
Do not generate keysize option in OpenVPN configs
Closed, Resolved (Public)

Description

Currently, our OpenVPN configuration scripts generate the following options when an encryption cipher is not specified:

# Encryption options
cipher bf-cbc
keysize 128

The problem is that --keysize no longer exists in OpenVPN 2.6.

And the default config of VyOS 1.3.x makes OpenVPN fail to start:

Sep 20 08:24:01 openvpn-vtun20[4801]: Options error: Unrecognized option or missing or extra parameter(s) in vtun20.conf:67: keysize (2.6.3)
Sep 20 08:24:01 openvpn-vtun20[4801]: Use --help for more information.
Sep 20 08:24:01 systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
Sep 20 08:24:01 systemd[1]: [email protected]: Failed with result 'exit-code'.

Simply removing the deprecated option fixes the problem — for the old default, BF-CBC 128. However, there seem to be no explicit "bf-128-cbc" and "bf-256-cbc", so Blowfish with 265 bit keys is no longer possible to configure.
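
A pre-flight check for the failure described above, as an added example that is not VyOS code: it drops `keysize` from a generated config and flags any value other than the 128-bit default, because removing those changes the effective key length. The function names and the sample configs are constructed for illustration.

```python
# Added example: scan a generated OpenVPN config for the option that
# OpenVPN 2.6 rejects (per the report above) before the service is restarted.
REMOVED_OPTIONS = {"keysize"}   # taken from the report; extend as needed
BF_DEFAULT_BITS = 128           # old default named in the report (BF-CBC 128)

def directives(conf_text):
    """Yield (line_no, option, args) for each directive, skipping comments."""
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":
            continue
        tokens = stripped.split()
        # Accept both "keysize 128" and the CLI-style "--keysize 128".
        yield line_no, tokens[0].lstrip("-").lower(), tokens[1:]

def strip_removed_options(conf_text):
    """Return (cleaned_text, findings).

    A finding has review=True when the dropped key size is not the default,
    so deleting the line silently changes the tunnel's key length.
    """
    findings, drop = [], set()
    for line_no, name, args in directives(conf_text):
        if name not in REMOVED_OPTIONS:
            continue
        drop.add(line_no)
        bits = int(args[0]) if args and args[0].isdigit() else None
        findings.append({"line": line_no, "option": name, "value": bits,
                         "review": bits != BF_DEFAULT_BITS})
    lines = conf_text.splitlines()
    cleaned = "\n".join(l for i, l in enumerate(lines, 1) if i not in drop)
    return cleaned + "\n", findings

# Constructed sample configs (not taken from a real system).
SAMPLE_DEFAULT = "# Encryption options\ncipher bf-cbc\nkeysize 128\n"
SAMPLE_CUSTOM = "dev vtun20\ncipher bf-cbc\n--keysize 256\n"

if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_DEFAULT), ("custom", SAMPLE_CUSTOM)):
        cleaned, findings = strip_removed_options(conf)
        for f in findings:
            action = "needs manual review" if f["review"] else "safe to drop"
            print(f"{label}: line {f['line']}: {f['option']} {f['value']} ({action})")
```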

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (non-migratable)
Issue type
Feature/functionality removal

Event Timeline

dmbaturin changed Is it a breaking change? from Perfectly compatible to Config syntax change (non-migratable).
dmbaturin changed Issue type from Bug (incorrect behavior) to Feature/functionality removal.

Blowfish support was removed in 1.4, so its key size is no longer an issue.