Magnuz Prime
2017-02-08 09:14:53 UTC
A.R Moreno
1. Re: Is it safe to disable packet authentication (auth) with GCM ciphers? (Steffan Karger)
2. Re: Is it safe to disable packet authentication (auth) with GCM ciphers? (Dreetjeh D)
3. Re: ipv6 static address with ccd (Sachin Garg)
----------------------------------------------------------------------
Message: 1
Date: Thu, 2 Feb 2017 13:43:15 +0100
Subject: Re: [Openvpn-users] Is it safe to disable packet authentication (auth) with GCM ciphers?
Content-Type: text/plain; charset=UTF-8
Hi,
> <.....>
> The --auth parameter is ..... still used to determine the --tls-auth HMAC digest.
> I guess in case of --tls-crypt, --auth is not needed/doing anything?
Correct. --tls-crypt *always* uses HMAC-SHA256 for authentication, no matter what you specify as --auth.
-Steffan
------------------------------
Message: 2
Date: Thu, 2 Feb 2017 12:56:53 +0000
Subject: Re: [Openvpn-users] Is it safe to disable packet authentication (auth) with GCM ciphers?
Content-Type: text/plain; charset="utf-8"
> Hi,
> > <.....>
> > The --auth parameter is ..... still used to determine the --tls-auth HMAC digest.
> > I guess in case of --tls-crypt, --auth is not needed/doing anything?
> Correct. --tls-crypt *always* uses HMAC-SHA256 for authentication, no matter what you specify as --auth.
> -Steffan
Thank you.
P.S.
Possibly an interesting read for whoever understands it ... I don't :)
"Achieving 128-bit Security against Quantum Attacks in OpenVPN"
http://essay.utwente.nl/70677/1/2016-08-09%20MSc%20Thesis%20Simon%20de%20Vries%20final%20color.pdf
------------------------------
Message: 3
Date: Thu, 2 Feb 2017 09:35:58 -0500
Subject: Re: [Openvpn-users] ipv6 static address with ccd
Content-Type: text/plain; charset="utf-8"
I have a similar setup with OpenVPN 2.3 (2.4 didn't work - do not know why).
What I have done is given a pool (from within the /112) to IPv6 dynamic
(say starting from a000 onwards), while static clients in CCD take the
earlier addresses. Guess this should prevent address clashes.
> > You can put each client in a different /112 just fine ("just use different
> > ranges"), just keep using a common /64 subnet.
> Any idea how to do that?
My config files ...
/etc/staticclients/ccd/client.ccd
----------------------------------
ifconfig-push 192.168.252.62 255.255.255.0
ifconfig-ipv6-push 2001:648:2C00:xxxx::dead/112 2001:648:2C00:xxxx::1
--------------
mode server
tls-server
proto udp
port 1194
dev tun
topology subnet
push topology subnet
tun-ipv6
push tun-ipv6
ca /etc/openvpn/ca.crt
cert /etc/openvpn/cert.crt
key /etc/openvpn/key.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0 # This file is secret
## https://blog.ipredator.se/howto/getting-openvpn-to-work-with-openvz.html
script-security 2
route-noexec
route-up /etc/openvpn/route-up-112.sh
down /etc/openvpn/route-down-112.sh
# https://community.openvpn.net/openvpn/wiki/Concepts-Addressing
# subnet example with static ccd
ifconfig 192.168.252.1 255.255.255.0
ifconfig-pool 192.168.252.150 192.168.252.249 255.255.255.0
ifconfig-ipv6 2001:648:2C00:xxxx::1 2001:648:2C00:xxxx::2
ifconfig-ipv6-pool 2001:648:2C00:xxxx::a000/112
ifconfig-pool-persist /var/log/openvpn/openvpn_ipp_udp.txt
push "route-gateway 192.168.252.1"
push "route-ipv6 2001:648:2C00:xxxx::/112"
push "route-ipv6 2000::/3" # tell the client to route Internet IPv6 traffic through the VPN
client-config-dir /etc/openvpn/staticclients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 2001:4860:4860::8888"
push "dhcp-option DNS 2001:4860:4860::8844"
client-to-client
> > > I don't want that. The IPs from the pool are assigned in a serial way or
> > > in a random way?
> > Serial.
> > > Is there a way to put an upper limit on the dynamic pool or to make it
> > > more specific?
> > It's "server base address plus 0x1000 plus the relative number in the IPv4
> > pool".
> > So if your IPv4 pool is a, say, /16 (65000 addresses), your IPv6 address
> > will never be more than "server base address plus 0x1000 plus 65000" - just
> > start your static addresses at "server base address plus 0x1:0000:0000"
> > (4 billion), which the assignment algorithm will never reach.
> > You have 64 bits available - so using
> > $net::1 for the server, and thus $net:0:0:0:nnnn for dynamic clients
> > $net:0:1:0001:mmmm for static client 1
> > $net:0:1:0002:xxxx for static client 2
> > $net:0:1:0003:zzzz for static client 3
> > ...
> > will be guaranteed collision-free.
> > gert
> Thanks for the details :)
> I've also looked at pool.c and found out how the pool size is done.
> Nevertheless, there seem to be some strange assumptions with ipv6_base:
> pool->base_ipv6 = ipv6_base;
> pool->size_ipv6 = ipv6_netbits>96 ? ( 1<<(128-ipv6_netbits) )
> : IFCONFIG_POOL_MAX;
> /64 to /96: size_ipv6=65536 (essentially a /112 capped by IFCONFIG_POOL_MAX)
> /97: size_ipv6=2^31 (probably a print problem here for %d. msg() gives
> -2147483648 in logs)
> /98: size_ipv6=2^30
> ...
> /112: size_ipv6=65536
> So a /98 to /111 gives more IPs for allocation than /64 to /96.
> Why is that?
> Essentially if I use a /64 I should keep the first /112 for dynamic
> allocation and not the first 4 billion (/96) as you say.
> Correct?
> I would skip the first /96 anyways :)
> regards,
> G
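As an added example, not code from this thread or from OpenVPN itself: a small C model of the pool sizing expression G quotes from pool.c and of the collision check the thread is about, i.e. whether a static ifconfig-ipv6-push address can ever fall inside the dynamic pool. It assumes IFCONFIG_POOL_MAX is 65536 (the value the thread reports) and models addresses by their 64-bit interface identifier inside the common /64.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IFCONFIG_POOL_MAX 65536 /* assumed; the thread reports this value */

/* The sizing expression G quotes from pool.c, evaluated in 64 bits so the
 * shift is well defined for every prefix length (1<<31 overflows an int). */
static int64_t pool_size_exact(int ipv6_netbits)
{
    return ipv6_netbits > 96 ? ((int64_t)1 << (128 - ipv6_netbits))
                             : (int64_t)IFCONFIG_POOL_MAX;
}

/* The same value held in 32 bits: at /97 it is 2^31, bit pattern 0x80000000,
 * which a %d format prints as -2147483648, the value seen in the log. */
static int32_t pool_size_as_logged(int ipv6_netbits)
{
    return (int32_t)(uint32_t)pool_size_exact(ipv6_netbits);
}

/* Dynamic clients get pool_base_iid + index for index < n_dynamic, where
 * n_dynamic is the IPv4 pool size (gert: "relative number in the IPv4 pool").
 * True means the static CCD address can never be handed out dynamically. */
static bool static_iid_is_outside_pool(uint64_t static_iid,
                                       uint64_t pool_base_iid,
                                       uint64_t n_dynamic)
{
    return static_iid < pool_base_iid ||
           static_iid - pool_base_iid >= n_dynamic;
}

int main(void)
{
    const int prefixes[] = {64, 96, 97, 98, 112};
    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++)
        printf("/%d: size_ipv6=%lld (as %%d: %d)\n", prefixes[i],
               (long long)pool_size_exact(prefixes[i]),
               pool_size_as_logged(prefixes[i]));
    /* Sachin's config: pool from ::a000, IPv4 pool .150-.249 = 100 entries,
     * static client at ::dead. */
    printf("::dead outside dynamic pool: %s\n",
           static_iid_is_outside_pool(0xdead, 0xa000, 100) ? "yes" : "no");
    /* gert's scheme: dynamic = ::1 + 0x1000 + n for a /16 IPv4 pool (65000),
     * first static client at $net:0:1:: i.e. interface id 1<<32. */
    printf("static 1<<32 outside dynamic range: %s\n",
           static_iid_is_outside_pool((uint64_t)1 << 32, 1 + 0x1000, 65000) ? "yes" : "no");
    return 0;
}
```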
_______________________________________________
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users
End of Openvpn-users Digest, Vol 129, Issue 3
*********************************************