Security warnings using OpenVPN for Android with pfSense
-
I'm currently using OpenVPN for Android 0.7.29 with pfSense 2.5.2 and find that it's generating security warnings when connecting to my pfSense firewall.
The warning I receive is:
Profile uses BF-CBC which depends on Open SSL legacy provider (not enabled)
I've set OpenVPN to auto negotiate data ciphers AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305, with AES-256-GCM as the fallback cipher and haven't enabled BF-CBC anywhere.
My OVPN file generated by the client export utility is:
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256
tls-client
client
remote vpn.mydomain.net 1194 udp
lport 0
verify-x509-name "External Firewall" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
I notice similar warnings for some other external profiles from other providers.
-
@kesawi
I understand your question...
Is this a server or client message? Maybe some OpenVPN client 'humor':
I rephrase: Profile uses BF-CBC which is not enabled
BF-CBC isn't referenced in your ovpn config (profile).
If the client software is based on 2.4.x, then "BF-CBC" was a default cipher method.
The current pfSense (25.5.2 CE or comparable) uses OpenVPN 2.5.x, not the 2.4.x series.
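
An added example, not part of either post above: a small Python check that reads an exported .ovpn profile and reports every place a legacy cipher is named, or implied by a missing directive. The `LEGACY` list, the function names and the sample profiles are assumptions constructed for this example; the 2.4.x BF-CBC default is taken from the reply above.

```python
import re

# Ciphers with 64-bit blocks, most of which OpenSSL 3 only offers through its
# legacy provider. This list is the example's assumption, not an official one.
LEGACY = {"BF-CBC", "CAST5-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}
CIPHER_KEYS = ("cipher", "data-ciphers", "ncp-ciphers", "data-ciphers-fallback")

def parse_directives(profile: str) -> dict:
    """Return {directive: [args]} for top-level lines, skipping inline <tag> blocks."""
    directives, inside = {}, None
    for raw in profile.splitlines():
        line = raw.strip()
        if inside:  # body of <ca>, <cert>, <key>, <tls-auth>, ...
            if line == f"</{inside}>":
                inside = None
            continue
        opened = re.fullmatch(r"<([\w-]+)>", line)
        if opened:
            inside = opened.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives[name] = args
    return directives

def audit_ciphers(profile: str) -> list:
    """List findings about legacy ciphers named in, or implied by, the profile."""
    d = parse_directives(profile)
    findings = []
    for key in CIPHER_KEYS:
        for cipher in ":".join(d.get(key, [])).split(":"):
            if cipher.upper() in LEGACY:
                findings.append(f"{key} names legacy cipher {cipher}")
    if "cipher" not in d and "data-ciphers-fallback" not in d:
        findings.append("no cipher or data-ciphers-fallback set: the client's "
                        "built-in default applies (BF-CBC on 2.4.x)")
    return findings

# Constructed sample profiles; POSTED mirrors the cipher directives in the question.
POSTED = """data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256
<tls-auth>
# 2048 bit OpenVPN static key
</tls-auth>
"""
OLD_STYLE = "client\ncipher BF-CBC\nremote vpn.example.net 1194 udp\n"
BARE = "client\nremote vpn.example.net 1194 udp\n"
```

An empty result for a profile like the one posted means BF-CBC is not coming from the file itself, which points the investigation at the client's own defaults or its profile import.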