1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
|
Protocol options
----------------
Options in this section affect features available in the OpenVPN wire
protocol. Many of these options also define the encryption options
of the data channel in the OpenVPN wire protocol. These options must be
configured in a compatible way between both the local and remote side.
--allow-compression mode
As described in the ``--compress`` option, compression is a potentially
dangerous option. This option allows controlling the behaviour of
OpenVPN when compression is used and allowed.
Valid syntaxes:
::
allow-compression
allow-compression mode
The ``mode`` argument can be one of the following values:
:code:`asym`
OpenVPN will only *decompress downlink packets* but *not compress
uplink packets*. This also allows migrating to disable compression
when changing both server and client configurations to remove
compression at the same time is not a feasible option.
:code:`no` (default)
OpenVPN will refuse any compression. If data-channel offloading
is enabled, OpenVPN will additionally also refuse compression
framing (stub).
:code:`yes`
OpenVPN will send and receive compressed packets.
--auth alg
Authenticate data channel packets and (if enabled) ``tls-auth`` control
channel packets with HMAC using message digest algorithm ``alg``. (The
default is ``SHA1`` ). HMAC is a commonly used message authentication
algorithm (MAC) that uses a data string, a secure hash algorithm and a
key to produce a digital signature.
The OpenVPN data channel protocol uses encrypt-then-mac (i.e. first
encrypt a packet then HMAC the resulting ciphertext), which prevents
padding oracle attacks.
If an AEAD cipher mode (e.g. GCM) is chosen then the specified ``--auth``
algorithm is ignored for the data channel and the authentication method
of the AEAD cipher is used instead. Note that ``alg`` still specifies
the digest used for ``tls-auth``.
In static-key encryption mode, the HMAC key is included in the key file
generated by ``--genkey``. In TLS mode, the HMAC key is dynamically
generated and shared between peers via the TLS control channel. If
OpenVPN receives a packet with a bad HMAC it will drop the packet. HMAC
usually adds 16 or 20 bytes per packet. Set ``alg=none`` to disable
authentication.
For more information on HMAC see
http://www.cs.ucsd.edu/users/mihir/papers/hmac.html
--cipher alg
This option should not be used any longer in TLS mode and still
exists for two reasons:
* compatibility with old configurations still carrying it
around;
* allow users connecting to OpenVPN peers older than 2.6.0
to have ``--cipher`` configured the same way as the remote
counterpart. This can avoid MTU/frame size warnings.
Before 2.4.0, this option was used to select the cipher to be
configured on the data channel, however, later versions usually
ignored this directive in favour of a negotiated cipher.
Starting with 2.6.0, this option is always ignored in TLS mode
when it comes to configuring the cipher and will only control the
cipher for ``--secret`` pre-shared-key mode (note: this mode is
deprecated and strictly not recommended).
If you wish to specify the cipher to use on the data channel,
please see ``--data-ciphers`` (for regular negotiation) and
``--data-ciphers-fallback`` (for a fallback option when the
negotiation cannot take place because the other peer is old or
has negotiation disabled).
To see ciphers that are available with OpenVPN, use the
``--show-ciphers`` option.
Set ``alg`` to :code:`none` to disable encryption.
--compress algorithm
**DEPRECATED** Enable a compression algorithm. Compression is generally
not recommended. VPN tunnels which use compression are susceptible to
the VORALCE attack vector. See also the :code:`migrate` parameter below.
The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`,
:code:`lz4-v2`, :code:`stub`, :code:`stub-v2`, :code:`migrate` or empty.
LZO and LZ4 are different compression algorithms, with LZ4 generally
offering the best performance with least CPU usage.
The :code:`lz4-v2` and :code:`stub-v2` variants implement a better
framing that does not add overhead when packets cannot be compressed. All
other variants always add one extra framing byte compared to no
compression framing.
Especially :code:`stub-v2` is essentially identical to no compression and
no compression framing as its header indicates IP version 5 in a tun setup
and can (ab)used to complete disable compression to clients. (See the
:code:`migrate` option below)
If the ``algorithm`` parameter is :code:`stub`, :code:`stub-v2` or empty,
compression will be turned off, but the packet framing for compression
will still be enabled, allowing a different setting to be pushed later.
Additionally, :code:`stub` and :code:`stub-v2` wil disable announcing
``lzo`` and ``lz4`` compression support via *IV_* variables to the
server.
Note: the :code:`stub` (or empty) option is NOT compatible with the older
option ``--comp-lzo no``.
Using :code:`migrate` as compression algorithm enables a special migration mode.
It allows migration away from the ``--compress``/``--comp-lzo`` options to no compression.
This option sets the server to no compression mode and the server behaves identical to
a server without a compression option for all clients without a compression in their
config. However, if a client is detected that indicates that compression is used (via OCC),
the server will automatically add ``--push compress stub-v2`` to the client specific
configuration if supported by the client and otherwise switch to ``comp-lzo no``
and add ``--push comp-lzo`` to the client specific configuration.
***Security Considerations***
Compression and encryption is a tricky combination. If an attacker knows
or is able to control (parts of) the plain-text of packets that contain
secrets, the attacker might be able to extract the secret if compression
is enabled. See e.g. the *CRIME* and *BREACH* attacks on TLS and
*VORACLE* on VPNs which also leverage to break encryption. If you are not
entirely sure that the above does not apply to your traffic, you are
advised to *not* enable compression.
--comp-lzo mode
**DEPRECATED** Enable LZO compression algorithm. Compression is
generally not recommended. VPN tunnels which uses compression are
suspectible to the VORALCE attack vector.
