openvpn works with AES-256-CBC and doesn't work with AES-256-GCM
Posted: Mon Dec 27, 2021 9:26 am
by decehakan
My openvpn server runs with RSA and static DH parameters and runs super fine. On the client and on the server I have chosen cipher AES-256-CBC, and when I read through the logs it has chosen the best cipher, AES-256-GCM.
Now I change the cipher on the client and server to AES-256-GCM (server.conf / client.conf: cipher AES-256-GCM). Now I can no longer dial in to the VPN because it somehow no longer works. This is crazy and confusing.
If I use AES-256-CBC it is upgraded to AES-256-GCM.
And if I now select the entry cipher AES-256-GCM in both configs (server / client), it cannot dial in to the server.
Is this because GCM can only be used in conjunction with the entry "dh none"? If so, why is this upgraded to AES-256-GCM in the case of AES-256-CBC?
Many thanks and best regards
decehakan
Re: openvpn works with AES-256-CBC and doesn't work with AES-256-GCM
Posted: Mon Dec 27, 2021 12:12 pm
by TinCanTech
decehakan wrote: Mon Dec 27, 2021 9:26 am
Is this because GCM can only be used in conjunction with the entry "dh none"?
No. You did something incorrectly.
Re: openvpn works with AES-256-CBC and doesn't work with AES-256-GCM
Posted: Tue Dec 28, 2021 9:19 am
by decehakan
After I deleted the --opt-verify option in server.conf and set cipher AES-256-GCM on client and server, the client can now connect to the server.
The reason why I couldn't connect was the auth alg, which was compared because of the --opt-verify flag.
Log:
SENT CONTROL [test12]: 'AUTH_FAILED' (status=1)
But on both sides (server.conf / client.conf) I'm using auth SHA256.
Reading the documentation:
If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.
Means that: if I'm using a GCM cipher, then I don't need the auth alg???
kind regards
Re: openvpn works with AES-256-CBC and doesn't work with AES-256-GCM
Posted: Tue Dec 28, 2021 2:22 pm
by TinCanTech
decehakan wrote: Tue Dec 28, 2021 9:19 am
Means that: if I'm using a GCM cipher, then I don't need the auth alg???
Not quite...
AEAD ciphers do not require authentication because it is built-in to the cipher.
However, Openvpn options still require --auth alg to be correctly configured.
The best solution for you: Do not use --auth alg or --cipher cipher anywhere in your server and client config files.
The reason is: Openvpn will automatically select --auth SHA1 (which is the correct default) and then ignore it, and --cipher BF-CBC (which is fine for testing) and then be negotiated to cipher AES-256-GCM.
You really do not need --auth alg in any of your configs.
And do not worry about the default --cipher BF-CBC because --cipher is deprecated.
And --data-ciphers trumps --cipher. Default --data-ciphers AES-256-GCM:AES-128-GCM
https://build.openvpn.net/man/openvpn-2 ... vpn.8.html
Try it for yourself..
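The rules the thread arrives at (data-ciphers overrides the deprecated --cipher, the server's list order decides the negotiated cipher, --auth is ignored on the data channel for AEAD ciphers, --opt-verify forces strict option matching) are easy to check before restarting a tunnel. The following is an added example, not code from the thread or from the OpenVPN project; the sample configs are constructed, and the negotiation model is a simplification of the behaviour described above.

```python
# Constructed sample configs, modelled on the thread (not the poster's real files).
BROKEN_SERVER = "cipher AES-256-GCM\nauth SHA256\nopt-verify\n"
BROKEN_CLIENT = "cipher AES-256-GCM\nauth SHA256\n"
FIXED_SERVER = "data-ciphers AES-256-GCM:AES-128-GCM\n"
FIXED_CLIENT = ""

AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"  # default quoted in the thread
DEFAULT_AUTH = "SHA1"                             # default named in the thread

def parse_conf(text):
    """Parse an OpenVPN config into {option: value}; flag-only options get ''."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts[key] = value.strip()
    return opts

def negotiated_cipher(server, client):
    """data-ciphers trumps cipher: walk the server's list in order and take the
    first entry the client also offers. None means no common cipher."""
    s_list = server.get("data-ciphers", DEFAULT_DATA_CIPHERS).split(":")
    c_list = client.get("data-ciphers", DEFAULT_DATA_CIPHERS).split(":")
    for c in s_list:
        if c in c_list:
            return c
    return None  # negotiation fails (data-ciphers-fallback not modelled here)

def check_pair(server_text, client_text):
    """Report the negotiated cipher, the effective data-channel auth and warnings."""
    server, client = parse_conf(server_text), parse_conf(client_text)
    cipher = negotiated_cipher(server, client)
    if cipher in AEAD_CIPHERS:
        data_auth = "AEAD (built-in)"  # --auth ignored for the data channel
    else:
        data_auth = server.get("auth", DEFAULT_AUTH)
    warnings = []
    if "opt-verify" in server:
        warnings.append("server: opt-verify forces strict option matching; remove it")
    for side, opts in (("server", server), ("client", client)):
        if "cipher" in opts:
            warnings.append(f"{side}: --cipher is deprecated, use --data-ciphers")
    return {"cipher": cipher, "data_channel_auth": data_auth, "warnings": warnings}
```

Running `check_pair(BROKEN_SERVER, BROKEN_CLIENT)` reports the opt-verify and deprecated-cipher warnings; the FIXED pair negotiates AES-256-GCM with no warnings.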