Netgate Discussion Forum

    Pfsense openvpn support AES-256-GCM ?

      Mithrondil

      Will pfsense openvpn support AES-256-GCM any time soon? Or can I somehow get a work-around to get it to work with the current version of pfsense 2.2.6?

      The problem is that AES-256-GCM is not present in the dropdown list of Encryption algorithm.

        heper

        https://community.openvpn.net/openvpn/ticket/301

        So at this time, OpenVPN does not support GCM. It might make it into OpenVPN 2.4 (whenever that might be).

          athurdent

          Support has been committed to the OpenVPN master branch:

          https://sourceforge.net/p/openvpn/openvpn-testing/ci/66407e11c4746e564bd4285e9c1a1805ecfd82bd/

            Guest

            > The problem is that AES-256-GCM is not present in the dropdown list of Encryption algorithm.

            And if it will be there, the OpenSSL version must also be customized to use and handle AES-GCM right.

            > So at this time, OpenVPN does not support GCM. It might make it into OpenVPN 2.4 (whenever that might be).

            Following your link also makes me more hopeful of getting this in the near future. The status was
            changed and the code is now in the master branch of OpenVPN 2.4:

            > Changed 3 weeks ago by syzzer
            > Resolution set to fixed
            > Status changed from accepted to closed
            > And thanks to fast review by plaisthos, everything is in master now!

            Now it could really be that the OpenVPN users are the lucky ones in the next six months or so!

            • OpenSSL will then use AES-GCM, which will benefit from the AES-NI instruction set (crypto)
            • QuickAssist will be able to do decompression & compression (packet size)
            • netmap-fwd is speeding up the entire routing part (routing)

            So it would be the code that will be pushed more than all others in the near future.

              athurdent

              @BlueKobold:

              > The problem is that AES-256-GCM is not present in the dropdown list of Encryption algorithm.
              >
              > And if it will be there, the OpenSSL version must also be customized to use and handle AES-GCM right.

              Hmm, does it?
              I'm no expert on this, but to me the commit message I posted above suggests that it should work with 1.0.1d and above:

              > OpenSSL 1.0.1-1.0.1c will not work with AEAD mode, because those
              > versions have an unnecessary check that fails to update the cipher if
              > the tag was not already set. 1.0.1d, which fixes that, was released in
              > February 2013. People should have updated, and distros should have
              > backported the fix by now.
              
                Guest

                @arthurdent
                Yes, you are right, I was overlooking and misreading this date (was released in February 2013)!
                My mistake.

                  michaelschefczyk

                  Dear All,

                  When doing "openvpn --show-tls" in the shell of pfSense 2.3, it does post a long list including

                  TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

                  That should be a good candidate for a super secure OpenVPN, which should also be fast with AES-NI and pfSense 2.3. It is also included in the output of "openssl ciphers", but not in the drop-down menu, however.

                  Can someone with a good understanding of the issues please point out how far we are away from using such encryption?

                  Regards,

                  Michael

                    Guest

                    > Can someone with a good understanding of the issues please point out how far we are away from using such encryption?

                    In OpenVPN 2.4 it should be done as I was reading here in that thread. Link

                      Pippin

                      Hi,

                      Connecting with the latest client 2.3.10 to a server on a NAS running version 2.3.6, it's working. My server log:

                      Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
                      

                      My client log:

                      Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
                      

                      I use

                      
                      tls-version-min 1.2 or-highest
                      cipher AES-256-CBC
                      auth SHA512
                      
                      

                      in server and client config.

                      I don't know if this can be set in PFS, because I'm waiting for a case for my first PFS build, but OpenVPN doesn't seem to be the limit?

                      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
                      Halton Arp

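The two log lines quoted in the post above report the TLS cipher suite of OpenVPN's control channel, i.e. the handshake that exchanges keys; the tunnelled packets themselves are protected by the data-channel cipher selected with the cipher directive (AES-256-CBC in the config listed), which is the setting the pfSense dropdown corresponds to. The following script is an added example for this thread, not code from the posts, from OpenVPN or from pfSense. It separates the two channels when reading log output, parses the small config shown, and applies the OpenSSL 1.0.1d threshold quoted from the commit message earlier in the thread. The two control-channel lines in the sample are the ones posted above; the data-channel lines and the OpenSSL banners are constructed, modelled on OpenVPN 2.3 and openssl version output (an assumption about the exact wording).

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# --cipher values that are AEAD: the GCM data-channel modes the thread says
# arrive with OpenVPN 2.4.
AEAD_DATA_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM"}

# Shape of the line quoted in the thread:
# "Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA"
CONTROL_RE = re.compile(
    r"Control Channel: (?P<proto>TLSv[\d.]+), cipher \S+ (?P<suite>[A-Z0-9-]+), "
    r"(?P<bits>\d+) bit (?P<kx>\w+)"
)
# Data-channel lines modelled on OpenVPN 2.3 output (assumption about exact wording).
DATA_CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '(?P<cipher>[A-Z0-9-]+)'")
DATA_HMAC_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Using \d+ bit message hash '(?P<hmac>\w+)'")


@dataclass
class ChannelSummary:
    control_proto: Optional[str] = None   # TLS version used by the control channel
    control_suite: Optional[str] = None   # TLS cipher suite of the handshake only
    data_cipher: Optional[str] = None     # --cipher: what protects tunnelled packets
    data_hmac: Optional[str] = None       # --auth: HMAC on the data channel (non-AEAD)

    @property
    def control_is_aead(self) -> bool:
        return self.control_suite is not None and "-GCM-" in self.control_suite

    @property
    def data_is_aead(self) -> bool:
        return self.data_cipher in AEAD_DATA_CIPHERS


def summarize_log(lines: Iterable[str]) -> ChannelSummary:
    """Pull control- and data-channel parameters out of OpenVPN log lines."""
    s = ChannelSummary()
    for line in lines:
        m = CONTROL_RE.search(line)
        if m:
            s.control_proto, s.control_suite = m["proto"], m["suite"]
            continue
        m = DATA_CIPHER_RE.search(line)
        if m:
            s.data_cipher = m["cipher"]
            continue
        m = DATA_HMAC_RE.search(line)
        if m:
            s.data_hmac = m["hmac"]
    return s


def parse_config(text: str) -> Dict[str, str]:
    """Map each OpenVPN config directive to its arguments (comments stripped)."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            directives[parts[0]] = " ".join(parts[1:])
    return directives


def findings(s: ChannelSummary) -> List[str]:
    """Spell out what the log says about each channel, so the two are not confused."""
    out = []
    if s.control_suite:
        kind = "AEAD" if s.control_is_aead else "non-AEAD"
        out.append(f"control channel: {s.control_proto} {s.control_suite} (handshake only; {kind} suite)")
    if s.data_cipher:
        mode = "AEAD" if s.data_is_aead else f"non-AEAD, HMAC {s.data_hmac}"
        out.append(f"data channel: {s.data_cipher} ({mode}); this is what --cipher selects")
    if s.control_is_aead and not s.data_is_aead:
        out.append("GCM in the control-channel line does not mean tunnel packets use GCM")
    return out


# From the commit message quoted in the thread: OpenSSL 1.0.1 to 1.0.1c fail in
# AEAD mode and 1.0.1d fixes it. Keys compare as (major, minor, fix, patch letter).
OPENSSL_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
MIN_AEAD_OPENSSL: Tuple[int, int, int, str] = (1, 0, 1, "d")


def openssl_version_key(banner: str) -> Tuple[int, int, int, str]:
    m = OPENSSL_VER_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version found in {banner!r}")
    major, minor, fix, patch = m.groups()
    return (int(major), int(minor), int(fix), patch)


def openssl_supports_aead(banner: str) -> bool:
    """True once the build is at or past the 1.0.1d fix the commit message cites."""
    return openssl_version_key(banner) >= MIN_AEAD_OPENSSL


# Constructed sample: first line is the one posted above, the rest are modelled
# on OpenVPN 2.3 output for the config listed in the post.
SAMPLE_LOG = [
    "Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA",
    "Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key",
    "Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication",
]
SAMPLE_CONFIG = "tls-version-min 1.2 or-highest\ncipher AES-256-CBC\nauth SHA512\n"

if __name__ == "__main__":
    for f in findings(summarize_log(SAMPLE_LOG)):
        print(f)
    print(parse_config(SAMPLE_CONFIG))
    print("AEAD-capable OpenSSL:", openssl_supports_aead("OpenSSL 1.0.1e-fips 11 Feb 2013"))
```

Run against the sample, the script reports an AEAD suite on the control channel and AES-256-CBC with SHA512 HMAC on the data channel, and flags that the two should not be conflated; once a 2.4 build negotiates AES-256-GCM, the data-channel line is what changes.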
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.