openvpn default cipher (BF-CBC) is vulnerable to the SWEET32 attack, but since 2.4, openvpn is able to negotiate the cipher with the remote.
May 29 18:40:19 X ovpn-X[X]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key May 29 18:40:19 X ovpn-X[X]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
openvpn recommends changing the cipher using
--cipher, but since I have some
legacy devices still connecting to my server, I won’t change the server
configuration, only let the device select a better cipher.
The server runs on openwrt - lede 17.01.4, and is already running openvpn 2.4.
Unfortunately, ubuntu 16.04 only provides openvpn 2.3. And here is how to upgrade the installation.
FIXME: Write a complete setup procedure for 18.04 including certificate management.
- After a successful setup of openvpn 2.3 on 16.04, add this source to apt:
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | sudo apt-key add - echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" | sudo tee /etc/apt/sources.list.d/openvpn-aptrepo.list
- Then update openvpn (it should restart automatically)
sudo apt-get update sudo apt-get install openvpn
This extract of
/var/log/syslog will show the that this host is not
May 29 18:50:46 X ovpn-X[X]: Data Channel: using negotiated cipher 'AES-256-GCM' May 29 18:50:46 X ovpn-X[X]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key May 29 18:50:46 X ovpn-X[X]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Question, remark, bug? Don't hesitate to contact me or report a bug.