No encryption algorithm visible under OpenVPN Server setting.



  • Hi all,

    I am setting up OpenVPN on my pfSense v2.3.3. Everything works fine except that under OpenVPN server settings I have no option for Encryption Algorithm. Please let me know if anyone is aware of this and how to fix it.



  • Rebel Alliance Global Moderator

    Click the little black down arrow ;) In the encryption algo box..



  • Lol I checked that before posting here.. there is no other option in the drop down.



  • Rebel Alliance Developer Netgate

    That list is populated based on the output of an openvpn command:

    /usr/local/sbin/openvpn --show-ciphers
    

    If the GUI list is empty, that command must be failing. Try to run it from a console or ssh shell prompt and see what it returns. It's possible your installation has a more fundamental problem with the files on the filesystem or mismatched package versions.



    I do get some error message when I check installed packages.

    Result of the OpenVPN command from the console:

    [2.3.3-RELEASE][admin@spartan.alpinelan.local]/root: /usr/local/sbin/openvpn --show-ciphers
    The following ciphers and cipher modes are available
    for use with OpenVPN.  Each cipher shown below may be
    used as a parameter to the --cipher option.  The default
    key size is shown as well as whether or not it can be
    changed with the --keysize directive.  Using a CBC mode
    is recommended. In static key mode only CBC mode is allowed.

    DES-CFB 64 bit default key (fixed) (TLS client/server mode)
    DES-CBC 64 bit default key (fixed)
    IDEA-CBC 128 bit default key (fixed)
    IDEA-CFB 128 bit default key (fixed) (TLS client/server mode)
    RC2-CBC 128 bit default key (variable)
    RC2-CFB 128 bit default key (variable) (TLS client/server mode)
    RC2-OFB 128 bit default key (variable) (TLS client/server mode)
    DES-EDE-CBC 128 bit default key (fixed)
    DES-EDE3-CBC 192 bit default key (fixed)
    DES-OFB 64 bit default key (fixed) (TLS client/server mode)
    IDEA-OFB 128 bit default key (fixed) (TLS client/server mode)
    DES-EDE-CFB 128 bit default key (fixed) (TLS client/server mode)
    DES-EDE3-CFB 192 bit default key (fixed) (TLS client/server mode)
    DES-EDE-OFB 128 bit default key (fixed) (TLS client/server mode)
    DES-EDE3-OFB 192 bit default key (fixed) (TLS client/server mode)
    DESX-CBC 192 bit default key (fixed)
    BF-CBC 128 bit default key (variable)
    BF-CFB 128 bit default key (variable) (TLS client/server mode)
    BF-OFB 128 bit default key (variable) (TLS client/server mode)
    RC2-40-CBC 40 bit default key (variable)
    CAST5-CBC 128 bit default key (variable)
    CAST5-CFB 128 bit default key (variable) (TLS client/server mode)
    CAST5-OFB 128 bit default key (variable) (TLS client/server mode)
    RC5-CBC 128 bit default key (variable)
    RC5-CFB 128 bit default key (variable) (TLS client/server mode)
    RC5-OFB 128 bit default key (variable) (TLS client/server mode)
    RC2-64-CBC 64 bit default key (variable)
    AES-128-CBC 128 bit default key (fixed)
    AES-128-OFB 128 bit default key (fixed) (TLS client/server mode)
    AES-128-CFB 128 bit default key (fixed) (TLS client/server mode)
    AES-192-CBC 192 bit default key (fixed)
    AES-192-OFB 192 bit default key (fixed) (TLS client/server mode)
    AES-192-CFB 192 bit default key (fixed) (TLS client/server mode)
    AES-256-CBC 256 bit default key (fixed)
    AES-256-OFB 256 bit default key (fixed) (TLS client/server mode)
    AES-256-CFB 256 bit default key (fixed) (TLS client/server mode)
    AES-128-CFB1 128 bit default key (fixed) (TLS client/server mode)
    AES-192-CFB1 192 bit default key (fixed) (TLS client/server mode)
    AES-256-CFB1 256 bit default key (fixed) (TLS client/server mode)
    AES-128-CFB8 128 bit default key (fixed) (TLS client/server mode)
    AES-192-CFB8 192 bit default key (fixed) (TLS client/server mode)
    AES-256-CFB8 256 bit default key (fixed) (TLS client/server mode)
    DES-CFB1 64 bit default key (fixed) (TLS client/server mode)
    DES-CFB8 64 bit default key (fixed) (TLS client/server mode)
    DES-EDE3-CFB1 192 bit default key (fixed) (TLS client/server mode)
    DES-EDE3-CFB8 192 bit default key (fixed) (TLS client/server mode)
    CAMELLIA-128-CBC 128 bit default key (fixed)
    CAMELLIA-192-CBC 192 bit default key (fixed)
    CAMELLIA-256-CBC 256 bit default key (fixed)
    CAMELLIA-128-CFB 128 bit default key (fixed) (TLS client/server mode)
    CAMELLIA-192-CFB 192 bit default key (fixed) (TLS client/server mode)
    CAMELLIA-256-CFB 256 bit default key (fixed) (TLS client/server mode)
    CAMELLIA-128-CFB1 128 bit default key (fixed) (TLS client/server mode)
    CAMELLIA-192-CFB1 192 bit default key (fixed) (TLS client/server mode)
    CAMELLIA-256-CFB1 256 bit default key (fixed) (TLS client/server mode)
    CAMELLIA-128-CFB8 128 bit default key (fixed) (TLS client/server mode)
    CAMELLIA-192-CFB8 192 bit default key (fixed) (TLS client/server mode)
    CAMELLIA-256-CFB8 256 bit default key (fixed) (TLS client/server mode)
    CAMELLIA-128-OFB 128 bit default key (fixed) (TLS client/server mode)
    CAMELLIA-192-OFB 192 bit default key (fixed) (TLS client/server mode)
    CAMELLIA-256-OFB 256 bit default key (fixed) (TLS client/server mode)
    SEED-CBC 128 bit default key (fixed)
    SEED-OFB 128 bit default key (fixed) (TLS client/server mode)
    SEED-CFB 128 bit default key (fixed) (TLS client/server mode)



  • Rebel Alliance Developer Netgate

    What version of OpenVPN is on there? The output from that command on 2.3.3 should be different than what you show.



  • I am on 2.3.3, or at least that's what shows on the pfSense GUI as well as on the console.

    [2.3.3-RELEASE][admin@spartan.alpinelan.local]/root:





  • Rebel Alliance Developer Netgate

    Right but what does it show for OpenVPN?

    : openvpn --version
    
    : pkg info -x openvpn
    


  • [2.3.3-RELEASE][admin@spartan.alpinelan.local]/root: openvpn --version
    OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016
    library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.09
    Originally developed by James Yonan
    Copyright (C) 2002-2010 OpenVPN Technologies, Inc. sales@openvpn.net
    Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

    [2.3.3-RELEASE][admin@spartan.alpinelan.local]/root: pkg info -x openvpn
    openvpn-2.3.11
    openvpn-client-export-2.4.1_1
    pfSense-pkg-openvpn-client-export-1.4.3


  • Rebel Alliance Developer Netgate

    That should be OpenVPN 2.3.12 if you're on pfSense 2.3.3

    Something must not have completely finished in your upgrade.

    Go to System > Update, Update Settings tab. Make sure that 'Stable' is selected and even if you change nothing, save the settings again. Then run "pfSense-upgrade -d" from the console and update the OS to the latest version, which should be 2.3.4.
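
The two checks worked through in this thread (does `--show-ciphers` yield any cipher names, and does the `openvpn --version` banner match the version the pfSense release should ship), as an added example that is not part of the original posts and not pfSense's own code. It assumes the 2.3.x line format posted above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the 2.3.x "--show-ciphers" line format posted in this
# thread: "NAME <bits> bit default key ...". Function names are hypothetical.

# Excerpts of the output posted in the thread, embedded so this runs offline.
SAMPLE_BANNER='OpenVPN 2.3.11 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on May 16 2016'
SAMPLE_CIPHERS='The following ciphers and cipher modes are available
for use with OpenVPN.

DES-CBC 64 bit default key (fixed)
BF-CBC 128 bit default key (variable)
AES-256-CBC 256 bit default key (fixed)'

# Print one cipher name per line from --show-ciphers text on stdin.
parse_ciphers() {
    awk '$2 ~ /^[0-9]+$/ && $3 == "bit" && $4 == "default" { print $1 }'
}

# Print the version number from the first line of a --version banner on stdin.
banner_version() {
    awk 'NR == 1 && $1 == "OpenVPN" { print $2 }'
}

# diagnose <expected_version> <version_banner> <show_ciphers_output>
# Returns 0 if healthy, 1 if no ciphers were parsed, 2 on a version mismatch.
diagnose() {
    expected=$1
    actual=$(printf '%s\n' "$2" | banner_version)
    count=$(printf '%s\n' "$3" | parse_ciphers | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no ciphers parsed: a list built from this output would be empty"
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "openvpn is ${actual:-unknown}, expected $expected: upgrade may be incomplete"
        return 2
    fi
    echo "ok: $count ciphers, openvpn $actual"
}

# Offline run on the embedded excerpts (2.3.12 is the version the thread says
# pfSense 2.3.3 should have). On a live system, pass the real command output:
#   diagnose 2.3.12 "$(openvpn --version)" "$(openvpn --show-ciphers)"
diagnose 2.3.12 "$SAMPLE_BANNER" "$SAMPLE_CIPHERS" || true
```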



  • Thanks Jimp!!

    I did that and now I can see the drop-down list for encryption algorithm.

    pfsense version:

    Version 2.3.4-RELEASE (amd64)
    built on Wed May 03 15:13:29 CDT 2017
    FreeBSD 10.3-RELEASE-p19

    When I go to System - Package Manager - Installed Packages, it still shows "Package is configured but not (fully) installed". Should I be worried about that?



  • Rebel Alliance Developer Netgate

    I'd remove (uninstall) the package using the trash can icon there and then install it again from the available packages tab.



  • I am still getting the same message. It says in the message that "Newer Version Available" even though I removed and reinstalled it. Should I remove it again and try to install it using the console? If yes, could you please provide me the command line?


  • Rebel Alliance Developer Netgate

    When you remove it, does it come out of that list?

    From the command prompt you could try this:

    pkg unlock openvpn-client-export
    pkg unlock pfSense-pkg-openvpn-client-export
    pkg delete -f openvpn-client-export pfSense-pkg-openvpn-client-export
    pkg install pfSense-pkg-openvpn-client-export
    


  • When I removed it from the console, it did disappear from Installed packages.

    So I ran all the commands and reinstalled the package, but it still gives me the same message: "Package is configured but not (fully) installed".

    [2.3.4-RELEASE][admin@spartan.alpinelan.local]/root: pkg unlock openvpn-client-export
    openvpn-client-export-2.4.2: already unlocked
    [2.3.4-RELEASE][admin@spartan.alpinelan.local]/root: pkg unlock pfSense-pkg-openvpn-client-export
    pfSense-pkg-openvpn-client-export-1.4.5: already unlocked
    [2.3.4-RELEASE][admin@spartan.alpinelan.local]/root: pkg delete -f openvpn-client-export pfSense-pkg-openvpn-client-export
    Checking integrity… done (0 conflicting)
    Deinstallation has been requested for the following 2 packages (of 0 packages in the universe):

    Installed packages to be REMOVED:
            openvpn-client-export-2.4.2
            pfSense-pkg-openvpn-client-export-1.4.5

    Number of packages to be removed: 2

    The operation will free 12 MiB.

    Proceed with deinstalling packages? [y/N]: y
    [1/2] Deinstalling pfSense-pkg-openvpn-client-export-1.4.5…
    Removing openvpn-client-export components...
    Loading package instructions...
    [1/2] Deleting files for pfSense-pkg-openvpn-client-export-1.4.5: 100%
    Removing openvpn-client-export components…
    Configuration... done.
    [2/2] Deinstalling openvpn-client-export-2.4.2…
    [2/2] Deleting files for openvpn-client-export-2.4.2: 100%
    [2.3.4-RELEASE][admin@spartan.alpinelan.local]/root: pkg install pfSense-pkg-openvpn-client-export
    Updating pfSense-core repository catalogue…
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    Checking integrity... done (0 conflicting)
    The following 2 package(s) will be affected (of 0 checked):

    New packages to be INSTALLED:
            pfSense-pkg-openvpn-client-export: 1.4.5 [pfSense]
            openvpn-client-export: 2.4.2 [pfSense]

    Number of packages to be installed: 2

    The process will require 12 MiB more space.

    Proceed with this action? [y/N]: y
    [1/2] Installing openvpn-client-export-2.4.2…
    [1/2] Extracting openvpn-client-export-2.4.2: 100%
    [2/2] Installing pfSense-pkg-openvpn-client-export-1.4.5…
    [2/2] Extracting pfSense-pkg-openvpn-client-export-1.4.5: 100%
    Saving updated package information…
    done.
    Loading package configuration... done.
    Configuring package components...
    Loading package instructions...
    Custom commands...
    Writing configuration... done.



  • Rebel Alliance Developer Netgate

    So it's actually OK. That bit at the bottom is a legend that explains what various icons/colors mean.



  • Thank You @jimp!!

    I really appreciate all your help and prompt replies.