OpenVPN V.2.6.3 on Clients

Hello,
After upgrading debian11 >> debian12 on my notebook, client-side OpenVPN access via IPF no longer worked.
The cause seems to be a change in OpenVPN V.2.6.3, which is probably due to the key I use on IPFire (AES-CBC 256bit). What do I have to do?
I’m currently using OpenVPN V.2.5.5 via apt-pinning, but that’s not a real solution.

Do you have an error log?
AES-CBC isn’t excluded yet (although you do get a warning)

Newer OpenVPN clients have issues with some older ovpn configurations and how the security information is stored.
You may need to re-download the OpenVPN connection profile from IPFire as a new insecure package.

EDIT: Also forgot to mention, newer clients need the cipher string to be declared as: data-ciphers AES-256-CBC
instead of the older: cipher AES…
Older config packages from IPFire will not have that.

Thank you very much,
--cipher could be the reason, but what should I edit?
This is the warning/error:

> 2024-09-28 09:50:43 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
> 2024-09-28 09:50:43 Note: cipher 'AES-256-CBC' in --data-ciphers is not supported by ovpn-dco, disabling data channel offload.
> 2024-09-28 09:50:43 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
> 2024-09-28 09:50:43 library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
> 2024-09-28 09:50:43 DCO version: N/A
> Enter Private Key Password:
> 2024-09-28 09:51:32 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
> 2024-09-28 09:51:32 OpenSSL: error:0308010C:digital envelope routines::unsupported
> 2024-09-28 09:51:32 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
> 2024-09-28 09:51:32 Error: private key password verification failed
> 2024-09-28 09:51:32 Exiting due to fatal error

See: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Policy:Migrateawayfromdeprecatedciphers.Status:Inprogress

Ideally the server side would have this in place:

--data-ciphers AES-256-GCM:AES-256-CBC:BF-CBC

But you can add it to the client .ovpn file which hopefully should fix it. You can remove the unwanted ciphers and just keep the AES-256-CBC bit.

EDIT: This is one area where I think the IPFire OpenVPN settings page needs to potentially be updated to reflect the changing behaviour of OpenVPN when it comes to the fact that ‘NCP’ feature exists and might impact ‘expected’ behaviour.
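The two replies above both come down to the same client-side change (replace the deprecated `cipher AES-256-CBC` line with `data-ciphers AES-256-CBC`), and the log shows a second, separate failure: the PKCS#12 bundle in the profile cannot be opened by OpenSSL 3 without legacy support. The script below is an added example, not code from IPFire or the OpenVPN project. It assumes a one-directive-per-line `.ovpn` profile, an OpenSSL 3.x `openssl` binary for the `-legacy` check, and a caller-supplied bundle path and password; the sample profile it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread (not IPFire's or OpenVPN's own code).
# Assumptions: one directive per line in the .ovpn file; "openssl" is OpenSSL 3.x
# so that "pkcs12 -legacy" is available; bundle path and password come from the caller.

# migrate_ovpn_ciphers FILE
# Prints FILE with a legacy "cipher NAME" directive rewritten to "data-ciphers NAME".
# Profiles that already carry data-ciphers, or carry no cipher directive at all,
# are printed unchanged. The file on disk is never modified.
migrate_ovpn_ciphers() {
    profile="$1"
    if grep -Eq '^[[:space:]]*data-ciphers[[:space:]]' "$profile"; then
        cat "$profile"
        return 0
    fi
    # Anchored at line start, so "tls-cipher" and "data-ciphers" lines are not touched.
    legacy=$(sed -nE 's/^[[:space:]]*cipher[[:space:]]+([A-Za-z0-9_-]+).*$/\1/p' "$profile" | head -n 1)
    if [ -z "$legacy" ]; then
        cat "$profile"
        return 0
    fi
    # Keep the directive in place; only the deprecated keyword changes, so OpenVPN 2.6
    # negotiates exactly the cipher the old profile was pinned to.
    sed -E "s/^[[:space:]]*cipher[[:space:]]+[A-Za-z0-9_-]+.*$/data-ciphers ${legacy}/" "$profile"
}

# pkcs12_encryption_status BUNDLE PASSWORD
# Echoes "ok" when OpenSSL 3 opens the bundle with its default provider,
# "legacy" when it only opens with the legacy provider (the "mac verify failure" /
# "unsupported" pair in the log above), and "bad" when neither works (e.g. wrong password).
# A "legacy" result means the profile should be re-issued from the server rather than patched.
pkcs12_encryption_status() {
    bundle="$1"
    pw="$2"
    if openssl pkcs12 -info -noout -in "$bundle" -passin "pass:$pw" >/dev/null 2>&1; then
        echo ok
    elif openssl pkcs12 -info -noout -legacy -in "$bundle" -passin "pass:$pw" >/dev/null 2>&1; then
        echo legacy
    else
        echo bad
    fi
}

# write_sample_profile FILE
# Writes a constructed profile in the shape of an older IPFire client package
# (hostname and bundle name are placeholders, not from the thread).
write_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
pkcs12 client.p12
cipher AES-256-CBC
auth SHA512
verb 3
EOF
}

# Stand-alone demonstration: migrate the constructed profile and show the result.
demo=$(mktemp)
write_sample_profile "$demo"
migrate_ovpn_ciphers "$demo"
rm -f "$demo"
```

Run `migrate_ovpn_ciphers client.ovpn > client-2.6.ovpn` to produce a profile for the 2.6 client and keep the original for rollback; run `pkcs12_encryption_status client.p12 "$PW"` first, because no edit to the text directives helps if the bundle itself is the legacy-encrypted part.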

We are and have been working on updating OpenVPN from the 2.5 branch to the 2.6 branch.

There are a large range of changes, including many deprecated options, and the challenge has been to update the IPFire code so that the new negotiation process works without suddenly causing all old client connection profiles to stop functioning and needing them all to be updated in one go, which is not realistic for any users that have several hundred clients using a specified old cipher.

We are close to having a process that allows that. We will be able to move to 2.6.x, have negotiation working and anyone using old ciphers on their clients will have a period of time to update the clients, one at a time, to use the newer ciphers. The same will apply to anyone that has enabled compression on their clients. There will be an upgrade path to allow clients to be updated one at a time.

Being able to use negotiation will resolve a lot of the sort of issues being highlighted here.

We hope to have this ready for testing early in the new year.
