Cipher algorithm ChaCha20-Poly1305

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
bb8
OpenVpn Newbie
Posts: 5
Joined: Mon Nov 15, 2021 10:48 am

Cipher algorithm ChaCha20-Poly1305

Post by bb8 » Mon Nov 15, 2021 11:07 am

Hello!
I have updated the OpenVPN server from version 2.4.0 to 2.5.4. To reduce the load on the CPU of some OpenVPN clients, I want to use the ChaCha20-Poly1305 encryption algorithm; for this I added the following to server.conf:

Code:

data-ciphers CHACHA20-POLY1305:AES-128-GCM
Then I restart the openvpn daemon and see an error in the logs:

Code:

2021-11-15 14:05:15 us=749342 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2021-11-15 14:05:15 us=749559 Cipher algorithm 'ChaCha20-Poly1305' not found
2021-11-15 14:05:15 us=749623 Unsupported cipher in --data-ciphers: CHACHA20-POLY1305
Options error: NCP cipher list contains unsupported ciphers or is too long.
Can you tell me how to use the cipher algorithm ChaCha20-Poly1305 on the server?

server.conf

Code:

mode server
dev tun
topology subnet
server 10.128.1.0 255.255.255.0 nopool
ifconfig-pool 10.128.1.101 10.128.1.254
client-config-dir /usr/local/etc/ccd2
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option WINS 192.168.0.102"
tls-server
#crl-verify keyDM/crl.pem
ca keyDM/ca.crt
cert keyDM/server.crt
key keyDM/server.key
dh keyDM/dh.pem
;duplicate-cn
proto udp
port 1702
client-to-client
comp-lzo
keepalive 5 20
verb 4
cipher AES-128-GCM
data-ciphers CHACHA20-POLY1305:AES-128-GCM
user nobody
group nogroup
max-clients 30
management localhost 7778
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
log-append /var/log/openvpnDM.log
route 192.168.1.0 255.255.255.0
Openvpn server logs:

Code:

2021-11-15 14:07:39 us=546276 DEPRECATED OPTION: --cipher set to 'CHACHA20-POLY1305:AES-128-GCM' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'CHACHA20-POLY1305:AES-128-GCM' to --data-ciphers or change --cipher 'CHACHA20-POLY1305:AES-128-GCM' to --data-ciphers-fallback 'CHACHA20-POLY1305:AES-128-GCM' to silence this warning.
2021-11-15 14:07:39 us=546304 Cipher algorithm 'ChaCha20-Poly1305' not found
2021-11-15 14:07:39 us=546315 Unsupported cipher in --data-ciphers: CHACHA20-POLY1305
Options error: NCP cipher list contains unsupported ciphers or is too long.
Use --help for more information.
2021-11-15 14:07:58 us=228260 MULTI: Learn: 192.168.1.1 -> keeneticdm/31.173.87.205:22233
2021-11-15 14:09:07 us=507229 Cipher algorithm 'ChaCha20-Poly1305' not found
2021-11-15 14:09:07 us=507383 Unsupported cipher in --data-ciphers: CHACHA20-POLY1305
Options error: NCP cipher list contains unsupported ciphers or is too long.
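The deprecation warning in the log above spells out the 2.5 way of expressing cipher choice: negotiated ciphers go in --data-ciphers, and --cipher becomes --data-ciphers-fallback for clients that cannot negotiate. The fragment below is an added example, not the poster's configuration; it assumes a build whose `openvpn --show-ciphers` output actually lists CHACHA20-POLY1305, which the Debian 9 build in this thread does not.

```conf
# Ciphers offered during negotiation, most preferred first.
# CHACHA20-POLY1305 only works if the linked OpenSSL exposes it
# (check with: openvpn --show-ciphers).
data-ciphers CHACHA20-POLY1305:AES-128-GCM

# Used only for clients that do not support cipher negotiation;
# replaces the deprecated "cipher AES-128-GCM" line.
data-ciphers-fallback AES-128-GCM
```

Keeping the fallback cipher inside the --data-ciphers list (as AES-128-GCM is here) avoids the "set to ... but missing in --data-ciphers" warning shown in the log.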

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cipher algorithm ChaCha20-Poly1305

Post by TinCanTech » Mon Nov 15, 2021 2:27 pm

See: openvpn --show-ciphers
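The check TinCanTech points at can be scripted so that a --data-ciphers list is validated against what the local build reports before the daemon is restarted and refuses to start. The script below is an added example and not part of any reply in this thread; it embeds a constructed, shortened `openvpn --show-ciphers` output (modelled on the Debian 9 output posted later) so it runs offline, and the function names `cipher_names`, `unsupported_ciphers` and `check_data_ciphers` are the example's own.

```shell
#!/bin/sh
# Constructed sample of `openvpn --show-ciphers` output, trimmed to a few
# entries. Like the poster's Debian 9 build, it has no CHACHA20-POLY1305.
SAMPLE_SHOW_CIPHERS='The following ciphers and cipher modes are available for use
with OpenVPN.  Each cipher shown below may be used as a
parameter to the --data-ciphers (or --cipher) option.

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CBC  (128 bit key, 128 bit block)
SEED-CBC  (128 bit key, 128 bit block)'

# Print the cipher names from show-ciphers output, one per line, uppercased.
# Entry lines start with the name followed by two spaces and "(".
cipher_names() {
    printf '%s\n' "$1" | awk '/^[A-Za-z0-9-]+  \(/ { print toupper($1) }'
}

# Print each entry of a colon-separated --data-ciphers list ($1) that does
# not appear in the show-ciphers output ($2). Prints nothing if all match.
unsupported_ciphers() {
    names=$(cipher_names "$2")
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r c; do
        [ -z "$c" ] && continue
        uc=$(printf '%s' "$c" | tr '[:lower:]' '[:upper:]')
        if ! printf '%s\n' "$names" | grep -qx -- "$uc"; then
            printf '%s\n' "$c"
        fi
    done
}

# Return 0 if every cipher in the list is supported, 1 otherwise, reporting
# offenders the way OpenVPN's own options check does.
check_data_ciphers() {
    bad=$(unsupported_ciphers "$1" "$2")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | while IFS= read -r c; do
        printf 'Unsupported cipher in --data-ciphers: %s\n' "$c" >&2
    done
    return 1
}

# On a real host (not run here), validate the list against the live build:
#   check_data_ciphers "CHACHA20-POLY1305:AES-128-GCM" "$(openvpn --show-ciphers)"
```

Run against the sample, `check_data_ciphers "CHACHA20-POLY1305:AES-128-GCM" "$SAMPLE_SHOW_CIPHERS"` fails and names CHACHA20-POLY1305, which is exactly the failure the poster saw at restart; substituting the live `openvpn --show-ciphers` output turns this into a pre-restart check.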

bb8
OpenVpn Newbie
Posts: 5
Joined: Mon Nov 15, 2021 10:48 am

Re: Cipher algorithm ChaCha20-Poly1305

Post by bb8 » Mon Nov 15, 2021 7:08 pm

TinCanTech wrote:
Mon Nov 15, 2021 2:27 pm
See: openvpn --show-ciphers

Code:

root@toys-vpn:/home/r2d2# openvpn  --show-ciphers
The following ciphers and cipher modes are available for use
with OpenVPN.  Each cipher shown below may be used as a
parameter to the --data-ciphers (or --cipher) option.  The
default key size is shown as well as whether or not it can be
changed with the --keysize directive.  Using a GCM or CBC mode
is recommended.  In static key mode only CBC mode is allowed.

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC  (192 bit key, 128 bit block)
AES-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CBC  (128 bit key, 128 bit block)
CAMELLIA-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CBC  (192 bit key, 128 bit block)
CAMELLIA-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CBC  (256 bit key, 128 bit block)
CAMELLIA-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
SEED-CBC  (128 bit key, 128 bit block)
SEED-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
SEED-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
How do I add the CHACHA20-POLY1305 cipher to this list?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cipher algorithm ChaCha20-Poly1305

Post by TinCanTech » Mon Nov 15, 2021 7:57 pm

What distro are you using and what version of openssl?

bb8
OpenVpn Newbie
Posts: 5
Joined: Mon Nov 15, 2021 10:48 am

Re: Cipher algorithm ChaCha20-Poly1305

Post by bb8 » Tue Nov 16, 2021 5:05 am

TinCanTech wrote:
Mon Nov 15, 2021 7:57 pm
What distro are you using and what version of openssl?
lsb_release -a

Code:

No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 9.13 (stretch)
Release:	9.13
Codename:	stretch
OpenSSL> version

Code:

OpenSSL 1.1.0l  10 Sep 2019

bb8
OpenVpn Newbie
Posts: 5
Joined: Mon Nov 15, 2021 10:48 am

Re: Cipher algorithm ChaCha20-Poly1305

Post by bb8 » Tue Nov 16, 2021 8:46 am

Updated OpenSSL to 3.0.0.7, but still no ChaCha20-Poly1305:

Code:

root@toys-vpn:/home/r2d2# openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)

Code:

root@toys-vpn:/home/r2d2# openvpn --show-ciphers
The following ciphers and cipher modes are available for use
with OpenVPN.  Each cipher shown below may be used as a
parameter to the --data-ciphers (or --cipher) option.  The
default key size is shown as well as whether or not it can be
changed with the --keysize directive.  Using a GCM or CBC mode
is recommended.  In static key mode only CBC mode is allowed.

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC  (192 bit key, 128 bit block)
AES-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CBC  (128 bit key, 128 bit block)
CAMELLIA-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CBC  (192 bit key, 128 bit block)
CAMELLIA-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CBC  (256 bit key, 128 bit block)
CAMELLIA-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
CAMELLIA-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
SEED-CBC  (128 bit key, 128 bit block)
SEED-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
SEED-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
I did the same on another server (Xubuntu 20.04 LTS), and there ChaCha20-Poly1305 is present. I'm confused.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cipher algorithm ChaCha20-Poly1305

Post by TinCanTech » Tue Nov 16, 2021 1:05 pm

Upgrade to Debian 10.

bb8
OpenVpn Newbie
Posts: 5
Joined: Mon Nov 15, 2021 10:48 am

Re: Cipher algorithm ChaCha20-Poly1305

Post by bb8 » Wed Nov 17, 2021 10:30 am

TinCanTech wrote:
Tue Nov 16, 2021 1:05 pm
Upgrade to Debian 10.
Many thanks. The problem was in Debian 9.
