Hi,
Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday 22 June 2020 18:58, Selva Nair <selva.n...@gmail.com> wrote:

> On Mon, Jun 22, 2020 at 7:31 AM David Sommerseth dav...@openvpn.net wrote:
>
> > This change makes the server use AES-256-GCM instead of BF-CBC as the
> > default cipher for the VPN tunnel when starting OpenVPN via systemd
> > and the openvpn-server@.service unit file.
> >
> > To avoid breaking existing running configurations defaulting to BF-CBC,
> > the Negotiable Crypto Parameters (NCP) list contains the BF-CBC in
> > addition to AES-CBC. This makes it possible to migrate existing older
> > client configurations one-by-one to use at least AES-CBC unless the
> > client is updated to v2.4 or newer (which defaults to upgrade to
> > AES-GCM automatically)
> >
> > This has been tested in Fedora 27 (released November 2017) with no
> > reported issues. By making this default for all Linux distributions
> > with systemd shipping with the unit files we provide, we gradually
> > expand setups using this possibility. As we gather experience from
> > this change, we can further move these changes into the defaults of
> > the OpenVPN binary itself with time.
> >
> > Signed-off-by: David Sommerseth dav...@openvpn.net
> >
> > ---------------------------------------------------
> >
> > Changes.rst | 15 +++++++++++++++
> > distro/systemd/openvpn-ser...@.service.in | 2 +-
> > 2 files changed, 16 insertions(+), 1 deletion(-)
> >
> > diff --git a/Changes.rst b/Changes.rst
> > index 00dd6ed8..e76d3c73 100644
> > --- a/Changes.rst
> > +++ b/Changes.rst
> > @@ -14,6 +14,21 @@ ChaCha20-Poly1305 cipher support > > channel. > > +User-visible Changes > > +-------------------- > > +New default cipher for systemd based Linux distributions > > > > - For Linux distributions with systemd which packages the systemd unit > > files > > - from the OpenVPN project, the default cipher is now changed to > > AES-256-GCM, > > - with BF-CBC as a fallback through the NCP feature. This change has been > > - tested successfully since the Fedora 27 release (released November > > 2017). > > - > > - WARNING This MAY break configurations where the client uses > > - ``--disable-occ`` feature where the ``--cipher`` has > > > > > > - not been explicitly configured on both client and > > > > > > - server side. It is recommended to remove the > > ``--disable-occ`` > > > > > > - option *or* explicitly add ``--cipher AES-256-GCM`` on > > the > > > > > > - client side if ``--disable-occ`` is strictly needed. > > > > > > - > > > > Overview of changes in 2.4 > > > > =========================== > > > > diff --git a/distro/systemd/openvpn-ser...@.service.in > > b/distro/systemd/openvpn-ser...@.service.in > > index d1cc72cb..f3545ff5 100644 > > --- a/distro/systemd/openvpn-ser...@.service.in > > +++ b/distro/systemd/openvpn-ser...@.service.in 
> > @@ -10,7 +10,7 @@ > > Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO > > Type=notify > > PrivateTmp=true > > WorkingDirectory=/etc/openvpn/server > > -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log > > --status-version 2 --suppress-timestamps --config %i.conf > > +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log > > --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers > > AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
>
> This is why I keep my openvpn servers out of systemd's view -- it
> keeps deciding what's good for us. I want to run my configs as is.
>
> Selva
>
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Sorry for the noise in advance, but I agree.
No idea how to keep it out of systemd's view :) but I change the line to

-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
+ExecStart=@sbindir@/openvpn --config %i.conf

and do everything in %i.conf. No unexpected configuration behaviour that way, like missing timestamps in the log.

Pippin
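Review bot: in the Changes.rst hunk the WARNING gives the symptom but not the mechanism, and the sentence before it understates the change: it says "with BF-CBC as a fallback through the NCP feature" while the unit's `--ncp-ciphers` list also offers AES-128-GCM, AES-256-CBC and AES-128-CBC, so an admin reading only Changes.rst will not know those are negotiable too. Quote the full list, and add one sentence on why `--disable-occ` matters, as the commit message implies: a pre-2.4 client cannot negotiate, so the server can only fall back to BF-CBC for it based on the cipher the client announces over OCC; with OCC disabled there is nothing to match against the list and the server stays on `--cipher AES-256-GCM`. The same entry should also say how to opt out, since `--config %i.conf` is the last option on the unit's command line and a `cipher`/`ncp-ciphers` line in the instance config is the natural place to override the new defaults without touching the unit.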
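Review bot: in the ExecStart hunk, `--cipher AES-256-GCM --ncp-ciphers ...` is inserted ahead of `--config %i.conf`, and nothing in the patch states what that ordering means for an instance config that already sets `cipher` or `ncp-ciphers`. Please document it, either as a comment in the unit or in the Changes.rst entry: OpenVPN applies options in the order given and expands `--config` in place, so the config's own `cipher`/`ncp-ciphers` lines should win over the command-line values, which is exactly the escape hatch the objection in this thread asks for. Two smaller points: BF-CBC at the tail of the list means the old default is demoted, not retired, and any client that asks for it still gets it, so the entry should say when it will be dropped; and the unit now hard-codes a crypto policy that differs from the binary's own default, so the same config behaves differently under systemd and when started by hand, which the Documentation= line above the hunk could point readers to.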
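The approach Pippin describes above, done as a systemd drop-in instead of editing the packaged unit file (which the next package upgrade would overwrite, silently bringing the command-line `--cipher`/`--ncp-ciphers` back). This is an added example, not code from the thread or from the OpenVPN project; it assumes the binary is at /usr/sbin/openvpn (the unit's `@sbindir@`) and takes a root prefix so it can be dry-run in a scratch directory. The cipher values are the ones from the patched unit, written explicitly into the instance config as the Changes.rst warning recommends.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenVPN project.
# Moves the data-channel cipher policy that the patched unit hard-codes on the
# command line into the instance config, and neutralises the unit's ExecStart
# through a systemd drop-in rather than by editing the packaged unit file.
# Assumptions: openvpn is /usr/sbin/openvpn (the unit's @sbindir@), and ROOT is
# a prefix: "" on a live host, a scratch directory for a dry run.

# Write <root>/etc/systemd/system/openvpn-server@<inst>.service.d/override.conf
write_override() {
    root=$1 inst=$2
    dir="$root/etc/systemd/system/openvpn-server@$inst.service.d"
    mkdir -p "$dir"
    # The empty "ExecStart=" is mandatory: it clears the command line inherited
    # from the packaged unit. A second ExecStart= without that reset makes
    # systemd refuse the unit (only Type=oneshot may list several).
    cat >"$dir/override.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/sbin/openvpn --config %i.conf
EOF
    printf '%s\n' "$dir/override.conf"
}

# Write the instance config with the policy stated explicitly. The unit's
# WorkingDirectory is /etc/openvpn/server, which is why "--config %i.conf"
# resolves without a path.
write_server_conf() {
    root=$1 inst=$2
    dir="$root/etc/openvpn/server"
    mkdir -p "$dir"
    cat >"$dir/$inst.conf" <<EOF
# Data-channel policy, equivalent to what the patched unit passes on the
# command line, now visible and versioned with the rest of the config.
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC
# Status options the stock unit used to add; keep or drop as you prefer.
status /run/openvpn-server/status-$inst.log
status-version 2
EOF
    printf '%s\n' "$dir/$inst.conf"
}

# Sanity-check a drop-in: the first ExecStart must be the empty reset and the
# replacement must follow, otherwise systemd rejects the unit at daemon-reload.
check_override() {
    f=$1
    first=$(grep '^ExecStart=' "$f" | head -n 1)
    [ "$first" = "ExecStart=" ] || return 1
    grep -q '^ExecStart=.*--config %i.conf$' "$f"
}

# Print the negotiable cipher list an instance config declares.
data_ciphers() {
    sed -n 's/^ncp-ciphers[[:space:]][[:space:]]*//p' "$1"
}
```

On a live host: `write_override "" vpn1 && write_server_conf "" vpn1`, then `systemctl daemon-reload && systemctl restart openvpn-server@vpn1`; `systemctl edit openvpn-server@vpn1` creates the same drop-in interactively. On OpenVPN 2.5 and later the option is called `data-ciphers`; `ncp-ciphers` is still accepted as an alias.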