
Update openvpn to support TLS 1.2
Closed, Resolved (Public)

Description

The version of openvpn we currently ship in vyos is 2.3.4, which only supports TLS up to 1.0 (see https://community.openvpn.net/openvpn/ticket/401 for more details). TLS 1.0 and 1.1 are both deprecated, and at least 1.2 is recommended.

This is causing issues in our configuration, as network-manager-openvpn-gnome doesn't support passing the tls-version-min option to openvpn, which now defaults to 1.2 minimum.

I believe 2.3.5+ should support it properly, or 2.4.0 is available in jessie-backports (https://packages.debian.org/jessie-backports/openvpn)

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rc8
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

Actually, I managed to get this working by passing the following:

set interfaces openvpn vtun0 openvpn-option "--tls-version-min 1.2"

Might it be worth adding a config variable & setting this as default?

I never liked verbatim passed options; this will be a perfect candidate for a first contribution to VyOS as it will be rather easy! You want to give it a try?

set interfaces openvpn vtun0 disable-weak-tls-ciphers

syncer raised the priority of this task from Low to Normal.
syncer added a subscriber: syncer.

@hagbard can you please bump version of openvpn

@syncer Currently we ship in the iso openvpn from main, we could use it from bpo which would be 2.4 (2.6 is the latest), or we replace it with a self-compiled 2.6, or do you just want cpo's solution implemented?

In T1051#27092, @c-po wrote:

set interfaces openvpn vtun0 disable-weak-tls-ciphers

I think enable-weak-ciphers and having disable set as default might make more sense.

Sounds more reasonable (enable than disable). Will this affect backwards compatibility or will there be a migrator?

@c-po it only affects clients which enforce tls 1.0 or 1.1, at least from what I have tested. The perl code needs quite some rework, so I think I'll split the task into getting a newer release of openvpn into the build. Newer versions have tls 1.0 and 1.1 disabled by default from what I have read, so I think it might be more a changelog announcement that with the new version only tls 1.2 is automatically supported and you have the option to enable weak ciphers via opt .... or so. I'm not too sure yet, I think I have to wait a little on the response once the newer version is in rolling and the feedback I receive.

@c-po imported and tested against latest rolling, I couldn't find any issue with 2.4.

hagbard changed the task status from Open to Needs testing. Jan 31 2019, 8:14 PM

@thinkl33t Would you mind testing your use case with https://downloads.vyos.io/rolling/current/amd64/vyos-1.2.0-rolling%2B201901312041-amd64.iso or later? This iso is using the bpo package of openvpn (2.4.0).

Does this mean it can listen on "outer" transport IPv6 addresses now that it is using 2.4.0 (even if it is just a special "option" and not yet in the VyOS CLI)?

Even if it means setting a special "option", that would be great if that were possible.

Even though the current version doesn't yet have the CLI for it to transport "inner" IPv6 addresses, you can put an "option" to do the "ifconfig" to set the inner IPv6 addresses currently which allows not having to set up a separate IPv4 <-> IPv6 tunnel to do the translation which makes things simpler. Just found out about that a month ago.

@thinkl33t Please test the latest rolling which has openvpn 2.4 installed.

Tested it myself and can't find any issues.

I've finally managed to test this (apologies, we've had a super busy couple of months) and don't appear to be able to connect to the VPN anymore :(

Server config:

mode server
openvpn-option "--tls-version-min 1.2"
openvpn-option "--tls-auth /config/auth/ta.pem 0"
server {
    name-server 10.35.2.254
    subnet 172.16.2.0/24
}
tls {
    ca-cert-file /config/auth/admin.example.org.crt
    cert-file /config/auth/firewall-2.admin.example.org.crt
    dh-file /config/auth/admin.example.org-dh2048.pem
    key-file /config/auth/firewall-2.admin.example.org.key
}

Client config:

client
dev tun
proto udp
remote office.example.org 1194
resolv-retry infinite
remote-random
float
tls-auth [inline]
key-direction 1

<ca>
-----BEGIN CERTIFICATE-----
*snip*
-----END CERTIFICATE-----
</ca>

<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
*snip*
-----END OpenVPN Static key V1-----
</tls-auth>

I've also tried removing the minimum tls version openvpn-options, and removing the TLS auth from my config, but still can't connect. The logs show the following:

OpenVPN: 10.35.2.1:1194 SIGUSR1[soft,tls-error] received, client-instance restarting 
OpenVPN: 10.35.2.1:1194 TLS: Initial packet from [AF_INET]10.35.2.1:1194, sid=4c88b2b8 7e4fa7c9 
OpenVPN: 10.35.2.1:1194 TLS: new session incoming connection from [AF_INET]10.35.2.1:1194 
OpenVPN: 10.35.2.1:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 
OpenVPN: 10.35.2.1:1194 TLS Error: TLS handshake failed 
OpenVPN: 10.35.2.1:1194 SIGUSR1[soft,tls-error] received, client-instance restarting

Sorry I can't replicate your issue, tested it with VyOS 1.2.0-rolling+201903110337.

server:

Mar 12 18:02:46 localhost openvpn-vtun01[3075]: OpenVPN 2.4.0 [git:HEAD/d119a5983835297a+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan 31 2019
Mar 12 18:02:46 localhost openvpn-vtun01[3075]: library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: MANAGEMENT: unix domain socket listening on /tmp/openvpn-mgmt-intf
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: Diffie-Hellman initialized with 2048 bit key
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: ECDH curve secp384r1 added
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: TUN/TAP device vtun01 opened
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: TUN/TAP TX queue length set to 100
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: /sbin/ip link set dev vtun01 up mtu 1500
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: /sbin/ip addr add dev vtun01 172.16.2.1/24 broadcast 172.16.2.255
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: UDPv4 link local (bound): [AF_INET][undef]:1194
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: UDPv4 link remote: [AF_UNSPEC]
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: MULTI: multi_init called, r=256 v=256
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: IFCONFIG POOL: base=172.16.2.2 size=252, ipv6=0
Mar 12 18:02:46 localhost openvpn-vtun01[3076]: Initialization Sequence Completed
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 TLS: Initial packet from [AF_INET]10.1.1.121:50689, sid=6b850fe7 31a6dff1
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 VERIFY OK: depth=1, CN=Easy-RSA CA
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 VERIFY OK: depth=0, CN=client
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 peer info: IV_VER=2.4.0
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 peer info: IV_PLAT=linux
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 peer info: IV_PROTO=2
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 peer info: IV_NCP=2
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 peer info: IV_LZ4=1
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 peer info: IV_LZ4v2=1
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 peer info: IV_LZO=1
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 peer info: IV_COMP_STUB=1
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 peer info: IV_COMP_STUBv2=1
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 peer info: IV_TCPNL=1
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 [client] Peer Connection Initiated with [AF_INET]10.1.1.121:50689
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: client/10.1.1.121:50689 MULTI_sva: pool returned IPv4=172.16.2.2, IPv6=(Not enabled)
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: client/10.1.1.121:50689 MULTI: Learn: 172.16.2.2 -> client/10.1.1.121:50689
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: client/10.1.1.121:50689 MULTI: primary virtual IP for client/10.1.1.121:50689: 172.16.2.2
Mar 12 18:13:33 localhost openvpn-vtun01[3076]: client/10.1.1.121:50689 PUSH: Received control message: 'PUSH_REQUEST'
Mar 12 18:13:33 localhost openvpn-vtun01[3076]: client/10.1.1.121:50689 SENT CONTROL [client]: 'PUSH_REPLY,route-gateway 172.16.2.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.16.2.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mar 12 18:13:33 localhost openvpn-vtun01[3076]: client/10.1.1.121:50689 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 12 18:13:33 localhost openvpn-vtun01[3076]: client/10.1.1.121:50689 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

client:

Mar 12 18:14:50 localhost openvpn-vtun01[2476]: OpenVPN 2.4.0 [git:HEAD/d119a5983835297a+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan 31 2019
Mar 12 18:14:50 localhost openvpn-vtun01[2476]: library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Mar 12 18:14:50 localhost openvpn-vtun01[2477]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mar 12 18:14:50 localhost openvpn-vtun01[2477]: TCP/UDP: Preserving recently used remote address: [AF_INET]10.1.1.120:1194
Mar 12 18:14:50 localhost openvpn-vtun01[2477]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Mar 12 18:14:50 localhost openvpn-vtun01[2477]: UDP link local: (not bound)
Mar 12 18:14:50 localhost openvpn-vtun01[2477]: UDP link remote: [AF_INET]10.1.1.120:1194
Mar 12 18:14:50 localhost openvpn-vtun01[2477]: TLS: Initial packet from [AF_INET]10.1.1.120:1194, sid=037b7b4f 7f51fd94
Mar 12 18:14:50 localhost openvpn-vtun01[2477]: VERIFY OK: depth=1, CN=Easy-RSA CA
Mar 12 18:14:50 localhost openvpn-vtun01[2477]: VERIFY OK: depth=0, CN=srv
Mar 12 18:14:50 localhost openvpn-vtun01[2477]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mar 12 18:14:50 localhost openvpn-vtun01[2477]: [srv] Peer Connection Initiated with [AF_INET]10.1.1.120:1194
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: SENT CONTROL [srv]: 'PUSH_REQUEST' (status=1)
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.16.2.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.16.2.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: OPTIONS IMPORT: timers and/or timeouts modified
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: OPTIONS IMPORT: --ifconfig/up options modified
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: OPTIONS IMPORT: route-related options modified
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: OPTIONS IMPORT: peer-id set
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: OPTIONS IMPORT: adjusting link_mtu to 1624
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: OPTIONS IMPORT: data channel crypto options modified
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: TUN/TAP device vtun01 opened
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: TUN/TAP TX queue length set to 100
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: /sbin/ip link set dev vtun01 up mtu 1500
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: /sbin/ip addr add dev vtun01 172.16.2.2/24 broadcast 172.16.2.255
Mar 12 18:14:51 localhost openvpn-vtun01[2477]: Initialization Sequence Completed

server config:
set interfaces openvpn vtun01 mode 'server'
set interfaces openvpn vtun01 server subnet '172.16.2.0/24'
set interfaces openvpn vtun01 tls ca-cert-file '/config/auth/openvpn/ca.crt'
set interfaces openvpn vtun01 tls cert-file '/config/auth/openvpn/srv.crt'
set interfaces openvpn vtun01 tls dh-file '/config/auth/openvpn/dh.pem'
set interfaces openvpn vtun01 tls key-file '/config/auth/openvpn/srv.key'

client config:
set interfaces openvpn vtun01 mode 'client'
set interfaces openvpn vtun01 remote-host '10.1.1.120'
set interfaces openvpn vtun01 tls ca-cert-file '/config/auth/openvpn/ca.crt'
set interfaces openvpn vtun01 tls cert-file '/config/auth/openvpn/client.crt'
set interfaces openvpn vtun01 tls key-file '/config/auth/openvpn/client.key'
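The two log excerpts above (thinkl33t's failing client-instance and hagbard's successful 2.4 handshake) differ in one line worth checking on any server: the "Control Channel: TLSv1.2, cipher ..." line that only appears once the handshake completes. The script below is an added example, not code from this task or from VyOS; it groups server-side OpenVPN log lines per peer, records the negotiated control-channel TLS version and cipher, counts TLS errors, and flags any peer that negotiated below a chosen minimum. The sample lines are constructed from the excerpts in this thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two excerpts in this thread: a failing
# client-instance (thinkl33t) and a successful OpenVPN 2.4 handshake (hagbard).
SAMPLE_LOG = """\
OpenVPN: 10.35.2.1:1194 TLS: Initial packet from [AF_INET]10.35.2.1:1194, sid=4c88b2b8 7e4fa7c9
OpenVPN: 10.35.2.1:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
OpenVPN: 10.35.2.1:1194 TLS Error: TLS handshake failed
OpenVPN: 10.35.2.1:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 TLS: Initial packet from [AF_INET]10.1.1.121:50689, sid=6b850fe7 31a6dff1
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mar 12 18:13:32 localhost openvpn-vtun01[3076]: 10.1.1.121:50689 [client] Peer Connection Initiated with [AF_INET]10.1.1.121:50689
"""

# Server-side lines carry "ip:port" as the first token after the daemon prefix.
PEER_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d+) (.*)$")
CONTROL_RE = re.compile(r"Control Channel: (TLSv[\d.]+), cipher (?:TLSv1/SSLv3 )?([^\s,]+)")


def tls_tuple(version):
    """'TLSv1.2' -> (1, 2); 'TLSv1' -> (1,), so tuple ordering compares versions."""
    return tuple(int(x) for x in version[len("TLSv"):].split("."))


def analyse_openvpn_log(text, min_tls="TLSv1.2"):
    """Group server log lines per peer and report what each handshake achieved."""
    peers = defaultdict(lambda: {"tls": None, "cipher": None, "ok": False,
                                 "errors": [], "weak": None})
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue                      # daemon start-up lines have no peer
        peer, msg = m.groups()
        p = peers[peer]
        c = CONTROL_RE.search(msg)
        if c:
            p["tls"], p["cipher"] = c.groups()
            p["weak"] = tls_tuple(p["tls"]) < tls_tuple(min_tls)
        elif "TLS Error:" in msg or "tls-error" in msg:
            p["errors"].append(msg)       # handshake never completed
        elif "Peer Connection Initiated" in msg:
            p["ok"] = True
    return dict(peers)


if __name__ == "__main__":
    for peer, info in analyse_openvpn_log(SAMPLE_LOG).items():
        state = "OK" if info["ok"] else f"FAILED ({len(info['errors'])} TLS errors)"
        print(f"{peer}: {state}, control channel {info['tls']} / {info['cipher']}")
```

A peer that fails with TLS errors and never logs a Control Channel line, as in the first excerpt, never got as far as agreeing a protocol version, which is what a client pinned to TLS 1.0/1.1 looks like against a server that only accepts 1.2.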

dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
dmbaturin set Issue type to Unspecified (please specify).