Hi Michael,
On 02/09/2025 16:07, Michael Tremer wrote:
Hello Adolf,
On 2 Sep 2025, at 11:34, Adolf Belka <adolf.be...@ipfire.org> wrote:
Hi Michael,
On 28/08/2025 10:46, Michael Tremer wrote:
Hello Adolf,
This is great.
I would suggest to create a Git branch somewhere and push those changes right
now. That way, we will only have to merge them later and not even think about
what changes we need and why.
Will do so.
The changes are located at
https://git.ipfire.org/?p=people/bonnietwin/ipfire-2.x.git;a=shortlog;h=refs/heads/openvpn-2.7_alpha3
This includes the sorting out of the status extraction information and the
removal of the deprecated persist-key option.
Removing this worked fine for the server and rw clients. The server.conf and
the rw client .ovpn files all no longer have the persist-key option. as they
are all created anew when a backup is restored or an update carried out.
However for the n2n connections, these are stored as already created .conf
files and therefore keep the persist-key entry and therefore get the warning
about the deprecated option.
When we do the update of openvpn-2.7 we will need to add in a patch to remove
the persist-key from existing n2n connections.
The same for the backup. I will create an update top the backup.pl file to do
this and add it to the above openvpn-2.7 branch.
I found in the deprecated options section of OpenVPN a comment that says
WARNING: This migration approach will not work after the release of OpenVPN
v2.7. As of that release, BF-CBC, CAST or RC2 ciphers will not be accepted any
more.
This is in the section on migrating away from deprecated ciphers.
However there is also the statement in removal of insecure ciphers
For now we will not officially remove them and focus on educating users. Maybe
at some point the SSL libraries will start dropping them.
I tested out running openvpn with BF-CBC in the ciphers-data-fallback and got
the following message in the openvpn-2.7 logs
WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).
This allows attacks like SWEET32. Mitigate by using a --cipher with a larger
block size (e.g. AES-256-CBC). Support for these insecure ciphers will be
removed in OpenVPN 2.7.
I also then manually changed the server.conf file to have data-ciphers also set
to BF-CBC and then restarted openvpn-rw and the same above message is shown but
openvpn-rw is running.
So the insecure ciphers will still be accepted but there will be a warning in
the logs.
This should not *really* bother us because we should soon have all servers
supporting NCP. That way, all clients which also support NCP will automatically
migrate away from the statically configured ciphers (no matter what it is). If
people are using clients that are still not supporting NCP (pre 2.4), those will
break when they are removing support for these ciphers on the server side.
However, even 2.5 is already EOL, so nobody should be on OpenVPN <= 2.3.
On the compression front, I found the following statement in the openvpn-2.7
changes
--------------
Remove support for compression on send
We can't disable compression support on receive because
that would break too many configurations out there. But
we can remove the support for compressing outgoing traffic,
it was disabled by default anyway.
Makes "--allow-compression yes" an alias for
"--allow-compression asym" and removes all resulting dead code.
--------------
So the compress outgoing was disabled by default anyway but in 2.7 the code
will no longer exist in openvpn
I don't believe this changes how we are using the compress migrate option but I
thought I would flag it up for you to see.
Interesting that they are saying now that they can't as standard disable
compression support on receive due to so many user configs using it.
The configuration might still include “compress”, but actually, OpenVPN won’t
really compress any data any more. The “compress migrate” option might
sometimes add a special header which was formerly required when compression was
enabled, but it won’t compress the payload any more. Currently, our server is
configured to accept compressed packets (if the client really insists), but it
will never send a compressed packed as that would make the stream vulnerable to
the voracle attack.
So this should not really affect us. In fact it is a good thing because we can
rely on clients >= 2.7 never to send any compressed data either which would be
a security benefit.
So, all green lights from me on the 2.7 front for now!
I think so also. 2.7 will be much easier than the move from 2.5 to 2.6
I will also do a test and update of the openvpn-2.7 branch when the beta and rc
versions are released.
Regards,
Adolf.
-Michael
Regards,
Adolf.
Best,
-Michael
On 27 Aug 2025, at 17:58, Adolf Belka <adolf.be...@ipfire.org> wrote:
Hi Michael,
On 27/08/2025 15:24, Adolf Belka wrote:
Hi Michael,
On 18/08/2025 13:47, Michael Tremer wrote:
Hello Adolf,
This is really valuable work because we might have to start transitioning
OpenVPN changes a lot sooner than the final release is coming out because of
all this bad, static configuration stuff on both sides of the connection.
But this actually proves the opposite. The —-persist-key option can be easily
dropped then. We use it everywhere and it will then become the default. Very
good.
Regarding the status, there have been many changes over the years and it
usually should be easy to fix it. Normally more information is being added and
we just need to account for it. Hopefully that is a 5 minute job.
Based on your input I had a look at the differences in the status log from 2.6
and 2.7
With 2.6 the Real Address is IP:PORT
With 2.7 it is UDP4:IP:PORT
So that definitely looks like it should be easy to fix.
I have tested out some changes and have been able to get the OpenVPN Connection
statistics and the Status display for each of the connection lines to work
again.
So when we come to upgrade to OpenVPN-2.7.x then I know what changes will be
needed.
Regards,
Adolf.
So with this information, I am very relaxed and hopeful that the new 2.7
release will be an easy update for us and everyone using OpenVPN.
It does look like it should not be so stressful an update as we have had from
2.5 to 2.6
Regards,
Adolf.
Best,
-Michael
On 17 Aug 2025, at 14:43, Adolf Belka <adolf.be...@ipfire.org> wrote:
Hi All,
I have built and done initial testing of CU198 with OpenVPN-2.7_alpha3. Here is
my initial feedback.
My N2N connection connected and I could ping between both ends. The status on
the OpenVPN WUI page showed as Connected.
Only item was that when rebooting the following message shows up in the boot
log when the N2N connection is started
DEPRECATED: --persist-key option ignored. Keys are now always persisted across
restarts.
I the tested out the old existing Android and Linux Laptop client connections.
In both cases at the client ends they said they were connected.
On the Linux Laptop I could ping to a PC on the green network. For both the
Linux Laptop and Android phone I could access the WUI page of the IPFire
system. The logs showed that the clients were connected.
However in both cases the OpenVPN WUI page stayed showing the RW connections as
disconnected. Accessing the OpenVPN Connection Statistics never showed any
connection existing.
So the status methodology for the RW's does not seem to be working with
OpenVPN-2.7, even though the connections were successfully connected and the
standard openvpn logs show the rw clients as connected.
I will have another go with new client connections and see if that shows
anything different with regard to the status.
Also need to remember this is the alpha3 release so there might be bugs still
and maybe that is what I am experiencing.
So RW connections get made but stay showing as disconnected when they are
actually connected.
N2N connections show as connected and are connected.
Regards
Adolf
