No encryption algorithm visible under OpenVPN Server setting.

akramchattha

Hi all,

I am setting up OpenVPN on my Pfsense V 2.3.3. Everything works fine except that under OpenVPN server settings i have no option for Encryption Algorithm. Please let me know if anyone aware of this and how to fix it.

johnpoz

Click the little black down arrow ;) In the encryption algo box..

akramchattha

Lol I checked that before posting here.. there is no other option in the drop down.

jimp

That list is populated based on the output of an openvpn command:

/usr/local/sbin/openvpn --show-ciphers

If the GUI list is empty, that command must be failing. Try to run it from a console or ssh shell prompt and see what it returns. It's possible your installation has a more fundamental problem with the files on the filesystem or mismatched package versions.

akramchattha

I do get some error message when i check installed packages.

Result of Openvpn command from console.

[2.3.3-RELEASE][admin@spartan.alpinelan.local]/root: /usr/local/sbin/openvpn –show-ciphers
The following ciphers and cipher modes are available
for use with OpenVPN.  Each cipher shown below may be
used as a parameter to the --cipher option.  The default
key size is shown as well as whether or not it can be
changed with the --keysize directive.  Using a CBC mode
is recommended. In static key mode only CBC mode is allowed.

DES-CFB 64 bit default key (fixed) (TLS client/server mode)
DES-CBC 64 bit default key (fixed)
IDEA-CBC 128 bit default key (fixed)
IDEA-CFB 128 bit default key (fixed) (TLS client/server mode)
RC2-CBC 128 bit default key (variable)
RC2-CFB 128 bit default key (variable) (TLS client/server mode)
RC2-OFB 128 bit default key (variable) (TLS client/server mode)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DES-OFB 64 bit default key (fixed) (TLS client/server mode)
IDEA-OFB 128 bit default key (fixed) (TLS client/server mode)
DES-EDE-CFB 128 bit default key (fixed) (TLS client/server mode)
DES-EDE3-CFB 192 bit default key (fixed) (TLS client/server mode)
DES-EDE-OFB 128 bit default key (fixed) (TLS client/server mode)
DES-EDE3-OFB 192 bit default key (fixed) (TLS client/server mode)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
BF-CFB 128 bit default key (variable) (TLS client/server mode)
BF-OFB 128 bit default key (variable) (TLS client/server mode)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
CAST5-CFB 128 bit default key (variable) (TLS client/server mode)
CAST5-OFB 128 bit default key (variable) (TLS client/server mode)
RC5-CBC 128 bit default key (variable)
RC5-CFB 128 bit default key (variable) (TLS client/server mode)
RC5-OFB 128 bit default key (variable) (TLS client/server mode)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-128-OFB 128 bit default key (fixed) (TLS client/server mode)
AES-128-CFB 128 bit default key (fixed) (TLS client/server mode)
AES-192-CBC 192 bit default key (fixed)
AES-192-OFB 192 bit default key (fixed) (TLS client/server mode)
AES-192-CFB 192 bit default key (fixed) (TLS client/server mode)
AES-256-CBC 256 bit default key (fixed)
AES-256-OFB 256 bit default key (fixed) (TLS client/server mode)
AES-256-CFB 256 bit default key (fixed) (TLS client/server mode)
AES-128-CFB1 128 bit default key (fixed) (TLS client/server mode)
AES-192-CFB1 192 bit default key (fixed) (TLS client/server mode)
AES-256-CFB1 256 bit default key (fixed) (TLS client/server mode)
AES-128-CFB8 128 bit default key (fixed) (TLS client/server mode)
AES-192-CFB8 192 bit default key (fixed) (TLS client/server mode)
AES-256-CFB8 256 bit default key (fixed) (TLS client/server mode)
DES-CFB1 64 bit default key (fixed) (TLS client/server mode)
DES-CFB8 64 bit default key (fixed) (TLS client/server mode)
DES-EDE3-CFB1 192 bit default key (fixed) (TLS client/server mode)
DES-EDE3-CFB8 192 bit default key (fixed) (TLS client/server mode)
CAMELLIA-128-CBC 128 bit default key (fixed)
CAMELLIA-192-CBC 192 bit default key (fixed)
CAMELLIA-256-CBC 256 bit default key (fixed)
CAMELLIA-128-CFB 128 bit default key (fixed) (TLS client/server mode)
CAMELLIA-192-CFB 192 bit default key (fixed) (TLS client/server mode)
CAMELLIA-256-CFB 256 bit default key (fixed) (TLS client/server mode)
CAMELLIA-128-CFB1 128 bit default key (fixed) (TLS client/server mode)
CAMELLIA-192-CFB1 192 bit default key (fixed) (TLS client/server mode)
CAMELLIA-256-CFB1 256 bit default key (fixed) (TLS client/server mode)
CAMELLIA-128-CFB8 128 bit default key (fixed) (TLS client/server mode)
CAMELLIA-192-CFB8 192 bit default key (fixed) (TLS client/server mode)
CAMELLIA-256-CFB8 256 bit default key (fixed) (TLS client/server mode)
CAMELLIA-128-OFB 128 bit default key (fixed) (TLS client/server mode)
CAMELLIA-192-OFB 192 bit default key (fixed) (TLS client/server mode)
CAMELLIA-256-OFB 256 bit default key (fixed) (TLS client/server mode)
SEED-CBC 128 bit default key (fixed)
SEED-OFB 128 bit default key (fixed) (TLS client/server mode)
SEED-CFB 128 bit default key (fixed) (TLS client/server mode)

jimp

What version of OpenVPN is on there? The output from that command on 2.3.3 should be different than what you show.

akramchattha

I am on 2.3.3 or atleast thats what shows on pfsense GUI as well as on the console.

