OpenVPN server Ubuntu 16.04 (xenial) TLS 1.3 connection

Weekly dev snapshots are available for testing.
We talk about them here. Testing features in the dev snapshot helps the features make it to stable.
Forum rules
Please report your experience with testing branch. Include what you were using and how
If there is a problem, the more info the better!
Post Reply
joenas
OpenVpn Newbie
Posts: 4
Joined: Mon Jul 23, 2018 4:19 pm

OpenVPN server Ubuntu 16.04 (xenial) TLS 1.3 connection

Post by joenas » Tue Jul 24, 2018 10:37 am

I am running on my Ubuntu 16.04 (xenial) an OpenVPN server using the OpenVPN community build script provided : https://community.openvpn.net/openvpn/w ... system#no1
Running the command: IMAGEROOT=`pwd`/image-native ./build gives me the following specs of OpenVPN:

Code: Select all

#openvpn --version
OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 24 2018
library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_
install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs
11=yes enable_plugin_auth_pam=no enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_snappy=no enable_stat
ic=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_special_build= wit
h_sysroot=no
Since OpenVPN 2.4.5 there is support for TLS 1.3 in tls-version-{min,max} added (https://community.openvpn.net/openvpn/w ... enVPN2.4.5)
This is discussed in mailinglist (https://sourceforge.net/p/openvpn/mailm ... karger.me/)

When I run the server with the default configuration

Code: Select all

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
keepalive 10 120
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
Everything works and I am able to create a connection.
However when i ad the option tls-version-min 1.3 i get the Error:
When i instead use the tls-version-min 1.2 option everything works fine again.


My Question:
What do I have to change in my setup, to create a working OpenVPN server where you can connect to with a TLS 1.3 connection?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4867
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN server Ubuntu 16.04 (xenial) TLS 1.3 connection

Post by TinCanTech » Tue Jul 24, 2018 1:32 pm

joenas wrote:
Tue Jul 24, 2018 10:37 am
Since OpenVPN 2.4.5 there is support for TLS 1.3
Technically, Openvpn has been made ready to use TLS 1.3 when it becomes available from the SSL library you build Openvpn with. It does not specifically add TLS 1.3 coding to Openvpn.
joenas wrote:
Tue Jul 24, 2018 10:37 am
However when i ad the option tls-version-min 1.3 i get the Error
Because your SSL library does not yet have TLS 1.3
joenas wrote:
Tue Jul 24, 2018 10:37 am
What do I have to change in my setup, to create a working OpenVPN server where you can connect to with a TLS 1.3 connection?
From the thread you mention earlier .. currently you would need to build Openvpn with Openssl master branch not a release branch (as of this date)

Howto build Openvpn with Openssl master branch is beyond the scope of this Forum.
You can try customising the build-system but I have my doubts that it is ready for Openssl master branch yet.
If you do try then we would be interested in your results.

NOTE: https://mta.openssl.org/pipermail/opens ... 08496.html

joenas
OpenVpn Newbie
Posts: 4
Joined: Mon Jul 23, 2018 4:19 pm

Re: OpenVPN server Ubuntu 16.04 (xenial) TLS 1.3 connection

Post by joenas » Tue Jul 24, 2018 6:57 pm

Update:

However although there is a connection created no data there is no internet working. If somebody got a clue on why the connection is succesful but the data transmission is unsuccesfull?

Installing latest OpenSSL

Code: Select all

$ git clone https://github.com/openssl/openssl.git
$ find . -name tls1.h | xargs grep TLS1_3_VERSION_DRAFT_TXT
$ mkdir build; cd ./build
$ ../config -v --prefix=/opt/openssl --openssldir=$HOME/openssl enable-tls1_3 --debug
$ make
$ make install
$ export LD_LIBRARY_PATH=/build/openssl/build
$ ./apps/openssl 
OpenSSL> version
OpenSSL 1.1.1-dev  xx XXX xxxx
Installing latests OpenVPN

Code: Select all

$ wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.6.tar.gz
$ tar xzf openvpn-2.4.6.tar.gz
$ cd openvpn-2.4.6
$ CFLAGS="-I/opt/openssl/include -Wl,-rpath=/opt/openssl/lib -L/opt/openssl/lib" ./configure --disable-lzo
$ make -j 4
$ ldd ./src/openvpn/openvpn
$ sudo make install
$ /usr/local/sbin/openvpn --version

gives me the following openvpn setup:

Code: Select all

/usr/local/sbin/openvpn --version
OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 24 2018
library versions: OpenSSL 1.1.1-pre9-dev  xx XXX xxxx
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast
_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_
pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_opti
ons=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
with the following client.ovp file:

Code: Select all

client
dev tun
proto tcp
remote <SERVER_IP> 1194
resolv-retry infinite
nobind
user nobody
group nogroup
tls-version-min 1.3
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-128-CBC
auth SHA256
comp-lzo
verb 3
#ca ca.crt
#cert client.crt
#key client.key
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
Client Log output:

