Differences

This shows you the differences between two versions of the page.

--- doc:appunti:linux:sa:debian_upgrade_11_12 [2025/03/03 16:33] – [pnp4nagios] niccolo
+++ doc:appunti:linux:sa:debian_upgrade_11_12 [2025/06/24 11:53] (current) – [Configuration with TLS] niccolo
@@ Line 125: / Line 125: @@
 ===== OpenVPN BF-CBC not supported =====
-L'opzione **cipher** viene usata quando si usa una configurazione con l'opzione **secret** e pre-shared-key, una situazione che in generale dovrebbe essere rimpiazzata dalle configurazioni TLS (es. EasyRSA).
+==== Configuration with --secret PSK ====
-L'impostazione predefinita per **cipher** è **BF-CBC**, che però non è più presente in **OpenVPN 2.6.3** (controllare con ''%%openvpn --show-ciphers%%''); si deve quindi necessariamente indicare un protocollo diverso, ad esempio:
+In a configuration with PSK (**%%--secret%%** option) the **%%--cipher%%** parameter selects the cipher to use on the data channel. The default setting would be **BF-CBC**, but this is no longer present in **OpenVPN 2.6.3** (check with ''%%openvpn --show-ciphers%%''). You must therefore specify a different protocol, for example with:
+<file>
+# Do not use the default BF-CBC cipher, it was removed because of its 64-bit block size.
+cipher AES-256-CBC
+# Get the PSK from the external file.
+secret my-openvpn-secret.key
+</file>
+Of course, the other end of the VPN must support the same encryption. **WARNING**: Use **AES-256-CBC** because e.g. **AES-256-GCM** is not supported in pre-shared keys mode.
+==== Configuration with TLS ====
+With OpenVPN 2.6.x the **%%--cipher%%** option should not be used any longer in TLS mode (e.g. when using EasyRSA).
+With OpenVPN 2.4.x or lower: The values declared into the %%--cipher%% option were appended to **%%--data-ciphers%%** for compatiblity, this is not longer the case. You have to explicitly declare **%%--data-ciphers%%** and remove ''%%--cipher%%'':
 <code>
-# The --cipher option is used to connect OpenVPN older than 2.6.0 using pre-shared keys.
+# The --cipher option should not be used any longer with OpenVPN 2.6 in TLS mode.
-# Notice that AES-256-GCM is not supported in pre-shared keys mode.
 #cipher AES-256-CBC
-#
+# Use --data-ciphers adding the AES-256-CBC to the default value, e.g. for OpenVPN 2.3 clients.
-# Newer connections using TLS uses the --data-ciphers option.
+data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
-data-ciphers AES-256-GCM:AES-128-GCM
+# Use --data-ciphers-fallback for peers that are old or have negotiation disabled,
+# e.g. peers running OpenVPN 2.3 or older, or some embedded devices.
+data-ciphers-fallback AES-256-CBC
 </code>
 ===== PostgreSQL da 13 a 15 =====
@@ Line 283: / Line 300: @@
 </code>
-infatti la costante **MB_OVERLOAD_STRING** è stata rimossa da PHP 8.0.0.
+infatti la costante ''MB_OVERLOAD_STRING'' è stata rimossa da PHP 8.0.0.
 Si può installare **pnp4nagios-0.6.27-5** che risolve questa incompatibilità. Download da [[https://github.com/pnp4nagios/pnp4nagios/tree/v0.6.27-5|GitHub]] della **tag release 0.6.27-5** e compilazione: