On 22/06/2020 19:20, André via Openvpn-devel wrote:
> Hi,
> 
> 
> Sent with ProtonMail Secure Email.
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday 22 June 2020 18:58, Selva Nair <selva.n...@gmail.com> wrote:
> 
>> On Mon, Jun 22, 2020 at 7:31 AM David Sommerseth dav...@openvpn.net wrote:
>>
>>> This change makes the server use AES-256-GCM instead of BF-CBC as the
>>> default cipher for the VPN tunnel when starting OpenVPN via systemd
>>> and the openvpn-server@.service unit file.
>>> To avoid breaking existing running configurations defaulting to BF-CBC,
>>> the Negotiable Crypto Parameters (NCP) list contains the BF-CBC in
>>> addition to AES-CBC. This makes it possible to migrate existing older
>>> client configurations one-by-one to use at least AES-CBC unless the
>>> client is updated to v2.4 or newer (which defaults to upgrade to
>>> AES-GCM automatically)
>>> This has been tested in Fedora 27 (released November 2017) with no
>>> reported issues. By making this default for all Linux distributions
>>> with systemd shipping with the unit files we provide, we gradually
>>> expand setups using this possibility. As we gather experience from
>>> this change, we can further move these changes into the defaults of
>>> the OpenVPN binary itself with time.
>>>
>>> Signed-off-by: David Sommerseth dav...@openvpn.net
>>>
>>> ---------------------------------------------------
>>>
>>> Changes.rst | 15 +++++++++++++++
>>> distro/systemd/openvpn-ser...@.service.in | 2 +-
>>> 2 files changed, 16 insertions(+), 1 deletion(-)
>>> diff --git a/Changes.rst b/Changes.rst
>>> index 00dd6ed8..e76d3c73 100644
>>> --- a/Changes.rst
>>> +++ b/Changes.rst
>>> @@ -14,6 +14,21 @@ ChaCha20-Poly1305 cipher support
>>> channel.
>>> +User-visible Changes
>>> +--------------------
>>> +New default cipher for systemd based Linux distributions
>>>
>>> -   For Linux distributions with systemd which packages the systemd unit 
>>> files
>>> -   from the OpenVPN project, the default cipher is now changed to 
>>> AES-256-GCM,
>>> -   with BF-CBC as a fallback through the NCP feature. This change has been
>>> -   tested successfully since the Fedora 27 release (released November 
>>> 2017).
>>> -
>>> -   WARNING This MAY break configurations where the client uses
>>> -                  ``--disable-occ`` feature where the ``--cipher`` has
>>>
>>>
>>> -                  not been explicitly configured on both client and
>>>
>>>
>>> -                  server side.  It is recommended to remove the 
>>> ``--disable-occ``
>>>
>>>
>>> -                  option *or* explicitly add ``--cipher AES-256-GCM`` on 
>>> the
>>>
>>>
>>> -                  client side if ``--disable-occ`` is strictly needed.
>>>
>>>
>>> -
>>>
>>> Overview of changes in 2.4
>>>
>>> ===========================
>>>
>>> diff --git a/distro/systemd/openvpn-ser...@.service.in 
>>> b/distro/systemd/openvpn-ser...@.service.in
>>> index d1cc72cb..f3545ff5 100644
>>> --- a/distro/systemd/openvpn-ser...@.service.in
>>> +++ b/distro/systemd/openvpn-ser...@.service.in
>>> @@ -10,7 +10,7 @@ 
>>> Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
>>> Type=notify
>>> PrivateTmp=true
>>> WorkingDirectory=/etc/openvpn/server
>>> -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
>>> --status-version 2 --suppress-timestamps --config %i.conf
>>> +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
>>> --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers 
>>> AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
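Review bot: The new `--cipher` and `--ncp-ciphers` arguments are placed before `--config %i.conf`, so a `cipher` or `ncp-ciphers` line inside the config file takes precedence (the later occurrence of an option wins); that ordering is the escape hatch for administrators who need their own settings, and neither the commit message nor the Changes.rst entry says so. Please state it explicitly, and consider a comment in the unit file above `ExecStart=` noting that BF-CBC is kept at the tail of the list only as a migration aid, since the unit file is what packagers and administrators will actually read.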
>>
>> This is why I keep my openvpn servers out of systemd's view -- it
>> keeps deciding what's good for us. I want to run my configs as is.
>>
>> Selva
>>
>> Openvpn-devel mailing list
>> Openvpn-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
> 
> Sorry for the noise in advance but I agree.
> No idea how to keep it out of systemd's view :) but I change the line to
> -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
> --status-version 2 --suppress-timestamps --config %i.conf
> +ExecStart=@sbindir@/openvpn --config %i.conf
> and do everything in %i.conf
> No unexpected configuration behaviour that way like missing timestamps in log.

The --suppress-timestamps is actually the _only_ option there which cannot be
overridden.  By not having it there, a lot of users would be annoyed by
duplicated timestamps in their logs when they don't use log files directly.
But I can agree, having a way to override this option could be beneficial for
some users.

There might be many reasons why to use separate log files, but on a busy
server it may actually slow openvpn down a little bit (it is still single
threaded and logging happens in the same thread as key negotiations and VPN
network traffic) - especially if file write caches fill up and the fprintf()
calls are blocked until the file system has synced up.

By default, all logging is easily accessible via 'journalctl -u
openvpn-server@CONFIG_NAME', where you can do all sorts of filtering (like
--since today or --since yesterday ... and you can pipe it through grep if you
want).  The journal also has built in log rotation plus it ensures your file
system will never go completely full (unless you've explicitly disabled that
feature).  Plus it contains a lot more meta-data to use for filtering and
debugging than most other logging systems on Linux these days (try journalctl
-o json-pretty); we don't make use of those features in openvpn 2.x though.

If you do have a syslog daemon running, all logging will normally also go to
the syslog files as well (where rsyslog and syslog-ng allow you to filter out
log events from specific services to a separate log file, if that's a
requirement).  Most distros also ship with preconfigured log rotation tools,
or the syslog service has that included in the service.

Using the journal or syslog will _not_ block openvpn when it does log
operations.

I can understand if you feel I have this "I know better" attitude here.  I
really don't intend that, but I also do not understand this resistance to new
tools which can really make your life simpler - if you just care enough to
learn these new tools.  Neither systemd nor the journal are new tools these
days.

On the other hand ... this resistance to embrace new tools might also explain
better why some users are still clinging to BF-CBC - *not* saying they are the
same persons ... but, as Steffan said in regards to BF-CBC, we need to move on
... also on the tooling around openvpn.


-- 
kind regards,

David Sommerseth
OpenVPN Inc
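
As an added example for the migration question the patch raises (which clients are still on BF-CBC, and when BF-CBC can safely be dropped from the NCP list), here is a small POSIX shell script that reads the server's journal output and reports the data-channel cipher each client last negotiated. It is not part of this thread or of the OpenVPN project. It assumes the 2.4-style log line format described in its comments, and the lines in sample_log are constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread, not code from the OpenVPN project.
# Reports which data-channel cipher each client last negotiated, based on
# server log lines of the (assumed, 2.4-style) form
#   <common-name>/<ip>:<port> Outgoing Data Channel: Cipher '<name>' initialized with <n> bit key
# as they appear with --suppress-timestamps, i.e. without a leading date.
# Verify the format against your own journal before trusting the numbers.

# last_cipher_per_client: stdin = log lines, stdout = "<client> <cipher>",
# keeping only the most recent negotiation seen for each client endpoint.
last_cipher_per_client() {
    awk -v q="'" '
        index($0, "Outgoing Data Channel: Cipher " q) {
            rest = substr($0, index($0, "Cipher " q) + 8)   # text after the opening quote
            last[$1] = substr(rest, 1, index(rest, q) - 1)  # up to the closing quote
        }
        END { for (c in last) print c, last[c] }
    '
}

# cipher_report: "<cipher> <number of clients>" per cipher, sorted.
cipher_report() {
    last_cipher_per_client | awk '{ n[$2]++ } END { for (k in n) print k, n[k] }' | sort
}

# clients_on_cipher NAME: client endpoints whose last session used NAME,
# i.e. the ones still to migrate before NAME is removed from --ncp-ciphers.
clients_on_cipher() {
    last_cipher_per_client | awk -v want="$1" '$2 == want { print $1 }' | sort
}

# sample_log: constructed lines standing in for `journalctl -o cat` output.
# client-b first connects with BF-CBC, then reconnects after its config was
# moved to AES-256-CBC, so only its later session should be counted.
sample_log() {
    cat <<'EOF'
client-a/203.0.113.5:51423 Data Channel: using negotiated cipher 'AES-256-GCM'
client-a/203.0.113.5:51423 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
client-b/198.51.100.7:1194 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
client-c/192.0.2.9:40000 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
client-b/198.51.100.7:1194 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
MULTI: multi_create_instance called
EOF
}

# Demo on the constructed input. On a real server replace sample_log with
#   journalctl -u openvpn-server@CONFIG_NAME --since yesterday -o cat
sample_log | cipher_report
sample_log | clients_on_cipher BF-CBC
```

Run it against `journalctl -u openvpn-server@CONFIG_NAME --since yesterday -o cat` (the `-o cat` mode drops the journal's own prefix so the client endpoint stays in the first field) and BF-CBC can be dropped from the list once `clients_on_cipher BF-CBC` comes back empty over a period that covers all your clients' reconnects. If you would rather leave cipher selection entirely to `%i.conf` without editing the packaged unit, the systemd way is a drop-in (`systemctl edit openvpn-server@.service`) that first clears the command with an empty `ExecStart=` line and then sets your own; unlike an edited unit file, the drop-in survives package upgrades.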

