OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete 100%
  • Task Type Bug Report
  • Category Packages
  • Assigned To No-one
  • Operating System All
  • Severity Medium
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Slenderchat - 01.09.2019
Last edited by Petr Štetiar - 16.09.2019

FS#2475 - openvpn: option tls_cipher is ignored


Devices: TL-WR841ND v9 and TL-WR840N v4, both running OpenWrt SNAPSHOT r10920-0cc87b3bac

The first one runs openvpn-mbedtls 2.4.7 using mbedtls 2.16.2 as the server, the second one runs openvpn-openssl 2.4.7 using openssl 1.1.1c as the client.


Steps to reproduce:
1. Add "option tls_cipher 'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'" or "option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'" to /etc/config/openvpn of both client and server
2. Execute /etc/init.d/openvpn restart on both


The option has no effect and is not written to /var/etc/openvpn-*.conf on either router.
Both cipher suites are listed in the "openvpn --show-tls" output of both.
Executing the openvpn command with "--tls-cipher" directly does have an effect.
Supplying a ":"-separated list as the argument to "option tls_cipher" does not work either.


/etc/config/openvpn of the server:

config openvpn {instance}
        option enabled 1
        option local {IP}
        option port 1194
        option proto udp
        option dev tun0
        option ca /etc/openvpn/pki/ca.crt
        option cert /etc/openvpn/pki/{server}.crt
        option key /etc/openvpn/pki/{server}.key
        option dh /etc/openvpn/pki/dh.pem
        option tls_auth /etc/openvpn/pki/tls.key
        option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
        option server "192.168.0.0 255.255.252.0 nopool"
        option topology subnet
        option client_config_dir /etc/openvpn/ccd
        option client_to_client 1
        option keepalive "10 120"
        option cipher AES-128-GCM
        option auth SHA224
        option ncp_disable 1
        option persist_key 1
        option persist_tun 1
        option user nobody
        option status /tmp/openvpn-status.log
        option verb 4

/etc/config/openvpn of the client:

config openvpn {instance}
        option enabled 1
        option client 1
        option dev tun0
        option proto udp
        option remote "{IP} 1194"
        option resolv_retry infinite
        option nobind 1
        option persist_key 1
        option persist_tun 1
        option user nobody
        option ca /etc/openvpn/pki/ca.crt
        option cert /etc/openvpn/pki/{client}.crt
        option key /etc/openvpn/pki/{client}.key
        option tls_auth /etc/openvpn/pki/tls.key
        option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
        option cipher AES-128-GCM
        option auth SHA224
        option ncp_disable 1
        option verb 4

/var/etc/openvpn-{instance}.conf of the server:

client-to-client
ncp-disable
persist-key
persist-tun
auth SHA224
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/{server}.crt
cipher AES-128-GCM
client-config-dir /etc/openvpn/ccd
dev tun0
dh /etc/openvpn/pki/dh.pem
keepalive 10 120
key /etc/openvpn/pki/{server}.key
local {IP}
port 1194
proto udp
server 192.168.0.0 255.255.252.0 nopool
status /tmp/openvpn-status.log
tls-auth /etc/openvpn/pki/tls.key
topology subnet
user nobody
verb 4

/var/etc/openvpn-{instance}.conf of the client:

client
ncp-disable
nobind
persist-key
persist-tun
auth SHA224
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/{client}.crt
cipher AES-128-GCM
dev tun0
key /etc/openvpn/pki/{client}.key
proto udp
remote {IP} 1194
resolv-retry infinite
tls-auth /etc/openvpn/pki/tls.key
user nobody
verb 4

"logread -e openvpn" output of the server:

Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (mbed TLS)] [EPOLL] [AEAD]
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: library versions: mbed TLS 2.16.2
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Diffie-Hellman initialized with 2048 bit key
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Outgoing Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Incoming Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: TLS-Auth MTU parms [ L:1621 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: TUN/TAP device tun0 opened
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: TUN/TAP TX queue length set to 100
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: /sbin/ifconfig tun0 192.168.0.1 netmask 255.255.252.0 mtu 1500 broadcast 192.168.3.255
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:4 ET:0 EL:3 ]
Sun Sep  1 09:11:07 2019 daemon.warn openvpn({server})[2870]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: UDPv4 link local (bound): [AF_INET]{SERVER_IP}:1194
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: UDPv4 link remote: [AF_UNSPEC]
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: UID set to nobody
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: MULTI: multi_init called, r=256 v=256
Sun Sep  1 09:11:07 2019 daemon.notice openvpn({server})[2870]: Initialization Sequence Completed
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({server})[2870]: MULTI: multi_create_instance called
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Re-using SSL/TLS context
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Control Channel MTU parms [ L:1621 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:4 ET:0 EL:3 ]
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 TLS: Initial packet from [AF_INET]{CLIENT_IP}:58942, sid=090c350a 58339b04
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 VERIFY OK: depth=1, CN={server}-ca
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 VERIFY OK: depth=0, CN={client}
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 peer info: IV_VER=2.4.7
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 peer info: IV_PLAT=linux
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 peer info: IV_PROTO=2
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, 2048 bit key
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 [{client}] Peer Connection Initiated with [AF_INET]{CLIENT_IP}:58942
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/{client}
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 MULTI: Learn: 192.168.1.1 -> {client}/{CLIENT_IP}:58942
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 MULTI: primary virtual IP for {client}/{CLIENT_IP}:58942: 192.168.1.1
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 MULTI: internal route 192.168.1.0/24 -> {client}/{CLIENT_IP}:58942
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 MULTI: Learn: 192.168.1.0/24 -> {client}/{CLIENT_IP}:58942
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 PUSH: Received control message: 'PUSH_REQUEST'
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({server})[2870]: {client}/{CLIENT_IP}:58942 SENT CONTROL [{client}]: 'PUSH_REPLY,route-gateway 192.168.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.1.1 255.255.252.0,peer-id 0' (status=1)

"logread -e openvpn" output of the client:

Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: OpenVPN 2.4.7 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [EPOLL] [AEAD]
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: library versions: OpenSSL 1.1.1c  28 May 2019
Sun Sep  1 09:10:44 2019 daemon.warn openvpn({client})[29010]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Outgoing Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Incoming Control Channel Authentication: Using 224 bit message hash 'SHA224' for HMAC authentication
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Control Channel MTU parms [ L:1621 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:4 ET:0 EL:3 ]
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: TCP/UDP: Preserving recently used remote address: [AF_INET]{SERVER_IP}:1194
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: UDP link local: (not bound)
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: UDP link remote: [AF_INET]{SERVER_IP}:1194
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sun Sep  1 09:10:44 2019 daemon.notice openvpn({client})[29010]: TLS: Initial packet from [AF_INET]{SERVER_IP}:1194, sid=4963e57f 95fa1ba4
Sun Sep  1 09:10:45 2019 daemon.notice openvpn({client})[29010]: VERIFY OK: depth=1, CN={server}-ca
Sun Sep  1 09:10:45 2019 daemon.notice openvpn({client})[29010]: VERIFY OK: depth=0, CN={server}
Sun Sep  1 09:10:46 2019 daemon.notice openvpn({client})[29010]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 2048 bit RSA
Sun Sep  1 09:10:46 2019 daemon.notice openvpn({client})[29010]: [{server}] Peer Connection Initiated with [AF_INET]{SERVER_IP}:1194
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: SENT CONTROL [{server}]: 'PUSH_REQUEST' (status=1)
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.1.1 255.255.252.0,peer-id 0'
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: route-related options modified
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: peer-id set
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: adjusting link_mtu to 1624
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:4 ET:0 EL:3 ]
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: TUN/TAP device tun0 opened
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: TUN/TAP TX queue length set to 100
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: /sbin/ifconfig tun0 192.168.1.1 netmask 255.255.252.0 mtu 1500 broadcast 192.168.3.255
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: UID set to nobody
Sun Sep  1 09:10:47 2019 daemon.warn openvpn({client})[29010]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Sep  1 09:10:47 2019 daemon.notice openvpn({client})[29010]: Initialization Sequence Completed
Sun Sep  1 09:12:58 2019 daemon.notice openvpn({client})[29010]: [{server}] Inactivity timeout (--ping-restart), restarting
Sun Sep  1 09:12:58 2019 daemon.notice openvpn({client})[29010]: TCP/UDP: Closing socket
Sun Sep  1 09:12:58 2019 daemon.notice openvpn({client})[29010]: SIGUSR1[soft,ping-restart] received, process restarting
Sun Sep  1 09:12:58 2019 daemon.notice openvpn({client})[29010]: Restart pause, 5 second(s)
Sun Sep  1 09:13:03 2019 daemon.warn openvpn({client})[29010]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Re-using SSL/TLS context
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Control Channel MTU parms [ L:1621 D:1176 EF:74 EB:0 ET:0 EL:3 ]
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:4 ET:0 EL:3 ]
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-client'
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth [null-digest],keysize 128,tls-auth,key-method 2,tls-server'
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({client})[29010]: TCP/UDP: Preserving recently used remote address: [AF_INET]{SERVER_IP}:1194
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({client})[29010]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({client})[29010]: UDP link local: (not bound)
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({client})[29010]: UDP link remote: [AF_INET]{SERVER_IP}:1194
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({client})[29010]: TLS: Initial packet from [AF_INET]{SERVER_IP}:1194, sid=2796bdad af860497
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({client})[29010]: VERIFY OK: depth=1, CN={server}-ca
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({client})[29010]: VERIFY OK: depth=0, CN={server}
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({client})[29010]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 2048 bit RSA
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({client})[29010]: [{server}] Peer Connection Initiated with [AF_INET]{SERVER_IP}:1194
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({client})[29010]: SENT CONTROL [{server}]: 'PUSH_REQUEST' (status=1)
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({client})[29010]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.1.1 255.255.252.0,peer-id 0'
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: route-related options modified
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: peer-id set
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({client})[29010]: OPTIONS IMPORT: adjusting link_mtu to 1624
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:4 ET:0 EL:3 ]
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Preserving previous TUN/TAP instance: tun0
Sun Sep  1 09:13:05 2019 daemon.notice openvpn({client})[29010]: Initialization Sequence Completed
Closed by Petr Štetiar, 16.09.2019 11:58
Reason for closing:  Not a bug
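The report above is really a verification problem: a security-relevant directive (tls_cipher) was assumed to be in effect, while the generated config and the handshake log show it never reached the daemon (the server negotiated TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 although the UCI option asked for an ECDHE-ECDSA suite). The following script is an added example by the editor, not code from the reporter or from OpenWrt's openvpn init script. It performs the two checks a practitioner would run after `/etc/init.d/openvpn restart`: it diffs the option names of a UCI openvpn section against the directives of the generated /var/etc/openvpn-*.conf (using the underscore-to-hyphen mapping visible in the report, e.g. client_to_client becoming client-to-client, and skipping `enabled`, which the init script consumes itself), and it compares the cipher suite on the "Control Channel:" log line against the ':'-separated tls_cipher list. The sample UCI text, generated config and log lines are constructed from the report's excerpts with its {…} placeholders kept; all function names are the example's own. Two caveats: the OpenSSL build logs OpenSSL-style names (the client log shows "ECDHE-RSA-CHACHA20-POLY1305"), so the log comparison as written is only meaningful against the mbed TLS/IANA naming that tls_cipher uses, and both logs report a 2048-bit RSA server key, so an ECDSA-only suite list, had it been applied, would have left the handshake with no usable suite. The check's job is to surface a dropped directive before anyone relies on it.

```shell
#!/bin/sh
# Added example, not part of the bug report or of OpenWrt's openvpn init script.
# Check 1: which options of a UCI openvpn section are absent from the generated
#          /var/etc/openvpn-<instance>.conf. UCI names use "_", openvpn
#          directives use "-" (client_to_client -> client-to-client).
# Check 2: whether the control-channel suite the daemon negotiated (the
#          "Control Channel: ..." logread line) is in the UCI tls_cipher list.
# All inputs below are constructed from the report's excerpts; placeholders
# such as {server} and {CLIENT_IP} are kept as they appear in the report.

UCI_SAMPLE=$(cat <<'EOF'
config openvpn server
        option enabled 1
        option port 1194
        option tls_cipher 'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
        option cipher AES-128-GCM
        option auth SHA224
        option ncp_disable 1
EOF
)

# What the init script wrote: there is no tls-cipher line.
GENERATED_SAMPLE=$(cat <<'EOF'
ncp-disable
auth SHA224
cipher AES-128-GCM
port 1194
EOF
)

# Server-side logread excerpt (mbed TLS build, which logs IANA-style names).
LOG_SAMPLE=$(cat <<'EOF'
Sun Sep  1 09:13:03 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 TLS: Initial packet from [AF_INET]{CLIENT_IP}:58942, sid=090c350a 58339b04
Sun Sep  1 09:13:04 2019 daemon.notice openvpn({server})[2870]: {CLIENT_IP}:58942 Control Channel: TLSv1.2, cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256, 2048 bit key
EOF
)

# Option names of a UCI section, in the hyphenated form used by openvpn.conf.
uci_option_names() {
    printf '%s\n' "$1" | awk '$1 == "option" { gsub("_", "-", $2); print $2 }'
}

# Value of one UCI option ($2) in section text ($1), surrounding quotes removed.
uci_option_value() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}$2[[:space:]]\{1,\}//p" \
      | sed "s/^['\"]//; s/['\"]\$//"
}

# First word of every non-empty line of a generated openvpn.conf.
conf_directives() {
    printf '%s\n' "$1" | awk 'NF { print $1 }'
}

# UCI options ($1) with no matching directive in the generated config ($2).
# "enabled" is consumed by the init script and never appears in openvpn.conf.
missing_from_conf() {
    for name in $(uci_option_names "$1"); do
        [ "$name" = "enabled" ] && continue
        conf_directives "$2" | grep -qx -- "$name" || printf '%s\n' "$name"
    done
}

# Suite name from the last "Control Channel: ..." line. OpenSSL builds log
# "cipher TLSv1.2 ECDHE-RSA-...", so a leading protocol token is stripped.
negotiated_tls_cipher() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Control Channel: [^,]*, cipher \([^,]*\),.*/\1/p' \
      | sed 's/^TLSv1\.[0-9] //' | tail -n 1
}

# $1 = ':'-separated tls_cipher list, $2 = log text.
# Returns 0 if the negotiated suite is in the list, 1 if not, 2 if no
# handshake line was found. Both sides must use the same suite naming.
tls_cipher_in_effect() {
    got=$(negotiated_tls_cipher "$2")
    [ -n "$got" ] || { echo "no Control Channel line in log"; return 2; }
    for suite in $(printf '%s\n' "$1" | tr ':' ' '); do
        if [ "$suite" = "$got" ]; then
            echo "OK: control channel uses $got"
            return 0
        fi
    done
    echo "MISMATCH: tls_cipher '$1' but control channel negotiated '$got'"
    return 1
}

# Stand-alone run over the constructed samples ("|| :" keeps the exit status
# of the mismatch from aborting a "set -e" shell).
echo "UCI options missing from the generated config:"
missing_from_conf "$UCI_SAMPLE" "$GENERATED_SAMPLE"
tls_cipher_in_effect "$(uci_option_value "$UCI_SAMPLE" tls_cipher)" "$LOG_SAMPLE" || :
```

On a live router the same functions take `uci show`-style input by replacing the sample variables with `cat /etc/config/openvpn`, `cat /var/etc/openvpn-<instance>.conf` and `logread -e openvpn`; the first check is independent of the TLS library, the second one needs the names in tls_cipher and in the log to come from the same library.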
