[Openvpn-users] OpenVPN 2.4_rc2 released

2016-12-16 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4_rc2. 
It can be downloaded from here:



Compared to OpenVPN 2.3 this is a major update with a large number of 
new features, improvements and fixes. Changes compared to the previous 
OpenVPN 2.4 release are fairly minor, and include several small fixes 
and improvements.  A summary of these changes is available here:



A full list of changes is available here.



OpenVPN GUI bundled with the Windows installer has a large number of new 
features compared to the one bundled with OpenVPN 2.3. Details are 
available on the "ChangesInOpenvpn24" page, above.

For generic help use these support channels:

Official documentation: 

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires 
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] How do I know my network traffic is using vpn channel?

2016-12-16 Thread David Sommerseth
On 16/12/16 15:54, James wrote:
> I have setup a static key vpn connection. I can connect my VPN "server"
> at home from outside, saying public library. But how do I know all my
> network traffic is going through my VPN server? 
> 
> I am asking this because I was traveling in China last month. I
> connected my server at home in USA from there but I still cannot access
> Google. Both machines are Windows 7. Do I need to do any special
> configuration for this purpose?
> 

You need to read-up on --redirect-gateway in the man page.  If you don't
set up any kind of routing, it will use the local interface for most of
the network traffic.


--
kind regards,

David Sommerseth





Re: [Openvpn-users] Does windows (10) client need admin rights?

2016-12-16 Thread David Sommerseth
On 16/12/16 16:26, Sebastian Rubenstein wrote:

> What about OpenVPN 2.4 for Linux/BSD? Using the command line in a
> terminal, Linux/BSD users will continue to use sudo openvpn config.ovpn,
> am I correct?

Selva and JJK are correct.  Currently with OpenVPN v2.x root is
needed for OpenVPN, unless you let NetworkManager take care of VPN
tunnels.  Which may or may not work well for you - depending on how
advanced your config and needs are.

With that said, I have started working on a Linux client based on the
OpenVPN 3 core client library which got open sourced not too long ago.
This will be a new client written from scratch, as the core client
library is written in C++.  In this work I take into consideration that
basic Linux distributions have advanced tremendously and plan privilege
separation as a core concept for the implementation.  I don't have too
much to show for just yet, but it is slowly moving forward and hope I
can have something for the publicity within a couple of months or so,
though it won't be the final release; much more a bleeding edge
development version where contributions will be appreciated.

What I can say already is that the implementation will most likely be
two components - user front-ends and a privileged but restricted openvpn
daemon, communicating with each other over D-Bus.  D-Bus + PolicyKit
takes care of authentication and privilege authorization in regards to
starting/stopping and otherwise managing VPN tunnels.  This should also
make it far easier to write various user front-ends to manage these
tunnels while having a much better control of the privileges the core
OpenVPN daemon requires.

But as said ... the work has barely started and the first thing I had
to do was to get the core client library working with mbedtls-2.3 and
newer.  The needed pieces to make it usable are still being carved out.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-users] Keywords to look for that may indicate a VPN provider is providing strong encryption/decryption?

2016-12-16 Thread Selva Nair
On Fri, Dec 16, 2016 at 11:02 AM, Jan Just Keijser wrote:

> > There is no way for a customer like me to get hold of my VPN provider's
> server and intermediate certificates to check if the cipher strength is at
> least 2048 bits, correct?
> >
> >
> the openvpn server actually sends this information to the client when it
> tries to connect, but it is quite hard to get at it. I don't have much
> time to investigate, but I'm curious what happens if the server has a
> 2048bit certificate signed by a 1024bit CA - that should pop up
> somewhere in the logs, but I simply don't know when & where.


The client config would include the CA certificate (and, I think, all
intermediate certs as well) either inline or as a separate file. So one
could manually check the certificates. As for the server cert, you could
use
--tls-verify some-script.sh
--tls-export-cert directory
in the config. These options do work on clients, though they are more
commonly used on servers. The script can then access each certificate at
the path given in the peer_cert env variable and use /usr/bin/openssl to
find the key size etc.
See the man page for details about those options.

Selva
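A --tls-verify hook along the lines Selva describes, added here as an example (it is not code from the post or from the OpenVPN project): it reads the chain certificate OpenVPN exports through peer_cert, pulls the key size out of openssl's text output and refuses the handshake below the thresholds JJK suggests in this thread. The script path, export directory and the sample certificate text are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the list post or the OpenVPN project): a client-side
# --tls-verify hook that checks the key size of every certificate in the
# server's chain and aborts the handshake when one is too weak.
#
# Assumed client config lines:
#   script-security 2
#   tls-export-cert /tmp/openvpn-certs
#   tls-verify /etc/openvpn/check-keysize.sh
# OpenVPN then runs  check-keysize.sh <depth> <subject>  once per chain
# certificate, with that certificate's PEM path in the peer_cert variable.
# Exit status 0 accepts the certificate; anything else aborts the handshake.

MIN_RSA_BITS=2048      # server and intermediate certificates
MIN_RSA_CA_BITS=4096   # the self-signed root CA (threshold suggested in the thread)
MIN_EC_BITS=256        # P-256 or larger is acceptable at any depth

# Pull the key size out of `openssl x509 -noout -text` output; prints 0 if absent.
key_bits_from_text() {
    bits=$(printf '%s\n' "$1" \
        | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    printf '%s\n' "${bits:-0}"
}

# Classify the key algorithm from the same text: rsa, ec or unknown.
key_type_from_text() {
    case "$1" in
        *rsaEncryption*)  echo rsa ;;
        *id-ecPublicKey*) echo ec ;;
        *)                echo unknown ;;
    esac
}

# A certificate whose Issuer equals its Subject is self-signed, i.e. the root CA.
is_self_signed() {
    issuer=$(printf '%s\n' "$1" | sed -n 's/^ *Issuer: *//p' | head -n 1)
    subject=$(printf '%s\n' "$1" | sed -n 's/^ *Subject: *//p' | head -n 1)
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# Policy: succeed (0) to accept a key of the given type and size, fail (1) to reject.
# root=1 marks the self-signed CA, which must meet the stricter RSA threshold.
key_acceptable() {
    ktype=$1; kbits=$2; root=$3
    case "$ktype" in
        ec)  [ "$kbits" -ge "$MIN_EC_BITS" ] ;;
        rsa) if [ "$root" -eq 1 ]; then [ "$kbits" -ge "$MIN_RSA_CA_BITS" ]
             else [ "$kbits" -ge "$MIN_RSA_BITS" ]; fi ;;
        *)   return 1 ;;   # unknown algorithm: refuse rather than guess
    esac
}

# Apply the policy to one certificate's text and log the verdict to stderr.
check_cert_text() {
    text=$1; depth=$2
    ktype=$(key_type_from_text "$text")
    kbits=$(key_bits_from_text "$text")
    if is_self_signed "$text"; then root=1; else root=0; fi
    if key_acceptable "$ktype" "$kbits" "$root"; then
        echo "tls-verify: depth $depth accepted ($ktype $kbits bit, root=$root)" >&2
        return 0
    fi
    echo "tls-verify: depth $depth REJECTED ($ktype $kbits bit, root=$root)" >&2
    return 1
}

# Constructed, abridged samples of `openssl x509 -text` output for a dry run.
SAMPLE_LEAF='Certificate:
    Data:
        Issuer: CN = Example VPN Root CA
        Subject: CN = vpn.example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'
SAMPLE_WEAK_ROOT='Certificate:
    Data:
        Issuer: CN = Example VPN Root CA
        Subject: CN = Example VPN Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'

# Hook entry point: only active when OpenVPN supplies the depth and peer_cert.
if [ $# -ge 1 ] && [ -n "${peer_cert:-}" ]; then
    cert_text=$(openssl x509 -in "$peer_cert" -noout -text) || exit 1
    check_cert_text "$cert_text" "$1"
    exit $?
fi
```

The 2048-bit leaf signed by the 1024-bit root in the samples is exactly JJK's "what happens then" case: the leaf passes at depth 0, the root is rejected, and the rejection reason lands in the OpenVPN log.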


Re: [Openvpn-users] Keywords to look for that may indicate a VPN provider is providing strong encryption/decryption?

2016-12-16 Thread Jan Just Keijser
Hi,

On 16/12/16 16:48, Sebastian Rubenstein wrote:
>
>> - a private key size of 4096 does not mean anything. What is more
>> important is that the CA certificate used to sign the client and server
>> certs is 4096 bits (or EC based) and that the remaining certs
>> (intermediate, server, client) are at least 2048 bit in strength;
>> Increasing the strength beyond that is useless for now (RSA 2048 has not
>> been broken yet) and it will only slow things down.
>>
> There is no way for a customer like me to get hold of my VPN provider's 
> server and intermediate certificates to check if the cipher strength is at 
> least 2048 bits, correct?
>
>
the openvpn server actually sends this information to the client when it 
tries to connect, but it is quite hard to get at it. I don't have much 
time to investigate, but I'm curious what happens if the server has a 
2048bit certificate signed by a 1024bit CA - that should pop up 
somewhere in the logs, but I simply don't know when & where.

JJK




Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider using weak or strong encryption algorithms?

2016-12-16 Thread Sebastian Rubenstein
Hello Jan

> Sent: Friday, December 16, 2016 at 4:41 PM
> From: "Jan Just Keijser" 
> To: "Sebastian Rubenstein" , 
> openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider 
> using weak or strong encryption algorithms?
>
> With the upcoming 2.4 release and/or the new tls-crypt option security 
> *is* improved for the clients, as it will become harder to sniff any 
> part of the initial control channel negotiation.  That doesn't mean that 
> *without* tls-crypt your connection is not secure, it just means that 
> with tls-crypt your connection is 0.5% more secure.
> 
Thanks for your reply.

OpenVPN should thank you for extolling and evangelizing the benefits of 
upgrading to 2.4 :)

Regards.

Sebastian




Re: [Openvpn-users] Does windows (10) client need admin rights?

2016-12-16 Thread Selva Nair
On Fri, Dec 16, 2016 at 10:26 AM, Sebastian Rubenstein wrote:

> > Subject: Re: [Openvpn-users] Does windows (10) client need admin rights?
> >
> >
> > In version 2.4, the GUI and openvpn will run without admin privileges by
> > default unless you try to run it as administrator. If you also want to
> > allow users to run arbitrary configs stored in their profile (as
> > opposed to the one admin installs in system-wide location), you need to
> > add them to a group named
> > "OpenVPN Administrators" (the group name may be customized).
>
> Based on the above statements, you were referring to OpenVPN 2.4 for
> Microsoft Windows, right?
>

Yes, as subject says I was referring to Windows.

>
> What about OpenVPN 2.4 for Linux/BSD? Using the command line in a
> terminal, Linux/BSD users will continue to use sudo openvpn config.ovpn, am
> I correct?
>

The short answer is yes, you need root. But you could set it up to run as a
user by giving the user access to run the ip-route command, a static tun device
etc. In addition you could further drop privileges so that the process can
run with rights less than a normal user has (no access to users' files
etc.)

Selva
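A Linux client config that follows the outline above, added here as an example (not from the post or from the OpenVPN project); the pre-created tun device, the account name "vpnuser" and the server name are assumptions.

```conf
# Added example, not from the post or the OpenVPN project: a Linux client
# config following Selva's outline. Assumes root pre-created the tun device
# once and handed it to the unprivileged account "vpnuser" (assumed name):
#     ip tuntap add dev tun0 mode tun user vpnuser
# and that the server name below is a placeholder.
client
dev tun0                 # attach to the pre-created device; no root needed for this
remote vpn.example.net 1194 udp
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
# Adding the route still needs CAP_NET_ADMIN: either let openvpn start as root
# and drop to "nobody" once the tunnel is up (the four lines below), or start
# it as vpnuser with route-noexec and add the route from a root-owned helper.
user nobody              # after init the process has fewer rights than a login user
group nogroup            # (Debian group name; it cannot read the user's files any more)
persist-key              # keep keys in memory: "nobody" cannot re-read client.key ...
persist-tun              # ... nor re-open /dev/net/tun on a restart or SIGUSR1
```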


Re: [Openvpn-users] Keywords to look for that may indicate a VPN provider is providing strong encryption/decryption?

2016-12-16 Thread Sebastian Rubenstein
Hello Jan,

Thanks for your reply.

> Sent: Friday, December 16, 2016 at 2:24 PM
> From: "Jan Just Keijser" 
> To: "Sebastian Rubenstein" , 
> openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Keywords to look for that may indicate a VPN 
> provider is providing strong encryption/decryption?
>
> -  you can add 'remote-cert-tls server' yourself and if your VPN does 
> not come up (i.e. the server fails this test) then I'd *not* trust the 
> server or the VPN provider

Thank you again. This is a significant piece of information for me :)

> - tls-auth + key-direction is nice but it adds a false sense of 
> security: as discussed earlier, tls-auth is based on a pre-shared secret 
> amongst *ALL* VPN clients - this means that anybody that subscribed to 
> that particular VPN provider at some point in the past probably has that 
> tls-auth key file. You can also bet that security services (FBI, NSA 
> etc) will have that tls-auth key already. The only extra benefit of 
> having the tls-auth file is that it prevents some DDoS flooding attacks, 
> mostly against the *server*.

I really appreciate your taking the time to explain the above to me.

It seems to me that using the --tls-auth key file is not good for security at 
all as an expert had earlier replied that anyone who has the --tls-auth key 
file could inject malicious packets. What viable alternatives would you propose 
please?

> - a private key size of 4096 does not mean anything. What is more 
> important is that the CA certificate used to sign the client and server 
> certs is 4096 bits (or EC based) and that the remaining certs 
> (intermediate, server, client) are at least 2048 bit in strength; 
> Increasing the strength beyond that is useless for now (RSA 2048 has not 
> been broken yet) and it will only slow things down.
> 
There is no way for a customer like me to get hold of my VPN provider's server 
and intermediate certificates to check if the cipher strength is at least 2048 
bits, correct?

Regards.

Sebastian



Re: [Openvpn-users] Does windows (10) client need admin rights?

2016-12-16 Thread Jan Just Keijser
On 16/12/16 16:38, Sebastian Rubenstein wrote:
> Hello Jan
>
>> Sent: Friday, December 16, 2016 at 2:26 PM
>> From: "Jan Just Keijser" 
>> To: "Kevin Long" , 
>> openvpn-users@lists.sourceforge.net
>> Subject: Re: [Openvpn-users] Does windows (10) client need admin rights?
>>
>>
>> There is little to be done about this, as Windows *requires* admin
>> privileges if someone tries to alter the system routing tables. As most
>> VPNs typically do just that, you will always end up needing admin privs
>> somewhere. Complain to Microsoft about their horrendous security system,
>> not to OpenVPN.
>>
> What about OpenVPN 2.4 for Linux/BSD users? If they use the command line in a 
> terminal, they still need to use sudo openvpn name-of-config-file.ovpn, is 
> that right?

yes, on all other OSes you still need root (using e.g. sudo) to 
*manually* start OpenVPN. However, on most Linux distros you'd use 
NetworkManager to manage your VPN, for which no root rights are needed: 
NetworkManager consists of a daemon running as root (compare: the 
Windows 7/8/10 OpenVPN interactive service) and a user-space client 
applet (nm-applet) that can start and stop connections (compare: the 
Windows 7/8/10 OpenVPN GUI).

JJK



Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider using weak or strong encryption algorithms?

2016-12-16 Thread Jan Just Keijser
Hi,

On 16/12/16 16:34, Sebastian Rubenstein wrote:
>> Sent: Friday, December 16, 2016 at 2:31 PM
>> From: "Jan Just Keijser" 
>> To: "Sebastian Rubenstein" , 
>> openvpn-users@lists.sourceforge.net
>> Subject: Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider 
>> using weak or strong encryption algorithms?
> Hello Jan, thanks for your reply.
>
> I have learnt something new from you. I was under the impression that 
> tls-auth is used to protect customers while in actual fact, it is used to 
> protect the VPN provider's servers. How ignorant of me!
>>
>> Not really - it means they use tls-auth to protect their servers against
>> DDoS attacks. I'd not trust the tls-auth key file provided by a large
>> VPN provider at all, as almost *anybody* will have access to that file.
>>
>>
> Having said that, what alternatives would you propose that a large VPN 
> provider could use, since *every customer* will have access to tls-auth key 
> file?
>
>
well, it's not 100% black and white: current VPN providers will use 
tls-auth mostly to protect their own servers, but it *does* protect the 
clients a little bit as well - it prevents DDoS attacks on the VPN 
client as well (but those hardly ever occur in the first place) and it 
actually makes it slightly harder for the NSA to decrypt the traffic ;)

With the upcoming 2.4 release and/or the new tls-crypt option security 
*is* improved for the clients, as it will become harder to sniff any 
part of the initial control channel negotiation.  That doesn't mean that 
*without* tls-crypt your connection is not secure, it just means that 
with tls-crypt your connection is 0.5% more secure.

JJK




Re: [Openvpn-users] Does windows (10) client need admin rights?

2016-12-16 Thread Sebastian Rubenstein
Hello Jan

> Sent: Friday, December 16, 2016 at 2:26 PM
> From: "Jan Just Keijser" 
> To: "Kevin Long" , 
> openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Does windows (10) client need admin rights?
>
>
> There is little to be done about this, as Windows *requires* admin 
> privileges if someone tries to alter the system routing tables. As most 
> VPNs typically do just that, you will always end up needing admin privs 
> somewhere. Complain to Microsoft about their horrendous security system, 
> not to OpenVPN.
> 

What about OpenVPN 2.4 for Linux/BSD users? If they use the command line in a 
terminal, they still need to use sudo openvpn name-of-config-file.ovpn, is that 
right?

Regards.

Sebastian



Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider using weak or strong encryption algorithms?

2016-12-16 Thread Sebastian Rubenstein
> Sent: Friday, December 16, 2016 at 2:31 PM
> From: "Jan Just Keijser" 
> To: "Sebastian Rubenstein" , 
> openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider 
> using weak or strong encryption algorithms?

Hello Jan, thanks for your reply.

I have learnt something new from you. I was under the impression that tls-auth 
is used to protect customers while in actual fact, it is used to protect the 
VPN provider's servers. How ignorant of me!
>
> 
> Not really - it means they use tls-auth to protect their servers against 
> DDoS attacks. I'd not trust the tls-auth key file provided by a large 
> VPN provider at all, as almost *anybody* will have access to that file.
>
>
Having said that, what alternatives would you propose that a large VPN provider 
could use, since *every customer* will have access to tls-auth key file?

Regards.

Sebastian



Re: [Openvpn-users] Does windows (10) client need admin rights?

2016-12-16 Thread Sebastian Rubenstein
Hi Selva
 
> Sent: Friday, December 16, 2016 at 3:10 PM
> From: "Selva Nair" 
> To: "Kevin Long" 
> Cc: "openvpn users list (openvpn-users@lists.sourceforge.net)" 
> 
> Subject: Re: [Openvpn-users] Does windows (10) client need admin rights?
>
> 
> In version 2.4, the GUI and openvpn will run without admin privileges by 
> default unless you try to run it as administrator. If you also want to 
> allow users to run arbitrary configs stored in their profile (as
> opposed to the one admin installs in system-wide location), you need to add 
> them to a group named 
> "OpenVPN Administrators" (the group name may be customized).

Based on the above statements, you were referring to OpenVPN 2.4 for Microsoft 
Windows, right?

What about OpenVPN 2.4 for Linux/BSD? Using the command line in a terminal, 
Linux/BSD users will continue to use sudo openvpn config.ovpn, am I correct?

Regards.

Sebastian



[Openvpn-users] How do I know my network traffic is using vpn channel?

2016-12-16 Thread James
I have set up a static key VPN connection. I can connect to my VPN "server" at home 
from outside, say from a public library. But how do I know all my network traffic 
is going through my VPN server? 
I am asking this because I was traveling in China last month. I connected to my 
server at home in the USA from there but I still cannot access Google. Both 
machines are Windows 7. Do I need to do any special configuration for this 
purpose?
thanks,
James


Re: [Openvpn-users] Keywords to look for that may indicate a VPN provider is providing strong encryption/decryption?

2016-12-16 Thread Jan Just Keijser

On 16/12/16 15:06, Dreetjeh D wrote:

Hi,
If I'm allowed again (:

>- a private key size of 4096 does not mean anything. What is more
>important is that the CA certificate used to sign the client and server
>certs is 4096 bits (or EC based) and that the remaining certs
>(intermediate, server, client) are at least 2048 bit in strength;
>Increasing the strength beyond that is useless for now (RSA 2048 has not
>been broken yet) and *it will only slow things down*.

>JM2CW,

>JJK


From the client's point of view, slowdown only when authenticating?
No slow down after that, except when rekeying occurs after set 
time/byte interval (default 1 hr.)?


correct - the slowdown occurs whenever a (re)keying needs to be done: 
when the connection starts and then every 1 hour (or XXX bytes, 
depending on the config).


JJK



Re: [Openvpn-users] Does windows (10) client need admin rights?

2016-12-16 Thread Selva Nair
On Fri, Dec 16, 2016 at 12:27 AM, Kevin Long wrote:

> Having the OpenVPN GUI require admin privileges to run is certainly not
> ideal. Am I missing something or is there a way around this?


In version 2.4, the GUI and openvpn will run without admin privileges by
default unless you try to run it as administrator. If you also want to
allow users to run arbitrary configs stored in their profile (as opposed
to the one admin installs in system-wide location), you need to add them to
a group named "OpenVPN Administrators" (the group name may be customized).

Version 2.4_rc1 is already out, the stable release is scheduled for the end
of this month.

Selva


Re: [Openvpn-users] Keywords to look for that may indicate a VPN provider is providing strong encryption/decryption?

2016-12-16 Thread Dreetjeh D
Hi,
If I'm allowed again (:

>- a private key size of 4096 does not mean anything. What is more
>important is that the CA certificate used to sign the client and server
>certs is 4096 bits (or EC based) and that the remaining certs
>(intermediate, server, client) are at least 2048 bit in strength;
>Increasing the strength beyond that is useless for now (RSA 2048 has not
>been broken yet) and it will only slow things down.

>JM2CW,

>JJK


From the client's point of view, slowdown only when authenticating?
No slow down after that, except when rekeying occurs after set time/byte 
interval (default 1 hr.)?


Thanks,
Pippin


Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider using weak or strong encryption algorithms?

2016-12-16 Thread Jan Just Keijser
Hi,


On 16/12/16 13:27, Sebastian Rubenstein wrote:
> Can I take your above statement into consideration when I shop for a 
> commercial VPN provider? For example, before I buy a subscription plan, 
> I will ask if they use tls-auth ta.key. If they do, it means they trust 
> their customers, yes?

Not really - it means they use tls-auth to protect their servers against 
DDoS attacks. I'd not trust the tls-auth key file provided by a large 
VPN provider at all, as almost *anybody* will have access to that file.


On 16/12/16 13:31, Sebastian Rubenstein wrote:

> AES-GCM has a shorter authentication tag (128 bits) than HMAC-SHA256 
> (256 bits). Also, AES-GCM doesn't need an unpredictable IV but rather 
> just a unique-per-key nonce, which means we can transfer 8 fewer bytes 
> per packet for the IV. This saves us a total of 24 bytes per packet 
> overhead compared to cipher AES-256-CBC + auth SHA256. Furthermore, 
> AES-GCM can maximally leverage the AES-NI hardware acceleration 
> available in modern Intel CPUs, which will result in *much* faster 
> crypto.
> in terms of cryptographic strength, AES-256-GCM is comparable to HMAC-SHA256?
>
>

AES-256-GCM is an alternative for AES-256 + SHA2 and is, as Steffan 
wrote, much faster due to a very nicely optimized implementation in the 
underlying OpenSSL libs.
Most https:// connections nowadays are based on AES-256-GCM so they can 
be considered trusted+secure.

HTH,

JJK




Re: [Openvpn-users] Does windows (10) client need admin rights?

2016-12-16 Thread Jan Just Keijser
Hi,

On 16/12/16 06:27, Kevin Long wrote:
>
> I recently deployed an OpenVPN server (Linux) for a company that has 
> primarily Windows 10 computers for client machines,  on a Windows Domain 
> Controller environment, where the end users don’t have Local Admin or Domain 
> Admin rights, as policy.
>
> Having the OpenVPN GUI require admin privileges to run is certainly not 
> ideal. Am I missing something or is there a way around this?
>
with the current release (OpenVPN 2.3) the generic answer is "yes admin 
privileges are necessary".
With the upcoming 2.4 release the need for admin privileges has 
somewhat been decreased (a new interactive service takes over the part 
of needing admin privileges).
There is little to be done about this, as Windows *requires* admin 
privileges if someone tries to alter the system routing tables. As most 
VPNs typically do just that, you will always end up needing admin privs 
somewhere. Complain to Microsoft about their horrendous security system, 
not to OpenVPN.

HTH,

JJK




Re: [Openvpn-users] Keywords to look for that may indicate a VPN provider is providing strong encryption/decryption?

2016-12-16 Thread Jan Just Keijser
Hi,

On 15/12/16 16:53, Sebastian Rubenstein wrote:
> Hi,
>
> There are many criteria to judge if a VPN provider is good, reliable, 
> trustworthy, etc.. and in this thread I am focusing on just the technical 
> criteria. And thanks to Steffan for helping me to understand better what they 
> are to be considered.
>
> In addition to the ones listed below, what other keywords should I look for 
> in config files and client-side log of when my machine is connecting to the 
> VPN server?
>
> 1. tls-client (for Perfect Forward Secrecy)
>
> 2. remote-cert-tls server
>
> 3. cipher AES-256-CBC
>
> 4. auth SHA512 or auth SHA256
>
> 5. tls-auth
>
> 6. key-direction 1
>
> 7. Private key is at least RSA-4096
>
>
options 1 and 2 are normally always set
- 'client' implies 'tls-client'
-  you can add 'remote-cert-tls server' yourself and if your VPN does 
not come up (i.e. the server fails this test) then I'd *not* trust the 
server or the VPN provider
- cipher+auth = AES-256 + SHA256 is nice but other options can also be valid
- tls-auth + key-direction is nice but it adds a false sense of 
security: as discussed earlier, tls-auth is based on a pre-shared secret 
amongst *ALL* VPN clients - this means that anybody that subscribed to 
that particular VPN provider at some point in the past probably has that 
tls-auth key file. You can also bet that security services (FBI, NSA 
etc) will have that tls-auth key already. The only extra benefit of 
having the tls-auth file is that it prevents some DDoS flooding attacks, 
mostly against the *server*.
- a private key size of 4096 does not mean anything. What is more 
important is that the CA certificate used to sign the client and server 
certs is 4096 bits (or EC based) and that the remaining certs 
(intermediate, server, client) are at least 2048 bit in strength; 
Increasing the strength beyond that is useless for now (RSA 2048 has not 
been broken yet) and it will only slow things down.

JM2CW,

JJK




Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider using weak or strong encryption algorithms?

2016-12-16 Thread Sebastian Rubenstein
Hello David,

Thanks for the time that you spent on explaining basic concepts to me.

> Sent: Friday, December 16, 2016 at 2:11 AM
> From: "David Sommerseth" 
> To: "Sebastian Rubenstein" , 
> openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider 
> using weak or strong encryption algorithms?
> 
> But --tls-auth makes it far harder to inject packets, as
> both client and server will just throw away packets with an unexpected
> HMAC signature.  However, commercial public VPN providers will need to
> provide the same key to all its users, so if the packet injection comes
> from a user who managed to get a copy of that --tls-auth key, the
> protection isn't effective any more.

Thanks David for highlighting the above. When you wrote --tls-auth key, you 
were referring to the server-side --tls-auth key, which is owned and kept by 
the VPN provider, yes?

> 
> So if the VPN provider uses a proper community based version and not
> their own AES-GCM implementation, this should work quite fine out of the
> box with v2.4.

My VPN provider has its own AES-GCM implementation and has even offered me the 
source code to check for security risks. As I am no expert in OpenVPN 
technologies and cryptography, I declined to use their software.

Regards.

Sebastian



Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider using weak or strong encryption algorithms?

2016-12-16 Thread Sebastian Rubenstein
Thanks Steffan for your explanation but

> Sent: Friday, December 16, 2016 at 6:05 AM
> From: "Steffan Karger" 
> To: "openvpn-users@lists.sourceforge.net" 
> 
> Subject: Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider 
> using weak or strong encryption algorithms?
>
> 
> AES-GCM has a shorter authentication tag (128 bits) than HMAC-SHA256
> (256 bits).  Also, AES-GCM doesn't need an unpredictable IV but rather
> just a unique-per-key nonce, which means we can transfer 8 fewer bytes
> per packet for the IV.  This saves us a total of 24 bytes per packet
> overhead compared to cipher AES-256-CBC + auth SHA256.
> 
> Furthermore, AES-GCM can maximally leverage the AES-NI hardware
> acceleration available in modern Intel CPUs, which will result in
> *much* faster crypto.

in terms of cryptographic strength, AES-256-GCM is comparable to HMAC-SHA256?

Regards.

Sebastian



Re: [Openvpn-users] Fwd: Re: Experts' opinions needed: Is my VPN provider using weak or strong encryption algorithms?

2016-12-16 Thread Sebastian Rubenstein
Hello

> Sent: Friday, December 16, 2016 at 6:14 AM
> From: "Steffan Karger" 
> To: "Dreetjeh D" 
> Cc: "openvpn-users@lists.sourceforge.net" 
> 
> Subject: Re: [Openvpn-users] Fwd: Re: Experts' opinions needed: Is my VPN 
> provider using weak or strong encryption algorithms?
>
> 
> The reason why you won't see many VPN providers use the tls-auth key
> is that it doesn't work that well with their model: they can't really
> trust their clients, but have to give all clients the same tls-auth
> key.  This model works much better for company or private VPNs, where
> the clients can be trusted to some extent.

Can I take your above statement into consideration when I shop for a commercial 
VPN provider? For example, before I buy a subscription plan, I will ask if they 
use tls-auth ta.key. If they do, it means they trust their customers, yes?

> (I'm working on adding
> support for client-specific tls-auth/tls-crypt keys to fix this, you
> can expect a proposal on the openvpn-devel list early next year.)

That's good news, Steffan. I wonder why your proposed feature was not included 
in earlier versions of OpenVPN? Was it because of time constraints? complexity 
in coding?

Regards.

Sebastian




Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider using weak or strong encryption algorithms?

2016-12-16 Thread Dreetjeh D
Hi,

Thanks for the explanations.

Pippin

--
On 15-12-2016 at 23:05, Steffan Karger wrote:

On 15-12-2016 at 21:10, David Sommerseth wrote:
