Hello!

We are implementing changes to the Heroes OpenVPN. There are three changes - two are already implemented, and you likely did not notice - the other is breaking and requires changes in your client configuration after the 12th of April (one week from now)!

SHORT version:

On April 12th, please visit the Admin Wiki and update your OpenVPN client configuration with the latest examples:

Native OpenVPN: https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/VPN#OpenVPN-...
NetworkManager: https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/VPN#NetworkM...

Afterwards, delete any files containing Heroes credentials in plain text.

VERBOSE version:

1. BREAKING: Removal of compression

On April 5th, LZO compression will be disabled on the OpenVPN server. If you want to connect on or after this day, you will have to remove the respective option from your OpenVPN client configuration:

With native OpenVPN:
```
comp-lzo
```
With NetworkManager:
```
compress=lzo
```

If you do not remove this option after it has been disabled on the server, you will receive error messages like "Bad LZO decompression header byte: xxx" blocking you from working in the Heroes network!

This change is implemented due to inherent security issues with compression in OpenVPN: https://community.openvpn.net/openvpn/wiki/Compression.

2. Non-breaking: Removal of user/password authentication and change of ciphers

Previously we used two layers of authentication for OpenVPN:
- LDAP username/password
- client certificates

The LDAP layer is removed as it often encourages users to store sensitive data (i.e. the same passphrase also used for sudo elevation to root on our systems!) in plain text and does not yield a security benefit given the existing use of client certificates.

Additionally, we adjust the ciphers to make use of hardware acceleration and to decrease CPU load as well as latency for users in remote locations far away from our data center.

These changes have already been implemented and are compatible with existing clients - however we still ask you to remove the following lines from your client configuration:

With native OpenVPN:
```
auth-user-pass.*
cipher AES-256-CBC
data-ciphers AES-256-CBC
```
With NetworkManager:
```
username=.*
password-flags=.*
cipher=AES-256-CBC
[vpn-secrets]
password=.*
```

Make sure to also delete any files containing the plain text credentials, such as the file previously passed as an argument to "auth-user-pass".

You can already implement the changes mentioned in point 2 now, or you do it together with the mandatory change mentioned in point 1 on April 12th.

All these changes are tracked and explained in https://progress.opensuse.org/issues/151492.

Thanks for collaborating! If you have any questions, please let me know.

Georg
Hello!

All changes have now been implemented, and the examples in https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/VPN have been updated.

If you have not changed your client configuration yet, your setup should now be successfully broken! :-)

Best,
Georg

On 4/4/24 23:09, Georg Pfuetzenreuter wrote:
Hello!
We are implementing changes to the Heroes OpenVPN. There are three changes - two are already implemented, and you likely did not notice - the other is breaking and requires changes in your client configuration after the 12th of April (one week from now)!
SHORT version:
On April 12th, please visit the Admin Wiki and update your OpenVPN client configuration with the latest examples:
Native OpenVPN: https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/VPN#OpenVPN-...
NetworkManager: https://progress.opensuse.org/projects/opensuse-admin-wiki/wiki/VPN#NetworkM...
Afterwards, delete any files containing Heroes credentials in plain text.
VERBOSE version:
1. BREAKING: Removal of compression
On April 5th, LZO compression will be disabled on the OpenVPN server. If you want to connect on or after this day, you will have to remove the respective option from your OpenVPN client configuration:
With native OpenVPN:
```
comp-lzo
```
With NetworkManager:
```
compress=lzo
```
If you do not remove this option after it has been disabled on the server, you will receive error messages like "Bad LZO decompression header byte: xxx" blocking you from working in the Heroes network!
This change is implemented due to inherent security issues with compression in OpenVPN: https://community.openvpn.net/openvpn/wiki/Compression.
2. Non-breaking: Removal of user/password authentication and change of ciphers
Previously we used two layers of authentication for OpenVPN:
- LDAP username/password
- client certificates
The LDAP layer is removed as it often encourages users to store sensitive data (i.e. the same passphrase also used for sudo elevation to root on our systems!) in plain text and does not yield a security benefit given the existing use of client certificates.
Additionally, we adjust the ciphers to make use of hardware acceleration and to decrease CPU load as well as latency for users in remote locations far away from our data center.
These changes have already been implemented and are compatible with existing clients - however we still ask you to remove the following lines from your client configuration:
With native OpenVPN:
```
auth-user-pass.*
cipher AES-256-CBC
data-ciphers AES-256-CBC
```
With NetworkManager:
```
username=.*
password-flags=.*
cipher=AES-256-CBC
[vpn-secrets]
password=.*
```
Make sure to also delete any files containing the plain text credentials, such as the file previously passed as an argument to "auth-user-pass".
You can already implement the changes mentioned in point 2 now, or you do it together with the mandatory change mentioned in point 1 on April 12th.
All these changes are tracked and explained in https://progress.opensuse.org/issues/151492.
Thanks for collaborating! If you have any questions, please let me know.
Georg
On Fri, 12 Apr 2024 17:42:29 +0200, Georg Pfuetzenreuter wrote:
If you have not changed your client configuration yet, your setup should now be successfully broken! :-)
I can confirm that (just haven't had a chance to change it yet, will do so later today). :)

--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Fri, 12 Apr 2024 17:42:29 +0200, Georg Pfuetzenreuter wrote:
You can already implement the changes mentioned in point 2 now, or you do it together with the mandatory change mentioned in point 1 on April 12th.
All these changes are tracked and explained in https://progress.opensuse.org/issues/151492.
Thanks for collaborating! If you have any questions, please let me know.
Seeing some weird behaviour here - I put the changes in place, and I can connect, but I get prompted for a password by NetworkManager (TW/GNOME). I can enter any string for the password (just tested with a value that I have never used anywhere as a password), and it's accepted and the connection starts up.

If I then disconnect, I cannot reconnect. systemctl status NetworkManager reports:

--- snip ---
Apr 23 11:46:06 TheEarth nm-openvpn[33438]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Apr 23 11:46:06 TheEarth nm-openvpn[33438]: OpenVPN 2.6.10 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
Apr 23 11:46:06 TheEarth nm-openvpn[33438]: library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Apr 23 11:46:07 TheEarth NetworkManager[29868]: <warn> [1713897967.0501] vpn[0x5587d4bd3890,37972c34-4e21-4bc6-8e94-aa4eee316ef4,"Heroes"]: secrets: failed to request VPN secrets #4: No agents were available for this request.
Apr 23 11:46:07 TheEarth nm-openvpn[33438]: ERROR: could not read Auth username/password/ok/string from management interface
Apr 23 11:46:07 TheEarth nm-openvpn[33438]: Exiting due to fatal error
--- snip ---

If I look in /etc/NetworkManager/system-connections/Heroes.nmconnection, I see the value that I entered as a password in the [vpn-secrets] section as a password= value.

If I delete that section and the password= value, I can log in again.

Very strange.

--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On 4/23/24 20:48, Jim Henderson wrote:
On Fri, 12 Apr 2024 17:42:29 +0200, Georg Pfuetzenreuter wrote:
If I look in the /etc/NetworkManager/system-connections/Heroes.nmconnection, I see the value that I entered as a password in the [vpn-secrets] section as a password= value.
If I delete that section and the password= value, I can log in again.
Very strange.
Hi Jim,

sorry you're having issues with it. In my testing, the passphrase was silently ignored. But since providing the passphrase using the "[vpn-secrets]" section is not needed anymore anyways, you might as well delete it and avoid storing the passphrase in plain text.

Best,
Georg
On Tue, 23 Apr 2024 20:59:17 +0200, Georg Pfuetzenreuter wrote:
sorry you're having issues with it. In my testing, the passphrase was silently ignored. But since providing the passphrase using the "[vpn-secrets]" section is not needed anymore anyways, you might as well delete it and avoid storing the passphrase in plain text.
No worries - I did remove that section, and it just added it back in after prompting me.

--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On 23.04.24 21:51 Jim Henderson wrote:
On Tue, 23 Apr 2024 20:59:17 +0200, Georg Pfuetzenreuter wrote:
In my testing, the passphrase was silently ignored. But since providing the passphrase using the "[vpn-secrets]" section is not needed anymore anyways, you might as well delete it and avoid storing the passphrase in plain text.
No worries - I did remove that section, and it just added it back in after prompting me.
I have not used OpenVPN and NetworkManager in a long time, but wasn't there an option to skip asking for a passphrase?

Kind Regards,
Johannes
On Tue, 23 Apr 2024 21:56:04 +0200, Johannes Kastl wrote:
I have not used OpenVPN and NetworkManager in a long time, but wasn't there an option to skip asking for a passphrase?
Ah, that helped. I don't see what got changed in the configuration file, but I changed the config in the NetworkManager GUI to use Certificates only rather than Certificates + Password, and that seems to have resolved it.

Thanks for the pointer!

--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
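The client-side edits from Georg's announcement (drop comp-lzo / compress=lzo, auth-user-pass, the pinned AES-256-CBC cipher lines, username, password-flags and the [vpn-secrets] password) together with the fix Jim arrived at above (switching the NetworkManager profile from "Certificates + Password" to "Certificates only"), as an added example that is not code from the thread or from the openSUSE Heroes project. It is a Python script that cleans a native OpenVPN client config and a nm-openvpn keyfile, reports the plain-text credential file that auth-user-pass pointed at so it can be deleted, and rewrites connection-type=password-tls to connection-type=tls. Assumptions: the sample configs, hostname, paths, username and password are constructed; connection-type=tls is taken to be the keyfile form of the GUI's "Certificates" choice; and the native `compress` directive is dropped alongside `comp-lzo`, which goes slightly beyond the announcement's list but follows from the server no longer negotiating compression at all. Any cipher or data-ciphers line is removed regardless of its value, since the server negotiates the cipher now.

```python
"""Migrate a Heroes OpenVPN client setup to the post-change server.

Added example, not code from the list thread or the openSUSE Heroes project.
The sample configs at the bottom are constructed for illustration.
"""
import re

# Native OpenVPN directives to drop. "compress" is an assumption beyond the
# announcement (which lists comp-lzo): the server negotiates no compression
# at all now, so the newer directive is just as stale.
OPENVPN_DROP = {"comp-lzo", "compress", "auth-user-pass", "cipher", "data-ciphers"}
# nm-openvpn [vpn] keys the announcement asks to remove.
NM_VPN_DROP = {"compress", "comp-lzo", "username", "password-flags", "cipher"}
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def clean_openvpn(text):
    """Return (cleaned config, paths passed to auth-user-pass).

    Blank and comment lines are kept. cipher/data-ciphers go regardless of
    value: the server negotiates the cipher now. The auth-user-pass file is
    reported so the caller can delete the plain-text credentials.
    """
    kept, cred_files = [], []
    for line in text.splitlines():
        words = line.strip().split()
        if not words or words[0].startswith(("#", ";")):
            kept.append(line)
            continue
        directive = words[0].lstrip("-")  # tolerate the "--comp-lzo" spelling
        if directive not in OPENVPN_DROP:
            kept.append(line)
        elif directive == "auth-user-pass" and len(words) > 1:
            cred_files.append(words[1])
    return "\n".join(kept) + "\n", cred_files


def clean_nmconnection(text, certificates_only=True):
    """Return the cleaned NetworkManager keyfile.

    Drops NM_VPN_DROP keys from [vpn] and password= from [vpn-secrets], then
    removes any section left without keys. With certificates_only, the [vpn]
    entry connection-type=password-tls becomes connection-type=tls, assumed
    to be the keyfile form of picking "Certificates" instead of
    "Certificates + Password" in the GUI, so nm-openvpn stops prompting for,
    storing and sending a password.
    """
    out, section = [], None
    for line in text.splitlines():
        s = line.strip()
        m = SECTION_RE.match(s)
        if m:
            section = m.group("name")
        elif "=" in s and not s.startswith("#"):
            key, value = (p.strip() for p in s.split("=", 1))
            if section == "vpn" and key in NM_VPN_DROP:
                continue
            if section == "vpn" and certificates_only \
                    and (key, value) == ("connection-type", "password-tls"):
                out.append("connection-type=tls")
                continue
            if section == "vpn-secrets" and key == "password":
                continue
        out.append(line)
    return _drop_empty_sections(out)


def _drop_empty_sections(lines):
    """Drop a section header followed only by blank lines or another header."""
    result, i = [], 0
    while i < len(lines):
        if SECTION_RE.match(lines[i].strip()):
            j = i + 1
            while j < len(lines) and not lines[j].strip():
                j += 1
            if j == len(lines) or SECTION_RE.match(lines[j].strip()):
                i = j
                continue
        result.append(lines[i])
        i += 1
    return "\n".join(result) + "\n"


# Constructed samples: hostname, paths, username and password are made up.
SAMPLE_OPENVPN = """\
client
dev tun
remote vpn.example.org 1194
comp-lzo
auth-user-pass /home/jim/.heroes-creds
cipher AES-256-CBC
data-ciphers AES-256-CBC
cert /home/jim/heroes.crt
key /home/jim/heroes.key
"""

SAMPLE_NM = """\
[connection]
id=Heroes
type=vpn

[vpn]
connection-type=password-tls
remote=vpn.example.org
username=jim
password-flags=1
cipher=AES-256-CBC
compress=lzo
cert=/home/jim/heroes.crt
service-type=org.freedesktop.NetworkManager.openvpn

[vpn-secrets]
password=hunter2
"""

if __name__ == "__main__":
    cfg, creds = clean_openvpn(SAMPLE_OPENVPN)
    print(cfg)
    print("delete these plain-text credential files:", creds)
    print(clean_nmconnection(SAMPLE_NM))
```

Run it against a copy of your own files first and diff the output; the credential file it reports is exactly the one the announcement asks you to delete, and with a fresh NetworkManager profile the [vpn-secrets] section disappears entirely, so nothing remains for nm-openvpn to hand to the management interface.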