Bug 777768 - [RFE] add "compress" option (lz4)
Status: NEW
Product: NetworkManager
Classification: Platform
Component: VPN: openvpn
Version: git master
OS: Other Linux
Importance: Normal major
Target Milestone: ---
Assigned To: NetworkManager maintainer(s)
Depends on:
Blocks: nm-openvpn-options
Reported: 2017-01-25 22:47 UTC by trexs
Modified: 2017-09-26 08:56 UTC

See Also:
GNOME target: ---
GNOME version: ---

Attachments
patch: Add support for tls-crypt (4.48 KB, patch)
2017-01-29 12:37 UTC, Pau Espin Pedrol

Description trexs 2017-01-25 22:47:44 UTC
OpenVPN 2.4 introduced two new features:

---
compress [algorithm]
    Enable a compression algorithm.

    The algorithm parameter may be "lzo", "lz4", or empty. LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with OpenVPN versions before 2.4, use "lzo" (which is identical to the older option "--comp-lzo yes").

    If the algorithm parameter is empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later.
---

---
tls-crypt keyfile

    Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)

    Encrypting (and authenticating) control channel packets:

        • provides more privacy by hiding the certificate used for the TLS connection,
        • makes it harder to identify OpenVPN traffic as such,
        • provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
---

Note that tls-crypt and tls-auth cannot be used together.
Comment 1 Pau Espin Pedrol 2017-01-29 12:36:16 UTC
Hi,

Yesterday I ran into an issue trying to set up a VPN conn which was using tls-crypt. I created a patch and I'm now able to use it.

I sent the patch to the NM mailing-list but it seems it needs to be accepted by the moderator as I'm not subscribed to it.

I attach the patch here as it solves one of the 2 required options to be implemented for the ticket.
Comment 2 Pau Espin Pedrol 2017-01-29 12:37:11 UTC
Created attachment 344482 [details] [review]
patch: Add support for tls-crypt
Comment 3 Thomas Haller 2017-01-29 14:41:10 UTC
(In reply to Pau Espin Pedrol from comment #2)
> Created attachment 344482 [details] [review] [review]
> patch: Add support for tls-crypt

The patch stores the tls-crypt path as NM_OPENVPN_KEY_TA, which is also used by tls-auth.

It aims to differentiate based on the presence of NM_OPENVPN_KEY_TA_DIR.


} else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_AUTH,
                                    NMV_OVPN_TAG_TLS_CRYPT)) {
    setting_vpn_add_data_item_path (s_vpn, NM_OPENVPN_KEY_TA, file);
    if (s_direction)
        setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, s_direction);

this will encode

--tls-auth PATH
--tls-crypt PATH

the same way.


I think, there should instead be a new "NM_OPENVPN_KEY_TLS_CRYPT" key.



Also, tls-auth and tls-crypt options conflict. Similarly, import should reject such connections.
Maybe src/nm-openvpn-service.c should also reject such connections, or silently proceed and only do tls-crypt.
Comment 4 Pau Espin Pedrol 2017-01-30 10:38:39 UTC
Hi,

I based my patch on the idea that NM_OPENVPN_KEY_TA_DIR must be set in --tls-auth, but it seems it can actually be omitted, then obviously my patch should not work fine in that scenario.

From https://community.openvpn.net/openvpn/wiki/Hardening :

"And reference it in the configs as such. The 0/1 value is arbitrary and must be the opposite between peers (or omitted entirely.)"
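The import logic that comments 3 and 4 discuss, as an added example that is not NetworkManager-openvpn's own code: a minimal importer for the tls-auth and tls-crypt lines of an OpenVPN config that stores the two options under distinct keys (the separate NM_OPENVPN_KEY_TLS_CRYPT key proposed in comment 3), treats the tls-auth direction as optional (the point from comment 4, so presence of a direction is not used to tell the two apart), and rejects a config that uses both, since OpenVPN does not allow them together. The key names are taken from the thread; their string values, the VpnSetting store, and the function names are assumptions made for this example.

```c
/* Added example, not project code. Key names come from the bug thread; the
 * literal string values below are assumed for this example only. */
#include <stdio.h>
#include <string.h>

#define NM_OPENVPN_KEY_TA        "ta"
#define NM_OPENVPN_KEY_TA_DIR    "ta-dir"
#define NM_OPENVPN_KEY_TLS_CRYPT "tls-crypt"   /* new key from comment 3 */

#define MAX_ITEMS 8
#define MAX_LEN   128

/* Hypothetical stand-in for NMSettingVpn's data items. */
typedef struct { char key[MAX_LEN]; char value[MAX_LEN]; } DataItem;
typedef struct { DataItem items[MAX_ITEMS]; int n; } VpnSetting;

static void setting_add(VpnSetting *s, const char *key, const char *value)
{
    if (s->n >= MAX_ITEMS) return;
    snprintf(s->items[s->n].key, MAX_LEN, "%s", key);
    snprintf(s->items[s->n].value, MAX_LEN, "%s", value);
    s->n++;
}

const char *setting_get(const VpnSetting *s, const char *key)
{
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->items[i].key, key) == 0)
            return s->items[i].value;
    return NULL;
}

/* Parse one config line. Returns 1 if it was a tls-auth or tls-crypt option
 * and was recorded under its own key, 0 for any other line. */
static int parse_line(VpnSetting *s, const char *line)
{
    char tag[MAX_LEN], file[MAX_LEN], dir[MAX_LEN];
    int n = sscanf(line, "%127s %127s %127s", tag, file, dir);
    if (n < 2) return 0;
    if (strcmp(tag, "tls-auth") == 0) {
        setting_add(s, NM_OPENVPN_KEY_TA, file);
        if (n == 3)                       /* direction may be omitted (comment 4) */
            setting_add(s, NM_OPENVPN_KEY_TA_DIR, dir);
        return 1;
    }
    if (strcmp(tag, "tls-crypt") == 0) {  /* never stored as NM_OPENVPN_KEY_TA */
        setting_add(s, NM_OPENVPN_KEY_TLS_CRYPT, file);
        return 1;
    }
    return 0;
}

/* Import a newline-separated config. Returns 0 on success and -1 when the
 * config uses both tls-auth and tls-crypt, which must be rejected. */
int import_config(VpnSetting *s, const char *config)
{
    char buf[1024];
    memset(s, 0, sizeof(*s));
    snprintf(buf, sizeof buf, "%s", config);
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n"))
        parse_line(s, line);
    if (setting_get(s, NM_OPENVPN_KEY_TA) && setting_get(s, NM_OPENVPN_KEY_TLS_CRYPT))
        return -1;
    return 0;
}

/* Import config and compare one stored value; expected == NULL means the
 * key must be absent. Returns 1 on match, 0 otherwise (or on import error). */
int import_and_check(const char *config, const char *key, const char *expected)
{
    VpnSetting s;
    const char *v;
    if (import_config(&s, config) != 0) return 0;
    v = setting_get(&s, key);
    if (!v || !expected) return v == expected;
    return strcmp(v, expected) == 0;
}

int main(void)
{
    /* Constructed sample configs, not taken from any real deployment. */
    VpnSetting s;
    printf("tls-auth with direction: %d\n", import_config(&s, "client\ntls-auth ta.key 1\n"));
    printf("tls-auth, no direction:  %d\n", import_config(&s, "tls-auth ta.key\n"));
    printf("tls-crypt only:          %d\n", import_config(&s, "tls-crypt tc.key\n"));
    printf("both (rejected):         %d\n", import_config(&s, "tls-auth ta.key 1\ntls-crypt tc.key\n"));
    return 0;
}
```

Because the two options land under different keys, a later consumer (the service that builds the openvpn command line) can emit `--tls-auth` or `--tls-crypt` without guessing from the presence of a direction value, and the conflicting combination is caught at import rather than passed through to openvpn.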
Comment 5 Beniamino Galvani 2017-05-12 15:44:28 UTC
I pushed your commit to branch:

https://git.gnome.org/browse/network-manager-openvpn/log/?h=bg/options

and added two more commits for review.
Comment 6 Thomas Haller 2017-05-12 16:14:38 UTC
pushed a fixup. Branch lgtm.
Comment 7 Beniamino Galvani 2017-05-12 20:57:31 UTC
tls-crypt support merged:

https://git.gnome.org/browse/network-manager-openvpn/commit/?id=d90cf9105e33fd4f646adf4f1ef8b9f95afc737b

'compress' still to do.
