Pfsense openvpn support AES-256-GCM ?
-
Will pfsense openvpn support AES-256-GCM any time soon? Or can I somehow get a work-around to get it to work with the current version of pfsense 2.2.6?
The problem is that AES-256-GCM is not present in the dropdown list of Encryption algorithm.
-
https://community.openvpn.net/openvpn/ticket/301
So at this time, OpenVPN does not support GCM. It might make it into OpenVPN 2.4 (whenever that might be).
-
Support has been committed to the OpenVPN master branch:
https://sourceforge.net/p/openvpn/openvpn-testing/ci/66407e11c4746e564bd4285e9c1a1805ecfd82bd/
-
The problem is that AES-256-GCM is not present in the dropdown list of Encryption algorithm.
And if it will be there also the OpenSSL version must be customized as well to use and handle the AES-GCM right.
So at this time, OpenVPN does not support GCM. It might make it into OpenVPN 2.4 (whenever that might be).
Following your link also makes me more hopeful of getting this in the near future. The status was changed and the code is now in the master branch of OpenVPN 2.4:
Changed 3 weeks ago by syzzer
Resolution set to fixed
Status changed from accepted to closed
And thanks to fast review by plaisthos, everything is in master now! Now it could really be that the OpenVPN users are the lucky ones in the next six months or so!
- OpenSSL will then be using AES-GCM, and this will benefit from the AES-NI instruction set (crypto)
- QuickAssist will be able to do decompression & compression (packet size)
- netmap-fwd is speeding up the entire routing part (routing)
So it would be the code that will be pushed more than all the others in the near future.
-
@BlueKobold:
The problem is that AES-256-GCM is not present in the dropdown list of Encryption algorithm.
And if it will be there also the OpenSSL version must be customized as well to use and handle the AES-GCM right.
Hmm, does it?
I'm no expert on this, but to me the commit message I posted above suggests that it should work with 1.0.1d and above:
OpenSSL 1.0.1-1.0.1c will not work with AEAD mode, because those versions have an unnecessary check that fails to update the cipher if the tag was not already set. 1.0.1d, which fixes that, was released in February 2013. People should have updated, and distros should have backported the fix by now.
-
@arthurdent
Yes, you are right, I was overlooking and misreading this date (was released in February 2013)!
My mistake.
-
Dear All,
When doing "openvpn --show-tls" in the shell of pfSense 2.3, it does post a long list including
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
That should be a good candidate for a super secure OpenVPN which should also be fast with AES-NI and pfSense 2.3. It is also included in the output of openssl ciphers, but not included in the drop down menu, however.
Can someone with a good understanding of the issues please point out how far we are away from using such encryption?
Regards,
Michael
-
Can someone with a good understanding of the issues please point out how far we are away from using such encryption?
In OpenVPN 2.4 it should be done as I was reading here in that thread. Link
-
Hi,
Connecting with latest client 2.3.10 to server on a NAS running version 2.3.6, it's working, my server log:
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
My client log:
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
I use
tls-version-min 1.2 or-highest
cipher AES-256-CBC
auth SHA512
in server and client config.
I don't know if this can be set in PFS because I'm waiting for a case for my first PFS build, but OpenVPN seems not to be the limit?
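As an added example (not code from the thread or from pfSense/OpenVPN), a small Python check that reconciles the log lines and config quoted above: it pulls the control-channel TLS suite and the data-channel cipher out of the log, compares the data-channel cipher with the `cipher` directive, and flags that GCM in the control-channel suite does not make the tunnel payload AEAD-protected. The "Data Channel" log lines are constructed and assumed to follow OpenVPN 2.3's wording.

```python
import re

# Constructed samples modelled on the lines quoted in the thread; the
# "Data Channel" lines are assumed to follow OpenVPN 2.3's log wording.
SAMPLE_LOG = """\
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
"""
SAMPLE_CONFIG = "tls-version-min 1.2 or-highest\ncipher AES-256-CBC\nauth SHA512\n"

CONTROL_RE = re.compile(r"Control Channel: (\S+), cipher \S+ (\S+),")
DATA_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)'")


def negotiated(log: str) -> dict:
    """Pull the control-channel TLS suite and the data-channel cipher out of a log."""
    info = {"tls_version": None, "control_suite": None, "data_cipher": None}
    for line in log.splitlines():
        if (m := CONTROL_RE.search(line)):
            info["tls_version"], info["control_suite"] = m.group(1), m.group(2)
        elif (m := DATA_RE.search(line)):
            info["data_cipher"] = m.group(1)
    return info


def configured(config: str) -> dict:
    """Read the 'cipher' and 'auth' directives, i.e. what the pfSense dropdowns set."""
    opts = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("cipher", "auth"):
            opts[parts[0]] = parts[1]
    return opts


def is_aead(cipher) -> bool:
    """GCM is the only AEAD data-channel mode discussed in the thread."""
    return cipher is not None and cipher.upper().endswith("-GCM")


def assess(log: str, config: str) -> list:
    """Return findings; an empty list means the data channel is AEAD and matches the config."""
    neg, cfg = negotiated(log), configured(config)
    findings = []
    if cfg.get("cipher") and neg["data_cipher"] != cfg["cipher"]:
        findings.append(f"config asks for {cfg['cipher']} but log shows {neg['data_cipher']}")
    if not is_aead(neg["data_cipher"]):
        findings.append(f"data channel is {neg['data_cipher']} (not AEAD); GCM in the control "
                        f"suite {neg['control_suite']} only covers the TLS control channel")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG, SAMPLE_CONFIG):
        print("-", finding)
```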