  1. #21
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,958

    Off topic a bit, but I need to correct an earlier post of mine.

    I'm sad to report, there doesn't appear to be WireGuard support in the native VPN client of Windows 10 2004.

    The insider news I was reading lied to me! LIED! *shakes fists at the heavens*

    Oh well, 3rd party client it is... may it be configured with nothing but push and pixie dust.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  2. #22
    Master Untangler bluechris's Avatar
    Join Date
    May 2016
    Location
    Athens, Greece
    Posts
    161

    Guys, my home updated to 15.1. OK, I lost connection to work because I am with MD5. I rolled back to yesterday's backup and I'm back in business, and I had disabled the updates on all my company installations.

    Now, do I need to do something extra in the config when I remove OpenVPN from everywhere and reinstall? All my clients are on OpenVPN below version 3. Or do I need to have something extra to cover any client that will be on version 3+ of the OpenVPN client software? I'm a bit confused, and sorry for asking.

  3. #23
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,013

    MD5 certificates have not been secure since about 2016. Security is always an ongoing upgrade battle. It gets more difficult on 15.1 since Debian 10 no longer supports MD5 encryption. It is a pain to redistribute new certificates, but having an MD5 tunnel is just about the same as no encryption at this point.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #24
    Master Untangler bluechris's Avatar
    Join Date
    May 2016
    Location
    Athens, Greece
    Posts
    161

    Quote: Originally Posted by jcoffin
    MD5 certificates have not been secure since about 2016. Security is always an ongoing upgrade battle. It gets more difficult on 15.1 since Debian 10 no longer supports MD5 encryption. It is a pain to redistribute new certificates, but having an MD5 tunnel is just about the same as no encryption at this point.

    Yep, I knew that, and it was a deliberate decision to hold out as long as I could until the thing exploded, like now.
    So I just delete and reinstall the OpenVPN module and that's it? I don't need to do something extra? And recreate all my clients, of course.

  5. #25
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,013

    That is it. Just reinstall the OpenVPN app and a new certificate is generated. The remote clients list can be exported and imported so they don't need to be re-entered manually. Same with groups and exported networks. Once saved, redistribute the new OpenVPN configurations.

  6. #26
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,284

    Quote: Originally Posted by bluechris
    Yep, I knew that, and it was a deliberate decision to hold out as long as I could until the thing exploded, like now.
    So I just delete and reinstall the OpenVPN module and that's it? I don't need to do something extra? And recreate all my clients, of course.

    To add to what jcoffin said, the default settings you'll get with a fresh OpenVPN install/re-install are good for both the OpenVPN v2.x Community client series and the v3 Connect client.

    Sky-knight and I were discussing the presence of the "Compress" directive in the new default settings, and the fact that using compression is potentially insecure and no longer recommended (though the potential insecurity is FAR less than MD5); the v3 client explicitly disallows compression in its default settings. I thought it might be best to get rid of the "Compress" directive as a default altogether. This may have confused matters for you; the "Compress" directive sets up the packet framing to *allow* compression, but does not actually enable any compression; a further directive has to be set on the server and pushed to the client to actually turn it on. This would work fine on a current v2.4.x client, but would not be allowed by a v3 client without changing a client-side setting (ominously named "Allow Compression (insecure)"). But in either case, the "Compress" directive itself is fine and is accepted without complaint by both clients.
    I have a v3 VPN connection active as I type, connected to a 15.1 server using 100% stock settings, and the log confirms:
    Code:
    PROTOCOL OPTIONS:
      cipher: AES-256-GCM
      digest: SHA1
      compress: COMP_STUB
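
Added example (not part of the original thread and not Untangle's or OpenVPN's own code): a small audit that separates "framing only" from "compression actually enabled" in OpenVPN config text, following the distinction described in the post above. The function names and sample configs are constructed for illustration; the directive handling assumes OpenVPN 2.4 semantics, where `compress` with no argument (or `stub`) only sets up framing and `comp-lzo` without `no` may compress.

```python
import re

# Constructed sample configs (not taken from the thread).
SAMPLE_STOCK = "# framing only\ncipher AES-256-GCM\ncompress\n"
SAMPLE_PUSHED = 'compress\npush "compress lz4-v2"\n'
SAMPLE_LEGACY = "comp-lzo\n"
SAMPLE_CLEAN = "cipher AES-256-GCM\nauth SHA256\n"

# Arguments to `compress` that keep the framing but never compress payloads.
STUB_ARGS = {"", "stub", "stub-v2"}
PUSH_RE = re.compile(r'^push\s+"([^"]*)"')


def classify(directive):
    """Return 'framing-only', 'compression', or None for one directive."""
    parts = directive.split()
    if not parts:
        return None
    name = parts[0]
    arg = parts[1] if len(parts) > 1 else ""
    if name == "compress":
        return "framing-only" if arg in STUB_ARGS else "compression"
    if name == "comp-lzo":
        # Bare `comp-lzo` defaults to adaptive mode, which can compress.
        return "framing-only" if arg == "no" else "compression"
    return None


def audit(config_text):
    """List (line number, directive, verdict, pushed?) for each finding."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        pushed = PUSH_RE.match(line)
        directive = pushed.group(1) if pushed else line
        verdict = classify(directive)
        if verdict:
            findings.append((lineno, directive, verdict, bool(pushed)))
    return findings


def overall(config_text):
    """Worst case across the whole config: compression > framing-only > none."""
    verdicts = {finding[2] for finding in audit(config_text)}
    for level in ("compression", "framing-only"):
        if level in verdicts:
            return level
    return "none"


if __name__ == "__main__":
    for name in ("SAMPLE_STOCK", "SAMPLE_PUSHED", "SAMPLE_LEGACY", "SAMPLE_CLEAN"):
        print(name, overall(globals()[name]), audit(globals()[name]))
```

A server config that reports "compression" only through a pushed directive is the case a v3 client refuses unless "Allow Compression (insecure)" is turned on.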

  7. #27
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,284

    On the topic of the v3 client, so far I've got a like/dislike attitude towards it, as I suppose is inevitable:

    Likes:
    - useful client-side settings in the UI, you don't have to hand-edit or send out a new profile to change every little thing
    - easy to set an always-on VPN connection (one of those aforementioned settings in the UI)
    - all settings/options/functions seem to be available from the App and the right-click menu
    - happily co-exists with the v2.x client

    Dislikes:
    - small log window, can't be re-sized
    - can't select/copy text from log window, must save log and then open in text editor
    - mouse-wheel works backwards in log window
    - can't access log from right-click menu, must open App
    - the method of selecting/working with multiple VPN profiles in the menu is awkward
    - it's different than the old client, no one likes change

    Overall though, I'm probably going to work towards moving all my connections over to the v3 client. Most of my dislikes seem to center on the log, and I don't normally spend all that much time in the log.

  8. #28
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,284

    For those following along who want clarity on where these different clients are to be had:

    OpenVPN Connect client v3: https://openvpn.net/download-open-vpn/
    OpenVPN community client v2.4.x: https://openvpn.net/community-downloads/

    (the 2.4.7 client was the last included with Untangle; the latest is now v2.4.9)

  9. #29
    Master Untangler bluechris's Avatar
    Join Date
    May 2016
    Location
    Athens, Greece
    Posts
    161

    Quote: Originally Posted by johnsonx42
    To add to what jcoffin said, the default settings you'll get with a fresh OpenVPN install/re-install are good for both the OpenVPN v2.x Community client series and the v3 Connect client.

    Sky-knight and I were discussing the presence of the "Compress" directive in the new default settings, and the fact that using compression is potentially insecure and no longer recommended (though the potential insecurity is FAR less than MD5); the v3 client explicitly disallows compression in its default settings. I thought it might be best to get rid of the "Compress" directive as a default altogether. This may have confused matters for you; the "Compress" directive sets up the packet framing to *allow* compression, but does not actually enable any compression; a further directive has to be set on the server and pushed to the client to actually turn it on. This would work fine on a current v2.4.x client, but would not be allowed by a v3 client without changing a client-side setting (ominously named "Allow Compression (insecure)"). But in either case, the "Compress" directive itself is fine and is accepted without complaint by both clients.
    I have a v3 VPN connection active as I type, connected to a 15.1 server using 100% stock settings, and the log confirms:
    Code:
    PROTOCOL OPTIONS:
      cipher: AES-256-GCM
      digest: SHA1
      compress: COMP_STUB

    The point is, do we really gain anything from compression? Isn't it better, since I will redo everything, to disable compression for the future? If the gains with compression are something like 5%, I think I will disable it overall.

  10. #30
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,958

    Quote: Originally Posted by bluechris
    The point is, do we really gain anything from compression? Isn't it better, since I will redo everything, to disable compression for the future? If the gains with compression are something like 5%, I think I will disable it overall.

    It's disabled with only the compress verb in place; the framing for compression being active isn't the same as actual compression being active. But yeah, if you're doing a nuke, there's no harm that I'm aware of in excluding the compress verbs from client and server configs entirely.
