OpenVPN 2.5 Development version

ummeegge · 5 May 2020 13:06

Hi all,
since a big version jump of OpenVPN is around the corner --> https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25 i was thinking about to ask into the round what you guys and girls are thinking about the new upcoming version and potential new features ?

Installed it currently and checked out the crypto a little and found there some new nice toys .

Some first insides:

New AEAD 256-Bit cipher CHACHA20-POLY1305 for the data channel.
Several new HMACs

From the BLAKE2 family:
BLAKE2b512 512 bit digest size (optimized for 64 bit systems)
BLAKE2s256 256 bit digest size (optimized for 32 bit systems)

From the Keccak family:
SHA3
SHA3-224 224 bit digest size
SHA3-256 256 bit digest size
SHA3-384 384 bit digest size
SHA3-512 512 bit digest size

SHAKE
SHAKE128 128 bit digest size
SHAKE256 256 bit digest size

Which currently simply works.

Does someone have additional ideas for new 2.5 features to test ?

Some additional links + benchmarks:
https://cr.yp.to/mac.html
https://bench.cr.yp.to/results-sha3.html

ummeegge · 27 July 2020 07:26

This entry is more or less a reminder of potential upcoming work for the next bigger OpenVPN update…
New test with with

OpenVPN 2.5_git [git:master/a7d6977e6e14c512+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 25 2020

two new warnings appear meanwhile.
The first:

DEPRECATED OPTION: ncp-disable. Disabling dynamic cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6

may there is time for that but ’ –ncp-disable’ needs to be replaced with ’ –ncp-ciphers cipher_list’ by time. Since version 2.5 deliver a new cipher (see above) may some other changes in the crypto world will arrive by time, let´s see…

and the second

WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.

‘–topology net30’ is indeed out of time even it was only for Windows systems useful to my knowledge. Since i do not use any kind of Bill Gates products the question arises for me how ‘–topology subnet’ operates now with Windows systems also in backwards compatibility.

A test with ‘–tls-crypt-v2’ might be worth too ?

Otherwise, the current DEV version works smooth and well.

jon · 27 July 2020 19:21

Erik - Thank you for the reminder!

when the above OpenVPN is released by the IPFire dev team, do the existing OpenVPN connections need to be deleted and recreated? Or maybe recreating connections is not a “must do” but is a “should do”?

ummeegge · 27 July 2020 19:57

Hi Jon,
you are welcome.

it was and is always a hard work to prevent such things and in fact i tried to announce all that longer time ago. Hopefully we can find a good way to a better landing into a new circumstance without being a nerd in some ways…

Best,

Erik

jon · 27 July 2020 20:15

never!

ummeegge · 28 July 2020 12:02

having said that “NON experts” are really really welcome to step into some testing rounds ?

Best,

Erik

diablotin · 21 September 2020 08:41

Hi there,

I have just installed the last release of OpenVPN for Android (from F-Droid) which ships with OpenVPN 2.5. In addition to the previous mentioned warnings, I can no longer authenticate with the current stable OpenVPN 2.4 server from IpFire. There is a change in the cipher parameter. It was cipher and is now data-cipher this makes the Android client unable to continue the authentication. The same applies for the parameter auth which is now data-auth (not sure) It was announced that the old names will be deprecated.
I downgraded to previous client version and it works fine but I thing upgrading to 2.5 is needed.
Android clients seems to upgrade automatically the config file for the client.
I don’t know about desktop clients. If they use the config file then for sure, something should be changed in it.
Either redownload the config package from ipfire (updated with the new names) or changed it by hand ?

However it seems that linux client for instance is still openvpn 2.4.4 which does not know about new names… Well I’m confused on how to migrate all the stuff

Best

Jordan

ummeegge · 21 September 2020 09:14

Hi Jordan,
am building the new OpenVPN-2.5_* versions since Beta 1 but this messages appeared only since Beta 4 which is at that time the actual one. Have integrated a lot of stuff in ovpnmain.cgi meanwhile and my whole environment runs only in 2.5 environment. The whole error message i got is this:

openvpnserver[21442]: DEPRECATED OPTION: --cipher set to 'CHACHA20-POLY1305' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'CHACHA20-POLY1305' to --data-ciphers or change --cipher 'CHACHA20-POLY1305' to --data-ciphers-fallback 'CHACHA20-POLY1305' to silence this warning.

where also a explanation is included on how to fix it. The --data-ciphers error/development is a problem whereby updated clients does not worked with OpenVPN servers with <= 2.4.x versions. In this situation it might be the best to downgrade your client since the development of the new OpenVPN version is not completed it won´t be come up in an IPFire Core update.

Nevertheless if you want to test it have the compiled OpenVPN-2.5_beta4 here, it also not that hard to build it by yourself and i can deliver you an updated ovpnmain.cgi <-- but remember this is a testing environment even i use it also in production without problems !

Best,

Erik

EDIT: The --auth directive is here active but there are no error/problems nor i have seen something in the announcements for such changes. If you have more on it, please post it here.

bonnietwin · 21 September 2020 12:09

I see from F-Droid that the OpenVPN for Android version is 0.7.18

I am using OpenVPN for Android from the Google Play store and the version I have is 0.7.19 and that is working without any problem.
The first What’s New entry for 0.7.19 says “- Add --cipher to --data-cipher since the world is not ready for pure --data-ciphers yet”.
The app copies what is in --cipher into --data-cipher in the config file. My config file has both --cipher and --data-cipher and --data-cipher includes what is in --cipher.

I would expect there to be a further update in F-Droid before too long.
Version 0.7.19 was issued in the Google Play store on 14th Sept.

Regards,
Adolf

diablotin · 21 September 2020 13:34

@ummeegge Thanks you for the update. I think you reply combined with the @bonnietwin’s one solve my issue.
I am already implicated in several stuff for the moment it might take a while for me your new version.
At least, if someone else has the same problem, he/she can find the answer here
About the auth issue, I’ll have to reinstall the 0.7.18 version again … I’ll post here the exact message.

Thanks @bonnietwin! I’ll have a look at version 0.7.19
It might solve my issue

Thank you

Jordan