OpenVPN 2.4 - Cipher Issue?

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
shauno100
DD-WRT Novice


Joined: 19 Oct 2015
Posts: 38

PostPosted: Tue Mar 07, 2017 6:12    Post subject: OpenVPN 2.4 - Cipher Issue? Reply with quote
Hi All,

I have an Archer C7 V2 with the latest DD WRT build 31571 installed.

My OpenVPN setup is working fine but i noticed that even though i have specifically set the Cipher as AES-128-CBC on both the server side and in my client config the connection is still using the AES-256-GCM cipher. Is this a bug or is there a workaround for this?

I also noticed that the Cipher dropdown box on the DD WRT>Services>VPN>OpenVPN section does not include the new GCM ciphers introduced in OpenVPN 2.4 and only shows the CBC ciphers. Is this also a bug or by design?

Regards

Shaun
Sponsor
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 7241

PostPosted: Tue Mar 07, 2017 7:11    Post subject: Reply with quote
You need to be more clear about when you're referring to the OpenVPN client vs. the server. Just saying OpenVPN w/ no qualification is confusing to the reader. I'm not even sure which side (client or server) is dd-wrt, or perhaps both.

First thing I would do is go to a telnet/ssh session and verify your requested cipher is available.

Code:
openvpn --show-ciphers


Second, I would check what the OpenVPN client/server placed in the config file (since I don't know which side is using dd-wrt, or if it's dd-wrt on both sides, I included both).

Code:
cat /tmp/openvpncl/openvpn.conf # client
cat /tmp/openvpn/openvpn.conf # server


Finally, I would check the openvpn status page to see if there are any pertinent messages, such as the client/server reporting it can't support the request and renegotiating the setting.
shauno100
DD-WRT Novice


Joined: 19 Oct 2015
Posts: 38

PostPosted: Tue Mar 07, 2017 9:51    Post subject: Reply with quote
No worries. I am using an OpenVPN server configured in DD WRT. The OpenVPN server (daemon) version is 2.4

I am connecting to the OpenVPN server from my Windows 10 laptop when i am out in the field and also via my Galaxy S7 phone with the OpenVPN Connect android app.
Like i mentioned everything works fine but i just noticed recently that the cipher has changed for my connection and is no longer AES-128-CBC but is instead AES-256-GCM even though i have AES-128-CBC selected as the cipher in DD WRT>Services>VPN>OpenVPN Server.

I also have
Code:
cipher AES-128-CBC
clearly stated in my client OVPN file.

Below are the configs for my server and android client

Server Config from Conf file in /tmp/openvpn
Code:

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 63111
proto udp4
cipher aes-128-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo yes
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
push "redirect-gateway def1"
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
fast-io
tun-mtu 1500
mtu-disc yes
server 160.56.3.0 255.255.255.0
dev tun2
tls-auth /tmp/openvpn/ta.key 0
push "route 160.55.3.0 255.255.255.0"
push "dhcp-option DNS 160.55.3.33"
max-clients 2


Client config - Android Phone
Code:

client
remote-cert-tls server
remote xxx.xxx.xxx.xxx 63111
dev tun2
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
comp-lzo yes
verb 3
ns-cert-type server
auth SHA256
cipher AES-128-CBC
auth-nocache
key-direction 1

i then have my inline certs embedded in the client OVPN file

Maybe i'm missing something but all i know is the log file always showed AES-128-CBC as the cipher in use and i have only noticed recently in later DD WRT builds that the cipher is now AES-256-GCM
shauno100
DD-WRT Novice


Joined: 19 Oct 2015
Posts: 38

PostPosted: Tue Mar 07, 2017 10:00    Post subject: Reply with quote
Below is the log, i purposely blocked out IP address/certificate info
Code:

