Compatible with OpenVPN 2.4 ?
-
- OpenVpn Newbie
- Posts: 17
- Joined: Wed Apr 18, 2012 7:43 am
Compatible with OpenVPN 2.4 ?
Hi, When will OpenVPN connect (iOS) be compatible with openVPN 2.4 ?
Can't use tls-crypt or AES-256-GCM on the client when connecting to a 2.4 server with these features enabled.
BR
Peter
-
- OpenVpn Newbie
- Posts: 1
- Joined: Sun Jan 01, 2017 5:53 pm
Re: Compatible with OpenVPN 2.4 ?
Same boat, but please also add support for:
ecdh-curve, the relevant EC tls-cipher (e.g. TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384), ncp-disable (and other ncp- options) and lz4 compression.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Jan 10, 2017 2:08 pm
Re: Compatible with OpenVPN 2.4 ?
I would like to have the app updated too...
I can still connect fine to my network... but I would gladly use the newer options offered in 2.4.x if the iOS app was able to use them.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
Hopefully it will be updated soon. Managed to set up all my desktops with elliptic crypto, and only because of iOS devices do I have to keep a sort of legacy setup on one ovpn instance.
-
- OpenVpn Newbie
- Posts: 17
- Joined: Wed Apr 18, 2012 7:43 am
Re: Compatible with OpenVPN 2.4 ?
dariusz wrote:
> Hopefully it will be updated soon. Managed to set up all my desktops with elliptic crypto, and only because of iOS devices do I have to keep a sort of legacy setup on one ovpn instance.

Do you have any good guide to share on how to set up your Server/Client using elliptic crypto?
Thanks
BR
Peter
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
Nope - I have not found anything good on the internet. I might create a post in this forum next week. I have had this running for a couple of days now and so far so good. When I am sure that all is stable I will post more details.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
It definitely works with both sides using the latest release 2.4. I run the server on a Raspberry Pi and the client on macOS.
Sun Jan 15 16:48:51 2017 us=6658 MULTI: multi_create_instance called
Sun Jan 15 16:48:51 2017 us=7112 81.109.233.126:56296 Re-using SSL/TLS context
Sun Jan 15 16:48:51 2017 us=7227 81.109.233.126:56296 LZ4 compression initializing
Sun Jan 15 16:48:51 2017 us=8148 81.109.233.126:56296 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Sun Jan 15 16:48:51 2017 us=8263 81.109.233.126:56296 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sun Jan 15 16:48:51 2017 us=8459 81.109.233.126:56296 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Sun Jan 15 16:48:51 2017 us=8532 81.109.233.126:56296 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Sun Jan 15 16:48:51 2017 us=8749 81.109.233.126:56296 TLS: Initial packet from [AF_INET]81.109.233.126:56296, sid=d27a8897 0d6387be
Sun Jan 15 16:48:51 2017 us=468990 81.109.233.126:56296 VERIFY OK: depth=1, C=US, ST=California, L=San Francisco, O=Copyleft Certificate Co, OU=My Organizational Unit, CN=EasyRSA-DB, emailAddress=me@example.net
Sun Jan 15 16:48:51 2017 us=469681 81.109.233.126:56296 Validating certificate extended key usage
Sun Jan 15 16:48:51 2017 us=469742 81.109.233.126:56296 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Sun Jan 15 16:48:51 2017 us=469786 81.109.233.126:56296 VERIFY EKU OK
Sun Jan 15 16:48:51 2017 us=469830 81.109.233.126:56296 VERIFY OK: depth=0, C=US, ST=California, L=San Francisco, O=Copyleft Certificate Co, OU=My Organizational Unit, CN=clientname1, emailAddress=me@example.net
Sun Jan 15 16:48:51 2017 us=675132 81.109.233.126:56296 peer info: IV_VER=2.4.0
Sun Jan 15 16:48:51 2017 us=675253 81.109.233.126:56296 peer info: IV_PLAT=mac
Sun Jan 15 16:48:51 2017 us=675306 81.109.233.126:56296 peer info: IV_PROTO=2
Sun Jan 15 16:48:51 2017 us=675354 81.109.233.126:56296 peer info: IV_NCP=2
Sun Jan 15 16:48:51 2017 us=675400 81.109.233.126:56296 peer info: IV_LZ4=1
Sun Jan 15 16:48:51 2017 us=675447 81.109.233.126:56296 peer info: IV_LZ4v2=1
Sun Jan 15 16:48:51 2017 us=675494 81.109.233.126:56296 peer info: IV_LZO=1
Sun Jan 15 16:48:51 2017 us=675540 81.109.233.126:56296 peer info: IV_COMP_STUB=1
Sun Jan 15 16:48:51 2017 us=675588 81.109.233.126:56296 peer info: IV_COMP_STUBv2=1
Sun Jan 15 16:48:51 2017 us=675634 81.109.233.126:56296 peer info: IV_TCPNL=1
Sun Jan 15 16:48:51 2017 us=683883 81.109.233.126:56296 Control Channel: TLSv1.2, cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, 521 bit key
Sun Jan 15 16:48:51 2017 us=684043 81.109.233.126:56296 [clientname1] Peer Connection Initiated with [AF_INET]81.109.233.126:56296
Sun Jan 15 16:48:51 2017 us=684179 clientname1/81.109.233.126:56296 MULTI_sva: pool returned IPv4=10.88.90.6, IPv6=(Not enabled)
Sun Jan 15 16:48:51 2017 us=684414 clientname1/81.109.233.126:56296 MULTI: Learn: 10.88.90.6 -> clientname1/81.109.233.126:56296
Sun Jan 15 16:48:51 2017 us=684477 clientname1/81.109.233.126:56296 MULTI: primary virtual IP for clientname1/81.109.233.126:56296: 10.88.90.6
Sun Jan 15 16:48:52 2017 us=780141 clientname1/81.109.233.126:56296 PUSH: Received control message: 'PUSH_REQUEST'
Sun Jan 15 16:48:52 2017 us=780528 clientname1/81.109.233.126:56296 SENT CONTROL [clientname1]: 'PUSH_REPLY,route 10.88.90.1 255.255.255.255,route 10.88.90.0 255.255.255.0,dhcp-option DNS 84.200.69.80,dhcp-option DNS 84.200.70.40,redirect-gateway def1 bypass-dhcp,block-ipv6,route 10.88.90.1,topology net30,ping 10,ping-restart 120,ifconfig 10.88.90.6 10.88.90.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Jan 15 16:48:52 2017 us=780615 clientname1/81.109.233.126:56296 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Sun Jan 15 16:48:52 2017 us=781283 clientname1/81.109.233.126:56296 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan 15 16:48:52 2017 us=781345 clientname1/81.109.233.126:56296 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
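A server log like the one above answers the thread's question per client: the IV_* peer-info lines say what the client advertises (version, NCP cipher negotiation, lz4-v2) and the Control/Data Channel lines say what was actually negotiated. The following is an added Python example, not the poster's code and not part of OpenVPN; the sample lines are constructed from the log above, and the function and field names are this example's own.

```python
import re

# Sample server log lines, constructed for this example from the log posted
# above (same peer, same negotiated parameters); not a live capture.
SAMPLE_LOG = """\
Sun Jan 15 16:48:51 2017 us=675132 81.109.233.126:56296 peer info: IV_VER=2.4.0
Sun Jan 15 16:48:51 2017 us=675253 81.109.233.126:56296 peer info: IV_PLAT=mac
Sun Jan 15 16:48:51 2017 us=675354 81.109.233.126:56296 peer info: IV_NCP=2
Sun Jan 15 16:48:51 2017 us=675447 81.109.233.126:56296 peer info: IV_LZ4v2=1
Sun Jan 15 16:48:51 2017 us=683883 81.109.233.126:56296 Control Channel: TLSv1.2, cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, 521 bit key
Sun Jan 15 16:48:52 2017 us=781283 clientname1/81.109.233.126:56296 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

# One regex per line type; the "peer" group (IP:port) keys the session.
PEER_RE = re.compile(r"(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) peer info: (?P<key>IV_\w+)=(?P<val>\S+)")
CTRL_RE = re.compile(r"(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) Control Channel: (?P<tls>TLSv[\d.]+), cipher (?P<cipher>\S+), (?P<bits>\d+) bit key")
DATA_RE = re.compile(r"/(?P<peer>\d+\.\d+\.\d+\.\d+:\d+) Data Channel Encrypt: Cipher '(?P<cipher>[^']+)'")

def parse_sessions(log_text):
    """Group peer-info and negotiated-cipher lines by client endpoint."""
    sessions = {}
    for line in log_text.splitlines():
        for rx in (PEER_RE, CTRL_RE, DATA_RE):
            m = rx.search(line)
            if not m:
                continue
            s = sessions.setdefault(m.group("peer"), {"peer_info": {}})
            if rx is PEER_RE:
                s["peer_info"][m.group("key")] = m.group("val")
            elif rx is CTRL_RE:
                s["tls"], s["control_cipher"] = m.group("tls"), m.group("cipher")
            else:
                s["data_cipher"] = m.group("cipher")
    return sessions

def assess(session):
    """Summarise what the peer advertised and what was actually negotiated."""
    info = session["peer_info"]
    m = re.match(r"(\d+)\.(\d+)", info.get("IV_VER", ""))
    ver = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    return {
        "version_2_4_or_newer": ver >= (2, 4),        # 2.4 clients understand tls-crypt, NCP, lz4-v2
        "ncp_capable": info.get("IV_NCP") == "2",     # server may push AES-256-GCM to this client
        "lz4v2_capable": info.get("IV_LZ4v2") == "1",
        "aead_data_cipher": session.get("data_cipher", "").endswith("-GCM"),
        "tls_1_2_or_newer": float(session.get("tls", "TLSv0")[4:]) >= 1.2,
    }
```

Run it over a full server log with verb 4 to list which clients (such as the iOS ones in this thread) still lack IV_NCP=2 and are therefore holding the instance on a 2.3-compatible configuration.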
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
As you can see above in my server log it connects with no errors and warnings.
I have tried multiple options with iOS and I am almost sure now that it does not support it yet. Hopefully it will be upgraded soon. It seems that the iOS OpenVPN client does not understand how to use the new EC keys. I have experimented with both in-line keys and p12 files installed in the certificate store. Nothing worked.
Dariusz
-
- OpenVpn Newbie
- Posts: 17
- Joined: Wed Apr 18, 2012 7:43 am
Re: Compatible with OpenVPN 2.4 ?
Looks good!! Please let me know when and where you add your guide.
-
- OpenVpn Newbie
- Posts: 17
- Joined: Wed Apr 18, 2012 7:43 am
Re: Compatible with OpenVPN 2.4 ?
I have only tested and changed one line in easyrsa (RSA to EC), but I don't think that is enough to switch completely to EC for server/client.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
Nope. A few more changes... stay with me. I will write everything down next week. 2.4 introduced some changes - it took me many frustrated tries and man page readings to get it working. What is missing now, at least for me, is a 2.4 iOS client. Hopefully it is already in the making.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
I have posted some details here:
viewtopic.php?f=4&t=23227
If you have any questions, let's continue there.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
Is there any place I can see the latest status of development for the iOS client? Maybe some beta to help with testing, etc...
-
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Feb 03, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
Also found that tls-crypt works on my Mac with Tunnelblick, but not with iOS OpenVPN Connect.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
tls-crypt was only introduced in OpenVPN 2.4 and the iOS client is not compatible with it yet. Still, the lowest common denominator is to use RSA crypto with OpenVPN 2.3 compatible options.
I hope that iOS client will be updated soon.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Feb 03, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
I tried "auth SHA256" and the iOS client can connect, but full tunnel traffic is not usable.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
What do you mean, the client can connect? Would you mind sharing your server and client config?
-
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Feb 03, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
I am not talking about tls-crypt. I just mean that when I use auth SHA256 (instead of my previous config that used auth SHA1), the traffic on my iPhone is extremely slow.
On my Mac it is working great.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
FYI - I use SHA512 and with a relatively old iPhone 5s it works flawlessly at full speed.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Feb 03, 2017 1:42 pm
Re: Compatible with OpenVPN 2.4 ?
I see. Thanks for letting me know.
I have no idea why. The same settings (same ovpn file) with SHA256 as auth do not have a problem on my Mac.