dwright 25 Posted ... Hi, Is it possible to use ChaCha20 if I'm using the Gnome Network Manager OpenVPN wrapper? If so, how do I do it? Quote Share this post Link to post
OpenSourcerer 1442 Posted ... It is not. That cipher will be released with OpenVPN 2.5. Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
Staff 10016 Posted ... @dwright Hello, as an alternative, you might test OpenVPN 3 AirVPN client 1.0. beta 1, it supports CHACHA20-POLY1305 even on Data Channel:https://airvpn.org/forums/topic/45631-airvpn-client-based-on-openvpn-361-airvpn/ You will have also "Network Lock" available to prevent any traffic leak outside the VPN tunnel, as well as proper handling of DNS push (not available on OpenVPN 2). Kind regards Quote Share this post Link to post
mariusffm 0 Posted ... I compiled OpenVPN 2.5, which supports ChaCha20 as data cipher for my router (OpenWRT), but I'm unable to connect to the ChaCha20 servers, there is simply a timeout / no connection. All other servers work fine. Does your customized OpenVPN version use a different protocol? Quote Share this post Link to post
Staff 10016 Posted ... Hello! On the experimental servers we use OpenVPN 2.5 beta linked against mbedTLS 2.16.3 (on Comae and Chamalaeon) or OpenSSL 1.1.1d (on Luhman, Luyten and Ross). Can you publish the log showing the failure? Does the failure occur on both mbedTLS and OpenSSL "based" servers? Kind regards Quote Share this post Link to post
mariusffm 0 Posted ... Hi thanks for your fast reply. I only tested it with openvpn-openssl. I will try mbedTLS also. Quote root@OpenWrt:~# openvpn --version OpenVPN 2.5_git arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 5 2019 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 Originally developed by James Yonan Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> This is my config: Quote client dev tun remote 134.19.179.29 443 resolv-retry infinite nobind persist-key persist-tun auth-nocache route-delay 5 verb 3 explicit-exit-notify 5 cipher CHACHA20-POLY1305 remote-cert-tls server comp-lzo no proto udp key-direction 1 fast-io This is my log file: Mon Dec 2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: OpenVPN 2.5_git arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 5 2019 Mon Dec 2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10 Mon Dec 2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Dec 2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Dec 2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: TCP/UDP: Preserving recently used remote address: [AF_INET]134.19.179.29:443 Mon Dec 2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: Socket Buffers: R=[163840->163840] S=[163840->163840] Mon Dec 2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: UDP link local: (not bound) Mon Dec 2 13:42:44 2019 daemon.notice openvpn(AirVPN)[2289]: UDP link remote: [AF_INET]134.19.179.29:443 Mon Dec 2 13:43:44 2019 daemon.err openvpn(AirVPN)[2289]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Mon Dec 2 13:43:44 2019 daemon.err openvpn(AirVPN)[2289]: TLS Error: TLS handshake failed Mon Dec 2 13:43:44 2019 daemon.notice openvpn(AirVPN)[2289]: SIGUSR1[soft,tls-error] received, process restarting Mon Dec 2 13:43:44 2019 daemon.notice openvpn(AirVPN)[2289]: Restart pause, 5 second(s) Mon Dec 2 13:43:48 2019 daemon.info dnsmasq-dhcp[2027]: DHCPINFORM(br-lan) 192.168.3.232 00:1a:6b:ce:53:ae Mon Dec 2 13:43:48 2019 daemon.info dnsmasq-dhcp[2027]: DHCPACK(br-lan) 192.168.3.232 00:1a:6b:ce:53:ae t61-nv Mon Dec 2 13:43:49 2019 daemon.notice openvpn(AirVPN)[2289]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Dec 2 13:43:49 2019 daemon.notice openvpn(AirVPN)[2289]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Dec 2 13:43:49 2019 daemon.notice openvpn(AirVPN)[2289]: TCP/UDP: Preserving recently used remote address: [AF_INET]134.19.179.29:443 Mon Dec 2 13:43:49 2019 daemon.notice openvpn(AirVPN)[2289]: Socket Buffers: R=[163840->163840] S=[163840->163840] Mon Dec 2 13:43:49 2019 daemon.notice openvpn(AirVPN)[2289]: UDP link local: (not bound) Mon Dec 2 13:43:49 2019 daemon.notice openvpn(AirVPN)[2289]: UDP link remote: [AF_INET]134.19.179.29:443 When I connect to the .26 address I get: Mon Dec 2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: UDP link remote: [AF_INET]134.19.179.26:443 Mon Dec 2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: TLS: Initial packet from [AF_INET]134.19.179.26:443, sid=9b95877b 11ed2244 Mon Dec 2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org Mon Dec 2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: VERIFY KU OK Mon Dec 2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: Validating certificate extended key usage Mon Dec 2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Mon Dec 2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: VERIFY EKU OK Mon Dec 2 13:54:10 2019 daemon.notice openvpn(AirVPN)[2550]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Luhman, emailAddress=info@airvpn.org Mon Dec 2 13:54:11 2019 daemon.warn openvpn(AirVPN)[2550]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1535', remote='link-mtu 1558' Mon Dec 2 13:54:11 2019 daemon.warn openvpn(AirVPN)[2550]: WARNING: 'cipher' is used inconsistently, local='cipher CHACHA20-POLY1305', remote='cipher AES-256-CBC' Mon Dec 2 13:54:11 2019 daemon.warn openvpn(AirVPN)[2550]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1' Mon Dec 2 13:54:11 2019 daemon.notice openvpn(AirVPN)[2550]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 4096 bit RSA Mon Dec 2 13:54:11 2019 daemon.notice openvpn(AirVPN)[2550]: [Luhman] Peer Connection Initiated with [AF_INET]134.19.179.26:443 Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: SENT CONTROL [Luhman]: 'PUSH_REQUEST' (status=1) Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.34.196.1,dhcp-option DNS6 fde6:7a:7d20:1ec4::1,tun-ipv6,route-gateway 10.34.196.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:1ec4::1019/64 fde6:7a:7d20:1ec4::1,ifconfig 10.34.196.27 255.255.255.0,peer-id 1,cipher AES-256-GCM' Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: timers and/or timeouts modified Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: compression parms modified Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: --ifconfig/up options modified Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: route options modified Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: route-related options modified Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: peer-id set Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: adjusting link_mtu to 1625 Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: OPTIONS IMPORT: data channel crypto options modified Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: Data Channel: using negotiated cipher 'AES-256-GCM' Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Mon Dec 2 13:54:12 2019 daemon.notice openvpn(AirVPN)[2550]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Quote Share this post Link to post
Staff 10016 Posted ... @mariusffm In the first log the key is wrong, that's fine (you use TLS crypt key on entry-IP address 2 whose daemons expect TLS Auth key). TLS Crypt key can be used on entry-IP addresses 3 and 4. In the second log the cipher mismatch is caused by missing "ncp-disable" directive in your configuration file. OpenVPN "ncp" directive is engineered in quite a bizarre way (check the manuals for details), so you need to disable "ncp" on the cllient side to tell the server that the client needs to negotiate (if available on server side) exclusively one specific cipher on the Data Channel. Kind regards Quote Share this post Link to post
mariusffm 0 Posted ... 5 hours ago, Staff said: In the second log the cipher mismatch is caused by missing "ncp-disable" directive in your configuration file Thanks a lot!. I added ncp-disable to the configuration and finally chacha20 works. Here my complete config without keys and certificates for the others: Quote client dev tun remote 134.19.179.26 443 resolv-retry infinite nobind ncp-disable persist-key persist-tun auth-nocache route-delay 5 verb 3 explicit-exit-notify 5 cipher CHACHA20-POLY1305 remote-cert-tls server comp-lzo no proto udp key-direction 1 fast-io Quote Share this post Link to post