Is it possible to change the VPN encryption from cipher AES-128-CBC to cipher BF-CBC
elkabong33
12-15-2007, 09:34 AM
Hello Everyone,
Can anyone tell me if it is possible, and if so how, to change the encryption from cipher AES-128-CBC to cipher BF-CBC in the OpenVPN conf file that Untangle generates? I am trying to connect to the Untangle Server using a router running Tomato 1.11.1219 VPN Mod firmware, and apparently AES doesn't work with that.
Thanks
elkabong33
12-19-2007, 02:43 PM
Any word on this?
Silver Bullet
12-20-2007, 08:05 AM
Not sure. You could be the first to try and let everyone know though. I would imagine that it would need to be done in server.conf.
elkabong33
12-20-2007, 08:33 AM
Not sure. You could be the first to try and let everyone know though. I would imagine that it would need to be done in server.conf.
I have tried changing it to cipher BF-CBC in the server.conf before but the OpenVPN erases my changes.
It would be good if the administrator is able to select which encryption to use. Maybe there could be a drop down box in the setup under
SETUP >> ADVANCED SETTINGS
You can change your Server Port, Site Name and DNS settings there, so I may be wrong, but I think it shouldn't be a big deal to allow the administrator to select the encryption.
elkabong33
12-20-2007, 12:06 PM
Not sure. You could be the first to try and let everyone know though. I would imagine that it would need to be done in server.conf.
Hello SilverBullet,
I spoke to Untangle support today and they have advised me to submit an enhancement request at bugzilla.untangle.com, which I have done. The title of the request is "Ability for Administrator to select VPN encryption" and the Bug number is 3469.
Maybe all of you that require this feature should submit your votes ASAP.
Kermee
06-16-2008, 06:33 PM
BF-CBC works in UT 5.2.1 but you do have to manually edit /etc/openvpn/server.conf with vi:
;cipher AES-128-CBC
cipher BF-CBC
Then look for the openvpn PID, kill it, and restart openvpn from shell/SSH with this:
/usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf &
OpenVPN will start back up in UT using Blowfish.
I had to do this because I'm planning on having several remote VPN sites using wireless routers loaded with DD-WRT and OpenVPN, and wanted to get the maximum transfer speeds I could with the limited amount of CPU power available for encryption on the Broadcoms. Blowfish is best for those.
I really wish the DD-WRT and OpenWRT teams would figure out how to make OpenVPN tap the AES crypto accelerators in those Broadcoms rather than using them just for WPA/WPA2. Still a WiP from both teams...
Cheers,
Kermee
sky-knight
06-17-2008, 12:56 AM
You will also have to put in an override for server.conf to keep the UVM from replacing the file.
Kermee
06-17-2008, 12:12 PM
You will also have to put in an override for server.conf to keep the UVM from replacing the file.
Aye! Good point!
I wanted to make a quick point about how easy it is to get UT 5.2.x working with DD-WRT v24 routers running firmware that includes OpenVPN.
1. Setup a "VPN Site" in the OpenVPN rack. Make sure "is Untangle Server" is unchecked.
2. Distribute the key to yourself via e-mail.
3. Grab the configuration files off UT via web (not the Windows Installer).
4. Unzip the config.zip to a place easily accessible.
5. Log into your DD-WRT router, go under the "Services" tab and enable OpenVPN.
6. Enter in your UT's external IP address under "Server IP/Name".
7. Leave Port (1194), TUN MTU Setting (1500), TUN MTU Extra (32) and TCP MSS (1450) at defaults.
8. Click "Enable" for "Use LZO Compression".
9. Leave "Tunnel Protocol" at UDP. Checkmark "nsCertType".
10. Public Server Cert -- This is the cert in your config.zip in the untangle-vpn folder which is named yourserver-ca.crt. Open it up with a text editor and copy and paste the entire text into the box in DD-WRT.
11. Public Client Cert -- This is the cert in your config.zip in the untangle-vpn folder which is named yourserver-yourclient.crt. Open it up with a text editor and copy and paste only the part between BEGIN CERTIFICATE and END CERTIFICATE, including the BEGIN and END lines, into the box in DD-WRT.
12. Private Client Key -- This is the key in your config.zip in the untangle-vpn folder which is named yourserver-yourclient.key. Open it up with a text editor and copy and paste the entire file into the box in DD-WRT.
13. Hit "Apply Settings" in DD-WRT and your tunnel should come up! Check the "Event Logs" in the OpenVPN rack in UT. You should see it connect!
Cheers,
Kermee
P.S. If you're using the router to NAT, don't forget to disable NAT'ing on tun0:
http://www.dd-wrt.com/wiki/index.php/OpenVPN#Disabling_NAT
sky-knight
06-17-2008, 12:21 PM
I should also point out that if you change the encryption type in server.conf and you set the override, any changes you make in the OpenVPN module won't impact the server.conf file. That being said, you'll have to make your configuration changes without the override, then reset it and go back into the file to adjust the appropriate settings. Then restart the service again. It is a giant pain, but at least you can make it work while the enhancement request is pending.