20170307 19:54:43 120.xx.xxx.xxx:53346 TLS: Initial packet from [AF_INET]120.xx.xxx.xxx:53346 sid=795af953 19e31ed6
20170307 19:54:43 120.xx.xxx.xxx:53346 VERIFY OK: depth=1 C=AU ST=x L=x O=x OU=x CN=x name=x emailAddress=sx@hotmail.com
20170307 19:54:43 120.xx.xxx.xxx:53346 VERIFY OK: depth=0 C=AU ST=xL=x O=xOU=x CN=x name=x emailAddress=sx@hotmail.com
20170307 19:54:44 I 120.xx.xxx.xxx:53346 peer info: IV_GUI_VER=net.openvpn.connect.android_1.1.17-76
20170307 19:54:44 I 120.xx.xxx.xxx:53346 peer info: IV_VER=3.0.12
20170307 19:54:44 I 120.xx.xxx.xxx:53346 peer info: IV_PLAT=android
20170307 19:54:44 I 120.xx.xxx.xxx:53346 peer info: IV_NCP=2
20170307 19:54:44 I 120.xx.xxx.xxx:53346 peer info: IV_TCPNL=1
20170307 19:54:44 I 120.xx.xxx.xxx:53346 peer info: IV_PROTO=2
20170307 19:54:44 I 120.xx.xxx.xxx:53346 peer info: IV_LZO=1
20170307 19:54:44 120.xx.xxx.xxx:53346 Control Channel: TLSv1.2 cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384 2048 bit RSA
20170307 19:54:44 I 120.xx.xxx.xxx:53346 [GalaxyS7-Edge] Peer Connection Initiated with [AF_INET]120.xx.xxx.xxx:53346
20170307 19:54:44 I GalaxyS7-Edge/120.xx.xxx.xxx:53346 MULTI_sva: pool returned IPv4=160.56.3.2 IPv6=(Not enabled)
20170307 19:54:44 GalaxyS7-Edge/120.xx.xxx.xxx:53346 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_33a47d8c5bf50bd840739ef50a07143a.tmp
20170307 19:54:44 GalaxyS7-Edge/120.xx.xxx.xxx:53346 MULTI: Learn: 160.56.3.2 -> GalaxyS7-Edge/120.xx.xxx.xxx:53346
20170307 19:54:44 GalaxyS7-Edge/120.xx.xxx.xxx:53346 MULTI: primary virtual IP for GalaxyS7-Edge/120.xx.xxx.xxx:53346: 160.56.3.2
20170307 19:54:44 GalaxyS7-Edge/120.xx.xxx.xxx:53346 PUSH: Received control message: 'PUSH_REQUEST'
20170307 19:54:44 GalaxyS7-Edge/120.xx.xxx.xxx:53346 SENT CONTROL [GalaxyS7-Edge]: 'PUSH_REPLY redirect-gateway def1 route 160.55.3.0 255.255.255.0 dhcp-option DNS 160.55.3.33 route-gateway 160.56.3.1 topology subnet ping 10 ping-restart 120 ifconfig 160.56.3.2 255.255.255.0 peer-id 0 cipher AES-256-GCM' (status=1)
20170307 19:54:44 GalaxyS7-Edge/120.xx.xxx.xxx:53346 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
20170307 19:54:44 GalaxyS7-Edge/120.xx.xxx.xxx:53346 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
20170307 19:54:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170307 19:54:47 D MANAGEMENT: CMD 'state'
20170307 19:54:47 MANAGEMENT: Client disconnected
20170307 19:54:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170307 19:54:47 D MANAGEMENT: CMD 'state'
20170307 19:54:47 MANAGEMENT: Client disconnected
20170307 19:54:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170307 19:54:47 D MANAGEMENT: CMD 'state'
20170307 19:54:47 MANAGEMENT: Client disconnected
20170307 19:54:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170307 19:54:47 MANAGEMENT: Client disconnected
20170307 19:54:47 NOTE: --mute triggered...
20170307 19:54:47 1 variation(s) on previous 3 message(s) suppressed by --mute
20170307 19:54:47 D MANAGEMENT: CMD 'status 2'
20170307 19:54:47 MANAGEMENT: Client disconnected
20170307 19:54:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170307 19:54:47 D MANAGEMENT: CMD 'status 2'
20170307 19:54:47 MANAGEMENT: Client disconnected
20170307 19:54:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20170307 19:54:47 D MANAGEMENT: CMD 'log 500'
19700101 10:00:00

dh /tmp/openvpn/dh.pem ca /tmp/openvpn/ca.crt cert /tmp/openvpn/cert.pem key /tmp/openvpn/key.pem keepalive 10 120 verb 3 mute 3 syslog writepid /var/run/openvpnd.pid management 127.0.0.1 14 management-log-cache 100 topology subnet script-security 2 port 63111 proto udp4 cipher aes-128-cbc auth sha256 client-connect /tmp/openvpn/clcon.sh client-disconnect /tmp/openvpn/cldiscon.sh client-config-dir /tmp/openvpn/ccd comp-lzo yes tls-server ifconfig-pool-persist /tmp/openvpn/ip-pool 86400 client-to-client push "redirect-gateway def1" tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 fast-io tun-mtu 1500 mtu-disc yes server 160.56.3.0 255.255.255.0 dev tun2 tls-auth /tmp/openvpn/ta.key 0 push "route 160.55.3.0 255.255.255.0" push "dhcp-option DNS 160.55.3.33" max-clients 2
shauno100
DD-WRT Novice


Joined: 19 Oct 2015
Posts: 38

PostPosted: Tue Mar 07, 2017 10:16    Post subject: Reply with quote
attached a screenshot of the ciphers only showing CBC ciphers available. Shouldn't it with OpenVPN 2.4 be showing more including GCM ciphers?

