No encryption algorithm visible under OpenVPN Server setting.

akramchattha · May 10, 2017, 6:22 PM

Hi all,

I am setting up OpenVPN on my Pfsense V 2.3.3. Everything works fine except that under OpenVPN server settings i have no option for Encryption Algorithm. Please let me know if anyone aware of this and how to fix it.

johnpoz · May 10, 2017, 8:19 PM

Click the little black down arrow ;) In the encryption algo box..

akramchattha · May 10, 2017, 9:01 PM

Lol I checked that before posting here.. there is no other option in the drop down.

jimp · May 15, 2017, 3:31 PM

That list is populated based on the output of an openvpn command:

/usr/local/sbin/openvpn --show-ciphers

If the GUI list is empty, that command must be failing. Try to run it from a console or ssh shell prompt and see what it returns. It's possible your installation has a more fundamental problem with the files on the filesystem or mismatched package versions.

akramchattha · May 18, 2017, 4:46 PM

I do get some error message when i check installed packages.

Result of Openvpn command from console.

[2.3.3-RELEASE][admin@spartan.alpinelan.local]/root: /usr/local/sbin/openvpn –show-ciphers
The following ciphers and cipher modes are available
for use with OpenVPN. Each cipher shown below may be
used as a parameter to the --cipher option. The default
key size is shown as well as whether or not it can be
changed with the --keysize directive. Using a CBC mode
is recommended. In static key mode only CBC mode is allowed.

DES-CFB 64 bit default key (fixed) (TLS client/server mode)
DES-CBC 64 bit default key (fixed)
IDEA-CBC 128 bit default key (fixed)
IDEA-CFB 128 bit default key (fixed) (TLS client/server mode)
RC2-CBC 128 bit default key (variable)
RC2-CFB 128 bit default key (variable) (TLS client/server mode)
RC2-OFB 128 bit default key (variable) (TLS client/server mode)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DES-OFB 64 bit default key (fixed) (TLS client/server mode)
IDEA-OFB 128 bit default key (fixed) (TLS client/server mode)
DES-EDE-CFB 128 bit default key (fixed) (TLS client/server mode)
DES-EDE3-CFB 192 bit default key (fixed) (TLS client/server mode)
DES-EDE-OFB 128 bit default key (fixed) (TLS client/server mode)
DES-EDE3-OFB 192 bit default key (fixed) (TLS client/server mode)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
BF-CFB 128 bit default key (variable) (TLS client/server mode)
BF-OFB 128 bit default key (variable) (TLS client/server mode)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
CAST5-CFB 128 bit default key (variable) (TLS client/server mode)
CAST5-OFB 128 bit default key (variable) (TLS client/server mode)
RC5-CBC 128 bit default key (variable)
RC5-CFB 128 bit default key (variable) (TLS client/server mode)
RC5-OFB 128 bit default key (variable) (TLS client/server mode)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-128-OFB 128 bit default key (fixed) (TLS client/server mode)
AES-128-CFB 128 bit default key (fixed) (TLS client/server mode)
AES-192-CBC 192 bit default key (fixed)
AES-192-OFB 192 bit default key (fixed) (TLS client/server mode)
AES-192-CFB 192 bit default key (fixed) (TLS client/server mode)
AES-256-CBC 256 bit default key (fixed)
AES-256-OFB 256 bit default key (fixed) (TLS client/server mode)
AES-256-CFB 256 bit default key (fixed) (TLS client/server mode)
AES-128-CFB1 128 bit default key (fixed) (TLS client/server mode)
AES-192-CFB1 192 bit default key (fixed) (TLS client/server mode)
AES-256-CFB1 256 bit default key (fixed) (TLS client/server mode)
AES-128-CFB8 128 bit default key (fixed) (TLS client/server mode)
AES-192-CFB8 192 bit default key (fixed) (TLS client/server mode)
AES-256-CFB8 256 bit default key (fixed) (TLS client/server mode)
DES-CFB1 64 bit default key (fixed) (TLS client/server mode)
DES-CFB8 64 bit default key (fixed) (TLS client/server mode)
DES-EDE3-CFB1 192 bit default key (fixed) (TLS client/server mode)
DES-EDE3-CFB8 192 bit default key (fixed) (TLS client/server mode)
CAMELLIA-128-CBC 128 bit default key (fixed)
CAMELLIA-192-CBC 192 bit default key (fixed)
CAMELLIA-256-CBC 256 bit default key (fixed)
CAMELLIA-128-CFB 128 bit default key (fixed) (TLS client/server mode)
CAMELLIA-192-CFB 192 bit default key (fixed) (TLS client/server mode)
CAMELLIA-256-CFB 256 bit default key (fixed) (TLS client/server mode)
CAMELLIA-128-CFB1 128 bit default key (fixed) (TLS client/server mode)
CAMELLIA-192-CFB1 192 bit default key (fixed) (TLS client/server mode)
CAMELLIA-256-CFB1 256 bit default key (fixed) (TLS client/server mode)
CAMELLIA-128-CFB8 128 bit default key (fixed) (TLS client/server mode)
CAMELLIA-192-CFB8 192 bit default key (fixed) (TLS client/server mode)
CAMELLIA-256-CFB8 256 bit default key (fixed) (TLS client/server mode)
CAMELLIA-128-OFB 128 bit default key (fixed) (TLS client/server mode)
CAMELLIA-192-OFB 192 bit default key (fixed) (TLS client/server mode)
CAMELLIA-256-OFB 256 bit default key (fixed) (TLS client/server mode)
SEED-CBC 128 bit default key (fixed)
SEED-OFB 128 bit default key (fixed) (TLS client/server mode)
SEED-CFB 128 bit default key (fixed) (TLS client/server mode)

jimp · May 18, 2017, 4:48 PM

What version of OpenVPN is on there? The output from that command on 2.3.3 should be different than what you show.

akramchattha · May 18, 2017, 4:50 PM

I am on 2.3.3 or atleast thats what shows on pfsense GUI as well as on the console.

