Hello! All changes have now been implemented, and the examples in https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/VPN have been updated. If you have not changed your client configuration yet, your setup should now be successfully broken! :-)
Best,
Georg

On 4/4/24 23:09, Georg Pfuetzenreuter wrote:
Hello!
We are implementing changes to the Heroes OpenVPN. There are three changes - two are already implemented, and you likely did not notice - the other is breaking and requires changes in your client configuration after the 12th of April (one week from now)!
SHORT version:
On April 12th, please visit the Admin Wiki and update your OpenVPN client configuration with the latest examples:
Native OpenVPN: https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/VPN#OpenVPN-...
NetworkManager: https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/VPN#NetworkM...
Afterwards, delete any files containing Heroes credentials in plain text.
VERBOSE version:
1. BREAKING: Removal of compression
On April 5th, LZO compression will be disabled on the OpenVPN server. If you want to connect on or after this day, you will have to remove the respective option from your OpenVPN client configuration:
With native OpenVPN:
```
comp-lzo
```
With NetworkManager:
```
compress=lzo
```
If you do not remove this option after it has been disabled on the server, you will receive error messages like "Bad LZO decompression header byte: xxx" blocking you from working in the Heroes network!
This change is implemented due to inherent security issues with compression in OpenVPN: https://community.openvpn.net/openvpn/wiki/Compression.
2. Non-breaking: Removal of user/password authentication and change of ciphers
Previously we used two layers of authentication for OpenVPN:
- LDAP username/password
- client certificates
The LDAP layer is removed as it often encourages users to store sensitive data (i.e. the same passphrase also used for sudo elevation to root on our systems!) in plain text and does not yield a security benefit given the existing use of client certificates.
Additionally, we adjust the ciphers to make use of hardware acceleration and to decrease CPU load as well as latency for users in remote locations far away from our data center.
These changes have already been implemented and are compatible with existing clients - however we still ask you to remove the following lines from your client configuration:
With native OpenVPN:
```
auth-user-pass.*
cipher AES-256-CBC
data-ciphers AES-256-CBC
```
With NetworkManager:
```
username=.*
password-flags=.*
cipher=AES-256-CBC
[vpn-secrets]
password=.*
```
Make sure to also delete any files containing the plain text credentials, such as the file previously passed as an argument to "auth-user-pass".
You can already implement the changes mentioned in point 2 now, or you do it together with the mandatory change mentioned in point 1 on April 12th.
All these changes are tracked and explained in https://progress.opensuse.org/issues/151492.
Thanks for collaborating! If you have any questions, please let me know.
Georg
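The following script is an added example, not part of the mailing-list thread and not openSUSE Heroes tooling. It audits a native OpenVPN client config and a NetworkManager keyfile for the options the announcement asks clients to remove (the breaking `comp-lzo`/`compress=lzo`, the `auth-user-pass` and username/password entries, and the pinned `AES-256-CBC` cipher lines), lists the plain-text credential file that `auth-user-pass` points at so it can be deleted, writes out a cleaned copy, and recognises the "Bad LZO decompression header byte" log message that a stale config produces. The two sample configs, the host name `vpn.example.invalid` and the paths under `/home/hero` are constructed for illustration.

```python
"""Audit OpenVPN client configs for the options the April 2024 Heroes VPN
announcement asks clients to drop, and emit a cleaned copy.

Added example, not part of the mailing-list thread or of any openSUSE
tooling.  Sample configs, host name and paths below are constructed."""
import configparser
import io
import re

# Native OpenVPN config lines to remove: (pattern, reason)
OPENVPN_RULES = [
    (re.compile(r"^comp-lzo(\s|$)"), "BREAKING: LZO compression is disabled on the server"),
    (re.compile(r"^auth-user-pass(\s|$)"), "LDAP username/password layer removed"),
    (re.compile(r"^cipher\s+AES-256-CBC(\s|$)"), "pinned cipher removed after server-side cipher change"),
    (re.compile(r"^data-ciphers\s+AES-256-CBC(\s|$)"), "pinned data-ciphers removed after server-side cipher change"),
]

# NetworkManager keyfile options to remove: (section, key, value predicate or None, reason)
NM_RULES = [
    ("vpn", "compress", lambda v: v == "lzo", "BREAKING: LZO compression is disabled on the server"),
    ("vpn", "username", None, "LDAP username/password layer removed"),
    ("vpn", "password-flags", None, "LDAP username/password layer removed"),
    ("vpn", "cipher", lambda v: v == "AES-256-CBC", "pinned cipher removed after server-side cipher change"),
    ("vpn-secrets", "password", None, "plain-text VPN password must not remain on disk"),
]


def audit_openvpn(text):
    """Return (line_no, line, reason) for each native OpenVPN line that must go."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        for pattern, reason in OPENVPN_RULES:
            if pattern.match(line):
                findings.append((no, line, reason))
                break
    return findings


def credential_files(text):
    """Paths given to auth-user-pass: the plain-text credential files to delete."""
    paths = []
    for raw in text.splitlines():
        parts = raw.split()  # unquoted paths only; enough for the common case
        if len(parts) >= 2 and parts[0] == "auth-user-pass":
            paths.append(parts[1])
    return paths


def clean_openvpn(text):
    """Return the config with every flagged line removed, other lines untouched."""
    drop = {no for no, _, _ in audit_openvpn(text)}
    kept = [l for no, l in enumerate(text.splitlines(), 1) if no not in drop]
    return "\n".join(kept) + "\n"


def _parse_keyfile(text):
    # NM keyfiles are INI-like; keys are case-sensitive and values may contain '%'
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_nm_keyfile(text):
    """Return (section, key, reason) for each NetworkManager option that must go."""
    cp = _parse_keyfile(text)
    findings = []
    for section, key, wanted, reason in NM_RULES:
        value = cp.get(section, key, fallback=None)
        if value is not None and (wanted is None or wanted(value)):
            findings.append((section, key, reason))
    return findings


def clean_nm_keyfile(text):
    """Return the keyfile without the flagged options; drop [vpn-secrets] once empty."""
    cp = _parse_keyfile(text)
    for section, key, _ in audit_nm_keyfile(text):
        cp.remove_option(section, key)
    if cp.has_section("vpn-secrets") and not cp.options("vpn-secrets"):
        cp.remove_section("vpn-secrets")
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # keep NM's key=value form
    return out.getvalue()


def lzo_mismatch(log_lines):
    """True if a client log shows the compression mismatch a stale config causes."""
    return any("Bad LZO decompression header byte" in l for l in log_lines)


# Constructed sample: an old-style client config carrying all four obsolete lines
SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.invalid 1194
comp-lzo
auth-user-pass /home/hero/.heroes-vpn-creds
cipher AES-256-CBC
data-ciphers AES-256-CBC
cert hero.crt
key hero.key
"""

# Constructed sample: the matching NetworkManager keyfile
SAMPLE_NM = """\
[connection]
id=heroes
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
remote=vpn.example.invalid
compress=lzo
username=hero
password-flags=0
cipher=AES-256-CBC
cert=/home/hero/hero.crt
key=/home/hero/hero.key

[vpn-secrets]
password=not-a-real-password
"""

if __name__ == "__main__":
    for no, line, reason in audit_openvpn(SAMPLE_OVPN):
        print(f"ovpn line {no}: remove '{line}' ({reason})")
    for path in credential_files(SAMPLE_OVPN):
        print(f"delete plain-text credential file: {path}")
    for section, key, reason in audit_nm_keyfile(SAMPLE_NM):
        print(f"keyfile [{section}] {key}: remove ({reason})")
    print(clean_nm_keyfile(SAMPLE_NM))
```

Point `audit_openvpn` at the contents of your `.ovpn` file and `audit_nm_keyfile` at the keyfile under `/etc/NetworkManager/system-connections/`; the cleaned output is a replacement, not an in-place edit, so review it before overwriting anything. The audit deliberately matches only the exact lines named in the announcement, so a different pinned cipher or a `compress` value other than `lzo` is left for a human to decide on.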