Staff

OpenVPN 3 development by AirVPN


Hello!

We are very glad to inform you that our OpenVPN 3 development is progressing swiftly. Today we implemented directive ncp-disable which was still unsupported in OpenVPN 3.

https://github.com/AirVPN/openvpn3-airvpn

The directive is instrumental in allowing clients free selection of the Data Channel cipher among those available on the server, when ncp-ciphers is declared on the server side, and in keeping at the same time total backward compatibility. Since we implemented ChaCha20-Poly1305 https://airvpn.org/forums/topic/43850-openvpn-3-development/ on the OpenVPN 3 Data Channel, "ncp-disable" has become a priority to provide servers and clients with maximum flexibility.

We can therefore leave total freedom to clients to pick between AES-GCM, AES-CBC and ChaCha20 while preserving full backward compatibility.

Clients with AES-NI supporting processors will prefer AES, while clients running on CPUs without AES-NI, for example most ARM CPUs, will of course tend to prefer ChaCha20.

We are working hard to bring you first and foremost a new Eddie Android edition beta version to let you test ChaCha20-Poly1305 on your Android devices as soon as possible. All internal tests both with ChaCha20 and ncp-disable have been fully successful so far. Fingers crossed, maybe you will see a beta release as early as next week.

UPDATE: Eddie Android edition with ChaCha20 support on both Data and Control Channel is now available 
https://airvpn.org/forums/topic/44201-eddie-android-edition-24-beta-1-released-chacha20-support/

https://github.com/AirVPN/openvpn3-airvpn

Changelog 3.3 AirVPN - Release date: 13 July 2019 by ProMIND

- [ProMIND] [2019/06/02] Forked master openvpn3 repository 3.2 (qa:d87f5bbc04)
- [ProMIND] [2019/06/06] Implemented CHACHA20-POLY1305 cipher for both control and data channels
- [ProMIND] [2019/07/10] Implemented ncp-disable profile option


Kind regards and datalove
AirVPN Staff
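
The cipher selection described in the post above, as an added example that is not part of the original post or of AirVPN's code. It is a simplified model that assumes the semantics documented for `ncp-ciphers` and `ncp-disable` in the OpenVPN 2.4 manual; the server cipher list, the server fallback cipher and all function names are constructed for illustration.

```python
# Simplified model of OpenVPN data-channel cipher selection (added example).
# Assumption: follows the --ncp-ciphers / --ncp-disable behaviour described in
# the OpenVPN 2.4 manual. The server values below are constructed, not AirVPN's.

SERVER_NCP_CIPHERS = ["AES-256-GCM", "AES-256-CBC", "CHACHA20-POLY1305"]
SERVER_CIPHER = "AES-256-CBC"  # server's own --cipher, used as fallback


class CipherMismatch(Exception):
    """Raised when client and server cannot agree on a data-channel cipher."""


def negotiate(client_cipher, ncp_disable,
              server_ncp=SERVER_NCP_CIPHERS, server_cipher=SERVER_CIPHER):
    """Return the data-channel cipher both peers end up using."""
    if not ncp_disable:
        # NCP-capable client: the server pushes the first cipher of its list,
        # overriding whatever --cipher the client profile contains.
        return server_ncp[0]
    # ncp-disable: the client keeps its own --cipher. The server adopts it if
    # it equals the server's --cipher or appears in the ncp-ciphers list.
    if client_cipher == server_cipher or client_cipher in server_ncp:
        return client_cipher
    raise CipherMismatch(f"{client_cipher} is not offered by the server")


def build_profile_lines(has_aes_acceleration):
    """Pick a cipher by CPU capability and emit the two profile directives."""
    cipher = "AES-256-GCM" if has_aes_acceleration else "CHACHA20-POLY1305"
    return [f"cipher {cipher}", "ncp-disable"]


if __name__ == "__main__":
    for accel in (True, False):
        lines = build_profile_lines(accel)
        chosen = lines[0].split()[1]
        print(lines, "->", negotiate(chosen, ncp_disable=True))
    # Same ChaCha20 preference without ncp-disable: the server's first entry wins.
    print("negotiated:", negotiate("CHACHA20-POLY1305", ncp_disable=False))
```

A cipher the server does not list raises `CipherMismatch` instead of silently falling back, which is the outcome to check for when auditing a client profile.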
 


Hello!

On server side, we use OpenVPN 2.5 to support ChaCha20 on the Data Channel, so any server with OpenVPN 2.5 will be marked as "Experimental", to make clear that the OpenVPN running in it is a beta version.

As soon as OpenVPN 2.5 stable is released, all the servers will be upgraded to support ChaCha20 on the Data Channel without the "Experimental" warning.

Our next, imminent step is releasing Eddie Android edition with OpenVPN 3 supporting ChaCha20-Poly1305 to allow immediate testing from those devices based on Android that need ChaCha20 most, for performance and load reasons (such as any Android tablet, smart phone, Amazon Fire TV and any other Android based mediacenter using a CPU that does not support AES-NI).

Kind regards
 


Would it be possible that you implement a feature on the client to change the metric of _pushed_ routes?

ATM it's possible to change it for static routes you import by hand client-side or to define a metric of pushed routes server-side. I'd like to change the metric of a server-pushed route on the client side.

Thanks!


Hello!

It is not planned at the moment but we can of course take your suggestion into consideration. What's the purpose? By knowing the scenario we can make better decisions.

Kind regards
 


Thanks!

In my case I'd like to load balance a few OpenVPN connections.

ATM my setup is:
pc --> firewall --> openvpn vm --> tun0

The firewall can load balance on multiple interfaces by round robin, so I'd like a setup like this:

pc --> firewall eth1 --> openvpn vm eth1 --> tun0
   --> firewall eth2 --> openvpn vm eth2 --> tun1
   --> firewall eth3 --> openvpn vm eth3 --> tun2

I used masquerade from eth1 to tun0, eth2 to tun1 and so on, but the Linux route table only imports the route from tun0 0.0.0.0/0, so if I try to masquerade from eth2 to tun1 it won't work because there is no route imported for tun1 0.0.0.0/0. With multiple metrics I could import tun1 with a higher metric, so it's there but only used when it's told to do so.

The other tun instances won't import 0.0.0.0/0 because it already exists (with that metric).
 

Quote
Sun Jul 28 14:49:54 2019 /sbin/ip route add 0.0.0.0/1 via 10.10.0.1
RTNETLINK answers: File exists
Sun Jul 28 14:49:54 2019 ERROR: Linux route add command failed: external program exited with error status: 2
Sun Jul 28 14:49:54 2019 /sbin/ip route add 128.0.0.0/1 via 10.10.0.1
RTNETLINK answers: File exists
Sun Jul 28 14:49:54 2019 ERROR: Linux route add command failed: external program exited with error status: 2

 



hope this makes sense to you.

regards

 


Hello!

In order to avoid confusion, we have changed our GitHub repository name to openvpn3-airvpn. The URL has changed and has been edited accordingly in the first thread post.

Kind regards
 


Do you upstream your changes to the openvpn3 repo or why do you develop a separate one? Would be nice to have your improvements also in the original openvpn3 client.

