Re: [Openvpn-users] wireguard encryption settings in openvpn

2020-04-06 Thread Jan Just Keijser

Hi,

On 06/04/20 15:13, Mário Barbosa wrote:

> Hello,
>
> Experienced linux sysadmin here, though rather novice with regard to
> openvpn, openssl, PKI, and encryption matters in general.
>
> Context:
> I am currently in the middle of rebuilding the whole vpn infra of the
> company I work for, and feeling quite overwhelmed by the amount of
> critical-to-security choices I have to make that I don't understand (nor
> can expect to in the limited amount of time I have). I would rather
> someone more knowledgeable had either a) made those choices, or b)
> pointed at secure-enough defaults. The people at wireguard did just
> that, and that seems to be one of their strongest "selling points"
> (simplicity of setup of security part of things).
> Because of this, I have been thinking that mimicking their choices to
> the extent possible might be a good idea (if you think this is wrong,
> please tell me so, and explain why).
>
> I searched the openvpn-*@lists.sourceforge.net archives for wireguard,
> but couldn't find any mentions of a way to replicate wireguard's choices
> with regard to encryption in openvpn roadwarrior-type of setups. I don't
> expect to be able to completely replicate what is described in [1] (it
> would be nice, though), just the next best option.
>
> If you're about to suggest that I "just use wireguard, then!", please
> notice that I 1) can't (the pfsense machines I am running openvpn server
> on don't support it) and 2) don't want to.
>
> [1] https://www.wireguard.com/protocol/



if you mean these encryption settings

 * ChaCha20 for symmetric encryption, authenticated with Poly1305, using
   RFC7539's AEAD construction
 * Curve25519 for ECDH
 * BLAKE2s for hashing and keyed hashing, described in RFC7693
 * SipHash24 for hashtable keys
 * HKDF for key derivation, as described in RFC5869

then the answer is simple:

- not supported
- use EC certificates
- not supported
- not needed/necessary
- not supported

As OpenVPN uses an SSL library like OpenSSL or mbedtls you can use all 
crypto features provided by that library. As far as I know, OpenSSL does 
not support chacha20 or blake2 yet, so neither does OpenVPN.


Regarding the various comments I have seen about openvpn being big and 
bloated compared to wireguard: that's comparing apples and oranges.   
Wireguard is little more than a Linux kernel module that only does 
encryption using some form of preshared keys (TLS is a no-no). OpenVPN 
is a user-space application that does way more than that, all based on 
TLS.  Someone asking you to use the same encryption settings in openvpn 
as in wireguard is similar to someone asking to use the same /proc 
pseudo filesystem settings in Windows as in Linux.


JM2CW,

JJK / Jan Just Keijser




___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] wireguard encryption settings in openvpn

2020-04-06 Thread Dajka Tamás
Hi Mário,

you can find some articles on the net on how to harden an OpenVPN setup. Since
OpenVPN is based on openssl, it really depends on the client what encryption
you can use.

A couple of weeks ago I was in your shoes and came up with the following setup
(the user authentication method can be different).

server.conf (just the security part):

# Certificates and ciphers
ca my-vpn-ca.crt
cert my-vpn-server.crt
key my-vpn-server.key  # This file should be kept secret
# replaced by tls-crypt
#tls-auth ta.key 0 # This file is secret
tls-crypt tls-crypt.key

dh dh2048.pem
#ecdh-curve ED25519
ecdh-curve secp521r1

cipher AES-256-GCM
ncp-ciphers AES-256-GCM
# TLS 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
# TLS 1.3
tls-ciphersuites TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256
tls-version-min 1.2

auth-nocache
auth SHA512
# continue with a token after the first successful auth
auth-gen-token 14400

client.conf:

verify-hash FILLME_WITH_SHA_FINGERPRINT
# Use this cipher when negotiation is disabled
cipher AES-256-GCM

# Digest algorithm for HMAC authentication
auth SHA512

verify-x509-name "CN=my.server.vpn"

<ca>
-----BEGIN CERTIFICATE-----
FILLME
-----END CERTIFICATE-----
</ca>

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
FILLME
-----END OpenVPN Static key V1-----
</tls-crypt>

remote-cert-tls server

# Don't cache credentials in virtual memory
auth-nocache


Hope this helps!

Cheers,

Tom

-Original Message-
From: Mário Barbosa [mailto:mario.barb...@gmail.com] 
Sent: Monday, April 6, 2020 3:14 PM
To: openvpn-users@lists.sourceforge.net
Subject: [Openvpn-users] wireguard encryption settings in openvpn

Hello,

Experienced linux sysadmin here, though rather novice with regard to openvpn, 
openssl, PKI, and encryption matters in general.

Context:
I am currently in the middle of rebuilding the whole vpn infra of the company I 
work for, and feeling quite overwhelmed by the amount of critical-to-security 
choices I have to make that I don't understand (nor can expect to in the 
limited amount of time I have). I would rather someone more knowledgeable had 
either a) made those choices, or b) pointed at secure-enough defaults. The 
people at wireguard did just that, and that seems to be one of their strongest 
"selling points"
(simplicity of setup of security part of things).
Because of this, I have been thinking that mimicking their choices to the 
extent possible might be a good idea (if you think this is wrong, please tell 
me so, and explain why).

I searched the openvpn-*@lists.sourceforge.net archives for wireguard, but 
couldn't find any mentions of a way to replicate wireguard's choices with 
regard to encryption in openvpn roadwarrior-type of setups. I don't expect to 
be able to completely replicate what is described in [1] (it would be nice, 
though), just the next best option.

If you're about to suggest that I "just use wireguard, then!", please notice 
that I 1) can't (the pfsense machines I am running openvpn server on don't 
support it) and 2) don't want to.

[1] https://www.wireguard.com/protocol/

Thank you in advance for your time and advice, Mário Barbosa





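To make the hardening choices in Tom's server.conf and client.conf above checkable rather than something to eyeball, here is a small stdlib-only Python linter. It is an added example, not code from either post or from the OpenVPN project. It parses an OpenVPN config (skipping comments and inline `<ca>`/`<tls-crypt>` blocks), then checks the settings the posted configs set: tls-crypt or tls-auth present, tls-version-min at least 1.2, AEAD data-channel ciphers, a SHA-2 `auth` digest, `auth-nocache`, and on the client side `remote-cert-tls server` and `verify-x509-name`. The directive names are real OpenVPN 2.4 directives; the AEAD and digest allow-lists are this checker's own policy (assumption), not something OpenVPN enforces. The hardened sample is the security part of the posted server.conf; the weak server and the client sample are constructed.

```python
# Static audit of OpenVPN 2.4-style configs for the settings discussed in this
# thread. Added example; not code from the posts or the OpenVPN project.
import shlex

# Data-channel ciphers OpenVPN treats as AEAD (integrity built in); anything else
# (BF-CBC, AES-*-CBC, ...) depends on the separate --auth HMAC. Checker policy.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
STRONG_DIGESTS = {"SHA256", "SHA384", "SHA512"}  # accepted for --auth (default: SHA1)

def parse_config(text):
    """Return [(directive, args)], skipping comments and collapsing inline
    <ca>...</ca> style blocks (embedded certs/keys) to a single entry."""
    entries, in_inline = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):             # end of an inline block
            in_inline = False
        elif line.startswith("<"):            # start of an inline block
            in_inline = True
            entries.append((line.strip("<>"), ["<inline>"]))
        elif not in_inline:                   # inside a block is PEM body: skip
            parts = shlex.split(line, comments=True)  # drops trailing "# ..."
            if parts:
                entries.append((parts[0], parts[1:]))
    return entries

def audit(entries, role="server"):
    """Return findings for a parsed config; an empty list means all checks passed."""
    seen = {}
    for name, args in entries:
        seen.setdefault(name, []).append(args)
    findings = []
    # Control channel: every packet wrapped and authenticated with a pre-shared key.
    if "tls-crypt" not in seen and "tls-auth" not in seen:
        findings.append("control channel unprotected: add tls-crypt (or tls-auth)")
    # Refuse TLS 1.0/1.1 handshakes.
    tls_min = seen.get("tls-version-min", [[]])[0]
    if not tls_min or float(tls_min[0]) < 1.2:
        findings.append("tls-version-min missing or below 1.2")
    # Data channel: the static cipher and every NCP-negotiable cipher must be AEAD.
    if "cipher" not in seen:
        findings.append("cipher not set (OpenVPN 2.4 falls back to BF-CBC)")
    for name in ("cipher", "ncp-ciphers"):
        for args in seen.get(name, []):
            for c in ":".join(args).split(":"):
                if c.upper() not in AEAD_CIPHERS:
                    findings.append(f"{name} {c} is not an AEAD cipher")
    # HMAC digest for the tls-crypt/tls-auth wrapper and for non-AEAD ciphers.
    auth = seen.get("auth", [[]])[0]
    if not auth or auth[0].upper() not in STRONG_DIGESTS:
        findings.append("auth digest missing or weaker than SHA256")
    # Don't keep the user's password in memory after authentication.
    if "auth-nocache" not in seen:
        findings.append("auth-nocache missing")
    if role == "client":
        # Without these, any cert from the same CA (another client's, say) passes as the server.
        if "remote-cert-tls" not in seen:
            findings.append("remote-cert-tls server missing")
        if "verify-x509-name" not in seen:
            findings.append("verify-x509-name missing")
    return findings

# Security part of the server.conf posted above, comments stripped.
HARDENED_SERVER = """\
key my-vpn-server.key  # This file should be kept secret
tls-crypt tls-crypt.key
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-version-min 1.2
auth-nocache
auth SHA512
"""

# Constructed "before" config that leaves the OpenVPN 2.4-era defaults alone.
WEAK_SERVER = """\
ca ca.crt
cipher BF-CBC
auth SHA1
"""

# Constructed client config in the shape of the posted client.conf; the inline
# <ca> block carries a FILLME placeholder instead of a real certificate.
CLIENT = """\
cipher AES-256-GCM
auth SHA512
verify-x509-name "CN=my.server.vpn"
<ca>
-----BEGIN CERTIFICATE-----
FILLME
-----END CERTIFICATE-----
</ca>
remote-cert-tls server
auth-nocache
"""

if __name__ == "__main__":
    for label, text, role in (("hardened server", HARDENED_SERVER, "server"),
                              ("weak server", WEAK_SERVER, "server"), ("client", CLIENT, "client")):
        print(label, "->", audit(parse_config(text), role) or "ok")
```

Run as a script it reports "ok" for the hardened server, five findings for the weak one (no tls-crypt, no tls-version-min, BF-CBC, SHA1, no auth-nocache), and two for the constructed client, which lacks a tls-crypt key and a tls-version-min line. Point it at a real file with `audit(parse_config(open(path).read()), role)`; the check on `tls-version-min` accepts the `1.2 or-highest` form as well.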


[Openvpn-users] wireguard encryption settings in openvpn

2020-04-06 Thread Mário Barbosa
Hello,

Experienced linux sysadmin here, though rather novice with regard to
openvpn, openssl, PKI, and encryption matters in general.

Context:
I am currently in the middle of rebuilding the whole vpn infra of the
company I work for, and feeling quite overwhelmed by the amount of
critical-to-security choices I have to make that I don't understand (nor
can expect to in the limited amount of time I have). I would rather
someone more knowledgeable had either a) made those choices, or b)
pointed at secure-enough defaults. The people at wireguard did just
that, and that seems to be one of their strongest "selling points"
(simplicity of setup of security part of things).
Because of this, I have been thinking that mimicking their choices to
the extent possible might be a good idea (if you think this is wrong,
please tell me so, and explain why).

I searched the openvpn-*@lists.sourceforge.net archives for wireguard,
but couldn't find any mentions of a way to replicate wireguard's choices
with regard to encryption in openvpn roadwarrior-type of setups. I don't
expect to be able to completely replicate what is described in [1] (it
would be nice, though), just the next best option.

If you're about to suggest that I "just use wireguard, then!", please
notice that I 1) can't (the pfsense machines I am running openvpn server
on don't support it) and 2) don't want to.

[1] https://www.wireguard.com/protocol/

Thank you in advance for your time and advice,
Mário Barbosa




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-06 Thread Samuli Seppänen
On 04/04/20 05:46, blz wrote:
> On 4/3/2020 12:06 PM, Nathan Stratton Treadway wrote:
>> On Fri, Apr 03, 2020 at 20:00:54 +0300, Samuli Seppänen wrote:
>>> Hi,
>>>
>>> On 02/04/20 22:07, Nathan Stratton Treadway wrote:
>>>> Would this second option be consistent with the fact that the failed
>>>> setupapi log says the driver package was "already imported?
>>> Seems like it. You can use
>>>
>>> 
>>>
>>> to get rid of all tap-windows instances in the Driver Store. That's what
>>> I use when I need to be 100% positive the latest driver version is
>>> actually being used and not some cached version.
>> Yeah, I will plan to do that once it seems like there's nothing more to
>> learn investigating the system in its current state
>>
>>>> Is "oemvista.inf_amd64_6d4bec28a2ef0cdf" a name that is hard-coded
>>>> inside the TAP-Windows installer, or is that generated dynamically at
>>>> installer-execution time?
>>> I have absolutely no idea. We don't actively create such identifiers,
>>> so I have to assume it's Windows.
>> Well, I guess the interesting thing is that the same directory name was
>> used on both the failing- and succeeding-installation machines.  So I
>> guess it is baked into the driver-installer somewhere (unlike the
>> "c:\windows\inf\oem*.inf" name used, which was different between the two
>> machines)  But I'm wondering whether or not that directory name is
>> constant across tap-windows versions, etc.
> What I am wondering is Windows Update, which can and does sometimes
> download drivers from Microsoft's repository, could be a possible
> culprit? I've seen WU time and again be the root cause of some pretty
> big driver-related headaches before.

We have not uploaded tap-windows6 to the Microsoft driver repository.
Fortunately it seems :).

Samuli





Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-06 Thread Samuli Seppänen
On 04/04/20 18:20, Gert Doering wrote:
> Hi,
> 
> On Sat, Apr 04, 2020 at 10:37:23AM -0400, Selva Nair wrote:
>> (ii) Add an identifier to the inf file to make the two versions (win7/win10)
>> different.
> 
> If we can figure out how to do that, this sounds like a robust way
> forward.
>

Added https://community.openvpn.net/openvpn/ticket/1269

>> (iii) Have the installer delete all tap adapters and do a cleanup before
>> starting installation. This is very invasive and adversely affects those
>> who have multiple adapters, removes customized adapter names etc.
> 
> I have thought about this, but I find it too intrusive to do on a 
> "default" install.
> 
> We could offer it as an extra submodule?  checkbox item?  that users
> could activate if they have installation problems

We could, though I'd like to avoid any extra work going into the NSIS
installers. I'm not sure how MSI would handle this.

>   [ ] remove all existing TAP adapters before upgrading
> 
> but if we can get identifiers done, this should not even be necessary.
> 
>> By the way, while the Remove-tapwindows.ps1 script is very handy, it
>> works only if all adapters are first removed using deltapall.bat or
>> something
>> equivalent. Adding that functionality to the script would be very useful.
> 
> +1

I added a (private) task about this for me, though I'm open to PRs :).

> 
> Samuli, you're listening? :-)
> 
> gert
> 

Yes, I've read each and every email related to this and there sure have
been plenty :).

Samuli


