Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Tue Oct 20, 2020 7:47 Post subject: OpenVPN 2.5
OpenVPN 2.5
OpenVPN 2.5 is here in build 44627 and is a major update.
I will try to bundle what is known and what you should do to work with 2.5, and summarize it in this thread, but there are still a lot of things to discover, so your input is wanted.
PM me with your questions and remarks.
After you have upgraded, if you are lucky and connect to newer servers/clients it may just work, but you will probably have to revise and adapt your (Encryption) Cipher settings and the new Data Ciphers settings.
The most important changes are in the cipher settings: OpenVPN 2.5 works with data-ciphers, which is a new and improved version of ncp-ciphers.
From the manual:
Quote:
OpenVPN clients will now signal all supported ciphers from the data-ciphers option to the server via IV_CIPHERS.
OpenVPN servers will select the first common cipher from the data-ciphers list instead of blindly pushing the first cipher of the list.
This allows to use a configuration like data-ciphers ChaCha20-Poly1305:AES-256-GCM on the server that prefers ChaCha20-Poly1305 but uses it only if the client supports it.
The old (Encryption) Cipher setting that we know, and which is implemented in DD-WRT, will be deprecated, but is kept for now for compatibility reasons.
For both the OpenVPN Server and Client you can set up to three Data Ciphers in the DD-WRT GUI.
WARNING
There might be bugs in the first builds, although until now no major problems have been reported, so everything looks good.
If you decide to upgrade, do the following:
Before upgrading
For the OpenVPN Server and OpenVPN client make a note of your current Encryption Cipher setting
After upgrading
If the GUI shows some settings as undefined, refresh your browser cache (usually CTRL + F5).
OpenVPN server
Check Encryption Cipher and set it back if it has changed.
Set a value for Data Ciphers 1, 2 and 3.
There are default settings; if you are unsure, keep them at their defaults, but set the third Data Cipher the same as your Encryption Cipher.
The clients for your server will try to use the first of the server's Data Ciphers they have in common.
Very old clients will try to use the Encryption Cipher setting.
If your clients cannot connect because they are pre-OpenVPN 2.4, you can add in the Additional Config:
Code:
data-ciphers-fallback BF-CBC
Instead of BF-CBC, set your own Encryption Cipher.
Note: be sure to reboot your router after setting up or restart the firewall!
OpenVPN Client
Check Encryption Cipher and set it back if it has changed.
Set a value for Data Ciphers 1, 2 and 3.
Set the first Data Cipher the same as your Encryption Cipher, set the second Data Cipher to AES-128-GCM and the third Data Cipher to AES-256-GCM.
If your client cannot connect, you can force the use of the Encryption Cipher instead of the Data Ciphers by adding the following to the Additional Config of the OpenVPN client:
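The negotiation the post describes (the server walks its own Data Ciphers list and takes the first entry the client also supports; a pre-2.4 client only connects through its legacy Encryption Cipher or through data-ciphers-fallback) modelled as an added Python example. This is not code from the original post, from DD-WRT or from OpenVPN; it is a simplification of the OpenVPN 2.5 manual text quoted above, and the assumed details are marked as such in the comments (the peer_info strings are constructed samples, and the rule that an OpenVPN 2.4 client announces IV_NCP=2 to mean AES-256-GCM/AES-128-GCM is an assumption about how the server interprets that flag). One caveat a practitioner should keep in mind before copying the data-ciphers-fallback BF-CBC line: BF-CBC is a 64-bit block cipher (the SWEET32 class of attack applies), and OpenVPN 2.5 keeps it only for compatibility, so prefer an AES-CBC cipher as the legacy Encryption Cipher, or upgrade the old client, where you can.

```python
"""Model of OpenVPN 2.5 data-channel cipher negotiation (NCP).

Added example, not OpenVPN or DD-WRT code. It follows the manual text quoted
in the post: a 2.5 client advertises its data-ciphers via IV_CIPHERS, the
server walks its OWN data-ciphers list in order and takes the first entry the
client also supports, and data-ciphers-fallback only matters for a peer that
does not negotiate at all. The peer_info strings used in demo() are
constructed samples, not captured traffic.
"""

# Assumption (simplified from OpenVPN behaviour): a 2.4 client sends IV_NCP=2
# instead of IV_CIPHERS, which stands for these two ciphers.
IV_NCP2_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]


def parse_cipher_list(spec):
    """'a:b:c' -> ['A', 'B', 'C']; OpenVPN cipher names are case-insensitive."""
    return [c.strip().upper() for c in spec.split(":") if c.strip()]


def parse_peer_info(peer_info):
    """Parse the newline-separated IV_KEY=value block a client sends."""
    info = {}
    for line in peer_info.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip()
    return info


def client_supported_ciphers(peer_info, remote_cipher=""):
    """Ciphers the server may assume the client can use.

    remote_cipher is the client's static --cipher (the DD-WRT 'Encryption
    Cipher') as announced in its options string; the client can always use
    it, so it is added to whatever the client negotiates.
    """
    info = parse_peer_info(peer_info)
    if "IV_CIPHERS" in info:          # OpenVPN 2.5+
        supported = parse_cipher_list(info["IV_CIPHERS"])
    elif info.get("IV_NCP") == "2":   # OpenVPN 2.4 (assumed meaning of the flag)
        supported = list(IV_NCP2_CIPHERS)
    else:                             # pre-2.4: no negotiation at all
        supported = []
    if remote_cipher and remote_cipher.upper() not in supported:
        supported.append(remote_cipher.upper())
    return supported


def select_data_cipher(server_data_ciphers, peer_info, remote_cipher="", fallback=""):
    """Return the cipher the server will use for this client, or None.

    fallback models data-ciphers-fallback: it is only tried when no entry of
    the server's list is usable, and only if it is the cipher the
    non-negotiating client is actually configured with.
    """
    supported = client_supported_ciphers(peer_info, remote_cipher)
    for cipher in parse_cipher_list(server_data_ciphers):
        if cipher in supported:       # server order decides, not client order
            return cipher
    if fallback and remote_cipher and fallback.upper() == remote_cipher.upper():
        return fallback.upper()
    return None


def demo():
    """Scenarios from the post; returns {name: negotiated cipher or None}."""
    # Constructed peer_info samples (a real block also carries IV_PLAT etc.).
    v25 = "IV_VER=2.5.0\nIV_NCP=2\nIV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305\n"
    v25_no_chacha = "IV_VER=2.5.0\nIV_NCP=2\nIV_CIPHERS=AES-256-GCM:AES-128-GCM\n"
    v24 = "IV_VER=2.4.9\nIV_NCP=2\n"
    v23 = "IV_VER=2.3.18\n"
    chacha_first = "CHACHA20-POLY1305:AES-256-GCM"
    gcm_only = "AES-256-GCM:AES-128-GCM"
    return {
        # server prefers ChaCha20; a client that lacks it still gets AES-256-GCM
        "2.5 client, server prefers chacha": select_data_cipher(chacha_first, v25),
        "2.5 client without chacha": select_data_cipher(chacha_first, v25_no_chacha),
        "2.4 client (IV_NCP=2)": select_data_cipher(gcm_only, v24, "BF-CBC"),
        # pre-2.4 client, legacy cipher not in the server list, no fallback: fails
        "2.3 client, no fallback": select_data_cipher(gcm_only, v23, "BF-CBC"),
        # the post's Additional Config line: data-ciphers-fallback BF-CBC
        "2.3 client, fallback BF-CBC": select_data_cipher(gcm_only, v23, "BF-CBC", fallback="BF-CBC"),
        # the post's GUI advice: third Data Cipher = Encryption Cipher, no fallback needed
        "2.3 client, cipher as 3rd data cipher": select_data_cipher(
            gcm_only + ":AES-256-CBC", v23, "AES-256-CBC"),
    }


if __name__ == "__main__":
    for name, cipher in demo().items():
        print(f"{name:40s} -> {cipher or 'no common cipher, connection fails'}")
```

The last two scenarios show why the post's GUI advice works: putting the legacy Encryption Cipher in as the third Data Cipher makes it an ordinary negotiable entry, so a pre-2.4 client matches it without any data-ciphers-fallback line, while 2.4/2.5 clients still end up on AES-GCM because the server's list is searched in order.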
After thinking about it, I spoke (posted) too soon. What I will do is take another router and configure it with the new build and test it. That way, if it fails, it is just a matter of putting the working router & build back in place. Currently using r42856 as OpenVPN client on EA8500 and it's rock solid, been up 55 days and NO issues.
Just wanted to say thanks for posting this. I remember the last time I set up OpenVPN it was not on dd-wrt, but it took a long time reading through the OpenVPN documentation pages.
@egc, FWIW all was good until I tried Netflix and received this error, see image. I put the other router back in place with build r42856 and had no problems with Netflix. Netflix is supposed to work with NordVPN.