Chacha on Gnome Network Manager?

[dwright 25]

Hi,

Is it possible to use ChaCha20 if I'm using the Gnome Network Manager OpenVPN wrapper?

If so, how do I do it?

[OpenSourcerer 1359]

It is not. That cipher will be released with OpenVPN 2.5.

[Staff 9750]

@dwright

Hello,

as an alternative, you might test OpenVPN 3 AirVPN client 1.0. beta 1, it supports CHACHA20-POLY1305 even on Data Channel:
https://airvpn.org/forums/topic/45631-airvpn-client-based-on-openvpn-361-airvpn/

You will have also "Network Lock" available to prevent any traffic leak outside the VPN tunnel, as well as proper handling of DNS push (not available on OpenVPN 2).

Kind regards
 

[mariusffm 0]

I compiled OpenVPN 2.5, which supports ChaCha20 as data cipher for my router (OpenWRT), but I'm unable to connect to the ChaCha20 servers, there is simply a timeout / no connection. All other servers work fine. Does your customized OpenVPN version use a different protocol?

[Staff 9750]

Hello!

On the experimental servers we use OpenVPN 2.5 beta linked against mbedTLS 2.16.3 (on Comae and Chamalaeon) or OpenSSL 1.1.1d (on Luhman, Luyten and Ross).

Can you publish the log showing the failure? Does the failure occur on both mbedTLS and OpenSSL "based" servers?

Kind regards
 

[mariusffm 0]

Hi

thanks for your fast reply. I only tested it with openvpn-openssl. I will try mbedTLS also.
 

Quote

root@OpenWrt:~# openvpn --version
OpenVPN 2.5_git arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  5 2019
library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>

This is my config:
 

Quote

client
dev tun
remote 134.19.179.29 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
explicit-exit-notify 5
cipher CHACHA20-POLY1305
remote-cert-tls server
comp-lzo no
proto udp
key-direction 1
fast-io

This is my log file:

Mon Dec  2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: OpenVPN 2.5_git arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  5 2019
Mon Dec  2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Mon Dec  2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec  2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec  2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: TCP/UDP: Preserving recently used remote address: [AF_INET]134.19.179.29:443
Mon Dec  2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Dec  2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: UDP link local: (not bound)
Mon Dec  2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: UDP link remote: [AF_INET]134.19.179.29:443
Mon Dec  2 13:43:44 2019 daemon.err openvpn(AirVPN)[2289]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Dec  2 13:43:44 2019 daemon.err openvpn(AirVPN)[2289]: TLS Error: TLS handshake failed
Mon Dec  2 13:43:44 2019 daemon.notice openvpn(AirVPN)[2289]: SIGUSR1[soft,tls-error] received, process restarting
Mon Dec  2 13:43:44 2019 daemon.notice openvpn(AirVPN)[2289]: Restart pause, 5 second(s)
Mon Dec  2 13:43:48 2019 daemon.info dnsmasq-dhcp[2027]: DHCPINFORM(br-lan) 192.168.3.232 00:1a:6b:ce:53:ae
Mon Dec  2 13:43:48 2019 daemon.info dnsmasq-dhcp[2027]: DHCPACK(br-lan) 192.168.3.232 00:1a:6b:ce:53:ae t61-nv
Mon Dec  2 13:43:49 2019 daemon.notice openvpn(AirVPN)[2289]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec  2 13:43:49 2019 daemon.notice openvpn(AirVPN)[2289]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec  2 13:43:49 2019 daemon.notice openvpn(AirVPN)[2289]: TCP/UDP: Preserving recently used remote address: [AF_INET]134.19.179.29:443
Mon Dec  2 13:43:49 2019 daemon.notice openvpn(AirVPN)[2289]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Dec  2 13:43:49 2019 daemon.notice openvpn(AirVPN)[2289]: UDP link local: (not bound)
Mon Dec  2 13:43:49 2019 daemon.notice openvpn(AirVPN)[2289]: UDP link remote: [AF_INET]134.19.179.29:443

When I connect to the .26 address I get:

Mon Dec  2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: UDP link remote: [AF_INET]134.19.179.26:443
Mon Dec  2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: TLS: Initial packet from [AF_INET]134.19.179.26:443, sid=9b95877b 11ed2244
Mon Dec  2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Mon Dec  2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: VERIFY KU OK
Mon Dec  2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: Validating certificate extended key usage
Mon Dec  2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Dec  2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: VERIFY EKU OK
Mon Dec  2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Luhman, emailAddress=info@airvpn.org
Mon Dec  2 13:54:11 2019 daemon.warn openvpn(AirVPN)[2550]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1535', remote='link-mtu 1558'
Mon Dec  2 13:54:11 2019 daemon.warn openvpn(AirVPN)[2550]: WARNING: 'cipher' is used inconsistently, local='cipher CHACHA20-POLY1305', remote='cipher AES-256-CBC'
Mon Dec  2 13:54:11 2019 daemon.warn openvpn(AirVPN)[2550]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Mon Dec  2 13:54:11 2019 daemon.notice openvpn(AirVPN)[2550]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 4096 bit RSA
Mon Dec  2 13:54:11 2019 daemon.notice openvpn(AirVPN)[2550]: [Luhman] Peer Connection Initiated with [AF_INET]134.19.179.26:443
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: SENT CONTROL [Luhman]: 'PUSH_REQUEST' (status=1)
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.34.196.1,dhcp-option DNS6 fde6:7a:7d20:1ec4::1,tun-ipv6,route-gateway 10.34.196.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:1ec4::1019/64 fde6:7a:7d20:1ec4::1,ifconfig 10.34.196.27 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: timers and/or timeouts modified
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: compression parms modified
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: route options modified
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: route-related options modified
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: peer-id set
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: adjusting link_mtu to 1625
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: data channel crypto options modified
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Dec  2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

 

[Staff 9750]

@mariusffm

In the first log the key is wrong, that's fine (you use TLS crypt key on entry-IP address 2 whose daemons expect TLS Auth key). TLS Crypt key can be used on entry-IP addresses 3 and 4.

In the second log the cipher mismatch is caused by missing "ncp-disable" directive in your configuration file. OpenVPN "ncp" directive is engineered in quite a bizarre way (check the manuals for details), so you need to disable "ncp" on the cllient side to tell the server that the client needs to negotiate (if available on server side) exclusively one specific cipher on the Data Channel.

Kind regards
 

[mariusffm 0]

5 hours ago, Staff said:

In the second log the cipher mismatch is caused by missing "ncp-disable" directive in your configuration file

Thanks a lot!. I added ncp-disable to the configuration and finally chacha20 works.

Here my complete config without keys and certificates for the others:
 

Quote

client
dev tun
remote 134.19.179.26 443
resolv-retry infinite
nobind
ncp-disable
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
explicit-exit-notify 5
cipher CHACHA20-POLY1305
remote-cert-tls server
comp-lzo no
proto udp
key-direction 1
fast-io