peer info: IV_VER=2.3.4 every hour in server log

ThePiratkapten
OpenVpn Newbie
Posts: 5
Joined: Sat May 20, 2017 9:11 am


Post by ThePiratkapten » Sun Oct 29, 2017 4:43 pm

Hi!

I have a tunnel between two RPis. I recently upgraded the server to use OpenVPN 2.4.4 instead of 2.3.something. I did not change the configuration (except that I added ncp-disable). The client still uses the 2.3 version.

Now in the server log, this is printed exactly once every hour, and I want to get rid of it, so that more vital messages aren't missed when I check the log.

Sun Oct 29 17:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_VER=2.3.4
Sun Oct 29 17:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_PLAT=linux

Server


; General
; ---------------------------------------------------------

dev tun0
proto udp
port 1234
client-config-dir /etc/openvpn/ccd

keepalive 10 120
max-clients 20
tls-server

log-append /home/openvpnn/server/log.txt
status /home/openvpnn/server/status.txt

mute-replay-warnings
verb 1

; Network
; ---------------------------------------------------------

topology subnet
client-to-client

server 10.1.2.0 255.255.255.0

route 10.2.1.0 255.255.255.0 10.1.2.2 30


; Security
; ---------------------------------------------------------

dh /etc/openvpn/auth/dh4096.pem
tls-auth /etc/openvpn/auth/static.key 0
ca /etc/openvpn/auth/ca.crt
cert /etc/openvpn/auth/serverA-v1.crt
key /etc/openvpn/auth/serverA-v1.key
crl-verify /etc/openvpn/auth/crl.pem

ncp-disable
cipher AES-256-CBC
auth SHA256

tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
remote-cert-eku "TLS Web Client Authentication" # Extended key usage
remote-cert-tls client # Key usage

persist-key
persist-tun
user openvpnr
group openvpnr

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn


Client


; General
; ---------------------------------------------------------

client
dev tun1
proto udp
remote x.x.x.x 1234

resolv-retry infinite
connect-retry 5 300
explicit-exit-notify
nobind
tls-client

log-append /home/openvpnn/client/log.txt
status /home/openvpnn/client/status.txt

verb 2

; Network
; ---------------------------------------------------------

route 10.1.1.0 255.255.255.0 10.1.2.1


; Security
; ---------------------------------------------------------

tls-auth /etc/openvpn/auth/static.key 1
ca /etc/openvpn/auth/ca.crt
cert /etc/openvpn/auth/clientB-v1.crt
key /etc/openvpn/auth/clientB-v1.key
crl-verify /etc/openvpn/auth/crl.pem

tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
remote-cert-eku "TLS Web Server Authentication"
remote-cert-tls server
verify-x509-name serverA-v1 name

cipher AES-256-CBC
auth SHA256

auth-user-pass /etc/openvpn/auth/login.conf
auth-retry nointeract

persist-key
persist-tun
user openvpnr
group openvpnr
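As an added example (my own, not code from this post or from the OpenVPN project), the script below reads a verb 1 server log in the format quoted above, folds the routine "peer info:" lines into a per-client summary, checks that the handshakes they mark arrive at the expected --reneg-sec cadence (OpenVPN's default of 3600 seconds is assumed), and returns every other line untouched so it cannot be missed. The log lines embedded in it are constructed from the two quoted in the post; "cn-name" and "x.x.x.x" are the post's own placeholders, and the "TLS Error" line and the early second handshake are invented to show what gets surfaced.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of an OpenVPN server log at verb 1, modelled on the two
# lines quoted in the post. "cn-name" and "x.x.x.x" are the post's own
# placeholders, not real identifiers. The 17:40 TLS Error line and the
# 18:20 handshake (only 382 s after the previous one, from a new source
# port) are invented to show what the script surfaces.
SAMPLE_LOG = """\
Sun Oct 29 16:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_VER=2.3.4
Sun Oct 29 16:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_PLAT=linux
Sun Oct 29 17:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_VER=2.3.4
Sun Oct 29 17:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_PLAT=linux
Sun Oct 29 17:40:02 2017 cn-name/x.x.x.x:37708 TLS Error: incoming packet authentication failed from [AF_INET]x.x.x.x:37708
Sun Oct 29 18:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_VER=2.3.4
Sun Oct 29 18:13:48 2017 cn-name/x.x.x.x:37708 peer info: IV_PLAT=linux
Sun Oct 29 18:20:10 2017 cn-name/x.x.x.x:41022 peer info: IV_VER=2.3.4
Sun Oct 29 18:20:10 2017 cn-name/x.x.x.x:41022 peer info: IV_PLAT=linux
"""

# OpenVPN prefixes each line with a ctime()-style timestamp.
TS_FMT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<rest>.*)$")
# Per-client lines carry "<common name>/<ip>:<port> " before the message.
PEER_RE = re.compile(r"^(?P<cn>[^/\s]+)/(?P<addr>\S+:\d+) (?P<msg>.*)$")
PEER_INFO_RE = re.compile(r"^peer info: (?P<key>IV_\w+)=(?P<val>\S*)$")

DEFAULT_RENEG_SEC = 3600  # assumed: OpenVPN's default --reneg-sec


def parse_line(line):
    """Split one log line into timestamp, common name (or None) and message."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    rest = m.group("rest")
    pm = PEER_RE.match(rest)
    if pm:
        return {"ts": ts, "cn": pm.group("cn"), "msg": pm.group("msg")}
    return {"ts": ts, "cn": None, "msg": rest}


def triage(log_text, expected_reneg_sec=DEFAULT_RENEG_SEC, tolerance=0.05):
    """Separate routine peer-info lines from everything else.

    Returns a dict with:
      peer_info: latest IV_* values per common name
      handshakes: ISO timestamps of each handshake (one IV_VER line each) per CN
      unexpected_intervals: (cn, iso timestamp, seconds) where the gap between
        two handshakes is not within tolerance of expected_reneg_sec, which is
        what a reconnect or restart looks like in this log
      other: every line that is not a peer-info line, verbatim
    """
    peer_info = defaultdict(dict)
    handshakes = defaultdict(list)
    other = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["cn"] is None:
            other.append(raw)
            continue
        pi = PEER_INFO_RE.match(rec["msg"])
        if not pi:
            other.append(raw)
            continue
        # Keyed by common name so a client that reconnects from a new source
        # port is still tracked as one client.
        peer_info[rec["cn"]][pi.group("key")] = pi.group("val")
        if pi.group("key") == "IV_VER":
            handshakes[rec["cn"]].append(rec["ts"])

    unexpected = []
    for cn, times in handshakes.items():
        for prev, cur in zip(times, times[1:]):
            gap = int((cur - prev).total_seconds())
            if abs(gap - expected_reneg_sec) > expected_reneg_sec * tolerance:
                unexpected.append((cn, cur.isoformat(), gap))
    return {
        "peer_info": dict(peer_info),
        "handshakes": {cn: [t.isoformat() for t in ts] for cn, ts in handshakes.items()},
        "unexpected_intervals": unexpected,
        "other": other,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for cn, info in result["peer_info"].items():
        print(f"{cn}: {info}")
    for cn, ts, gap in result["unexpected_intervals"]:
        print(f"{cn}: handshake at {ts} came {gap}s after the previous one")
    print("lines worth reading:")
    for line in result["other"]:
        print("  " + line)
```

Run against the sample, the peer-info noise collapses to one summary line per client, the 382-second gap is reported as an off-schedule handshake, and the TLS Error line is the only thing left in the "worth reading" list. Pointing it at the real log-append file instead of SAMPLE_LOG is the intended use.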

Pippin
OpenVPN Expert
Posts: 276
Joined: Wed Jul 01, 2015 8:03 am

Re: peer info: IV_VER=2.3.4 every hour in server log

Post by Pippin » Sun Oct 29, 2017 7:47 pm

A message every hour is hardly a problem in my eyes but you could do


reneg-sec 0
which will make it disappear from the log.
But look at --reneg-sec in the 2.4 manual.

I'm not aware of another "solution".
If you can, update to the latest version.

ThePiratkapten
OpenVpn Newbie
Posts: 5
Joined: Sat May 20, 2017 9:11 am

Re: peer info: IV_VER=2.3.4 every hour in server log

Post by ThePiratkapten » Mon Oct 30, 2017 4:21 pm

Thanks for replying! Having read the manual I don't think I will disable the renegotiation. But what about increasing the interval to perhaps 8 or 24 hours? What impact will it have on security?

Pippin
OpenVPN Expert
Posts: 276
Joined: Wed Jul 01, 2015 8:03 am

Re: peer info: IV_VER=2.3.4 every hour in server log

Post by Pippin » Tue Oct 31, 2017 1:42 pm

Renegotiation every hour is the default.
By the time the crypto used is broken it would mean the adversary can decrypt 1 hour of data.
For the next hour the process of decrypting would have to be repeated because of a different key.
Extending renegotiation time to 2 hours.... you get the point I think.

So I would think it depends on how important the data is, for how long it must be safe.
Your encrypted data can/could be stored now and by the time crypto is broken be decrypted.

I can of course be wrong so anyone more knowledgeable, chime in...

ThePiratkapten
OpenVpn Newbie
Posts: 5
Joined: Sat May 20, 2017 9:11 am

Re: peer info: IV_VER=2.3.4 every hour in server log

Post by ThePiratkapten » Wed Nov 01, 2017 6:42 pm

If all my data is stored, couldn't it all eventually be decrypted? If I have half the interval between the renegotiations it would just mean it would take twice as long, wouldn't it?

Pippin
OpenVPN Expert
Posts: 276
Joined: Wed Jul 01, 2015 8:03 am

Re: peer info: IV_VER=2.3.4 every hour in server log

Post by Pippin » Wed Nov 01, 2017 8:09 pm

> If all my data is stored, couldn't it all eventually be decrypted?
Yes, that's why I wrote "for how long it must be safe".
If some authority is interested in your traffic and trying to decrypt it, you have other problems, I would think ;)
> it would take twice as long, wouldn't it?
To decrypt the same amount of data, I would think yes.

ThePiratkapten
OpenVpn Newbie
Posts: 5
Joined: Sat May 20, 2017 9:11 am

Re: peer info: IV_VER=2.3.4 every hour in server log

Post by ThePiratkapten » Thu Nov 02, 2017 6:51 pm

All right, fair enough. Thanks for the insight :)
