openvpn works with AES-256-CBC and doesnt work with AES-256-GCM

decehakan
OpenVpn Newbie
Posts: 5
Joined: Sun Dec 26, 2021 6:12 pm

openvpn works with AES-256-CBC and doesnt work with AES-256-GCM

Post by decehakan » Mon Dec 27, 2021 9:26 am

My OpenVPN server runs with RSA and static DH parameters and runs super fine. On the client and on the server I have chosen cipher AES-256-CBC, and when I read through the protocols it has chosen the best cipher, AES-256-GCM.

Now I change the cipher on the client and server to AES-256-GCM (server.conf / client.conf: cipher AES-256-GCM). Now I can no longer dial in to the VPN because it somehow no longer works. This is crazy and confusing.

If I use AES-256-CBC it is upgraded to AES-256-GCM.

And if I now select the entry cipher AES-256-GCM in both configs (server / client), it cannot dial in to the server.

Is this because GCM can only be used in conjunction with the entry "dh none"? If so, why is this upgraded to AES-256-GCM in the case of AES-256-CBC?

Many thanks and best regards

decehakan

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn works with AES-256-CBC and doesnt work with AES-256-GCM

Post by TinCanTech » Mon Dec 27, 2021 12:12 pm

decehakan wrote:
Mon Dec 27, 2021 9:26 am
Is this because GCM can only be used in conjunction with the entry "dh none"?
No. You did something incorrectly.

decehakan
OpenVpn Newbie
Posts: 5
Joined: Sun Dec 26, 2021 6:12 pm

Re: openvpn works with AES-256-CBC and doesnt work with AES-256-GCM

Post by decehakan » Tue Dec 28, 2021 9:19 am

After I deleted the --opt-verify option in server.conf and set the cipher AES-256-GCM on client and server, the client can now connect to the server.

The reason why I couldn't connect was the auth alg, which was compared by the --opt-verify flag.
Log:

SENT CONTROL [test12]: 'AUTH_FAILED' (status=1)

But on both sides (server.conf / client.conf) I'm using auth SHA256.

Reading the documentation:
If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth

Does that mean: if I'm using a GCM cipher, then I don't need the auth alg???

kind regards

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn works with AES-256-CBC and doesnt work with AES-256-GCM

Post by TinCanTech » Tue Dec 28, 2021 2:22 pm

decehakan wrote:
Tue Dec 28, 2021 9:19 am
Means that: If im using GCM cipher, than i dont need the auth alg ???
Not quite...

AEAD ciphers do not require authentication because it is built-in to the cipher.

However, OpenVPN options still require --auth alg to be correctly configured.

The best solution for you: Do not use --auth alg or --cipher cipher anywhere in your server and client config files.

The reason is: OpenVPN will automatically select --auth SHA1 (which is the correct default) and then ignore it,
and --cipher BF-CBC (which is fine for testing) and then negotiate it to cipher AES-256-GCM.

You really do not need --auth alg in any of your configs.

And do not worry about the default --cipher BF-CBC because --cipher is deprecated.
And --data-ciphers trumps --cipher. Default --data-ciphers: AES-256-GCM:AES-128-GCM

https://build.openvpn.net/man/openvpn-2 ... vpn.8.html

Try it for yourself..
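As an added example that is not part of this thread or of OpenVPN's own code, here is a small Python linter for the configuration shape discussed above: it flags an explicit AEAD --cipher combined with --auth, --opt-verify on the server, and the deprecated --cipher, and confirms the recommended shape with neither option set. The config parsing and the AEAD detection are simplified assumptions, not OpenVPN's own option handling.

```python
# Added example, not code from the thread or from the OpenVPN project.
# Simplified model: parse "option [value]" lines and report the findings
# the thread discusses. It does not reproduce OpenVPN's real OCC comparison.
import re

# Suffixes/markers of AEAD modes, whose tag replaces the --auth HMAC (assumption).
AEAD_MARKERS = ("-GCM", "-CCM", "POLY1305")


def parse_conf(text):
    """Parse 'option [value]' lines; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts[key.lstrip("-")] = value.strip()
    return opts


def is_aead(cipher):
    """True for AEAD cipher names such as AES-256-GCM."""
    return any(m in cipher.upper() for m in AEAD_MARKERS)


def lint(server_conf, client_conf):
    """Return a list of findings for a server/client config pair."""
    server, client = parse_conf(server_conf), parse_conf(client_conf)
    findings = []
    for side, o in (("server", server), ("client", client)):
        if "cipher" in o:
            findings.append(f"{side}: --cipher is deprecated; prefer --data-ciphers")
            if is_aead(o["cipher"]) and "auth" in o:
                findings.append(f"{side}: --auth {o['auth']} is ignored on the data "
                                f"channel with AEAD cipher {o['cipher']}")
    if "opt-verify" in server:
        findings.append("server: --opt-verify rejects clients whose option "
                        "string differs (AUTH_FAILED)")
    if not any(k in o for o in (server, client) for k in ("cipher", "auth", "opt-verify")):
        findings.append("ok: no explicit --cipher/--auth/--opt-verify; "
                        "default --data-ciphers negotiation applies")
    return findings


# Constructed sample configs (not the poster's files).
BROKEN_SERVER = "cipher AES-256-GCM\nauth SHA256\nopt-verify\ndh dh.pem\n"
BROKEN_CLIENT = "client\ncipher AES-256-GCM\nauth SHA256\n"
FIXED_SERVER = "dh dh.pem\n# cipher/auth removed; data-ciphers default applies\n"
FIXED_CLIENT = "client\n"
```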