NOTE: The below screenshot is when i have changed the cipher in DD WRT to None but have not saved it just for illustration purposes to show the available ciphers in drop down. The cipher selected here is definitely AES-128-CBC when i have the server up and running.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 3546
Location: Texas

PostPosted: Tue Mar 07, 2017 18:47    Post subject: Reply with quote
Been seeing this for a while -- some info:
I get the same with my driod app if using openvpn 2.4 on client.
Using andriod 'OpenVPN Client free' release ver 2.15.16 (1021516)
This app has option to run what it considers 'old stable 2.3.2' or uncheck that and run the 2.4 ver.
Note: either version I use works perfectly fine.

Server conf:
# cat /tmp/openvpn/openvpn.conf
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port xxxxx
proto udp4
cipher aes-256-cbc
auth sha256
client-connect /tmp/openvpn/clcon.sh
client-disconnect /tmp/openvpn/cldiscon.sh
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
push "redirect-gateway def1"
fast-io
tun-mtu 1500
mtu-disc yes
server 10.13.94.224 255.255.255.224
dev tun2
push "route 10.72.28.0 255.255.254.0"
push "dhcp-option DNS 10.72.28.13"
# uptime
12:29:15 up 3 days, 28 min, load average: 0.00, 0.00, 0.00
# cat /tmp/loginprompt
DD-WRT v3.0-r31571 std (c) 2017 NewMedia-NET GmbH
Release: 03/04/17

Here are dd-wrt logs as connected from both versions.

Mar 7 17:21:59 -- daemon.notice openvpn[4060]: 70.195.206.69:1520 peer info: IV_VER=2.3.2
Mar 7 17:21:59 -- daemon.notice openvpn[4060]: 70.195.206.69:1520 peer info: IV_PLAT=linux
Mar 7 17:21:59 -- daemon.notice openvpn[4060]: 70.195.206.69:1520 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Mar 7 17:21:59 -- daemon.notice openvpn[4060]: 70.195.206.69:1520 [mrjcd1] Peer Connection Initiated with [AF_INET]70.195.206.69:1520
Mar 7 17:21:59 -- daemon.notice openvpn[4060]: mrjcd1/70.195.206.69:1520 MULTI_sva: pool returned IPv4=10.13.94.226, IPv6=(Not enabled)
Mar 7 17:21:59 -- daemon.notice openvpn[4060]: mrjcd1/70.195.206.69:1520 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_0c7a1da4bffa86be4124ed296a291e4c.tmp
Mar 7 17:21:59 -- daemon.notice openvpn[4060]: mrjcd1/70.195.206.69:1520 MULTI: Learn: 10.13.94.226 -> mrjcd1/70.195.206.69:1520
Mar 7 17:21:59 -- daemon.notice openvpn[4060]: mrjcd1/70.195.206.69:1520 MULTI: primary virtual IP for mrjcd1/70.195.206.69:1520: 10.13.94.226
Mar 7 17:22:02 -- daemon.notice openvpn[4060]: mrjcd1/70.195.206.69:1520 PUSH: Received control message: 'PUSH_REQUEST'
Mar 7 17:22:02 -- daemon.notice openvpn[4060]: mrjcd1/70.195.206.69:1520 SENT CONTROL [mrjcd1]: 'PUSH_REPLY,redirect-gateway def1,route 10.72.28.0 255.255.254.0,dhcp-option DNS 10.72.28.13,route-gateway 10.13.94.225,topology subnet,ping 10,ping-restart 120,ifconfig 1
Mar 7 17:22:02 -- daemon.notice openvpn[4060]: mrjcd1/70.195.206.69:1520 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mar 7 17:22:02 -- daemon.notice openvpn[4060]: mrjcd1/70.195.206.69:1520 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mar 7 17:22:02 -- daemon.notice openvpn[4060]: mrjcd1/70.195.206.69:1520 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key



