In this recipe, we will change the cryptographic cipher that OpenVPN uses for the data channel. Initially, we will change the cipher only on the client side; the TLS handshake still completes, but the VPN connection then fails as soon as data packets are exchanged. The primary purpose of this recipe is to show the error messages that appear, not to explore the different ciphers that OpenVPN supports.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11, and the client was running Windows 7 64 bit and OpenVPN 2.3.10. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks, as well as the client configuration file, basic-udp-client.conf.

Start the server using the configuration file basic-udp-server.conf:

[root@server]# openvpn --config basic-udp-server.conf

Then add the following line to the client configuration file basic-udp-client.conf:

cipher CAST5-CBC

Save it as example6-1-client.conf and start the client:

[root@client]# openvpn --config example6-1-client.conf
... WARNING: 'cipher' is used inconsistently, local='cipher CAST5-CBC', remote='cipher BF-CBC'
... [openvpnserver] Peer Connection Initiated with server-ip:1194
... TUN/TAP device tun0 opened
... /sbin/ip link set dev tun0 up mtu 1500
... /sbin/ip addr add dev tun0 10.200.0.2/24 broadcast 10.200.0.255
... Initialization Sequence Completed
... Authenticate/Decrypt packet error: cipher final failed
And, similarly, on the server side:

... client-ip:52461 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher CAST5-CBC'
... client-ip:52461 [client1] Peer Connection Initiated with client1:52461
... client1/client-ip:52461 Authenticate/Decrypt packet error: cipher final failed
... client1/client-ip:52461 Authenticate/Decrypt packet error: cipher final failed

The connection is never usable, but it is also not torn down immediately: the TLS control channel comes up, both sides log "Initialization Sequence Completed", and only the data packets fail.

During the connection phase, the client and the server exchange a summary of their configuration (that is where the "'cipher' is used inconsistently" warning comes from), but in OpenVPN 2.3 the data-channel cipher is not negotiated: each side simply uses whatever its own cipher directive says, and BF-CBC is the default when the directive is absent. The control channel is protected by TLS and is unaffected by this directive, which is why the handshake succeeds. The data channel, however, is encrypted and decrypted with the configured cipher, so when the two sides use different ciphers every packet fails authentication or decryption with "cipher final failed"; they are simply not capable of talking to each other. OpenVPN 2.4 and later can negotiate the data-channel cipher (NCP), so this exact symptom mainly shows up on 2.3 and older, or when negotiation is disabled.
By adding the following configuration directive to the server configuration file, so that both sides use the same cipher, the client and the server can communicate again:

cipher CAST5-CBC

Note that CAST5-CBC, like the BF-CBC default, is a 64-bit block cipher; matching the two sides fixes the connectivity problem shown here, but for a production tunnel the cipher should be changed to an AES cipher on both sides.
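The mismatch above is easy to catch before starting either daemon, and easy to pull out of existing logs afterwards. The following Python script is an added example (not code from the book or from the OpenVPN project): it reads a client and a server configuration, applies the OpenVPN 2.3 default of BF-CBC when no cipher directive is present, reports whether the data-channel ciphers match and whether either is a 64-bit block cipher, and extracts the local/remote pair from the "'cipher' is used inconsistently" warning. The configuration snippets and log lines embedded in it are constructed for the example; the comment handling (everything after `#` or `;` is ignored) is a simplification of OpenVPN's config parser.

```python
"""Pre-flight check for OpenVPN 2.3-style static data-channel ciphers.

Added example, not OpenVPN project code. Constructed sample configs and
log lines are embedded below so the script runs offline.
"""
import re

# OpenVPN 2.3 uses BF-CBC when a config has no `cipher` directive.
DEFAULT_CIPHER = "BF-CBC"

# 64-bit block ciphers: vulnerable to birthday-bound (SWEET32-class) attacks
# on long-lived tunnels, so flag them even when both sides agree on them.
WEAK_CIPHERS = {"BF-CBC", "CAST5-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC"}

# Shape of the warning OpenVPN logs when the options summaries differ.
WARN_RE = re.compile(
    r"WARNING: 'cipher' is used inconsistently, "
    r"local='cipher (?P<local>[^']+)', remote='cipher (?P<remote>[^']+)'"
)


def configured_cipher(config_text):
    """Return the cipher from the last effective `cipher` line, or the default.

    Simplification: anything after '#' or ';' is treated as a comment.
    """
    cipher = DEFAULT_CIPHER
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "cipher":
            cipher = parts[1].upper()
    return cipher


def check_pair(client_cfg, server_cfg):
    """Compare the data-channel cipher each side will actually use."""
    client = configured_cipher(client_cfg)
    server = configured_cipher(server_cfg)
    return {
        "client": client,
        "server": server,
        "match": client == server,
        "weak": sorted({c for c in (client, server) if c in WEAK_CIPHERS}),
    }


def parse_mismatch_warnings(log_text):
    """Extract (local, remote) cipher pairs from inconsistency warnings."""
    return [(m.group("local"), m.group("remote")) for m in WARN_RE.finditer(log_text)]


# --- constructed sample input -------------------------------------------------
CLIENT_CONF = """\
client
dev tun
proto udp
remote openvpnserver 1194
cipher CAST5-CBC   # the line added in this recipe
"""

SERVER_CONF = """\
proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
; no cipher line: OpenVPN 2.3 silently falls back to BF-CBC
"""

SERVER_CONF_FIXED = SERVER_CONF + "cipher CAST5-CBC\n"

CLIENT_LOG = """\
WARNING: 'cipher' is used inconsistently, local='cipher CAST5-CBC', remote='cipher BF-CBC'
[openvpnserver] Peer Connection Initiated with server-ip:1194
Initialization Sequence Completed
Authenticate/Decrypt packet error: cipher final failed
"""

if __name__ == "__main__":
    print("before fix:", check_pair(CLIENT_CONF, SERVER_CONF))
    print("after fix: ", check_pair(CLIENT_CONF, SERVER_CONF_FIXED))
    print("from log:  ", parse_mismatch_warnings(CLIENT_LOG))
```

Run it as-is to see the mismatch, the repaired pair, and the warning parsed out of the log; point `configured_cipher` at real files with `open(path).read()` to check a deployment. The "weak" list is non-empty even after the fix, which is the point: matching ciphers restores connectivity, but only switching both sides to AES removes the 64-bit block-size weakness.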
OpenVPN supports quite a few ciphers, although support for some of them is still experimental. To view the list of supported ciphers, type:

$ openvpn --show-ciphers

The output lists every cipher together with its default key size and whether that size is fixed or can be changed with the --keysize directive. Stick to the mainstream entries: the AES family, and on OpenVPN 2.3 also BF-CBC and CAST5-CBC, are well exercised and interoperate reliably, while the more exotic ciphers in the list can lead to unpredictable results. From a security standpoint, prefer AES. BF-CBC, CAST5-CBC and the DES-based ciphers all have a 64-bit block size, which exposes long-lived tunnels to birthday attacks (SWEET32), and BF-CBC is deprecated in OpenVPN 2.4 and later.