Currently, our OpenVPN configuration scripts generate the following options when no encryption cipher is specified:
# Encryption options
cipher bf-cbc
keysize 128
The problem is that --keysize no longer exists in OpenVPN 2.6.
And the default config of VyOS 1.3.x makes OpenVPN fail to start:
Sep 20 08:24:01 openvpn-vtun20[4801]: Options error: Unrecognized option or missing or extra parameter(s) in vtun20.conf:67: keysize (2.6.3)
Sep 20 08:24:01 openvpn-vtun20[4801]: Use --help for more information.
Sep 20 08:24:01 systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
Sep 20 08:24:01 systemd[1]: o[email protected]: Failed with result 'exit-code'.
Simply removing the deprecated option fixes the problem — for the old default, BF-CBC 128. However, there seem to be no explicit "bf-128-cbc" and "bf-256-cbc" ciphers, so Blowfish with 256-bit keys is no longer possible to configure.
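A pre-flight check for the failure described above, as an added example (not VyOS or OpenVPN code): it reports the line number of any `keysize` directive in a generated config when the target OpenVPN is 2.6 or newer, and can strip it before the service is started. The function names, the sample config and the simplified comment handling are assumptions made for illustration.

```python
import re

# Options rejected by OpenVPN 2.6; the report above names only keysize.
REMOVED_IN_2_6 = {"keysize"}


def parse_version(text):
    """Turn a version string such as '2.6.3' into (2, 6, 3)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def find_removed_options(conf_text, openvpn_version):
    """Return [(line_number, option, args)] for directives this version rejects."""
    if parse_version(openvpn_version) < (2, 6):
        return []  # older releases still accept the option
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        # Simplification: treat everything after '#' or ';' as a comment.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        option, *args = line.split()
        option = option.lstrip("-")  # tolerate a leading '--' in the file
        if option in REMOVED_IN_2_6:
            findings.append((lineno, option, args))
    return findings


def strip_removed_options(conf_text, openvpn_version):
    """Return the config text with the rejected directives dropped."""
    bad = {n for n, _, _ in find_removed_options(conf_text, openvpn_version)}
    kept = [line for n, line in enumerate(conf_text.splitlines(), start=1)
            if n not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample: the generated fragment quoted above plus one extra line.
SAMPLE_CONF = """\
dev vtun20
# Encryption options
cipher bf-cbc
keysize 128
"""

if __name__ == "__main__":
    for lineno, option, args in find_removed_options(SAMPLE_CONF, "2.6.3"):
        print(f"line {lineno}: '{option} {' '.join(args)}' is rejected by 2.6")
    print(strip_removed_options(SAMPLE_CONF, "2.6.3"), end="")
```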