Mar 7 17:36:08 -- daemon.notice openvpn[5209]: 70.195.206.69:1513 peer info: IV_VER=2.4.0
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: 70.195.206.69:1513 peer info: IV_PLAT=linux
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: 70.195.206.69:1513 peer info: IV_PROTO=2
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: 70.195.206.69:1513 peer info: IV_NCP=2
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: 70.195.206.69:1513 peer info: IV_LZ4=1
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: 70.195.206.69:1513 peer info: IV_LZ4v2=1
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: 70.195.206.69:1513 peer info: IV_LZO=1
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: 70.195.206.69:1513 peer info: IV_COMP_STUB=1
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: 70.195.206.69:1513 peer info: IV_COMP_STUBv2=1
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: 70.195.206.69:1513 peer info: IV_TCPNL=1
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: 70.195.206.69:1513 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: 70.195.206.69:1513 [mrjcd1] Peer Connection Initiated with [AF_INET]70.195.206.69:1513
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: mrjcd1/70.195.206.69:1513 MULTI_sva: pool returned IPv4=10.13.94.226, IPv6=(Not enabled)
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: mrjcd1/70.195.206.69:1513 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_03ea428e447615346c9da92496803c5d.tmp
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: mrjcd1/70.195.206.69:1513 MULTI: Learn: 10.13.94.226 -> mrjcd1/70.195.206.69:1513
Mar 7 17:36:08 -- daemon.notice openvpn[5209]: mrjcd1/70.195.206.69:1513 MULTI: primary virtual IP for mrjcd1/70.195.206.69:1513: 10.13.94.226
Mar 7 17:36:09 -- daemon.notice openvpn[5209]: mrjcd1/70.195.206.69:1513 PUSH: Received control message: 'PUSH_REQUEST'
Mar 7 17:36:09 -- daemon.notice openvpn[5209]: mrjcd1/70.195.206.69:1513 SENT CONTROL [mrjcd1]: 'PUSH_REPLY,redirect-gateway def1,route 10.72.28.0 255.255.254.0,dhcp-option DNS 10.72.28.13,route-gateway 10.13.94.225,topology subnet,ping 10,ping-restart 120,ifconfig 1
Mar 7 17:36:09 -- daemon.notice openvpn[5209]: mrjcd1/70.195.206.69:1513 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 7 17:36:09 -- daemon.notice openvpn[5209]: mrjcd1/70.195.206.69:1513 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key


I have never used openVPN Connect but looks as you are using latest ver 1.1.17 (build 76)
OpenenVPN Connect app release notes for ver 1.1.15 (build 62) says added AES-GCM cipher support.
So not sure if this is dd-wrt run-a-muck or part fault of the newer clients can't decide what its doing Rolling Eyes
shauno100
DD-WRT Novice


Joined: 19 Oct 2015
Posts: 38

PostPosted: Tue Mar 07, 2017 23:58    Post subject: Reply with quote
I tried using the other Android apps with no luck. I have all my certs as inline certs in the one OVPN file. Seems to only work with the OpenVPN Connect application.

I noticed in the logs somehow at the SENT CONTROL [GalaxyS7-Edge]: 'PUSH_REPLY section its getting the AES-256-GCM cipher automatically and seems to ignore what i have specifically set.

I hope OpenVPN fix this up in a future release or i wonder if DD WRT can be altered with a workaround for this? I know that AsusWrt-Merlin mentioned the new Cipher negotiation introduced in OpenVPN server 2.4.0 which i'm wondering if that is the problem. Although you'd think it wouldn't revert to a new GCM cipher by default.

Quote:
Cipher negotiation (NCP), with (optional)
fallback to legacy "cipher" parameter when
an OpenVPN 2.3 client connects to the
router's 2.4 server.


Shaun
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 3546
Location: Texas

PostPosted: Wed Mar 08, 2017 3:51    Post subject: Reply with quote
This is on E1200v2 w/Tomato Firmware 1.28.0000 MIPSR2-138 K26 Max
It uses OpenVPN 2.3.11 --- just a server I've had running here for long time.
Encryption cipher AES-192-CBC / Hash SHA1
Here is relevant logs from the tomato openVPN server.
Using same device I used earlier (driod turbo phone) same client.

client set to use openVPN ver 2.3.2
Mar 7 21:02:04 -- +++ Data Channel Encrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
Mar 7 21:02:04 -- +++ Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 7 21:02:04 -- +++ Data Channel Decrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
Mar 7 21:02:04 -- +++ Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 7 21:02:04 -- +++ Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA


client using openVPN ver 2.4
Mar 7 20:53:25 -- +++ Data Channel Encrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
Mar 7 20:53:25 -- +++ Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 7 20:53:25 -- +++ Data Channel Decrypt: Cipher 'AES-192-CBC' initialized with 192 bit key
Mar 7 20:53:25 -- +++ Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 7 20:53:25 -- +++ Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA

So it's a client thing that the server logs -- I'd have to do some digging to see exactly what the 'Control Channel' actually does
'bout all I know
shauno100
DD-WRT Novice


Joined: 19 Oct 2015
Posts: 38

PostPosted: Wed Mar 08, 2017 3:59    Post subject: Reply with quote
ok no worries. Should i be logging a ticket to the DD-WRT devs on TRAC to see if a workaround could be put in place to allow specified ciphers to be used in all cases?
ventz
DD-WRT Novice


Joined: 14 Mar 2018
Posts: 1

PostPosted: Wed Mar 14, 2018 0:18    Post subject: Reply with quote
You want to add:

ncp-disable

^ This will get rid of the "auto negotiation" which is always defaulting to the highest available (in this case: AES-256-GCM), and let you negotiatiate your own cipher.

If you use "ncp-disable", you MUST specify "cipher ..."
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum