
OpenVPN: Remove "none" option for ncp-cipher encryption
Open, Normal, Public, BUG

Description

ncp-cipher uses data-ciphers in the background, which does not allow disabling the encryption; it only allows a list of ciphers for negotiation.
Disabling the encryption fails the openvpn service.

Jul 02 17:21:29 openvpn-vtun10[1861372]: Unsupported cipher in --data-ciphers: NONE
Jul 02 17:21:29 openvpn-vtun10[1861372]: Options error: --data-ciphers list contains unsupported ciphers or is too long.
Jul 02 17:21:29 openvpn-vtun10[1861372]: Use --help for more information.
Jul 02 17:21:29 systemd[1]: openvpn@vtun10.service: Main process exited, code=exited, status=1/FAILURE
Jul 02 17:21:29 systemd[1]: openvpn@vtun10.service: Failed with result 'exit-code'.
Jul 02 17:21:29 systemd[1]: Failed to start openvpn@vtun10.service - OpenVPN connection to vtun10.

Configuration:

set interfaces openvpn vtun10 encryption ncp-ciphers 'none'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '10.217.80.116'
set interfaces openvpn vtun10 local-port '1195'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server subnet '10.0.0.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-certificate 'root-ca'
set interfaces openvpn vtun10 tls certificate 'server1'
set interfaces openvpn vtun10 tls dh-params 'dh-1'

vyos@test1# set int openvpn vtun10 encryption ncp-ciphers
Possible completions:
   none                 Disable encryption
   3des                 DES algorithm with triple encryption
   aes128               AES algorithm with 128-bit key CBC
   aes128gcm            AES algorithm with 128-bit key GCM
   aes192               AES algorithm with 192-bit key CBC

Details

Difficulty level
Unknown (require assessment)
Version
1.5-rolling-202405240020
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

syncer triaged this task as Normal priority.

@SrividyaA Does it work for site-to-site ciphers option?

@SrividyaA what cipher should be selected instead if none is removed and migrated away?

This looks related to T5487

@Viacheslav, for site-to-site or server/client mode, when the cipher option is used as none the issue is also noticed. When you commit, it gives this warning:

vyos@vyos# set int openvpn vtun1 encryption cipher none
[edit]
vyos@vyos# commit
Warning: "encryption none" was specified!
No encryption will be performed and data is transmitted in plain text over the network!

Logs:

Jul 10 14:51:39 openvpn-vtun1[12357]: Cipher NONE not supported
Jul 10 14:51:39 openvpn-vtun1[12357]: Exiting due to fatal error
Jul 10 14:51:39 systemd[1]: openvpn@vtun1.service: Main process exited, code=exited, status=1/FAILURE

@c-po, maybe to this "AES-256-GCM:AES-128-GCM" or to "providers default" (this value is set when no encryption value is configured)

https://github.com/vyos/vyos-1x/blob/d386072c2b34ad33b667c00f21062cf1c6defa3d/data/templates/openvpn/server.conf.j2#L213

> @Viacheslav, for site-to-site or server/client mode, when the cipher option is used as none the issue is also noticed. When you commit, it gives this warning:
>
> vyos@vyos# set int openvpn vtun1 encryption cipher none
> [edit]
> vyos@vyos# commit
> Warning: "encryption none" was specified!
> No encryption will be performed and data is transmitted in plain text over the network!
>
> Logs:
>
> Jul 10 14:51:39 openvpn-vtun1[12357]: Cipher NONE not supported

In the configuration, it should be "none", not "NONE" or "ncp-disable".

@Viacheslav, thank you for the hint. After further analysis, these are the findings from the tests done in the lab, running version 1.4.0 on both sides with a server/client setup.

When I manually changed the algorithm value from "NONE" to "none" for the cipher option in "/run/openvpn/vtunx.conf", the openvpn service is active and the connection is established, but the encryption is not disabled; rather it uses AES-256-GCM from the cipher list, as it seems to ignore the older cipher option.

Jul 11 13:24:29 openvpn-vtun10[36122]: DEPRECATED OPTION: --cipher set to 'none' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Jul 11 13:24:29 openvpn-vtun10[36122]: OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
Jul 11 13:24:29 openvpn-vtun10[36122]: library versions: OpenSSL 3.0.11 19 Sep 2023, LZO 2.10
Jul 11 13:24:37 openvpn-vtun10[36122]: 172.16.0.3:55186 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Jul 11 13:24:37 openvpn-vtun10[36122]: client_cert/172.16.0.3:55186 SENT CONTROL [client_cert]: 'PUSH_REPLY,route-gateway 10.10.0.1,topology subnet,ping 10,ping-restart 600,ifconfig 10.10.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)

Tried the same step with the data-ciphers option, and encryption is disabled. So the "NONE" has to be replaced with "none", and a warning added while disabling the encryption.

Jul 12 11:50:20 openvpn-vtun10[62427]: 172.16.0.3:51752 peer info: IV_VER=2.6.3
Jul 12 11:50:20 openvpn-vtun10[62427]: 172.16.0.3:51752 peer info: IV_PLAT=linux
Jul 12 11:50:20 openvpn-vtun10[62427]: 172.16.0.3:51752 peer info: IV_TCPNL=1
Jul 12 11:50:20 openvpn-vtun10[62427]: 172.16.0.3:51752 peer info: IV_MTU=1600
Jul 12 11:50:20 openvpn-vtun10[62427]: 172.16.0.3:51752 peer info: IV_CIPHERS=none
Jul 12 11:50:20 openvpn-vtun10[62427]: client_cert/172.16.0.3:51752 ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Jul 12 11:50:20 openvpn-vtun10[62427]: client_cert/172.16.0.3:51752 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Jul 12 11:50:20 openvpn-vtun10[62427]: client_cert/172.16.0.3:51752 SENT CONTROL [client_cert]: 'PUSH_REPLY,route-gateway 10.10.0.1,topology subnet,ping 10,ping-restart 600,ifconfig 10.10.0.2 255.255.255.0,peer-id 0,cipher none,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1)

ncp-disable is not supported anymore:

--ncp-disable	Removed in OpenVPN 2.6. This option mainly served a role as debug option when NCP was first introduced. It should no longer be necessary. Its purpose was to disable "negotiable crypto parameters". This completely disables cipher negotiation.

Attached the output of the config file.


Reference documents:

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/#unsupported-options
https://openvpn.net/as-docs/tutorials/tutorial--turn-off-encryption.html#openvpn-2-5-and-newer
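The two behaviours this task pins down, taken together as an added worked example: OpenVPN 2.6 rejects "NONE" both in data-ciphers (the description) and in cipher (the site-to-site test) but accepts the lowercase "none", and a lone "cipher none" that is missing from data-ciphers is ignored for negotiation, so the lab peer still landed on AES-256-GCM. This is example code written for this page, not VyOS or OpenVPN code: the VYOS_TO_OPENVPN table, KNOWN_CIPHERS, DEFAULT_DATA_CIPHERS and the function names are assumptions, and the acceptance and negotiation rules are simplified models of what the log lines in the thread show, not the daemons' real parsers.

```python
# Toy model of the VyOS ncp-ciphers -> OpenVPN data-ciphers handoff.
# Added example for this task, not VyOS or OpenVPN code; the name table,
# the "known cipher" set and the acceptance/negotiation rules are assumed,
# modelled from the log lines in the thread.
import logging
from typing import List, Optional, Tuple

log = logging.getLogger("openvpn-model")

# VyOS CLI completion names -> OpenVPN cipher names (assumed table; only
# the first five appear in the task's completion listing).
VYOS_TO_OPENVPN = {
    "none": "none",
    "3des": "DES-EDE3-CBC",
    "aes128": "AES-128-CBC",
    "aes128gcm": "AES-128-GCM",
    "aes192": "AES-192-CBC",
    "aes192gcm": "AES-192-GCM",
    "aes256": "AES-256-CBC",
    "aes256gcm": "AES-256-GCM",
    "chacha20poly1305": "CHACHA20-POLY1305",
}
# Stand-in for the crypto library's cipher lookup.
KNOWN_CIPHERS = {v for v in VYOS_TO_OPENVPN.values() if v != "none"}
# The list OpenVPN 2.6 reported in the DEPRECATED OPTION log line above.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]


def render_data_ciphers(ncp_ciphers: List[str], uppercase_all: bool = False) -> str:
    """Render the data-ciphers line from the VyOS ncp-ciphers list.

    uppercase_all=True reproduces the failing behaviour: every name is
    upper-cased, so 'none' becomes 'NONE'. The fixed path keeps 'none'
    lowercase and logs the clear-text warning the thread asks for.
    """
    names = []
    for cli_name in ncp_ciphers:
        if cli_name not in VYOS_TO_OPENVPN:
            raise ValueError(f"unknown ncp-ciphers value {cli_name!r}")
        name = VYOS_TO_OPENVPN[cli_name]
        names.append(name.upper() if uppercase_all else name)
    if "none" in names:
        log.warning('"encryption none" was specified! Tunnelled data will be '
                    "transmitted in clear text over the network.")
    return "data-ciphers " + ":".join(names)


def check_cipher_name(name: str, option: str) -> Optional[str]:
    """Validate one name the way the thread's logs show OpenVPN 2.6 does.

    The 'none' test is case-sensitive: 'NONE' is not special-cased, falls
    through to the lookup and is rejected. Returns the error text or None.
    """
    if name == "none" or name.upper() in KNOWN_CIPHERS:
        return None
    if option == "data-ciphers":
        return f"Unsupported cipher in --data-ciphers: {name}"
    return f"Cipher {name} not supported"


def negotiate(server_data_ciphers: List[str], client_iv_ciphers: List[str]) -> Optional[str]:
    """NCP outcome: first server-list entry the peer also offers in IV_CIPHERS."""
    offered = set(client_iv_ciphers)
    for name in server_data_ciphers:
        if name in offered:
            return name
    return None


def simulate_server(config_lines: List[str], client_iv_ciphers: List[str]) -> Tuple[str, Optional[str]]:
    """Run a rendered server config against one NCP-capable peer.

    Returns ("error", message) when the daemon would refuse to start (the
    systemd failure in this task), else ("push", cipher) with the cipher the
    server would push, or ("push", None) when nothing matches.
    """
    cipher = None
    data_ciphers = None
    for line in config_lines:
        key, _, value = line.strip().partition(" ")
        if key in ("cipher", "data-ciphers"):
            for name in value.split(":"):
                err = check_cipher_name(name, key)
                if err:
                    return ("error", err)
            if key == "cipher":
                cipher = value
            else:
                data_ciphers = value.split(":")
    if data_ciphers is None:
        data_ciphers = list(DEFAULT_DATA_CIPHERS)
    # A lone 'cipher none' is ignored for negotiation with an NCP peer, which
    # is why the lab test with a hand-edited config still got AES-256-GCM.
    if cipher is not None and cipher not in data_ciphers:
        log.warning("--cipher set to '%s' but missing in --data-ciphers (%s); "
                    "ignored for cipher negotiation", cipher, ":".join(data_ciphers))
    return ("push", negotiate(data_ciphers, client_iv_ciphers))
```

render_data_ciphers(["none"], uppercase_all=True) yields the "data-ciphers NONE" line that fails in the description, render_data_ciphers(["none"]) yields the line that worked in the lab, and simulate_server(["cipher none"], DEFAULT_DATA_CIPHERS) reproduces the fallback to AES-256-GCM; only a peer that itself advertises IV_CIPHERS=none ends up with "cipher none" pushed.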