[2.3.3-RELEASE][admin@spartan.alpinelan.local]/root:

jimp · May 18, 2017, 4:52 PM

Right but what does it show for OpenVPN?

: openvpn --version

: pkg info -x openvpn

akramchattha · May 18, 2017, 4:54 PM

[2.3.3-RELEASE][admin@spartan.alpinelan.local]/root: openvpn –version
OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. sales@openvpn.netCompile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

[2.3.3-RELEASE][admin@spartan.alpinelan.local]/root: pkg info -x openvpn
openvpn-2.3.11
openvpn-client-export-2.4.1_1
pfSense-pkg-openvpn-client-export-1.4.3/sales@openvpn.net

jimp · May 18, 2017, 4:56 PM

That should be OpenVPN 2.3.12 if you're on pfSense 2.3.3

Something must not have completely finished in your upgrade.

Go to System > Update, Update Settings tab. Make sure that 'Stable' is selected and even if you change nothing, save the settings again. Then run "pfSense-upgrade -d" from the console and update the OS to the latest version, which should be 2.3.4.

akramchattha · May 18, 2017, 6:14 PM

Thanks Jimp!!

I did that and now i can see drop down list for encryption algorithm.

pfsense version:

Version 2.3.4-RELEASE (amd64)
built on Wed May 03 15:13:29 CDT 2017
FreeBSD 10.3-RELEASE-p19

When i go to System - Package Manager - Installed Packages; it still shows "Package is configured but not (fully) installed. Should i be worried about that?

jimp · May 18, 2017, 6:18 PM

I'd remove (uninstall) the package using the trash can icon there and then install it again from the available packages tab.

akramchattha · May 18, 2017, 6:25 PM

i am still getting the same message. It says in the message that "Newer Version Available" even though i removed and reinstalled it. Should i remove it again and try to install it using console? if yes, could you please provide me the command line?

jimp · May 18, 2017, 6:39 PM

When you remove it, does it come out of that list?

From the command prompt you could try this:

pkg unlock openvpn-client-export
pkg unlock pfSense-pkg-openvpn-client-export
pkg delete -f openvpn-client-export pfSense-pkg-openvpn-client-export
pkg install pfSense-pkg-openvpn-client-export

akramchattha · May 18, 2017, 7:37 PM

when i removed it from console, it did get disappear from Installed packages.

So i ran all the commands and reinstall the package but is still gives me the same message "Package is configure but not (fully) installed.

[2.3.4-RELEASE][admin@spartan.alpinelan.local]/root: pkg unlock openvpn-client-export
openvpn-client-export-2.4.2: already unlocked
[2.3.4-RELEASE][admin@spartan.alpinelan.local]/root: pkg unlock pfSense-pkg-openvpn-client-export
pfSense-pkg-openvpn-client-export-1.4.5: already unlocked
[2.3.4-RELEASE][admin@spartan.alpinelan.local]/root: pkg delete -f openvpn-client-export pfSense-pkg-openvpn-client-export
Checking integrity… done (0 conflicting)
Deinstallation has been requested for the following 2 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
openvpn-client-export-2.4.2
pfSense-pkg-openvpn-client-export-1.4.5

Number of packages to be removed: 2

The operation will free 12 MiB.

Proceed with deinstalling packages? [y/N]: y
[1/2] Deinstalling pfSense-pkg-openvpn-client-export-1.4.5…
Removing openvpn-client-export components...
Loading package instructions...
[1/2] Deleting files for pfSense-pkg-openvpn-client-export-1.4.5: 100%
Removing openvpn-client-export components…
Configuration... done.
[2/2] Deinstalling openvpn-client-export-2.4.2…
[2/2] Deleting files for openvpn-client-export-2.4.2: 100%
[2.3.4-RELEASE][admin@spartan.alpinelan.local]/root: pkg install pfSense-pkg-openvpn-client-export
Updating pfSense-core repository catalogue…
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
pfSense-pkg-openvpn-client-export: 1.4.5 [pfSense]
openvpn-client-export: 2.4.2 [pfSense]

Number of packages to be installed: 2

The process will require 12 MiB more space.

Proceed with this action? [y/N]: y
[1/2] Installing openvpn-client-export-2.4.2…
[1/2] Extracting openvpn-client-export-2.4.2: 100%
[2/2] Installing pfSense-pkg-openvpn-client-export-1.4.5…
[2/2] Extracting pfSense-pkg-openvpn-client-export-1.4.5: 100%
Saving updated package information…
done.
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Writing configuration... done.

jimp · May 18, 2017, 7:41 PM

So it's actually OK. That bit at the bottom is a legend that explains what various icons/colors mean.

akramchattha · May 18, 2017, 10:02 PM

Thank You @jimp!!

I really appreciate all your help and prompt replies.