Since OpenVPN-2.4.0 has been out for a couple of days, I wanted to introduce a possibility to test it.
There is an installer available which can be used for 64-bit but also for 32-bit platforms. The installer delivers modified language files (de.pl and en.pl), a modified ovpnmain.cgi, a new compression library (LZ4) and of course the new OpenVPN-2.4.0 binary.
The installer also provides two installation possibilities.
Please use testing systems for this.
1) A minimally changed ovpnmain.cgi with the following changes:
- OpenVPN on IPFire can be used just as before, but nevertheless with one more (per default deactivated) feature called "Cipher negotiation". The new OpenVPN version negotiates per default the best cipher between both sides. I have added one checkbox to activate/deactivate (deactivated is the default) it in the global section.
Also, the cipher negotiation can be used via CCD (client config directory), so it is usable for each client individually. If the global section allows cipher negotiation in general, but some clients should not use it, it is possible to deactivate this feature for them over the advanced settings while a new client is generated:
- Changed script-security directive; for security reasons, OpenVPN does not allow the "system" flag anymore.
2) An extended version with the following changes:
- The features from above are included, but also:
- Added new GCM ciphers for Roadwarrior and N2N (for AES-128, 192 and 256 bit). Sorted the algorithm lists and added descriptions (with weak, medium and strong algorithms) for ciphers, HMACs and DH parameters.
- Added a cipher length menu for the ROOT (6144, 8192, 12288 and 16384 bits)
and HOST (4096, 6144, 8192, 12288 and 16384 bits) CA, which is available while a new PKI is generated.
... some lengths are overkill but may nevertheless be interesting for testing. The generation time of the PKI, but also the client generation, will need more time the more bits are used for the PKI.
- Added tls-crypt for the N2N section.
The installer can be found in here --> https://github.com/ummeegge/ovpn_1901/b ... staller.sh .
Usage can be:
Login to your testing Fire and execute

chmod +x ovpn_240_in-uninstaller.sh
./ovpn_240_in-uninstaller.sh

This will lead you to the menu.
IMPORTANT: After installation or uninstallation you need to press the "Save" button in the OpenVPN web interface, because the new (or the old) directives need to be written into the server.conf, otherwise the server won't come up.
Feedback and testing would be good, but also important.
Further info on the new version and some testing results can be found here --> viewtopic.php?f=50&t=17656 .
Packages can also be found here --> http://people.ipfire.org/~ummeegge/OpenVPN-2.4.0/ .
- LZ4 (v2?) compression should also be integrated on Roadwarrior via CCD.
DONE --> viewtopic.php?f=50&t=18067#p104669 <-- and is included in the extended version of the installer script.
- Fade out the "Hash algorithm" for N2N if any sort of GCM cipher is used, because GCM's default is SHA256; modifications in that case can't be handled via the web interface. < Needs to be reviewed and tested again...
- Discussion about ECDSA certificate chains.
- Added a fix for the new "Refactor CRL handling" of OpenVPN-2.4.0. Problems are described here --> viewtopic.php?f=50&t=18067#p105115 , also on Debian --> https://bugs.debian.org/cgi-bin/bugrepo ... bug=849909 , and the fix for IPFire is located here --> viewtopic.php?f=50&t=18067&start=15 . The fix will for now be made via the installer script. Uninstallation via the script brings back the old state in ovpn.cnf.
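To make the cipher-negotiation logic of the post concrete (global checkbox in the server config, per-client override through the CCD file, and the dropped "system" flag of script-security), here is an added example. It is not code from the installer or from IPFire's ovpnmain.cgi: it parses a server.conf plus the files of a client-config-dir and reports what each client ends up with. The config fragments, the client names and the CCD path are constructed for the demo; the defaults for ncp-ciphers (AES-256-GCM:AES-128-GCM) and cipher (BF-CBC) are those of the OpenVPN 2.4 manual.

```python
#!/usr/bin/env python3
"""Resolve the effective OpenVPN 2.4 cipher-negotiation state per client.

Added example, not part of the installer or of ovpnmain.cgi. All file contents
below are constructed for the demo.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

DEFAULT_NCP_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]  # 2.4 default of ncp-ciphers
DEFAULT_CIPHER = "BF-CBC"                             # 2.4 default of cipher


def parse_directives(text: str) -> list[tuple[str, list[str]]]:
    """Turn OpenVPN config text into (directive, args) pairs.

    Comment lines (# or ;) and blank lines are dropped; inline file blocks
    such as <tls-crypt>...</tls-crypt> are skipped as one unit because their
    body is key material, not directives.
    """
    directives: list[tuple[str, list[str]]] = []
    skip_until: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if skip_until:
            if line == skip_until:
                skip_until = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and not line.startswith("</"):
            skip_until = "</" + line[1:]  # "<tls-crypt>" -> "</tls-crypt>"
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def has(directives: list[tuple[str, list[str]]], name: str) -> bool:
    return any(d == name for d, _ in directives)


def first_args(directives: list[tuple[str, list[str]]], name: str) -> list[str] | None:
    for d, args in directives:
        if d == name:
            return args
    return None


@dataclass
class Negotiation:
    client: str
    negotiates: bool
    ciphers: list[str]  # candidates for the data channel, or the single fixed cipher
    reason: str


def effective_negotiation(server_conf: str, ccd: dict[str, str],
                          clients: list[str]) -> list[Negotiation]:
    """Global ncp-disable wins; otherwise a per-client ncp-disable in the CCD file wins."""
    server = parse_directives(server_conf)
    fallback = (first_args(server, "cipher") or [DEFAULT_CIPHER])[0]
    ncp_args = first_args(server, "ncp-ciphers")
    ncp_list = ncp_args[0].split(":") if ncp_args else DEFAULT_NCP_CIPHERS
    results: list[Negotiation] = []
    for client in clients:
        if has(server, "ncp-disable"):
            results.append(Negotiation(client, False, [fallback], "ncp-disable in server.conf"))
        elif client in ccd and has(parse_directives(ccd[client]), "ncp-disable"):
            results.append(Negotiation(client, False, [fallback], f"ncp-disable in ccd/{client}"))
        else:
            results.append(Negotiation(client, True, list(ncp_list), "negotiated from ncp-ciphers"))
    return results


def check_24_compat(server_conf: str) -> list[str]:
    """Flag the 'system' method of script-security, which 2.4 no longer accepts."""
    problems = []
    for name, args in parse_directives(server_conf):
        if name == "script-security" and len(args) > 1 and args[1] == "system":
            problems.append(f"script-security {' '.join(args)}: the 'system' method is not "
                            f"accepted by OpenVPN 2.4, use 'script-security {args[0]}'")
    return problems


SERVER_CONF = """\
# constructed server.conf fragment for the demo
proto udp
port 1194
cipher AES-256-CBC
auth SHA256
ncp-ciphers AES-256-GCM:AES-128-GCM
client-config-dir /var/ipfire/ovpn/ccd
script-security 3 system
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
deadbeef
-----END OpenVPN Static key V1-----
</tls-crypt>
"""
# CCD path above and these CCD files are assumptions made for the demo.
CCD = {
    "laptop": "ncp-disable\n",                    # negotiation switched off for this client
    "phone": "iroute 10.9.0.0 255.255.255.0\n",  # CCD file without a negotiation override
}

if __name__ == "__main__":
    for r in effective_negotiation(SERVER_CONF, CCD, ["laptop", "phone", "tablet"]):
        state = "negotiates" if r.negotiates else "fixed"
        print(f"{r.client:8} {state:10} {':'.join(r.ciphers):28} ({r.reason})")
    for p in check_24_compat(SERVER_CONF):
        print("warning:", p)
```

Run it against the real server.conf and CCD directory of a test box before pressing "Save" in the web interface; a client listed as "fixed" must have the fallback cipher in its own config, while a "negotiates" client only needs one of the ncp-ciphers entries.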