This change makes the server use AES-256-GCM instead of BF-CBC as the
default cipher for the VPN tunnel when starting OpenVPN via systemd
and the openvpn-server@.service unit file.
To avoid breaking existing running configurations defaulting to BF-CBC,
the Negotiable Crypto Parameters (NCP) list contains the BF-CBC in
addition to AES-CBC. This makes it possible to migrate existing older
client configurations one-by-one to use at least AES-CBC unless the
client is updated to v2.4 or newer (which defaults to upgrade to
AES-GCM automatically)
This has been tested in Fedora 27 (released November 2017) with no
reported issues. By making this default for all Linux distributions
with systemd shipping with the unit files we provide, we gradually
expand setups using this possibility. As we gather experience from
this change, we can further move these changes into the defaults of
the OpenVPN binary itself with time.
Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
Changes.rst | 15 +++++++++++++++
distro/systemd/openvpn-ser...@.service.in | 2 +-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/Changes.rst b/Changes.rst
index 00dd6ed8..e76d3c73 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -14,6 +14,21 @@ ChaCha20-Poly1305 cipher support
channel.
+User-visible Changes
+--------------------
+New default cipher for systemd based Linux distributions
+ For Linux distributions with systemd which packages the systemd unit files
+ from the OpenVPN project, the default cipher is now changed to AES-256-GCM,
+ with BF-CBC as a fallback through the NCP feature. This change has been
+ tested successfully since the Fedora 27 release (released November 2017).
+
+ *WARNING* This MAY break configurations where the client uses
+ ``--disable-occ`` feature where the ``--cipher`` has
+ not been explicitly configured on both client and
+ server side. It is recommended to remove the ``--disable-occ``
+ option *or* explicitly add ``--cipher AES-256-GCM`` on the
+ client side if ``--disable-occ`` is strictly needed.
+
Overview of changes in 2.4
==========================
diff --git a/distro/systemd/openvpn-ser...@.service.in
b/distro/systemd/openvpn-ser...@.service.in
index d1cc72cb..f3545ff5 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
--status-version 2 --suppress-timestamps --config %i.conf
+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
--status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers
AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
--
2.26.0
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
