OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

Help on building IPFire & Feature Requests
fkienker
Posts: 126
Joined: March 3rd, 2011, 4:59 pm

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

Post by fkienker » May 29th, 2019, 3:18 pm

Sorry for not responding sooner - I'm really buried right now and have not had time to reflect on your last post. I will try to get to it soon.

Best regards,
Fred

fkienker
Posts: 126
Joined: March 3rd, 2011, 4:59 pm

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

Post by fkienker » May 30th, 2019, 3:27 pm

One of the chief issues IPFire users have is how "complicated" (versatile) OpenVPN is. To address this, maybe the best solution is to "recommend" defaults which would create a working configuration with little input from an unsophisticated user. At the same time, leave as many of the "advanced" options available for the advanced users as possible. This does make it possible for the unsophisticated to get themselves in a lot of trouble. But from a support aspect, it is much simpler to tell them to just start over and leave the defaults alone.

- I like the ability to select the tls-cipher, but the default should be "none/allow negotiation". Only people like me would notice the difference in the time necessary to connect.
- I like the ability to select the key exchange algorithms. But like you, I think the default should be "none/allow negotiation". Removing curves which don't work with older clients is counterproductive. It's past time to get people off of 2.3 and onto 2.4. The only common system which is 2.3 only is Windows XP. No one even remotely concerned about security would be using XP unless they are "stuck" with a legacy application.
- I like the ability to choose the cipher sequence, something which really should be available.

PLEASE let's get rid of the DH-parameter or at least make it option-able!!! It takes 20 plus minutes to generate a 4096 bit key on our systems. I doubt very many IPFire users EVER get past 2048 bit keys just because of the pain of generating the key. This is number one on my wish list.

I am going to think about better organization for the OpenVPN pages. They seem cluttered and are hard to understand unless you REALLY know OpenVPN.

Let me think some more on other wish list items. Honestly, there is not a lot more I would ask for which would be useful to more than a very small percentage of IPFire users. This is why at the core level we are using OPNsense, because we can do the ridiculous stuff on it. Even Cisco doesn't have this level of flexibility.

Best regards,
Fred
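To make the two key-exchange setups discussed in this post concrete, here is an added example (not IPFire's or OpenVPN's own code) that parses an OpenVPN server config, reports whether it relies on a generated dhparam file or on `dh none` plus `ecdh-curve`, and flags a `tls-cipher` list that only allows DHE suites while DH is disabled. The sample configs are constructed for illustration.

```python
# Added example (not IPFire's or OpenVPN's own code): classify how an OpenVPN
# server config handles TLS key exchange, so a generated dhparam file and
# `dh none` + `ecdh-curve` (OpenVPN 2.4+) can be told apart, and catch a
# tls-cipher pin that contradicts `dh none`.

# Constructed sample configs, not files generated by IPFire.
CLASSIC_DH = """\
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem                 # must be generated with openssl dhparam (slow)
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
"""

ECDH_ONLY = """\
dev tun
ca ca.crt
cert server.crt
key server.key
dh none                       # OpenVPN 2.4+: no dhparam file, ECDH is used
ecdh-curve secp384r1
"""

# Same as ECDH_ONLY but pins a DHE-only suite: DH is disabled, so nothing matches.
BROKEN_MIX = ECDH_ONLY + "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384\n"


def parse_config(text):
    """Map each option to its arguments (last occurrence wins), dropping # and ; comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts


def key_exchange_report(text):
    """Return {'mode', 'curve', 'problems'} describing the server's key exchange."""
    opts = parse_config(text)
    dh = opts.get("dh", [])
    curve = opts.get("ecdh-curve", [None])[0]
    if dh and dh[0] != "none":
        mode = "classic_dh"      # finite-field DH; 4096-bit params take long to generate
    elif dh and dh[0] == "none":
        mode = "ecdh_only"       # needs OpenVPN 2.4+ on server and clients
    else:
        mode = "unspecified"
    problems = []
    suites = opts.get("tls-cipher", [""])[0].split(":")
    if mode == "ecdh_only" and suites != [""] and all("-DHE-" in s for s in suites):
        problems.append("tls-cipher allows only DHE suites but dh none disables DH")
    return {"mode": mode, "curve": curve, "problems": problems}
```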

fkienker
Posts: 126
Joined: March 3rd, 2011, 4:59 pm

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

Post by fkienker » September 20th, 2019, 4:43 pm

Any chance this will ever make it into the Core production code? It's better than what is being shipped currently. We have been using it on our system but keeping the modification in our install stream is a pain.

Best regards,
Fred

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: OpenVPN - Say goodbye to --dh and hello to --ecdh-curve ?

Post by ummeegge » September 23rd, 2019, 4:00 pm

Hi Fred,
fkienker wrote:
September 20th, 2019, 4:43 pm
Any chance this will ever make it into the Core production code? It's better than what is being shipped currently
I have asked on the mailing list, but the clear preference was to leave the DH-parameter where it is.

I would like to thank you nevertheless for your tests and your feedback; maybe this information is usable in case IPFire decides one day to integrate ECC fully into the WUI.
fkienker wrote:
September 20th, 2019, 4:43 pm
We have been using it on our system but keeping the modification in our install stream is a pain.
Yes, the best might be to go back to the regular version in that case.

Best,

UE
