VyOS Networks Blog

Building an open source network OS for the people, together.

What's coming for OpenVPN in VyOS 1.4?

Daniil Baturin
Posted 26 Sep, 2023

Hello, Community!

OpenVPN is one of the oldest open-source VPN protocols and implementations. It took the world by storm in the early 2000s because it was a huge improvement over the VPN solutions of the time: PPTP, which used a patent-encumbered cipher of questionable security; IPsec or L2TP/IPsec, which were hard to set up and very unfriendly to NATed and poorly configured networks; and a variety of proprietary SSL VPNs. OpenVPN was trivial to set up on the client (give it a single config file and you are done), it was open-source, and it was available for all popular OSes.

I'm personally a big fan of OpenVPN: its ability to push a variety of configuration options to clients is a huge boon for client-server setups, its negotiation protocol is well-designed, it's trivial to figure out any connection problem from either client or server logs, and its site-to-site mode allowed people to set up point-to-point VPN tunnels in minutes long before WireGuard existed.

However, OpenVPN had two big issues: poor performance and defaults that are no longer secure. Fortunately, OpenVPN developers have been working on both problems, and the solutions are already here, but they are somewhat disruptive and require adjustments. Let's discuss them in detail.

Data Channel Offload (DCO)

The main reason why OpenVPN was so slow compared to its competitors is that it was doing all its packet processing and encryption in user space. IPsec in Linux was always implemented in the kernel, and WireGuard was also a kernel module from the start — once configured, they can do all their work without spending any time on context switches required to pass data between the kernel and userspace programs.

The only way to make OpenVPN as fast as IPsec and WireGuard is to move its data processing to the kernel, and that's exactly what its developers have been doing lately in the DCO project. It can already make OpenVPN tunnels much faster, and we are happy to be the first to support it out of the box.

set interfaces openvpn vtun0 offload dco

Currently, DCO is still experimental and has multiple limitations: for example, it only supports AES-GCM and ChaCha20-Poly1305 ciphers and only the L2 (TUN) mode. Some of those limitations may be lifted in the future, and others are there to stay. But we hope that DCO support will help everyone set up VPN servers that are both flexible and fast.

Site-to-site mode with peer certificate fingerprint verification

The site-to-site mode of OpenVPN remains an obscure feature, and VyOS is one of the few systems that has an interface for configuring it. Some may claim that WireGuard made it obsolete. I don't think it's true: funny networks where OpenVPN's ability to work over TCP is valuable still exist, and the option to push routes and other options can remove the need for dynamic routing protocols or additional configuration in many cases.

However, there was an important compromise involved. You could set up a full-blown PKI with a CA certificate to get the long-term security of TLS and peer authentication, but the time needed to set up a PKI for a single point-to-point tunnel arguably defeats the purpose (you could just as well make a client-server setup). Or you could use pre-shared keys and save time, but sacrifice important features of TLS such as session keys and key re-negotiation that make brute-force attacks impractical.

OpenVPN developers added an option to specify one or more fingerprints of trusted certificates, which makes site-to-site configurations both secure and easy to set up. That allows using self-signed certificates that are quick to create but still authenticate the peer.

In recent nightly builds, we have all the commands to do it from the VyOS CLI.

vyos@vyos# run generate pki certificate self-signed install openvpn-local
Enter private key type: [rsa, dsa, ec] (Default: rsa) ec
Enter private key bits: (Default: 256)
Enter country code: (Default: GB)
Enter state: (Default: Some-State)
Enter locality: (Default: Some-City)
Enter organization name: (Default: VyOS)
Enter common name: (Default: vyos.io)
Do you want to configure Subject Alternative Names? [y/N]
Enter how many days certificate will be valid: (Default: 365)
Enter certificate type: (client, server) (Default: server)
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N]
2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.

vyos@local# compare
+ certificate openvpn-local {
+     private {
+         key "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgtOeEb0dMb5P/2Exi09WWvk6Cvz0oOBoDuP68ZimS2LShRANCAASp7D0vE3SKSAWAzr/lw9Eq9Q89r247AJR6ec/GT26AIcVA1bsongV1YaWvRwzTPC/yi5pkzV/PcT/WU7JQIyMW"
+     }
+ }

vyos@local# commit

Then you can view its fingerprint. At the moment, OpenVPN only supports SHA-256 fingerprints.

vyos@local# run show pki certificate openvpn-local fingerprint sha256

Finally, you can specify that fingerprint on the remote side.

vyos@remote# set interfaces openvpn vtun1 tls peer-fingerprint 5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79
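To make the fingerprint check concrete, here is an added Python example (not VyOS or OpenVPN code) that derives the SHA-256 fingerprint in the same colon-separated form shown above and compares it against a list of trusted values the way a peer-fingerprint check must: fail closed, accept one or more entries, and reject digests that are not SHA-256. The PEM body is a constructed stand-in whose base64 decodes to the bytes "abc" rather than a real certificate, and peer_allowed is a hypothetical helper, not OpenVPN's implementation.

```python
import base64
import hashlib
import re

# Constructed stand-in for a PEM certificate: the base64 body decodes to the
# bytes b"abc", not to a real X.509 DER structure. It exercises the
# PEM -> DER -> SHA-256 path with an easily checked expected value.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, rendered as colon-separated upper-case hex,
    the same shape as the value passed to 'tls peer-fingerprint'."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Accept 'AA:BB' or 'aabb' spellings; reject anything that is not a
    32-byte (SHA-256) digest, e.g. a SHA-1 fingerprint pasted by mistake."""
    hexstr = fp.replace(":", "").strip().upper()
    if not re.fullmatch(r"[0-9A-F]{64}", hexstr):
        raise ValueError("expected a SHA-256 fingerprint (32 bytes)")
    return hexstr

def peer_allowed(peer_pem: str, trusted: list[str]) -> bool:
    """Hypothetical check: the peer is accepted only if its certificate
    fingerprint matches one of the configured trusted values (fail closed)."""
    actual = normalize(sha256_fingerprint(pem_to_der(peer_pem)))
    return any(actual == normalize(t) for t in trusted)
```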

Deprecation of the site-to-site mode with pre-shared keys

The improved security of TLS is already an important reason to migrate from pre-shared keys to certificate fingerprint verification. But there's one more reason: OpenVPN developers plan to remove support for pre-shared keys in the OpenVPN 2.7 release. While there is no timeline for that release yet, it's almost certain that VyOS 1.5 will be unable to support that mode, so we encourage everyone to migrate as soon as possible. We hope to maintain support for that mode throughout the lifespan of VyOS 1.4/Sagitta, but it's difficult to predict.

Removal of the Blowfish cipher

Blowfish was the default cipher of OpenVPN from the start. In the early 2000s, it was secure, fast, and, most importantly, unencumbered by any patents or other limitations, since Bruce Schneier developed it single-handedly and dedicated it to the public domain. However, it was later shown to be vulnerable to a birthday attack that makes breaking it practical.
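The birthday-bound arithmetic behind that claim, as an added Python illustration that is not part of the original post: Blowfish encrypts 64-bit blocks, so after n blocks under one key the chance that two ciphertext blocks collide (and leak plaintext XORs in CBC mode) is roughly 1 - exp(-n^2 / 2^65), and 32 GiB of traffic already gives about a 39% chance, while AES with 128-bit blocks stays negligible at the same volume. The function names are my own.

```python
import math

def collision_probability(bytes_sent: int, block_bits: int) -> float:
    """Birthday bound: probability that at least two ciphertext blocks
    collide after bytes_sent bytes under one key, for a cipher with
    block_bits-bit blocks (64 for Blowfish, 128 for AES).
    p ~= 1 - exp(-n^2 / (2 * 2^b)), n = number of blocks."""
    n = bytes_sent // (block_bits // 8)
    return -math.expm1(-(n * n) / (2.0 * 2.0 ** block_bits))

def bytes_for_probability(p: float, block_bits: int) -> int:
    """Inverse: bytes that can be sent under one key before the collision
    probability reaches p. A rekey threshold should stay well below this."""
    n = math.sqrt(-2.0 * 2.0 ** block_bits * math.log1p(-p))
    return int(n) * (block_bits // 8)

def compare(bytes_sent: int) -> dict:
    """Same traffic volume, 64-bit (Blowfish) vs 128-bit (AES) blocks."""
    return {
        "blowfish-64": collision_probability(bytes_sent, 64),
        "aes-128": collision_probability(bytes_sent, 128),
    }

if __name__ == "__main__":
    gib = 32 * 2 ** 30
    for cipher, p in compare(gib).items():
        print(f"{cipher}: p(collision after 32 GiB) = {p:.3g}")
    print("Blowfish bytes to reach p=0.5:", bytes_for_probability(0.5, 64))
```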

In VyOS, we try to maintain compatibility with older configurations and provide an option to keep using older, less secure settings for people who cannot easily upgrade their systems or have to interface with networks whose operators are unwilling to upgrade. We made an effort to re-enable Blowfish when OpenVPN disabled it by default. But there are limits, and the security risk is very real, so both the bf128 and bf256 options will be removed before the 1.4 release, and clients configured to use only those ciphers will be unable to connect until they are reconfigured or upgraded.

We hope that all these improvements will help everyone create fast, secure, and easy-to-manage VPN setups for years to come!

OpenVPN in 1.3.x

One especially interesting question is Blowfish cipher support in VyOS 1.3.5. For VyOS 1.3.4, which will be released within a week, we decided to maintain compatibility with old configs and allow Blowfish by default.

However, here's where it gets complicated:

  • OpenVPN 2.5.x (currently used in VyOS 1.3.x) supports Blowfish 128 and 256, but does not support peer fingerprint verification.
  • OpenVPN 2.6.x supports peer fingerprint verification but removes the key size option, making it impossible to use Blowfish 256.

Thus, to create a migration path for VyOS 1.3.x users and allow them to start using site-to-site OpenVPN with peer fingerprint verification, we must sacrifice compatibility and remove at least Blowfish 256 support.

We'd like to hear from all VyOS users what cipher you use for OpenVPN. If you do rely on Blowfish support, please let us know!
