[LEDE-DEV] [PATCH RFC 1/2] openvpn: update to 2.4_rc2

Martin Blumenstingl martin.blumenstingl at googlemail.com
Sun Dec 25 05:23:44 PST 2016


Hello Magnus, Hi Felix,

On Sat, Dec 17, 2016 at 1:53 AM, Magnus Kroken <mkroken at gmail.com> wrote:
> OpenVPN 2.4 builds with mbedTLS 2.x, rename openvpn-polarssl
> variant to openvpn-mbedtls.
>
> Some feature highlights:
> * Data channel cipher negotiation
> * AEAD cipher support for data channel encryption (currently only AES-GCM)
> * ECDH key exchange for control channel
> * LZ4 compression support
it seems that there's a small compatibility problem for "older VPN
servers" with OpenVPN 2.4 and mbedTLS:
TLS-DHE-* ciphers don't seem to be supported anymore. I'm not sure if
that's a problem in real-world (I just upgraded to latest LEDE git
HEAD and found one of my VPN connections "broken" - but I can't tell
whether that VPN-server was exotic or whether it's a real-world
problem).

the list of available TLS ciphers in LEDE's OpenVPN when using mbedTLS:
# openvpn --show-tls
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-PSK-WITH-AES-256-GCM-SHA384
TLS-PSK-WITH-AES-256-CBC-SHA384
TLS-PSK-WITH-AES-256-CBC-SHA
TLS-PSK-WITH-AES-128-GCM-SHA256
TLS-PSK-WITH-AES-128-CBC-SHA256
TLS-PSK-WITH-AES-128-CBC-SHA

I guess this worked on LEDE with PolarSSL with OpenVPN 2.3:
#define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
while
//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED

can you tell if I ran into some corner case (the affected server was
using OpenVPN 2.3.14, most probably with OpenSSL backend) or if this
is a real problem?


Regards,
Martin
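Added example, not part of the message above and not OpenVPN's or LEDE's own code: a small checker that parses the `openvpn --show-tls` output of a client build, compares it with a server's `tls-cipher` list, and reports which key-exchange families the client is missing when no suite overlaps. The client list below is a subset of the mbedTLS list quoted in the message; the server `tls-cipher` values are constructed for the example (a server pinned to DHE-RSA suites is an assumption, not something the message states) and the function names are hypothetical.

```python
"""Check whether an OpenVPN client build and a server share a TLS cipher suite.

Client list: subset of the `openvpn --show-tls` output quoted in the message
(mbedTLS build of OpenVPN 2.4, which offers no DHE suites).
Server lists: constructed for this example.
"""
import re

# Subset of the `openvpn --show-tls` output from the message, including the
# prompt line so the parser has something to skip.
MBEDTLS_SHOW_TLS = """\
# openvpn --show-tls
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-PSK-WITH-AES-128-CBC-SHA
"""

# Constructed server-side `tls-cipher` settings (assumptions for the example).
# An older server restricted to DHE-RSA suites only:
SERVER_DHE_ONLY = "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA"
# The same server with one ECDHE suite added:
SERVER_MIXED = "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"

# OpenVPN/IANA-style suite names: TLS-<kx[-auth]>-WITH-<cipher>-<mac>
_NAME_RE = re.compile(
    r"^TLS-(?P<kx>[A-Z]+(?:-[A-Z]+)?)-WITH-(?P<cipher>.+)-(?P<mac>SHA\d*)$"
)


def parse_show_tls(text):
    """Return the suite names from `openvpn --show-tls` output, skipping other lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("TLS-")]


def parse_tls_cipher_option(value):
    """Split a colon-separated OpenVPN `tls-cipher` value into suite names."""
    return [c.strip() for c in value.split(":") if c.strip()]


def key_exchange(name):
    """Return the key-exchange/auth part of a suite name, e.g. 'DHE-RSA' or 'PSK'."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError("unrecognised TLS suite name: %r" % name)
    return m.group("kx")


def negotiable(client, server):
    """Suites offered by both sides, in the server's preference order."""
    client_set = set(client)
    return [c for c in server if c in client_set]


def diagnose(client, server):
    """Report overlap; when there is none, list key-exchange families the client lacks."""
    common = negotiable(client, server)
    if common:
        return {"ok": True, "common": common, "missing_kx": []}
    server_kx = {key_exchange(c) for c in server}
    client_kx = {key_exchange(c) for c in client}
    return {"ok": False, "common": [], "missing_kx": sorted(server_kx - client_kx)}


CLIENT_SUITES = parse_show_tls(MBEDTLS_SHOW_TLS)

if __name__ == "__main__":
    for label, server in (("DHE-only server", SERVER_DHE_ONLY), ("mixed server", SERVER_MIXED)):
        result = diagnose(CLIENT_SUITES, parse_tls_cipher_option(server))
        print(label, result)
```

Run against the DHE-only list the checker reports no common suite and `missing_kx == ['DHE-RSA']`, which is the situation described in the message; once the server also offers an ECDHE suite the handshake has a candidate again. The same check works for any two lists, e.g. the full `--show-tls` output of two different builds.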