[2.3.3-RELEASE][admin@spartan.alpinelan.local]/root:

jimp

Right but what does it show for OpenVPN?

: openvpn --version

: pkg info -x openvpn

akramchattha

[2.3.3-RELEASE][admin@spartan.alpinelan.local]/root: openvpn –version
OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. sales@openvpn.netCompile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

[2.3.3-RELEASE][admin@spartan.alpinelan.local]/root: pkg info -x openvpn
openvpn-2.3.11
openvpn-client-export-2.4.1_1
pfSense-pkg-openvpn-client-export-1.4.3/sales@openvpn.net

jimp

That should be OpenVPN 2.3.12 if you're on pfSense 2.3.3

Something must not have completely finished in your upgrade.

Go to System > Update, Update Settings tab. Make sure that 'Stable' is selected and even if you change nothing, save the settings again. Then run "pfSense-upgrade -d" from the console and update the OS to the latest version, which should be 2.3.4.

akramchattha

Thanks Jimp!!

I did that and now i can see drop down list for encryption algorithm.

pfsense version:

Version 2.3.4-RELEASE (amd64)
built on Wed May 03 15:13:29 CDT 2017
FreeBSD 10.3-RELEASE-p19

When i go to System - Package Manager - Installed Packages; it still shows "Package is configured but not (fully) installed. Should i be worried about that?

jimp

I'd remove (uninstall) the package using the trash can icon there and then install it again from the available packages tab.

akramchattha

i am still getting the same message. It says in the message that "Newer Version Available" even though i removed and reinstalled it. Should i remove it again and try to install it using console? if yes, could you please provide me the command line?

jimp

When you remove it, does it come out of that list?

From the command prompt you could try this:

pkg unlock openvpn-client-export
pkg unlock pfSense-pkg-openvpn-client-export
pkg delete -f openvpn-client-export pfSense-pkg-openvpn-client-export
pkg install pfSense-pkg-openvpn-client-export

akramchattha

when i removed it from console, it did get disappear from Installed packages.

So i ran all the commands and reinstall the package but is still gives me the same message "Package is configure but not (fully) installed.

[2.3.4-RELEASE][admin@spartan.alpinelan.local]/root: pkg unlock openvpn-client-export
openvpn-client-export-2.4.2: already unlocked
[2.3.4-RELEASE][admin@spartan.alpinelan.local]/root: pkg unlock pfSense-pkg-openvpn-client-export
pfSense-pkg-openvpn-client-export-1.4.5: already unlocked
[2.3.4-RELEASE][admin@spartan.alpinelan.local]/root: pkg delete -f openvpn-client-export pfSense-pkg-openvpn-client-export
Checking integrity… done (0 conflicting)
Deinstallation has been requested for the following 2 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        openvpn-client-export-2.4.2
        pfSense-pkg-openvpn-client-export-1.4.5

Number of packages to be removed: 2

The operation will free 12 MiB.

Proceed with deinstalling packages? [y/N]: y
[1/2] Deinstalling pfSense-pkg-openvpn-client-export-1.4.5…
Removing openvpn-client-export components...
Loading package instructions...
[1/2] Deleting files for pfSense-pkg-openvpn-client-export-1.4.5: 100%
Removing openvpn-client-export components…
Configuration... done.
[2/2] Deinstalling openvpn-client-export-2.4.2…
[2/2] Deleting files for openvpn-client-export-2.4.2: 100%
[2.3.4-RELEASE][admin@spartan.alpinelan.local]/root: pkg install pfSense-pkg-openvpn-client-export
Updating pfSense-core repository catalogue…
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        pfSense-pkg-openvpn-client-export: 1.4.5 [pfSense]
        openvpn-client-export: 2.4.2 [pfSense]

Number of packages to be installed: 2

The process will require 12 MiB more space.

Proceed with this action? [y/N]: y
[1/2] Installing openvpn-client-export-2.4.2…
[1/2] Extracting openvpn-client-export-2.4.2: 100%
[2/2] Installing pfSense-pkg-openvpn-client-export-1.4.5…
[2/2] Extracting pfSense-pkg-openvpn-client-export-1.4.5: 100%
Saving updated package information…
done.
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Writing configuration... done.

jimp

So it's actually OK. That bit at the bottom is a legend that explains what various icons/colors mean.

akramchattha

Thank You @jimp!!

I really appreciate all your help and prompt replies.