Use LZO compression -- may add up to 1 byte per packet for incompressible
data. ``mode`` may be :code:`yes`, :code:`no`, or :code:`adaptive`
(default).
In a server mode setup, it is possible to selectively turn compression
on or off for individual clients.
First, make sure the client-side config file enables selective
compression by having at least one ``--comp-lzo`` directive, such as
``--comp-lzo no``. This will turn off compression by default, but allow
a future directive push from the server to dynamically change the
:code:`on`/:code:`off`/:code:`adaptive` setting.
Next in a ``--client-config-dir`` file, specify the compression setting
for the client, for example:
::
comp-lzo yes
push "comp-lzo yes"
The first line sets the ``comp-lzo`` setting for the server side of the
link, the second sets the client side.
--comp-noadapt
**DEPRECATED** When used in conjunction with ``--comp-lzo``, this option
will disable OpenVPN's adaptive compression algorithm. Normally, adaptive
compression is enabled with ``--comp-lzo``.
Adaptive compression tries to optimize the case where you have
compression enabled, but you are sending predominantly incompressible
(or pre-compressed) packets over the tunnel, such as an FTP or rsync
transfer of a large, compressed file. With adaptive compression, OpenVPN
will periodically sample the compression process to measure its
efficiency. If the data being sent over the tunnel is already
compressed, the compression efficiency will be very low, triggering
openvpn to disable compression for a period of time until the next
re-sample test.
--key-direction
Alternative way of specifying the optional direction parameter for the
``--tls-auth`` and ``--secret`` options. Useful when using inline files
(See section on inline files).
--data-ciphers cipher-list
Restrict the allowed ciphers to be negotiated to the ciphers in
``cipher-list``. ``cipher-list`` is a colon-separated list of ciphers,
and defaults to :code:`AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305` when
Chacha20-Poly1305 is available and otherwise :code:`AES-256-GCM:AES-128-GCM`.
For servers, the first cipher from ``cipher-list`` that is also
supported by the client will be pushed to clients that support cipher
negotiation.
For more details see the chapter on `Data channel cipher negotiation`_.
*Especially* if you need to support clients with OpenVPN versions older
than 2.4!
Starting with OpenVPN 2.6 a cipher can be prefixed with a :code:`?` to mark
it as optional. This allows including ciphers in the list that may not be
available on all platforms.
E.g. :code:`AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305` would only enable
Chacha20-Poly1305 if the underlying SSL library (and its configuration)
supports it.
Cipher negotiation is enabled in client-server mode only. I.e. if
``--mode`` is set to `server` (server-side, implied by setting
``--server`` ), or if ``--pull`` is specified (client-side, implied by
setting ``--client``).
If no common cipher is found during cipher negotiation, the connection
is terminated. To support old clients/old servers that do not provide any
cipher negotiation support see ``--data-ciphers-fallback``.
If ``--compat-mode`` is set to a version older than 2.5.0 the cipher
specified by ``--cipher`` will be appended to ``--data-ciphers`` if
not already present.
This list is restricted to be 127 chars long after conversion to OpenVPN
ciphers.
This option was called ``--ncp-ciphers`` in OpenVPN 2.4 but has been renamed
to ``--data-ciphers`` in OpenVPN 2.5 to more accurately reflect its meaning.
--data-ciphers-fallback alg
Configure a cipher that is used to fall back to if we could not determine
which cipher the peer is willing to use.
This option should only be needed to
connect to peers that are running OpenVPN 2.3 or older versions, and
have been configured with ``--enable-small``
(typically used on routers or other embedded devices).
--secret args
**DEPRECATED** Enable Static Key encryption mode (non-TLS). Use pre-shared secret
``file`` which was generated with ``--genkey``.
Valid syntaxes:
::
secret file
secret file direction
The optional ``direction`` parameter enables the use of 4 distinct keys
(HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt), so that each
data flow direction has a different set of HMAC and cipher keys. This
has a number of desirable security properties including eliminating
certain kinds of DoS and message replay attacks.
When the ``direction`` parameter is omitted, 2 keys are used
bidirectionally, one for HMAC and the other for encryption/decryption.
The ``direction`` parameter should always be complementary on either
side of the connection, i.e. one side should use :code:`0` and the other
should use :code:`1`, or both sides should omit it altogether.
The ``direction`` parameter requires that ``file`` contains a 2048 bit
key. While pre-1.5 versions of OpenVPN generate 1024 bit key files, any
version of OpenVPN which supports the ``direction`` parameter, will also
support 2048 bit key file generation using the ``--genkey`` option.
Static key encryption mode has certain advantages, the primary being
ease of configuration.
There are no certificates or certificate authorities or complicated
negotiation handshakes and protocols. The only requirement is that you
have a pre-existing secure channel with your peer (such as ``ssh``) to
initially copy the key. This requirement, along with the fact that your
key never changes unless you manually generate a new one, makes it
somewhat less secure than TLS mode (see below). If an attacker manages
to steal your key, everything that was ever encrypted with it is
compromised. Contrast that to the perfect forward secrecy features of
TLS mode (using Diffie Hellman key exchange), where even if an attacker
was able to steal your private key, he would gain no information to help
him decrypt past sessions.
Another advantageous aspect of Static Key encryption mode is that it is
a handshake-free protocol without any distinguishing signature or
feature (such as a header or protocol handshake sequence) that would
mark the ciphertext packets as being generated by OpenVPN. Anyone
eavesdropping on the wire would see nothing but random-looking data.
--tran-window n
Transition window -- our old key can live this many seconds after a new
a key renegotiation begins (default :code:`3600` seconds). This feature
allows for a graceful transition from old to new key, and removes the key
renegotiation sequence from the critical path of tunnel data forwarding.
|
