GNOME Bugzilla – Bug 777768
[RFE] add "compress" option (lz4)
Last modified: 2017-09-26 08:56:36 UTC
Openvpn 2.4 introduced two new features:

---
compress [algorithm]
Enable a compression algorithm. The algorithm parameter may be "lzo", "lz4", or empty. LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage. For backwards compatibility with OpenVPN versions before 2.4, use "lzo" (which is identical to the older option "--comp-lzo yes"). If the algorithm parameter is empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later.
---

---
tls-crypt keyfile
Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
Encrypting (and authenticating) control channel packets:
• provides more privacy by hiding the certificate used for the TLS connection,
• makes it harder to identify OpenVPN traffic as such,
• provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
---

Note that tls-crypt and tls-auth cannot be used together.
Hi,

Yesterday I ran into an issue trying to set up a VPN connection which was using tls-crypt. I created a patch and I'm now able to use it. I sent the patch to the NM mailing list but it seems it needs to be accepted by the moderator as I'm not subscribed to it. I attach the patch here as it solves one of the 2 required options to be implemented for the ticket.
Created attachment 344482 [details] [review] patch: Add support for tls-crypt
(In reply to Pau Espin Pedrol from comment #2)
> Created attachment 344482 [details] [review]
> patch: Add support for tls-crypt

the patch stores the tls-crypt path as NM_OPENVPN_KEY_TA, which is also used by tls-auth. It aims to differentiate, based on the presence of NM_OPENVPN_KEY_TA_DIR.

    } else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_AUTH, NMV_OVPN_TAG_TLS_CRYPT)) {
        setting_vpn_add_data_item_path (s_vpn, NM_OPENVPN_KEY_TA, file);
        if (s_direction)
            setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, s_direction);

this will encode

    --tls-auth PATH
    --tls-crypt PATH

the same way. I think, there should instead be a new "NM_OPENVPN_KEY_TLS_CRYPT" key.

Also, tls-auth and tls-crypt options conflict. Similarly, import should reject such connections. Maybe src/nm-openvpn-service.c should also reject such connections, or silently proceed and only do tls-crypt.
Hi,

I based my patch on the idea that NM_OPENVPN_KEY_TA_DIR must be set in --tls-auth, but it seems it can actually be omitted, so obviously my patch would not work in that scenario.

From https://community.openvpn.net/openvpn/wiki/Hardening :
"And reference it in the configs as such. The 0/1 value is arbitrary and must be the opposite between peers (or omitted entirely.)"
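The import logic the two comments above argue for, as an added example in Python (a model written for this page, not the project's C code): a separate data item for tls-crypt, an optional direction for tls-auth, and rejection of a file that sets both. The NM_OPENVPN_KEY_TLS_CRYPT name and the string values of the keys are assumptions.

```python
# Added example (not network-manager-openvpn's own code) modelling the import
# logic above. NM_OPENVPN_KEY_TLS_CRYPT is the thread's proposed new key, assumed here.
NM_OPENVPN_KEY_TA = "ta"
NM_OPENVPN_KEY_TA_DIR = "ta-dir"
NM_OPENVPN_KEY_TLS_CRYPT = "tls-crypt"

class ConflictError(ValueError):
    """The .ovpn file cannot be represented as a valid NM connection."""

def import_control_channel_options(config_text):
    """Collect tls-auth / tls-crypt data items from .ovpn config text.

    tls-auth takes a key file plus an optional 0/1 direction, tls-crypt only
    a key file; a separate key, not the direction's presence, tells them apart.
    """
    items = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # OpenVPN comment lines
            continue
        params = line.split()
        if params[0] == "tls-auth":
            if len(params) < 2:
                raise ConflictError("tls-auth requires a key file")
            items[NM_OPENVPN_KEY_TA] = params[1]
            if len(params) > 2:
                if params[2] not in ("0", "1"):
                    raise ConflictError("tls-auth direction must be 0 or 1")
                items[NM_OPENVPN_KEY_TA_DIR] = params[2]
        elif params[0] == "tls-crypt":
            if len(params) < 2:
                raise ConflictError("tls-crypt requires a key file")
            items[NM_OPENVPN_KEY_TLS_CRYPT] = params[1]
    # The two options are mutually exclusive in OpenVPN 2.4: reject at import
    # instead of letting the service silently pick one.
    if NM_OPENVPN_KEY_TA in items and NM_OPENVPN_KEY_TLS_CRYPT in items:
        raise ConflictError("tls-auth and tls-crypt cannot be used together")
    return items

def to_openvpn_args(items):
    """Turn stored data items back into the openvpn command-line options."""
    if NM_OPENVPN_KEY_TLS_CRYPT in items:
        return ["--tls-crypt", items[NM_OPENVPN_KEY_TLS_CRYPT]]
    if NM_OPENVPN_KEY_TA in items:
        args = ["--tls-auth", items[NM_OPENVPN_KEY_TA]]
        if NM_OPENVPN_KEY_TA_DIR in items:
            args.append(items[NM_OPENVPN_KEY_TA_DIR])
        return args
    return []
```

With separate keys the round trip is unambiguous: a tls-auth line without a direction and a tls-crypt line no longer collapse to the same stored data.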
I pushed your commit to branch: https://git.gnome.org/browse/network-manager-openvpn/log/?h=bg/options and added two more commits for review.
pushed a fixup. Branch lgtm.
tls-crypt support merged: https://git.gnome.org/browse/network-manager-openvpn/commit/?id=d90cf9105e33fd4f646adf4f1ef8b9f95afc737b

'compress' still to do.