FS#2475 - openvpn: option tls_cipher is ignored #7292

Closed
openwrt-bot opened this issue Sep 1, 2019 · 0 comments

Slenderchat:

Devices: TL-WR841NDv9 and TL-WR840Nv4 both running OpenWRT SNAPSHOT, r10920-0cc87b3bac

The first one runs openvpn-mbedtls 2.4.7 using mbedtls 2.16.2 as the server, the second one runs openvpn-openssl 2.4.7 using openssl 1.1.1c as the client.

Steps to reproduce:
1. Add "option tls_cipher 'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'" or "option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'" to /etc/config/openvpn of both client and server
2. Execute /etc/init.d/openvpn restart on both

The option has no effect and is not written to /var/etc/openvpn-*.conf on either router.
Both ciphersuites are listed in the "openvpn --show-tls" output of both.
Executing the openvpn command with "--tls-cipher" directly does have an effect.
Supplying a ":"-separated list as the argument to "option tls_cipher" does not work either.

/etc/config/openvpn of the server:
config openvpn {instance}
option enabled 1
option local {IP}
option port 1194
option proto udp
option dev tun0
option ca /etc/openvpn/pki/ca.crt
option cert /etc/openvpn/pki/{server}.crt
option key /etc/openvpn/pki/{server}.key
option dh /etc/openvpn/pki/dh.pem
option tls_auth /etc/openvpn/pki/tls.key
option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
option server "192.168.0.0 255.255.252.0 nopool"
option topology subnet
option client_config_dir /etc/openvpn/ccd
option client_to_client 1
option keepalive "10 120"
option cipher AES-128-GCM
option auth SHA224
option ncp_disable 1
option persist_key 1
option persist_tun 1
option user nobody
option status /tmp/openvpn-status.log
option verb 4

/etc/config/openvpn of the client:
config openvpn {instance}
option enabled 1
option client 1
option dev tun0
option proto udp
option remote "{IP} 1194"
option resolv_retry infinite
option nobind 1
option persist_key 1
option persist_tun 1
option user nobody
option ca /etc/openvpn/pki/ca.crt
option cert /etc/openvpn/pki/{client}.crt
option key /etc/openvpn/pki/{client}.key
option tls_auth /etc/openvpn/pki/tls.key
option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
option cipher AES-128-GCM
option auth SHA224
option ncp_disable 1
option verb 4

/var/etc/openvpn-{instance}.conf of the server:
client-to-client
ncp-disable
persist-key
persist-tun
auth SHA224
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/{server}.crt
cipher AES-128-GCM
client-config-dir /etc/openvpn/ccd
dev tun0
dh /etc/openvpn/pki/dh.pem
keepalive 10 120
key /etc/openvpn/pki/{server}.key
local {IP}
port 1194
proto udp
server 192.168.0.0 255.255.252.0 nopool
status /tmp/openvpn-status.log
tls-auth /etc/openvpn/pki/tls.key
topology subnet
user nobody
verb 4

/var/etc/openvpn-{instance}.conf of the client:
client
ncp-disable
nobind
persist-key
persist-tun
auth SHA224
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/{client}.crt
cipher AES-128-GCM
dev tun0
key /etc/openvpn/pki/{client}.key
proto udp
remote {IP} 1194
resolv-retry infinite
tls-auth /etc/openvpn/pki/tls.key
user nobody
verb 4

"logread -e openvpn" output of the server:
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (mbed TLS)] [EPOLL] [AEAD]
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: library versions: mbed TLS 2.16.2
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Diffie-Hellman initialized with 2048 bit key
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Outgoing Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Incoming Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: TLS-Auth MTU parms [ L:1621 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: TUN/TAP device tun0 opened
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: TUN/TAP TX queue length set to 100
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: /sbin/ifconfig tun0 192.168.0.1 netmask 255.255.252.0 mtu 1500 broadcast 192.168.3.255
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:4 ET:0 EL:3 ]
Sun Sep 1 09:11:07 2019 daemon.warn openvpn({server})[2870]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: UDPv4 link local (bound): [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: UDPv4 link remote: [AF_UNSPEC]
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: UID set to nobody
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: MULTI: multi_init called, r=256 v=256
Sun Sep 1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Initialization Sequence Completed
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: MULTI: multi_create_instance called
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Re-using SSL/TLS context
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Control Channel MTU parms [ L:1621 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:4 ET:0 EL:3 ]
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 TLS: Initial packet from [AF_INET]{CLIENT_IP}:58942, sid=090c350a 58339b04
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 VERIFY OK: depth=1, CN={server}-ca
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 VERIFY OK: depth=0, CN={client}
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 peer info: IV_VER=2.4.7
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 peer info: IV_PLAT=linux
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 peer info: IV_PROTO=2
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, 2048 bit key
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 [{client}] Peer Connection Initiated with [AF_INET]{CLIENT_IP}:58942
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/{client}
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 MULTI: Learn: 192.168.1.1 -> {client}/{CLIENT_IP}:58942
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 MULTI: primary virtual IP for {client}/{CLIENT_IP}:58942: 192.168.1.1
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 MULTI: internal route 192.168.1.0/24 -> {client}/{CLIENT_IP}:58942
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 MULTI: Learn: 192.168.1.0/24 -> {client}/{CLIENT_IP}:58942
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 PUSH: Received control message: 'PUSH_REQUEST'
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 SENT CONTROL [{client}]: 'PUSH_REPLY,route-gateway 192.168.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.1.1 255.255.252.0,peer-id 0' (status=1)

"logread -e openvpn" output of the client:
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [EPOLL] [AEAD]
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: library versions: OpenSSL 1.1.1c 28 May 2019
Sun Sep 1 09:10:44 2019 daemon.warn openvpn({client})[29010]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Outgoing Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Incoming Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Control Channel MTU parms [ L:1621 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:4 ET:0 EL:3 ]
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: TCP/UDP: Preserving recently used remote address: [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: UDP link local: (not bound)
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: UDP link remote: [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sun Sep 1 09:10:44 2019 daemon.notice openvpn({client})[29010]: TLS: Initial packet from [AF_INET]{SERVER_IP}:1194, sid=4963e57f 95fa1ba4
Sun Sep 1 09:10:45 2019 daemon.notice openvpn({client})[29010]: VERIFY OK: depth=1, CN={server}-ca
Sun Sep 1 09:10:45 2019 daemon.notice openvpn({client})[29010]: VERIFY OK: depth=0, CN={server}
Sun Sep 1 09:10:46 2019 daemon.notice openvpn({client})[29010]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 2048 bit RSA
Sun Sep 1 09:10:46 2019 daemon.notice openvpn({client})[29010]: [{server}] Peer Connection Initiated with [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: SENT CONTROL [{server}]: 'PUSH_REQUEST' (status=1)
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.1.1 255.255.252.0,peer-id 0'
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: route-related options modified
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: peer-id set
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: adjusting link_mtu to 1624
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:4 ET:0 EL:3 ]
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: TUN/TAP device tun0 opened
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: TUN/TAP TX queue length set to 100
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: /sbin/ifconfig tun0 192.168.1.1 netmask 255.255.252.0 mtu 1500 broadcast 192.168.3.255
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: UID set to nobody
Sun Sep 1 09:10:47 2019 daemon.warn openvpn({client})[29010]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Sep 1 09:10:47 2019 daemon.notice openvpn({client})[29010]: Initialization Sequence Completed
Sun Sep 1 09:12:58 2019 daemon.notice openvpn({client})[29010]: [{server}] Inactivity timeout (--ping-restart), restarting
Sun Sep 1 09:12:58 2019 daemon.notice openvpn({client})[29010]: TCP/UDP: Closing socket
Sun Sep 1 09:12:58 2019 daemon.notice openvpn({client})[29010]: SIGUSR1[soft,ping-restart] received, process restarting
Sun Sep 1 09:12:58 2019 daemon.notice openvpn({client})[29010]: Restart pause, 5 second(s)
Sun Sep 1 09:13:03 2019 daemon.warn openvpn({client})[29010]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Re-using SSL/TLS context
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Control Channel MTU parms [ L:1621 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:4 ET:0 EL:3 ]
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: TCP/UDP: Preserving recently used remote address: [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: UDP link local: (not bound)
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: UDP link remote: [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:13:03 2019 daemon.notice openvpn({client})[29010]: TLS: Initial packet from [AF_INET]{SERVER_IP}:1194, sid=2796bdad af860497
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({client})[29010]: VERIFY OK: depth=1, CN={server}-ca
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({client})[29010]: VERIFY OK: depth=0, CN={server}
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({client})[29010]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 2048 bit RSA
Sun Sep 1 09:13:04 2019 daemon.notice openvpn({client})[29010]: [{server}] Peer Connection Initiated with [AF_INET]{SERVER_IP}:1194
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: SENT CONTROL [{server}]: 'PUSH_REQUEST' (status=1)
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.1.1 255.255.252.0,peer-id 0'
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: route-related options modified
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: peer-id set
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: adjusting link_mtu to 1624
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:4 ET:0 EL:3 ]
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Preserving previous TUN/TAP instance: tun0
Sun Sep 1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Initialization Sequence Completed
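An added POSIX shell example, not part of the report above and not OpenWrt's own init script, that automates the two checks the reporter did by hand: it compares the option names in an /etc/config/openvpn section against the generated /var/etc/openvpn-*.conf to list options the init script dropped, and it reads the negotiated control-channel suite out of a logread line so it can be compared with the configured one. It assumes OpenWrt's convention that an underscore in a UCI option name becomes a dash in the openvpn keyword (tls_auth becomes tls-auth in the generated conf shown above) and that "enabled" is consumed by the init script rather than written out; the UCI section, generated conf and log line are constructed from the report, with placeholder addresses. The reason both checks matter is visible in the logs: with tls_cipher silently dropped, the server negotiated TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, not the ECDSA/AES-128-GCM suite the configuration asked for, so the intended restriction on the control channel was never enforced.

```shell
#!/bin/sh
# Added example, not from the issue or OpenWrt's openvpn init script.
# Assumption (matches the tls_auth -> tls-auth mapping in the report): the init
# script turns "option foo_bar value" into "foo-bar value" and consumes
# "enabled" itself instead of writing it to the generated conf.

# Constructed UCI section modelled on the reporter's client config ({IP} kept as a placeholder).
UCI_SAMPLE=$(cat <<'EOF'
config openvpn myclient
option enabled 1
option client 1
option dev tun0
option proto udp
option remote "{IP} 1194"
option tls_auth /etc/openvpn/pki/tls.key
option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
option cipher AES-128-GCM
option auth SHA224
option verb 4
EOF
)

# Constructed generated conf reproducing the bug: every option except tls-cipher arrived.
CONF_SAMPLE=$(cat <<'EOF'
client
auth SHA224
cipher AES-128-GCM
dev tun0
proto udp
remote {IP} 1194
tls-auth /etc/openvpn/pki/tls.key
verb 4
EOF
)

# Constructed logread line in the mbed TLS server's format from the report.
LOG_SAMPLE='Sun Sep 1 09:13:04 2019 daemon.notice openvpn(srv)[2870]: 198.51.100.2:58942 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, 2048 bit key'
EXPECTED_SUITE='TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'

# uci_option_names UCI: print the option names of a UCI section, minus "enabled".
uci_option_names() {
    printf '%s\n' "$1" | awk '$1 == "option" && $2 != "enabled" { print $2 }'
}

# conf_has_option KEY CONF: succeed if some line of CONF starts with KEY.
# Boolean options ("option client 1") become bare keywords ("client"), so
# matching on the keyword alone covers both forms.
conf_has_option() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { found = 1 } END { exit !found }'
}

# missing_options UCI CONF: print each openvpn keyword (underscores -> dashes)
# that the UCI section asks for but the generated conf does not contain.
missing_options() {
    for name in $(uci_option_names "$1"); do
        key=$(printf '%s' "$name" | tr '_' '-')
        conf_has_option "$key" "$2" || printf '%s\n' "$key"
    done
}

# negotiated_tls_cipher LOG: extract the suite from a "Control Channel: ..." line.
negotiated_tls_cipher() {
    printf '%s\n' "$1" | sed -n 's/.*Control Channel: [^,]*, cipher \([^,]*\),.*/\1/p' | head -n 1
}

# tls_cipher_matches SUITE LOG: succeed when the negotiated suite is the configured one.
tls_cipher_matches() {
    [ "$(negotiated_tls_cipher "$2")" = "$1" ]
}

# Run both checks on the constructed samples.
missing=$(missing_options "$UCI_SAMPLE" "$CONF_SAMPLE")
[ -z "$missing" ] || echo "dropped by the init script: $missing"
if tls_cipher_matches "$EXPECTED_SUITE" "$LOG_SAMPLE"; then
    echo "control channel uses $EXPECTED_SUITE"
else
    echo "control channel negotiated $(negotiated_tls_cipher "$LOG_SAMPLE"), not $EXPECTED_SUITE"
fi
```

On a real router the two sample variables would be replaced by the contents of /etc/config/openvpn and /var/etc/openvpn-{instance}.conf, and the log line by "logread -e 'Control Channel:'". The suite parser follows the mbed TLS server's log format; the OpenSSL client in the report logs the suite in OpenSSL's own notation ("TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305"), so the expected value has to be written in that notation when checking the client side.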
