This change makes the server use AES-256-GCM instead of BF-CBC as the default cipher for the VPN tunnel when starting OpenVPN via systemd and the openvpn-server@.service unit file.
To avoid breaking existing running configurations defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains BF-CBC in addition to AES-CBC. This makes it possible to migrate existing older client configurations one-by-one to use at least AES-CBC unless the client is updated to v2.4 or newer (which defaults to upgrade to AES-GCM automatically).

This has been tested in Fedora 27 (released November 2017) with no reported issues.

By making this the default for all Linux distributions with systemd shipping with the unit files we provide, we gradually expand setups using this possibility. As we gather experience from this change, we can further move these changes into the defaults of the OpenVPN binary itself with time.

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
 Changes.rst                               | 15 +++++++++++++++
 distro/systemd/openvpn-ser...@.service.in |  2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/Changes.rst b/Changes.rst index 00dd6ed8..e76d3c73 100644 --- a/Changes.rst +++ b/Changes.rst @@ -14,6 +14,21 @@ ChaCha20-Poly1305 cipher support channel. +User-visible Changes +-------------------- +New default cipher for systemd based Linux distributions + For Linux distributions with systemd which packages the systemd unit files + from the OpenVPN project, the default cipher is now changed to AES-256-GCM, + with BF-CBC as a fallback through the NCP feature. This change has been + tested successfully since the Fedora 27 release (released November 2017). + + *WARNING* This MAY break configurations where the client uses + ``--disable-occ`` feature where the ``--cipher`` has + not been explicitly configured on both client and + server side. It is recommended to remove the ``--disable-occ`` + option *or* explicitly add ``--cipher AES-256-GCM`` on the + client side if ``--disable-occ`` is strictly needed. + Overview of changes in 2.4 ==========================
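Review bot: the Changes.rst entry describes the fallback as "BF-CBC as a fallback through the NCP feature", but the unit file's ``--ncp-ciphers`` list in the next hunk also offers AES-128-GCM, AES-256-CBC and AES-128-CBC; list the full set here so administrators know which ciphers a pre-2.4 client can be pinned to with ``--cipher`` during migration. The *WARNING* paragraph should also say what breaks and why: a client without NCP support is matched against that fallback list by the cipher it announces in its OCC string, so with ``--disable-occ`` the server cannot learn the client's cipher and keeps its own ``--cipher AES-256-GCM`` while the client stays on its BF-CBC default, and the data channel fails. Spelling that out makes the recommendation to add ``--cipher AES-256-GCM`` on the client side understandable. Minor: "systemd based" should be hyphenated as "systemd-based", and "distributions with systemd which packages the systemd unit files" reads better as "distributions that package the systemd unit files".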
diff --git a/distro/systemd/openvpn-ser...@.service.in b/distro/systemd/openvpn-ser...@.service.in index d1cc72cb..f3545ff5 100644 --- a/distro/systemd/openvpn-ser...@.service.in +++ b/distro/systemd/openvpn-ser...@.service.in @@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO Type=notify PrivateTmp=true WorkingDirectory=/etc/openvpn/server -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE LimitNPROC=10 DeviceAllow=/dev/null rw -- 2.26.0 _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
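Review bot: the new ``--cipher AES-256-GCM --ncp-ciphers ...`` options sit before ``--config %i.conf`` in ExecStart, so a ``cipher`` or ``ncp-ciphers`` directive inside the server config file overrides them. That is the right order for a migration default, but it should be stated in the Changes.rst entry and in a comment in the unit file, otherwise administrators will assume the unit file enforces AES-256-GCM when their config may silently keep BF-CBC. BF-CBC stays last in the NCP list as the deliberate legacy fallback described in the commit message; since Blowfish is a 64-bit block cipher kept only for clients that have not yet migrated, add a comment next to the ExecStart line saying it is meant to be dropped in a later release, and mention ``systemctl edit openvpn-server@.service`` as the way to remove it per host without patching the shipped unit. ``openvpn-client@.service.in`` is untouched, which matches the server-only scope of the commit message.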
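As an added example, not code from this patch or from the OpenVPN project, the following POSIX shell script audits OpenVPN client config files for the two situations the Changes.rst warning and the commit message describe: a client that disables OCC without pinning a cipher (the case that breaks against a server defaulting to AES-256-GCM), and a client still on BF-CBC that only keeps working through the server's fallback list. The host name, file names and sample configs are constructed for illustration; the script assumes one directive per line, written either as ``cipher X`` or ``--cipher X``.

```shell
#!/bin/sh
# Added example, not part of the OpenVPN patch or project: audit OpenVPN
# client config files for settings that interact badly with a server whose
# unit file now defaults to --cipher AES-256-GCM with a BF-CBC NCP fallback.
# Assumptions: one directive per line, optional "#"/";" comments, and the
# directive may be written as "cipher X" or "--cipher X".

# check_ovpn_cfg FILE
# Prints one finding per line; the exit status is the number of findings
# (0 means the config needs no attention).
check_ovpn_cfg() {
    awk -v cfg="$1" '
    {
        sub(/[#;].*$/, "")            # drop trailing comments
        sub(/^[ \t]*(--)?/, "")       # drop indentation and an optional "--" prefix
        if ($1 == "disable-occ") occ_off = 1
        if ($1 == "ncp-disable") ncp_off = 1
        if ($1 == "cipher")      cipher = $2   # last occurrence wins, as in OpenVPN
    }
    END {
        n = 0
        if (occ_off && cipher == "") {
            # Without OCC the server cannot see which cipher this client uses,
            # so the BF-CBC fallback never triggers and the tunnel breaks.
            print cfg ": disable-occ without an explicit cipher; drop disable-occ or add cipher AES-256-GCM"
            n++
        }
        if (cipher == "BF-CBC") {
            print cfg ": cipher BF-CBC only works through the migration fallback list; move to AES-256-GCM (2.4+) or at least AES-256-CBC"
            n++
        }
        if (ncp_off && cipher == "") {
            print cfg ": ncp-disable without an explicit cipher leaves the client on the BF-CBC default; pin a cipher or drop ncp-disable"
            n++
        }
        exit n
    }' "$1"
}

# demo: run the check over three constructed client configs (not real
# deployments); returns the number of configs that produced findings.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'client\nremote vpn.example.com 1194\ndisable-occ\n' > "$dir/legacy.conf"
    printf 'client\nremote vpn.example.com 1194\n--disable-occ\ncipher AES-256-GCM\n' > "$dir/pinned.conf"
    printf 'client\nremote vpn.example.com 1194\n' > "$dir/modern.conf"
    bad=0
    for f in "$dir"/*.conf; do
        check_ovpn_cfg "$f" || bad=$((bad + 1))
    done
    rm -rf "$dir"
    return "$bad"
}

demo || :    # legacy.conf is reported, the other two pass
```

Run it over real files with `for f in /etc/openvpn/client/*.conf; do check_ovpn_cfg "$f"; done`; a non-zero exit status from any file is the signal to either remove ``disable-occ`` or pin ``cipher AES-256-GCM`` on that client before the server-side default changes.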