Pfsense openvpn support AES-256-GCM ?



  • Will pfsense openvpn support AES-256-GCM any time soon? Or can I somehow get a work-around to get it to work with the current version of pfsense 2.2.6?

    The problem is that AES-256-GCM is not present in the dropdown list of Encryption algorithm.



  • https://community.openvpn.net/openvpn/ticket/301

    so at this time, openvpn does not support gcm. it might make it in openvpn 2.4 (whenever that might be)





  • The problem is that AES-256-GCM is not present in the dropdown list of Encryption algorithm.

    And if it will be there also the OpenSSL version must be customized as well to use and handle the AES-GCM right.

    so at this time, openvpn does not support gcm. it might make it in openvpn 2.4 (whenever that might be)

    Following your link makes me also more hoping well to get this in the near future. The status was
    changed and the code is now in the master branch of OpenVPN 2.4
    Changed 3 weeks ago by syzzer
    Resolution set to fixed
    Status changed from accepted to closed
    And thanks to fast review by plaisthos, everything is in master now!

    Now it could really be that the OpenVPN users are the lucky ones in the next six months or so!

    • OpenSSL is then using AES-GCM and this will benefit from the AES-NI instruction set (crypto)
    • QuickAssist will be able to do decompression & compression (packet size)
    • netmap-fwd is speeding up the entire routing part (routing)

    So it would be the code that will be pushed more than all others in the near future.



  • @BlueKobold:

    The problem is that AES-256-GCM is not present in the dropdown list of Encryption algorithm.

    And if it will be there also the OpenSSL version must be customized as well to use and handle the AES-GCM right.

    Hmm, does it?
    I'm no expert on this but to me the commit message I posted above suggests that it should work with 1.0.1d and above:

    OpenSSL 1.0.1-1.0.1c will not work with AEAD mode, because those
    versions have an unnecessary check that fails to update the cipher if
    the tag was not already set. 1.0.1d, which fixes that, was released in
    February 2013. People should have updated, and distros should have
    backported the fix by now.
    


  • @arthurdent
    Yes, you are right, I was overseeing and reading this date (was released in February 2013.)!
    My false.



  • Dear All,

    When doing "openvpn --show-tls" in the shell of pfSense 2.3, it does post a long list including

    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

    That should be a good candidate for a super secure OpenVPN which should also be fast with AES-NI and pfSense 2.3. It is also included in the output of openssl ciphers, but not included in the drop down menu, however.

    Can someone with a good understanding of the issues please point out how far we are away from using such encryption?

    Regards,

    Michael



  • Can someone with a good understanding of the issues please point out how far we are away from using such encryption?

    In OpenVPN 2.4 it should be done as I was reading here in that thread. Link



  • Hi,

    Connecting with latest client 2.3.10 to server on a NAS running version 2.3.6, it's working, my server log:

    Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    

    My client log:

    Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    

    I use

    
    tls-version-min 1.2 or-highest
    cipher AES-256-CBC
    auth SHA512
    
    

    in server and client config.

    I don't know if this can be set in PFS because I'm waiting for a case for my first PFS build but OpenVPN seems not to be the limit?
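
    The thread above turns on three separate checks: whether the OpenSSL build is 1.0.1d or later (the AEAD fix quoted from the commit message), whether the installed OpenVPN actually offers AES-256-GCM as a data-channel cipher (`openvpn --show-ciphers`, not `--show-tls`, which lists the TLS suites of the control channel), and how to read the "Control Channel:" log line from the last post, where the GCM suite protects only the TLS control channel while the tunnel payload still uses the `cipher` directive (AES-256-CBC in that config). The script below is an added example, not code from the thread, from pfSense or from the OpenVPN project; all sample outputs in it are constructed, and the column layout assumed for `--show-ciphers` ("NAME  (N bit key, ...)") is an assumption about that command's format.

```shell
#!/bin/sh
# Added example: offline checks for the three points discussed in the thread.
# Every sample string below is constructed, not captured from a real system.

# Constructed `openssl version` outputs: one with the pre-1.0.1d AEAD bug, one fixed.
SAMPLE_OPENSSL_OLD='OpenSSL 1.0.1c 10 May 2012'
SAMPLE_OPENSSL_NEW='OpenSSL 1.0.2g  1 Mar 2016'

# Constructed excerpt of `openvpn --show-ciphers` (data-channel ciphers) from a
# 2.4-style build. Layout "NAME  (details)" is assumed.
SAMPLE_SHOW_CIPHERS='AES-256-CBC  (256 bit key, 128 bit block)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
BF-CBC  (128 bit key by default, 64 bit block)'

# Constructed server-log line shaped like the one quoted in the last post.
SAMPLE_LOG='Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA'

# openssl_aead_ok "OpenSSL x.y.zL ..."
# Returns 0 when the version is 1.0.1d or later (1.0.1 .. 1.0.1c fail with AEAD
# modes, per the commit message quoted above; anything before 1.0.1 has no GCM).
openssl_aead_ok() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')          # e.g. 1.0.1c
    num=$(printf '%s\n' "$ver" | sed 's/[a-z].*$//')       # 1.0.1
    letter=$(printf '%s\n' "$ver" | sed 's/^[0-9.]*//' | cut -c1)   # c (may be empty)
    maj=$(printf '%s\n' "$num" | cut -d. -f1)
    min=$(printf '%s\n' "$num" | cut -d. -f2)
    pat=$(printf '%s\n' "$num" | cut -d. -f3)
    [ -z "$pat" ] && pat=0
    # Newer than the 1.0.1 line (1.0.2, 1.1.x, 3.x): fixed.
    if [ "$maj" -gt 1 ] || [ "$min" -gt 0 ] || [ "$pat" -gt 1 ]; then
        return 0
    fi
    # Older than 1.0.1: no GCM support at all.
    if [ "$pat" -lt 1 ]; then
        return 1
    fi
    # Exactly 1.0.1: the patch letter must be d or later.
    case "$letter" in
        ''|a|b|c) return 1 ;;
        *)        return 0 ;;
    esac
}

# has_data_cipher SHOW_CIPHERS_OUTPUT NAME
# Returns 0 if NAME is listed as a data-channel cipher in --show-ciphers output.
has_data_cipher() {
    printf '%s\n' "$1" | awk -v want="$2" '$1 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# control_channel_cipher LOGLINE
# Prints the TLS cipher suite named in an OpenVPN "Control Channel:" log line.
# This suite covers only the TLS control channel; the data channel is whatever
# the `cipher` directive selects, so GCM here does not mean the payload is GCM.
control_channel_cipher() {
    printf '%s\n' "$1" | sed -n 's/.*cipher [^ ]* \([^,]*\),.*/\1/p'
}

# Demonstration on the constructed samples.
for v in "$SAMPLE_OPENSSL_OLD" "$SAMPLE_OPENSSL_NEW"; do
    if openssl_aead_ok "$v"; then
        echo "$v: AEAD modes usable"
    else
        echo "$v: AEAD modes broken or absent, upgrade OpenSSL"
    fi
done
if has_data_cipher "$SAMPLE_SHOW_CIPHERS" AES-256-GCM; then
    echo "data channel: AES-256-GCM offered by this OpenVPN build"
else
    echo "data channel: AES-256-GCM not offered by this OpenVPN build"
fi
echo "control channel suite: $(control_channel_cipher "$SAMPLE_LOG")"
```

    Run against a live box, the same functions take `$(openssl version)`, `$(openvpn --show-ciphers)` and a line grepped from the OpenVPN log. Only when the second check passes does the `cipher AES-256-GCM` directive of OpenVPN 2.4 have any effect; on a 2.3 build the data channel stays with whatever CBC cipher the dropdown offers, regardless of the GCM suite shown for the control channel.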