Code: Select all

Tue Jul 24 20:38:08 2018 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 24 2018
Tue Jul 24 20:38:08 2018 library versions: OpenSSL 1.1.1-pre9-dev  xx XXX xxxx
Tue Jul 24 20:38:08 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 24 20:38:08 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 24 20:38:08 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]<server_IP>:1194
Tue Jul 24 20:38:08 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
Tue Jul 24 20:38:08 2018 Attempting to establish TCP connection with [AF_INET]<server_IP>:1194 [nonblock]
Tue Jul 24 20:38:09 2018 TCP connection established with [AF_INET]<server_IP>:1194
Tue Jul 24 20:38:09 2018 TCP_CLIENT link local: (not bound)
Tue Jul 24 20:38:09 2018 TCP_CLIENT link remote: [AF_INET]<server_IP>:1194
Tue Jul 24 20:38:09 2018 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Tue Jul 24 20:38:09 2018 TLS: Initial packet from [AF_INET]<server_IP>:1194, sid=2bdfc1e3 81d19792
Tue Jul 24 20:38:09 2018 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=server, emailAddress=me@myhost.mydomain
Tue Jul 24 20:38:09 2018 VERIFY KU OK
Tue Jul 24 20:38:09 2018 Validating certificate extended key usage
Tue Jul 24 20:38:09 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jul 24 20:38:09 2018 VERIFY EKU OK
Tue Jul 24 20:38:09 2018 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=server, name=server, emailAddress=me@myhost.mydomain
Tue Jul 24 20:38:09 2018 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Jul 24 20:38:09 2018 [server] Peer Connection Initiated with [AF_INET]<server_IP>:1194
Tue Jul 24 20:38:10 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Jul 24 20:38:10 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Tue Jul 24 20:38:10 2018 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 24 20:38:10 2018 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 24 20:38:10 2018 OPTIONS IMPORT: route options modified
Tue Jul 24 20:38:10 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 24 20:38:10 2018 OPTIONS IMPORT: peer-id set
Tue Jul 24 20:38:10 2018 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Jul 24 20:38:10 2018 OPTIONS IMPORT: data channel crypto options modified
Tue Jul 24 20:38:10 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jul 24 20:38:10 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 24 20:38:10 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 24 20:38:10 2018 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:5f:11:bf
Tue Jul 24 20:38:10 2018 TUN/TAP device tun0 opened
Tue Jul 24 20:38:10 2018 TUN/TAP TX queue length set to 100
Tue Jul 24 20:38:10 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 24 20:38:10 2018 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Tue Jul 24 20:38:10 2018 /sbin/route add -net <server_IP> netmask 255.255.255.255 gw 10.0.2.2
SIOCADDRT: File exists
Tue Jul 24 20:38:10 2018 ERROR: Linux route add command failed: external program exited with error status: 7
Tue Jul 24 20:38:10 2018 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Jul 24 20:38:10 2018 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Tue Jul 24 20:38:10 2018 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Tue Jul 24 20:38:10 2018 GID set to nogroup
Tue Jul 24 20:38:10 2018 UID set to nobody
Tue Jul 24 20:38:10 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jul 24 20:38:10 2018 Initialization Sequence Completed

Server Log:

Code: Select all

Tue Jul 24 18:38:08 2018 TCP connection established with [AF_INET]<CLIENT_IP>:55655
Tue Jul 24 18:38:09 2018 CLIENT_IP>:55655 TLS: Initial packet from [AF_INET]<CLIENT_IP>:55655, sid=5152e782 47dec795
Tue Jul 24 18:38:09 2018 CLIENT_IP>:55655 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=server, emailAddress=me@myhost.mydomain
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=client1, name=server, emailAddress=me@myhost.mydomain
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 peer info: IV_VER=2.4.6
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 peer info: IV_PLAT=linux
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 peer info: IV_PROTO=2
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 peer info: IV_NCP=2
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 peer info: IV_LZ4=1
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 peer info: IV_LZ4v2=1
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 peer info: IV_LZO_STUB=1
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 peer info: IV_COMP_STUB=1
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 peer info: IV_COMP_STUBv2=1
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 peer info: IV_TCPNL=1
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Jul 24 18:38:09 2018 <CLIENT_IP>:55655 [client1] Peer Connection Initiated with [AF_INET]<CLIENT_IP>:55655
Tue Jul 24 18:38:09 2018 client1/<CLIENT_IP>:55655 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Tue Jul 24 18:38:09 2018 client1/<CLIENT_IP>:55655 MULTI: Learn: 10.8.0.6 -> client1/<CLIENT_IP>:55655
Tue Jul 24 18:38:09 2018 client1/<CLIENT_IP>:55655 MULTI: primary virtual IP for client1/<CLIENT_IP>:55655: 10.8.0.6
Tue Jul 24 18:38:10 2018 client1/<CLIENT_IP>:55655 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jul 24 18:38:10 2018 client1/<CLIENT_IP>:55655 SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 1
20,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Jul 24 18:38:10 2018 client1/<CLIENT_IP>:55655 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jul 24 18:38:10 2018 client1/<CLIENT_IP>:55655 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 24 18:38:10 2018 client1/<CLIENT_IP>:55655 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 24 18:39:05 2018 client1/<CLIENT_IP>:55655 Connection reset, restarting [0]
Tue Jul 24 18:39:05 2018 client1/<CLIENT_IP>:55655 SIGUSR1[soft,connection-reset] received, client-instance restarting

However although there is a connection created no data there is no internet working. If somebody got a clue on why the connection is succesful but the data transmission is unsuccesfull?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4867
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN server Ubuntu 16.04 (xenial) TLS 1.3 connection

Post by TinCanTech » Tue Jul 24, 2018 10:17 pm

Can you ping over the VPN ?

joenas
OpenVpn Newbie
Posts: 4
Joined: Mon Jul 23, 2018 4:19 pm

Re: OpenVPN server Ubuntu 16.04 (xenial) TLS 1.3 connection

Post by joenas » Tue Jul 24, 2018 10:30 pm

Ping over VPN works

Post Reply