Hi all,
since a big version jump of OpenVPN is around the corner --> https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25 i was thinking about to ask into the round what you guys and girls are thinking about the new upcoming version and potential new features ?
Installed it currently and checked out the crypto a little and found there some new nice toys .
This entry is more or less a reminder of potential upcoming work for the next bigger OpenVPN updateâŚ
New test with with
OpenVPN 2.5_git [git:master/a7d6977e6e14c512+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 25 2020
two new warnings appear meanwhile.
The first:
DEPRECATED OPTION: ncp-disable. Disabling dynamic cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
may there is time for that but â âncp-disableâ needs to be replaced with â âncp-ciphers cipher_listâ by time. Since version 2.5 deliver a new cipher (see above) may some other changes in the crypto world will arrive by time, let´s seeâŚ
and the second
WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
ââtopology net30â is indeed out of time even it was only for Windows systems useful to my knowledge. Since i do not use any kind of Bill Gates products the question arises for me how ââtopology subnetâ operates now with Windows systems also in backwards compatibility.
when the above OpenVPN is released by the IPFire dev team, do the existing OpenVPN connections need to be deleted and recreated? Or maybe recreating connections is not a âmust doâ but is a âshould doâ?
it was and is always a hard work to prevent such things and in fact i tried to announce all that longer time ago. Hopefully we can find a good way to a better landing into a new circumstance without being a nerd in some waysâŚ
I have just installed the last release of OpenVPN for Android (from F-Droid) which ships with OpenVPN 2.5. In addition to the previous mentioned warnings, I can no longer authenticate with the current stable OpenVPN 2.4 server from IpFire. There is a change in the cipher parameter. It was cipher and is now data-cipher this makes the Android client unable to continue the authentication. The same applies for the parameter auth which is now data-auth (not sure) It was announced that the old names will be deprecated.
I downgraded to previous client version and it works fine but I thing upgrading to 2.5 is needed.
Android clients seems to upgrade automatically the config file for the client.
I donât know about desktop clients. If they use the config file then for sure, something should be changed in it.
Either redownload the config package from ipfire (updated with the new names) or changed it by hand ?
However it seems that linux client for instance is still openvpn 2.4.4 which does not know about new names⌠Well Iâm confused on how to migrate all the stuff
Hi Jordan,
am building the new OpenVPN-2.5_* versions since Beta 1 but this messages appeared only since Beta 4 which is at that time the actual one. Have integrated a lot of stuff in ovpnmain.cgi meanwhile and my whole environment runs only in 2.5 environment. The whole error message i got is this:
openvpnserver[21442]: DEPRECATED OPTION: --cipher set to 'CHACHA20-POLY1305' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'CHACHA20-POLY1305' to --data-ciphers or change --cipher 'CHACHA20-POLY1305' to --data-ciphers-fallback 'CHACHA20-POLY1305' to silence this warning.
where also a explanation is included on how to fix it. The --data-ciphers error/development is a problem whereby updated clients does not worked with OpenVPN servers with <= 2.4.x versions. In this situation it might be the best to downgrade your client since the development of the new OpenVPN version is not completed it won´t be come up in an IPFire Core update.
Nevertheless if you want to test it have the compiled OpenVPN-2.5_beta4 here, it also not that hard to build it by yourself and i can deliver you an updated ovpnmain.cgi <-- but remember this is a testing environment even i use it also in production without problems !
Best,
Erik
EDIT: The --auth directive is here active but there are no error/problems nor i have seen something in the announcements for such changes. If you have more on it, please post it here.
I see from F-Droid that the OpenVPN for Android version is 0.7.18
I am using OpenVPN for Android from the Google Play store and the version I have is 0.7.19 and that is working without any problem.
The first Whatâs New entry for 0.7.19 says â- Add --cipher to --data-cipher since the world is not ready for pure --data-ciphers yetâ.
The app copies what is in --cipher into --data-cipher in the config file. My config file has both --cipher and --data-cipher and --data-cipher includes what is in --cipher.
I would expect there to be a further update in F-Droid before too long.
Version 0.7.19 was issued in the Google Play store on 14th Sept.
@ummeegge Thanks you for the update. I think you reply combined with the @bonnietwinâs one solve my issue.
I am already implicated in several stuff for the moment it might take a while for me your new version.
At least, if someone else has the same problem, he/she can find the answer here
About the auth issue, Iâll have to reinstall the 0.7.18 version again ⌠Iâll post here the exact message.
Thanks @bonnietwin! Iâll have a look at version 0.7.19
It might solve my issue
Testing with OpenVPN 2.4.9 (IPFire) and 2.5.0 on my client I get this deprecation warning:
DEPRECATED OPTION: --cipher set to âAES-256-CBCâ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add âAES-256-CBCâ to --data-ciphers or change --cipher âAES-256-CBCâ to --data-ciphers-fallback âAES-256-CBCâ to silence this warning.
From my local config file:
cipher AES-256-CBC
auth SHA512
afair, config should be the default one from IPFire (at least with the version I was coming from over the years). Will keep it that way, just wanted to let you know.
Thanks Larsen for your feedback,
am currently try to migrate all the new changes from 2.5.0 which can (may not?!if no interest) be a bigger one. You can find in patchwork more --> https://patchwork.ipfire.org/project/ipfire/list/ if interested for an overview or participation in testing.