Newbie
Posts: 7
Joined: Thu May 11, 2017 2:59 am

Re: OpenVPN Connect and OpenVPN Server v2.4

Post by ADFHAU » Thu May 11, 2017 3:06 am

+1 ... are there plans to update the Android client to support stronger algorithms and other features supported by the OpenVPN 2.4 server?
How does the "OpenVPN core" version relate to the "OpenVPN server" version? Is there some specific feature-set correlation?

I have the latest version from Google Play installed on my handset, and it reports that its core libraries were built a year ago, in 2016.

nickh
OpenVPN User
Posts: 13
Joined: Sun Mar 02, 2014 1:25 pm

Re: OpenVPN Connect and OpenVPN Server v2.4

Post by nickh » Thu May 11, 2017 12:59 pm

Having updated my openvpn server to 2.4 and tried connecting from Android and iOS, both versions of OpenVPN Connect seem to support cipher negotiation and negotiate the AES-256-GCM cipher.

ADFHAU
OpenVpn Newbie
Posts: 7
Joined: Thu May 11, 2017 2:59 am

Re: OpenVPN Connect and OpenVPN Server v2.4

Post by ADFHAU » Wed May 17, 2017 9:40 am

I find it's still barfing on the auth cipher when I dropped it from 512 to 256.

client.ovpn:

client
dev tun
proto udp
remote MYIP MYPORT
float
ncp-ciphers AES-256-GCM:AES-256-CBC
auth RSA-SHA256
compress lz4
keepalive 15 60
auth-user-pass
ns-cert-type server

config.ovpn:

daemon
topology subnet
server 192.168.2.0 255.255.255.0
proto udp
port MYPORT
dev tun21
ncp-ciphers AES-256-GCM:AES-256-CBC
auth RSA-SHA256
compress lz4
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
client-to-client
duplicate-cn
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
tls-crypt static.key
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 10
tls-version-min 1.2
cipher AES-256-GCM

nickh
OpenVPN User
Posts: 13
Joined: Sun Mar 02, 2014 1:25 pm

Re: OpenVPN Connect and OpenVPN Server v2.4

Post by nickh » Wed May 17, 2017 9:58 am

I didn't do anything to the client.ovpn file, so there is no ncp-ciphers line there. That way it is controlled from the server. My config.ovpn equivalent is also much simpler (no cipher, auth or tls-version lines, probably no tls-crypt line, and I don't have a few other lines which aren't relevant to encryption).

ADFHAU
OpenVpn Newbie
Posts: 7
Joined: Thu May 11, 2017 2:59 am

Re: OpenVPN Connect and OpenVPN Server v2.4

Post by ADFHAU » Sun May 21, 2017 4:42 am

Most of mine are generated by my router's firmware (Merlin AsusWRT) based upon preferences. I'm trying to figure out the highest encryption options possible with the Android client whilst avoiding things that have already been broken.

E.g. I want to avoid anything SHA1, DSA, <256 bit for symmetric + hash functions, <2048 bit for asymmetric, TLS <1.2
... partly based upon https://community.openvpn.net/openvpn/wiki/Hardening

From what I can tell, the OpenVPN Connect Android client uses an "OpenVPN 2.x"-compatible C++ API called "OpenVPN".
https://staging.openvpn.net/openvpn3/
... confusing much? The client code suffixes "Core" to the library name in the "about" dialogs, perhaps to retroactively deobfuscate. Therefore, the source code (including the Android client) available from the website is for OpenVPN Core v3.0 from 2014. The Android Play released version is from May 2016, OpenVPN Core v3.0.12. Meanwhile, OpenVPN (not OpenVPN Core) version 2.4 was released in December 2016. Therefore, the released OpenVPN Core source code lags by a good year and a half, and the released client is behind OpenVPN 2.4.0 by 7 months.

It does seem, however, that the alternative client, which isn't built on "OpenVPN 3" (the protocol client library) is "official" at least in the community sense, based upon
https://community.openvpn.net/openvpn/w ... forAndroid
... which is available from
https://play.google.com/store/apps/deta ... kt.openvpn
... It was last updated 14th May ... but
https://github.com/schwabe/openvpn/blob ... n-plugin.h
... suggests that it's still running OpenVPN v2.3 code.

Bottom line: no released OpenVPN client for Android uses or supports the full 2.4 feature set? Or am I misreading things?
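The two posted configs (client.ovpn and config.ovpn above) and the hardening wishlist (no SHA1, no 64-bit block ciphers, TLS 1.2 minimum) can be checked mechanically. The script below is an added example, not code from the thread or from the OpenVPN project: it parses an OpenVPN 2.x config and reports the settings discussed here, using the 2.3/2.4 defaults that apply when a directive is omitted (cipher BF-CBC, auth SHA1, tls-version-min 1.0, ncp-ciphers AES-256-GCM:AES-128-GCM). The reneg-bytes threshold of 64 MB and the sample configs embedded at the bottom are constructed for illustration; the sample server and client configs are copies of the ones posted above with the placeholders kept.

```python
"""Lint OpenVPN 2.x configs for SWEET32-prone ciphers, weak HMAC digests,
old TLS and deprecated directives. Added example; not the project's code."""
import shlex
from typing import Dict, List

# 64-bit block ciphers: data-channel traffic under these is exposed to SWEET32.
SWEET32_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "DES-EDE-CBC",
                   "CAST5-CBC", "IDEA-CBC", "RC2-CBC"}
WEAK_DIGESTS = {"MD5", "SHA", "SHA1", "RIPEMD160", "NONE"}
RENEG_BYTES_MAX = 64_000_000  # assumed cap: rekey well before 2^32 blocks


def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # OpenVPN comment lines
            continue
        parts = shlex.split(line)          # keeps push "..." as one argument
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def first_arg(d: Dict[str, List[List[str]]], name: str, default: str) -> str:
    """First argument of the first occurrence of a directive, or the default."""
    return d[name][0][0] if name in d and d[name][0] else default


def lint_ovpn(text: str, server: bool) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    d = parse_ovpn(text)
    findings: List[str] = []

    # 'cipher' is the fallback for peers that cannot negotiate (pre-2.4).
    cipher = first_arg(d, "cipher", "BF-CBC").upper()
    if cipher in SWEET32_CIPHERS:
        findings.append(f"cipher {cipher}: 64-bit block cipher, SWEET32 "
                        "(default when 'cipher' is omitted)")
        reneg = d.get("reneg-bytes")
        if reneg is None:
            findings.append("reneg-bytes not set: 64-bit block cipher needs "
                            "a renegotiation cap")
        elif int(reneg[0][0]) > RENEG_BYTES_MAX:
            findings.append(f"reneg-bytes {reneg[0][0]}: above assumed cap "
                            f"of {RENEG_BYTES_MAX}")

    # Negotiable list: a weak entry here allows a negotiated downgrade.
    ncp = first_arg(d, "ncp-ciphers", "AES-256-GCM:AES-128-GCM").upper()
    for c in ncp.split(":"):
        if c in SWEET32_CIPHERS:
            findings.append(f"ncp-ciphers offers {c}: negotiation can land "
                            "on a 64-bit block cipher")
    if "ncp-disable" in d:
        findings.append("ncp-disable: negotiation off, 'cipher' used as-is")

    # HMAC digest; 'RSA-' prefixed OpenSSL names mean the same digest.
    digest = first_arg(d, "auth", "SHA1").upper().replace("RSA-", "")
    if digest in WEAK_DIGESTS:
        findings.append(f"auth {digest}: weak HMAC digest "
                        "(default when 'auth' is omitted)")

    tls_min = first_arg(d, "tls-version-min", "1.0")
    if float(tls_min) < 1.2:
        findings.append(f"tls-version-min {tls_min}: TLS below 1.2 accepted")

    if server and not ("tls-auth" in d or "tls-crypt" in d):
        findings.append("no tls-auth/tls-crypt: control channel unprotected")
    if not server and "ns-cert-type" in d:
        findings.append("ns-cert-type: deprecated in 2.4, "
                        "use 'remote-cert-tls server'")
    return findings


# Constructed samples: the two configs posted in the thread, plus a minimal
# client config that relies entirely on defaults.
SERVER_CONF = """daemon
topology subnet
server 192.168.2.0 255.255.255.0
proto udp
port MYPORT
dev tun21
ncp-ciphers AES-256-GCM:AES-256-CBC
auth RSA-SHA256
compress lz4
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
client-to-client
duplicate-cn
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
tls-crypt static.key
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 10
tls-version-min 1.2
cipher AES-256-GCM
"""
CLIENT_CONF = """client
dev tun
proto udp
remote MYIP MYPORT
float
ncp-ciphers AES-256-GCM:AES-256-CBC
auth RSA-SHA256
compress lz4
keepalive 15 60
auth-user-pass
ns-cert-type server
"""
WEAK_CONF = """client
dev tun
proto udp
remote vpn.example.net 1194
"""

if __name__ == "__main__":
    for name, conf, is_server in (("server", SERVER_CONF, True),
                                  ("client", CLIENT_CONF, False),
                                  ("defaults-only", WEAK_CONF, False)):
        print(name, lint_ovpn(conf, is_server) or ["ok"])
```

Run against the posted files, the server config comes back clean, while the client config is flagged for the deprecated ns-cert-type, the missing tls-version-min, and the implicit BF-CBC fallback cipher (which a 2.4 peer will never actually use once AES-256-GCM is negotiated, but which is still worth pinning explicitly for older peers). The defaults-only client shows what an unconfigured 2.3-era setup looks like: BF-CBC, SHA1 and TLS 1.0 all accepted.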
