OpenVPN-2.4.0 integration into IPFire

ummeegge
Community Developer
Posts: 3976


Postby ummeegge » January 19th, 2017, 10:21 am

Hi all,
since OpenVPN-2.4.0 has been out for a couple of days, I wanted to introduce a possibility to test it.
There is an installer available which can be used for 64-bit but also for 32-bit platforms. The installer delivers modified language files (de.pl and en.pl), a modified ovpnmain.cgi, a new compression library (LZ4) and of course the new OpenVPN-2.4.0 binary.
The installer also provides two installation possibilities.

Please use testing systems for this

1) A minimally changed ovpnmain.cgi with the following changes:
- OpenVPN on IPFire can be used just as before, but with one more (per default deactivated) feature called "Cipher negotiation". The new OpenVPN version negotiates per default the best cipher between both sides. Have added one checkbox to activate/deactivate (deactivated is default) it in the global section.
Also, the cipher negotiation can be used via CCD (client config directory), so it is usable for each client individually. If the global section allows cipher negotiation in general, but some clients should not use it, it is possible to deactivate this feature for them over the advanced settings while a new client is generated:
- Changed the script-security directive; for security reasons, OpenVPN does not allow the "system" flag anymore.

2) An extended version with the following changes:
- The features from above are included, but also:
- Added new GCM ciphers for Roadwarrior and N2N (AES-128, 192 and 256 bit). Sorted the algorithm lists and added descriptions (weak, medium and strong algorithms) for ciphers, HMACs and DH parameters.
- Added a cipher length menu for the ROOT (6144, 8192, 12288 and 16384 bit)
and HOST (4096, 6144, 8192, 12288 and 16384 bit) CA which is available while a new PKI is generated.
... some lengths are overkill but may nevertheless be interesting for testing. The generation of the PKI but also the client generation will need more time as more bits are used for the PKI.
- Added tls-crypt for the N2N section.

The installer can be found in here --> https://github.com/ummeegge/ovpn_1901/b ... staller.sh .

A usage can be:
Login to your testing Fire and execute

cd /tmp
wget https://raw.githubusercontent.com/ummeegge/ovpn_1901/master/ovpn_240_in-uninstaller.sh
chmod +x ovpn_240_in-uninstaller.sh
./ovpn_240_in-uninstaller.sh

this will lead you to the menu.

IMPORTANT: After installation or uninstallation you need to click the "Save" button in the OpenVPN web interface, because the new (or the old) directives need to be written into server.conf, otherwise the server won't come up.

Feedback and testing would be good ;) but are also important.
Further info on the new version and some testing results can be found here --> viewtopic.php?f=50&t=17656 .

Packages can also be found here --> http://people.ipfire.org/~ummeegge/OpenVPN-2.4.0/ .

Greetings,

UE

ToDo(s):
- LZ4 (v2?) compression should be integrated for Roadwarrior also via CCD.
DONE --> viewtopic.php?f=50&t=18067#p104669 <-- and is included in the extended version of the installer script.
- Fade out the "Hash-Algorithm" for N2N if any sort of GCM cipher is used, because GCM's default is SHA256; modifications in that case can't be handled via the web interface. < Needs to be reviewed and tested again..
- Discussion about ECDSA certificate chains.
- Added a fix for the new "Refactor CRL handling" of OpenVPN-2.4.0. Problems are described here --> viewtopic.php?f=50&t=18067#p105115, also on Debian --> https://bugs.debian.org/cgi-bin/bugrepo ... bug=849909, and the fix for IPFire is located here --> viewtopic.php?f=50&t=18067&start=15 . The fix will for now be made via the installer script. Uninstallation via the script brings back the old state in ovpn.cnf.

Hellfire
Posts: 204

Re: OpenVPN-2.4.0 integration into IPFire

Postby Hellfire » January 19th, 2017, 11:23 am

After installation are the various keys kept or do I have to re-configure any of the settings?

Michael

ummeegge
Community Developer
Posts: 3976

Re: OpenVPN-2.4.0 integration into IPFire

Postby ummeegge » January 19th, 2017, 11:26 am

Hi Michael,
your settings won't be touched.

UE

ummeegge
Community Developer
Posts: 3976

Re: OpenVPN-2.4.0 integration into IPFire

Postby ummeegge » January 21st, 2017, 11:18 am

Next part of the ToDo list from above.
Have integrated LZ4-v2 compression for Roadwarriors, but only in the CCD section (advanced configuration while a new client is created or an old one is modified).
Why only there? Have tested it a little now, and if server.conf but also client.ovpn have the old LZO compression ("--comp-lzo") directive integrated, it seems to be no problem if the server pushes the new lz4-v2 directive with a

#lz4-v2 compression
compress lz4-v2
push "compress lz4-v2"

this will then be written into the ccd directory under /var/ipfire/ovpn for each client. So it can be an individual setting for every client, whereby it makes no difference what has been configured before.

Example logs if client.ovpn and server.conf still use the old "comp-lzo" directive but the new lz4-v2 directive is pushed via CCD:

Server connection Log:

Jan 21 09:51:10 ipfire-server openvpnserver[12827]: OpenVPN 2.4.0 i586-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 16 2017
Jan 21 09:51:10 ipfire-server openvpnserver[12827]: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: Diffie-Hellman initialized with 1024 bit key
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: TLS-Auth MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: ROUTE_GATEWAY 192.168.201/255.255.255.0 IFACE=red0 HWADDR=00:30:18:aa:50:55
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: TUN/TAP device tun0 opened
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: TUN/TAP TX queue length set to 100
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: /sbin/ip link set dev tun0 up mtu 1500
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: /sbin/ip addr add dev tun0 local 10.141.0.1 peer 10.141.0.2
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: /sbin/ip route add 10.123.234.0/27 via 10.141.0.2
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: /sbin/ip route add 10.141.0.0/24 via 10.141.0.2
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: UDPv4 link local (bound): [AF_INET][undef]:1194
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: UDPv4 link remote: [AF_UNSPEC]
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: GID set to nobody
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: UID set to nobody
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: MULTI: multi_init called, r=256 v=256
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: IFCONFIG POOL: base=10.141.0.4 size=62, ipv6=0
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: IFCONFIG POOL LIST
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: Initialization Sequence Completed
Jan 21 09:51:24 ipfire-server openvpnserver[12828]: MULTI: multi_create_instance called
Jan 21 09:51:24 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Re-using SSL/TLS context
Jan 21 09:51:24 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 LZO compression initializing
Jan 21 09:51:24 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Jan 21 09:51:24 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Jan 21 09:51:24 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Jan 21 09:51:24 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Jan 21 09:51:24 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 TLS: Initial packet from [AF_INET]192.168.9.2:55731, sid=0506d41e fac1cd40
Jan 21 09:51:25 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 VERIFY SCRIPT OK: depth=1, C=AF, O=test, CN=test CA
Jan 21 09:51:25 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 VERIFY OK: depth=1, C=AF, O=test, CN=test CA
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 VERIFY SCRIPT OK: depth=0, C=DE, ST=BW, O=ummeegge, OU=FZeit, CN=testLZ4RW
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 VERIFY OK: depth=0, C=DE, ST=BW, O=ummeegge, OU=FZeit, CN=testLZ4RW
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_VER=2.4.0
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_PLAT=linux
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_PROTO=2
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_NCP=2
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_LZ4=1
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_LZ4v2=1
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_LZO=1
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_COMP_STUB=1
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_COMP_STUBv2=1
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_TCPNL=1
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 [testLZ4RW] Peer Connection Initiated with [AF_INET]192.168.9.2:55731
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: testLZ4RW/192.168.9.2:55731 OPTIONS IMPORT: reading client specific options from: /var/ipfire/ovpn/ccd/testLZ4RW
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: testLZ4RW/192.168.9.2:55731 OPTIONS IMPORT: compression parms modified
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: testLZ4RW/192.168.9.2:55731 LZ4v2 compression initializing
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: testLZ4RW/192.168.9.2:55731 MULTI: Learn: 10.123.234.2 -> testLZ4RW/192.168.9.2:55731
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: testLZ4RW/192.168.9.2:55731 MULTI: primary virtual IP for testLZ4RW/192.168.9.2:55731: 10.123.234.2
Jan 21 09:51:27 ipfire-server openvpnserver[12828]: testLZ4RW/192.168.9.2:55731 PUSH: Received control message: 'PUSH_REQUEST'
Jan 21 09:51:27 ipfire-server openvpnserver[12828]: testLZ4RW/192.168.9.2:55731 SENT CONTROL [testLZ4RW]: 'PUSH_REPLY,redirect-gateway def1,route 10.141.0.1,topology net30,ping 10,ping-restart 120,redirect-gateway,route 192.168.9.0 255.255.255.0,route 192.168.7.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,compress lz4-v2,ifconfig 10.123.234.2 10.123.234.1,peer-id 0' (status=1)


Client connection Log:

Sat Jan 21 09:51:32 2017 WARNING: file 'testLZ4RW.p12' is group or others accessible
Sat Jan 21 09:51:32 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 27 2016
Sat Jan 21 09:51:32 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Enter Private Key Password: *********
Sat Jan 21 09:51:35 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jan 21 09:51:35 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.9.1:1194
Sat Jan 21 09:51:35 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Jan 21 09:51:35 2017 UDP link local: (not bound)
Sat Jan 21 09:51:35 2017 UDP link remote: [AF_INET]192.168.9.1:1194
Sat Jan 21 09:51:35 2017 TLS: Initial packet from [AF_INET]192.168.9.1:1194, sid=5a19f79f 5f31cdee
Sat Jan 21 09:51:36 2017 VERIFY OK: depth=1, C=AF, O=test, CN=test CA
Sat Jan 21 09:51:36 2017 VERIFY OK: nsCertType=SERVER
Sat Jan 21 09:51:36 2017 VERIFY X509NAME OK: C=AF, O=test, CN=192.168.20.3
Sat Jan 21 09:51:36 2017 VERIFY OK: depth=0, C=AF, O=test, CN=192.168.20.3
Sat Jan 21 09:51:36 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sat Jan 21 09:51:36 2017 [192.168.20.3] Peer Connection Initiated with [AF_INET]192.168.9.1:1194
Sat Jan 21 09:51:38 2017 SENT CONTROL [192.168.20.3]: 'PUSH_REQUEST' (status=1)
Sat Jan 21 09:51:38 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.141.0.1,topology net30,ping 10,ping-restart 120,redirect-gateway,route 192.168.9.0 255.255.255.0,route 192.168.7.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,compress lz4-v2,ifconfig 10.123.234.2 10.123.234.1,peer-id 0'
Sat Jan 21 09:51:38 2017 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jan 21 09:51:38 2017 OPTIONS IMPORT: compression parms modified
Sat Jan 21 09:51:38 2017 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jan 21 09:51:38 2017 OPTIONS IMPORT: route options modified
Sat Jan 21 09:51:38 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jan 21 09:51:38 2017 OPTIONS IMPORT: peer-id set
Sat Jan 21 09:51:38 2017 OPTIONS IMPORT: adjusting link_mtu to 1625
Sat Jan 21 09:51:38 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Jan 21 09:51:38 2017 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Jan 21 09:51:38 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Jan 21 09:51:38 2017 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Jan 21 09:51:38 2017 ROUTE_GATEWAY 192.168.9.1/255.255.255.0 IFACE=wlp3s0 HWADDR=68:a8:6d:1d:5a:e2
Sat Jan 21 09:51:38 2017 TUN/TAP device tun0 opened
Sat Jan 21 09:51:38 2017 TUN/TAP TX queue length set to 100
Sat Jan 21 09:51:38 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jan 21 09:51:38 2017 /sbin/ip link set dev tun0 up mtu 1500
Sat Jan 21 09:51:38 2017 /sbin/ip addr add dev tun0 local 10.123.234.2 peer 10.123.234.1
Sat Jan 21 09:51:38 2017 /sbin/ip route add 192.168.9.1/32 dev wlp3s0
Sat Jan 21 09:51:38 2017 /sbin/ip route add 0.0.0.0/1 via 10.123.234.1
Sat Jan 21 09:51:38 2017 /sbin/ip route add 128.0.0.0/1 via 10.123.234.1
Sat Jan 21 09:51:38 2017 /sbin/ip route add 10.141.0.1/32 via 10.123.234.1
Sat Jan 21 09:51:38 2017 /sbin/ip route add 192.168.9.0/24 via 10.123.234.1
Sat Jan 21 09:51:38 2017 /sbin/ip route add 192.168.7.0/24 via 10.123.234.1
Sat Jan 21 09:51:38 2017 Initialization Sequence Completed


This also works with N2N connections, but is not pushable (because N2N does not work in P2MP mode), which makes it a little bit trickier because old settings need to be preserved.

N2N TLS-Server Logs:

Jan 21 10:58:39 ipfire-tls-server testLZ4NtwoNn2n[29618]: Diffie-Hellman initialized with 4096 bit key
Jan 21 10:58:39 ipfire-tls-server testLZ4NtwoNn2n[29618]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jan 21 10:58:39 ipfire-tls-server testLZ4NtwoNn2n[29618]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 21 10:58:39 ipfire-tls-server testLZ4NtwoNn2n[29618]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jan 21 10:58:39 ipfire-tls-server testLZ4NtwoNn2n[29618]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 21 10:58:39 ipfire-tls-server testLZ4NtwoNn2n[29618]: LZ4v2 compression initializing
Jan 21 10:58:39 ipfire-tls-server testLZ4NtwoNn2n[29618]: Control Channel MTU parms [ L:1554 D:1156 EF:94 EB:0 ET:0 EL:3 ]


and N2N TLS-Client Log:

Jan 21 10:58:30 ipfire-tls-client testLZ4NtwoNn2n[29016]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1198
Jan 21 10:58:30 ipfire-tls-client testLZ4NtwoNn2n[29016]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jan 21 10:58:30 ipfire-tls-client testLZ4NtwoNn2n[29016]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 21 10:58:30 ipfire-tls-client testLZ4NtwoNn2n[29016]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jan 21 10:58:30 ipfire-tls-client testLZ4NtwoNn2n[29016]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jan 21 10:58:30 ipfire-tls-client testLZ4NtwoNn2n[29016]: LZ4v2 compression initializing
Jan 21 10:58:30 ipfire-tls-client testLZ4NtwoNn2n[29016]: Control Channel MTU parms [ L:1554 D:1156 EF:94 EB:0 ET:0 EL:3 ]


but the "Expected Remote Options" string shows different results:

Jan 21 10:58:39 ipfire-tls-server testLZ4NtwoNn2n[29618]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1554,tun-mtu 1500,proto UDPv4,ifconfig 10.99.77.1 10.99.77.2,comp-lzo,mtu-dynamic,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'

<-- comp-lzo is still listed...

Will need to take a deeper look into that.

Will make an update if unclear things getting clearer...

UE
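A defender reading such logs wants the same checks done automatically: which data-channel cipher, HMAC and compression each client actually ended up with, whether an NCP-capable client (IV_NCP=2) still got a CBC cipher, and whether comp-lzo is still advertised while lz4-v2 is active from the CCD. The parser below is an added example, not part of ummeegge's installer or of IPFire; it runs over a constructed subset of the server log quoted above, and the 2048-bit DH threshold is an assumed policy value.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the OpenVPN 2.4.0 server log quoted above.
SAMPLE_LOG = """\
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 21 09:51:10 ipfire-server openvpnserver[12828]: Diffie-Hellman initialized with 1024 bit key
Jan 21 09:51:24 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 LZO compression initializing
Jan 21 09:51:24 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_VER=2.4.0
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_NCP=2
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 peer info: IV_LZ4v2=1
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: 192.168.9.2:55731 [testLZ4RW] Peer Connection Initiated with [AF_INET]192.168.9.2:55731
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: testLZ4RW/192.168.9.2:55731 OPTIONS IMPORT: reading client specific options from: /var/ipfire/ovpn/ccd/testLZ4RW
Jan 21 09:51:26 ipfire-server openvpnserver[12828]: testLZ4RW/192.168.9.2:55731 LZ4v2 compression initializing
"""

# Syslog prefix "Jan 21 09:51:26 host openvpnserver[pid]: " -> message text
PREFIX = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ \S+?\[\d+\]: (.*)$')
# Per-peer messages start with "ip:port " or, once the CN is known, "CN/ip:port "
PEER = re.compile(r'^(?:(?P<cn>[^/ ]+)/)?(?P<addr>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$')


def parse_server_log(text):
    """Return (server facts, per-peer facts keyed by ip:port)."""
    srv = {"dh_bits": None, "script_security_note": False}
    peers = defaultdict(lambda: {"cn": None, "peer_info": {}, "compression": [],
                                 "cipher": None, "auth": None, "options_string": None})
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        msg = m.group(1)
        dh = re.match(r'Diffie-Hellman initialized with (\d+) bit key', msg)
        if dh:
            srv["dh_bits"] = int(dh.group(1))
            continue
        if msg.startswith("NOTE: the current --script-security"):
            srv["script_security_note"] = True
            continue
        pm = PEER.match(msg)
        if not pm:
            continue                       # MULTI:, IFCONFIG POOL, route lines, ...
        p, body = peers[pm.group("addr")], pm.group("msg")
        if pm.group("cn"):
            p["cn"] = pm.group("cn")
        if body.startswith("peer info: "):
            k, _, v = body[len("peer info: "):].partition("=")
            p["peer_info"][k] = v
        elif body.endswith("compression initializing"):
            p["compression"].append(body.split(" ")[0])   # LZO first, LZ4v2 after the CCD import
        elif body.startswith("Local Options String"):
            p["options_string"] = body.split("'")[1]
        elif body.startswith("Data Channel Encrypt: Cipher "):
            p["cipher"] = body.split("'")[1]
        elif body.startswith("Data Channel Encrypt: Using") and "HMAC" in body:
            p["auth"] = body.split("'")[1]
        elif "Peer Connection Initiated" in body:
            cn = re.match(r'\[([^\]]+)\]', body)
            if cn:
                p["cn"] = cn.group(1)
    return srv, dict(peers)


def audit(text, min_dh_bits=2048):
    """Defender's findings over a server log; min_dh_bits is an assumed policy value."""
    srv, peers = parse_server_log(text)
    out = []
    if srv["dh_bits"] is not None and srv["dh_bits"] < min_dh_bits:
        out.append("server: DH parameter is only %d bit, regenerate with >= %d"
                   % (srv["dh_bits"], min_dh_bits))
    if srv["script_security_note"]:
        out.append("server: --script-security allows user-defined scripts, "
                   "confirm only the intended scripts are referenced")
    for addr, p in peers.items():
        name = p["cn"] or addr
        if p["peer_info"].get("IV_NCP") == "2" and p["cipher"] and p["cipher"].endswith("-CBC"):
            out.append("%s: client offers cipher negotiation (IV_NCP=2) but got %s, "
                       "negotiation is disabled on one side" % (name, p["cipher"]))
        if "LZ4v2" in p["compression"] and p["options_string"] and "comp-lzo" in p["options_string"]:
            out.append("%s: lz4-v2 active via CCD while the server options string "
                       "still advertises comp-lzo" % name)
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On a real box feed it the output of `grep openvpnserver /var/log/messages` instead of SAMPLE_LOG.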

csmall
Posts: 30

Re: OpenVPN-2.4.0 integration into IPFire

Postby csmall » January 22nd, 2017, 1:39 am

ummeegge,

Great progress so far. Good job. :)

ummeegge
Community Developer
Posts: 3976

Re: OpenVPN-2.4.0 integration into IPFire

Postby ummeegge » January 23rd, 2017, 10:22 am

Thanks for your feedback csmall.

Have now added LZ4-v2 compression for Roadwarriors, only in the client-config-directory section as explained above. The updated files can be loaded via the new installer --> https://github.com/ummeegge/ovpn_1901/b ... staller.sh .

For easy handling, login to your Fire and execute:

cd /tmp || exit 1 &&
wget https://raw.githubusercontent.com/ummeegge/ovpn_1901/master/ovpn_240_in-uninstaller.sh &&
chmod +x ovpn_240_in-uninstaller.sh &&
./ovpn_240_in-uninstaller.sh

you will then find a new "update" line. By pressing 'u' the files should be updated.

HINT: This update is only part of the extended version. The minimal version does not include this.

Feedback would be nice but is also important.

Greetings,

UE

ummeegge
Community Developer
Posts: 3976

Re: OpenVPN-2.4.0 integration into IPFire

Postby ummeegge » January 31st, 2017, 4:54 pm

Hi all,
(as an aside {probably only for myself?})
after a little more research I decided to leave the LZ4-v2 feature out of the Net-to-Net section.
Taking benchmarks from this site --> https://github.com/lz4/lz4 the performance boost arises in the decompression algorithm, whereas the compression values are close to the values of LZO. In my opinion only the server mode (Roadwarrior) has a real benefit from this, where a large(r) number of clients can possibly send data and the decompression can play out its advantages.
Net-to-Net always handles only one TLS-Client or TLS-Server, so one side might always be the bottleneck.

Maybe I am wrong, and if someone has another idea why it could be better to provide LZ4 also for N2N connections, let me know ;) .

More info from N2N ;) : "--tls-crypt" works nicely with N2N connections; tested it now for the second week and have had only one connection interrupt, where the connection only came up after a connection stop|start.

But anyhow, there seems to be no interest in this topic if I look at the testing/technical feedback here...

UE

csmall
Posts: 30

Re: OpenVPN-2.4.0 integration into IPFire

Postby csmall » January 31st, 2017, 8:02 pm

How can we get PAM integrated with IPFire so we can use it with OpenVPN? Is that a planned feature? Or maybe some sort of OTP?

I know you mentioned it before but I'm not sure where it stands or if any interest has been shown from devs.

doc
Posts: 120
Location: Hannover

Re: OpenVPN-2.4.0 integration into IPFire

Postby doc » February 1st, 2017, 9:07 am

ummeegge, what you are doing here is important! The latest version of OVPN brings a ton of fixes and improvements.
So, it's necessary to get this integrated in IPFire as soon as possible. But anyway, I can't say that our OVPN tunnels are not stable at the moment. :D
Unfortunately, I have only production machines/tunnels running, so I can't test anything experimental with no impact on daily business life. Sorry.

Regarding compression: IMHO you really should implement the new LZ4! It's extremely fast and in a net-to-net setup every site has to do decompression as well as compression. So, when decompression is about 3 times faster, that's what we want: There's a lot of VoIP traffic in our tunnels, so every millisecond we might gain is an advantage.
Thanx a lot for your work!!!

ummeegge
Community Developer
Posts: 3976

Re: OpenVPN-2.4.0 integration into IPFire

Postby ummeegge » February 2nd, 2017, 5:41 am

Thank you both for your replies,
csmall wrote:How can we get PAM integrated with ipfire so we can use it with OpenVPN? Is that a planned feature? Or maybe some sort of OTP?

I know you mentioned it before but I'm not sure where it stands or if any interest has been shown from devs.

I have searched around a little regarding that topic; an idea was to integrate a section like the local authentication in the proxy area, but this won't be part of this development here because it would go beyond its scope. Anyway, I have way too much stuff in here meanwhile to push it all for a merge request. This is also why I brought up two different versions to test, whereby I think the minimal version delivers a minimum to jump to the new 2.4 OpenVPN with IPFire.
Regarding your requested feature, I have some more info but also more questions; let's discuss them in a separate/or an old topic.

doc wrote:ummeegge, what you are doing here is important! The latest version of OVPN brings a ton of fixes and improvements.

I think so; this version fixes really a lot of stuff, but also brings great improvements and new features, but also big changes which might probably be difficult for all environments...

doc wrote:Regarding compression: IMHO you really should implement the new LZ4! It's extremly fast and in a net-to-net setup every site has to do decompression as well as compression. So, when decompression is about 3 times faster, that's what we want: There's a lot of VoIP traffic in our tunnels, so every millisecond we might gain is an advantage.

The code is already there --> https://github.com/ummeegge/ovpn_1901/c ... 84b95b8b00 even if it isn't integrated in the testing files here. Do you have experience with VoIP with and without LZO compression? Does the compression make recognizable speed differences?

doc wrote:Unfortunately, I have only production machines/tunnels running, so I can't test anything experimental with no impact on daily business life. Sorry.

This is indeed a problem; I can test a lot of stuff, but it is in general only my environment, and things which work here might not for others. My intent in bringing all that to the community is that as many people as possible test that stuff too, so we can be better aware of bugs and/or incompatibilities. Also, if the community has ideas they can bring them up, and I will try to implement them if they fit the topic.
The lack of testing is always a problem, even though there are thousands of systems out there which I can't consider; especially the commercial users who use this software should have an interest in supporting those requests, because they have a sustainable problem if something has been missed.

So since this is a community project, my hope is always that more people come together to reach a better state of development of new features, with not that much work for each one if we find a bigger resonance by testing, and the big sniveling if things do not work could be prevented.

Long story short: I won't make the next step if those things aren't checked before, as it is a requirement for me to do this before I communicate with the developers and ask for a merge. I tried to make it as easy as I can for you all to help me/and_us out with this; let's see if we get some good feedback, otherwise others need to do that. Time will tell.

Greetings,

UE

fkienker
Posts: 65

Re: OpenVPN-2.4.0 integration into IPFire

Postby fkienker » February 6th, 2017, 9:32 pm

I've been watching, as I am sure others have been, for some response to this thread. I'm considering trying to test this but I don't really have an easy way to do this other than for road-warrior configurations. I am contemplating setting up a net-to-net as well, but if there are issues others have found it would be helpful to know about them before starting.

Thanks in advance!

ummeegge
Community Developer
Posts: 3976

Re: OpenVPN-2.4.0 integration into IPFire

Postby ummeegge » February 7th, 2017, 9:31 am

Hi fkienker,
all tests I have made until now were made with 32-bit machines; hopefully today I will shift my Prime to 64-bit and will make some tests there too, and will then also give some feedback here.
As an aside, if you do not trust the in-/uninstaller (which also needs to be tested ;-), you can also make the installation manually. In here --> http://people.ipfire.org/~ummeegge/OpenVPN-2.4.0/ all files have been deposited.

Greetings,

UE

cibgiu
Posts: 15

Re: OpenVPN-2.4.0 integration into IPFire

Postby cibgiu » February 7th, 2017, 10:12 am

Hi ummeegge,

thanks for the great work.

I will test it, but with my limited knowledge of Linux and networking my contribution is minimal.

I have installed it on a working IPFire installed and configured one year earlier.
Your installation was fine; I installed the extended version.

Made the first connect but it hung; in the openvpn log: 'VERIFY ERROR: depth=0, error=CRL has expired'
A little googling and I found the solution https://forums.openvpn.net/viewtopic.php?t=23166

Here is what I did:
in /var/ipfire/ovpn/openssl/ovpn.cnf changed default_crl_days from 30 to 3650

log in via ssh

cd /var/ipfire/ovpn

openssl ca -gencrl -keyfile ca/cakey.pem -cert ca/cacert.pem -out crls/cacrl.pem -config openssl/ovpn.cnf

verify that /var/ipfire/ovpn/openssl/crls/cacrl.pem was updated

and now I can connect to the server.

Giuseppe
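The "CRL has expired" failure above can be caught before clients are locked out by reading the nextUpdate field of crls/cacrl.pem under /var/ipfire/ovpn. The checker below is an added example, not IPFire code or cibgiu's procedure; it parses just enough DER to reach thisUpdate/nextUpdate without third-party libraries, and the sample CRL it builds inline is a constructed, unsigned stand-in for one written by openssl ca -gencrl with default_crl_days = 30.

```python
import base64
from datetime import datetime, timezone


def der(tag, body):
    """Encode one DER TLV with definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next N bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag, value):
    """X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s   # RFC 5280 two-digit year rule
    elif tag != 0x18:
        raise ValueError("not a Time element: tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_validity(pem):
    """Return (thisUpdate, nextUpdate) of a PEM X.509 CRL; nextUpdate may be None."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    _, cert_list, _ = read_tlv(base64.b64decode(b64), 0)   # CertificateList
    _, tbs, _ = read_tlv(cert_list, 0)                      # tbsCertList
    tag, _, pos = read_tlv(tbs, 0)                          # optional version, else signature alg
    if tag == 0x02:
        _, _, pos = read_tlv(tbs, pos)                      # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)                          # issuer Name
    tag, val, pos = read_tlv(tbs, pos)
    this_update, next_update = parse_time(tag, val), None
    if pos < len(tbs):
        tag, val, pos = read_tlv(tbs, pos)                  # nextUpdate or revokedCertificates
        if tag in (0x17, 0x18):
            next_update = parse_time(tag, val)
    return this_update, next_update


def crl_expired(pem, now):
    """True when the CRL's nextUpdate lies before `now` (an aware datetime)."""
    _, nxt = crl_validity(pem)
    return nxt is not None and now > nxt


# Constructed sample: a minimal CRL with a dummy signature, shaped like the output of
# openssl ca -gencrl on 2017-01-08 with default_crl_days = 30.
def build_sample_crl(this_update, next_update):
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSAEncryption
    issuer = der(0x30, b"")                                  # empty Name is enough for this parser
    tbs = der(0x30, alg + issuer + utc(this_update) + utc(next_update))
    crl = der(0x30, tbs + alg + der(0x03, b"\x00" * 17))     # BIT STRING with placeholder signature
    body = base64.b64encode(crl).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN X509 CRL-----\n" + "\n".join(lines) + "\n-----END X509 CRL-----\n"


SAMPLE_CRL = build_sample_crl(datetime(2017, 1, 8, 9, 51, 10), datetime(2017, 2, 7, 9, 51, 10))

if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRL   # e.g. crls/cacrl.pem
    this_u, next_u = crl_validity(pem)
    print("thisUpdate:", this_u, "nextUpdate:", next_u,
          "expired:", crl_expired(pem, datetime.now(timezone.utc)))
```

After regenerating the CRL as described in the post, the same check should report a nextUpdate roughly default_crl_days ahead.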

csmall
Posts: 30

Re: OpenVPN-2.4.0 integration into IPFire

Postby csmall » February 7th, 2017, 7:01 pm

This may be worth a look as an OpenVPN replacement at some point.

Just thought I would put it out there.

https://www.wireguard.io

ummeegge
Community Developer
Posts: 3976

Re: OpenVPN-2.4.0 integration into IPFire

Postby ummeegge » February 8th, 2017, 4:40 am

Hi Giuseppe,
thanks for testing and your feedback.
cibgiu wrote:I will test it, but with my limited knowledge of Linux and networking my contribution is minimal.

this is very good because the switch to the new version should be without any hassle or further knowledge in that manner.

cibgiu wrote:I have installed it on a working IPFire installed and configured one year earlier.
Your installation was fine; I installed the extended version.

Good to know. Are you using a 32- or 64-bit machine? Did you configure something else in OpenVPN after installation or did you use it out of the box?

cibgiu wrote:Made the first connect but it hung; in the openvpn log: 'VERIFY ERROR: depth=0, error=CRL has expired'
A little googling and I found the solution https://forums.openvpn.net/viewtopic.php?t=23166

This is a little bit strange, since this development does not change anything in cacrl.pem and I have no problem with it here either (same settings). Will take a deeper look there; maybe I will also find something in the 2.4.0 change logs.

cibgiu wrote:and now I can connect to the server.

Did you check the logs for control channel and data encryption? Or did you try some of the new features?

Hi csmall,
csmall wrote:This may be worth a look as an OpenVPN replacement at some point.

Just thought I would put it out there.

https://www.wireguard.io

This was not the feedback I was hoping for ::) , and as it is OT and another discussion, it might be better if you open up a new topic for this. Thanks.

Greetings,

UE

