summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2019-11-11 17:00:35 +0100
committerChristian Poessinger <christian@poessinger.com>2019-11-11 17:00:35 +0100
commit48dcac677525e823b25717947d21129f3e27a961 (patch)
tree553135d615e9d02d09ec8feab3743604a91639a7
parent0e33d4179aefd53435c143b2ad125a8c3fba90e4 (diff)
downloadvyos-documentation-48dcac677525e823b25717947d21129f3e27a961.tar.gz
vyos-documentation-48dcac677525e823b25717947d21129f3e27a961.zip
OpenVPN: add new CLI levels for NCP ciphers
-rw-r--r--docs/vpn/openvpn.rst42
1 files changed, 33 insertions, 9 deletions
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index d0bc279b..19c6160e 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -93,23 +93,47 @@ Remote Configuration:
set interfaces openvpn vtun1 local-address '10.255.1.2'
set interfaces openvpn vtun1 remote-address '10.255.1.1'
-The configurations above will default to using 128-bit Blowfish in CBC mode
-for encryption and SHA-1 for HMAC authentication. These are both considered
-weak, but a number of other encryption and hashing algorithms are available:
+The configurations above will default to using 256-bit AES in GCM mode
+for encryption (if both sides supports NCP) and SHA-1 for HMAC authentication.
+SHA-1 is considered weak, but other hashing algorithms are available, as are
+encryption algorithms:
For Encryption:
+This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or
+OpenVPN version < 2.4.0.
+
.. code-block:: sh
- vyos@vyos# set interfaces openvpn vtun1 encryption
+ vyos@vyos# set interfaces openvpn vtun1 encryption cipher
Possible completions:
des DES algorithm
3des DES algorithm with triple encryption
bf128 Blowfish algorithm with 128-bit key
bf256 Blowfish algorithm with 256-bit key
- aes128 AES algorithm with 128-bit key
- aes192 AES algorithm with 192-bit key
- aes256 AES algorithm with 256-bit key
+ aes128 AES algorithm with 128-bit key CBC
+ aes128gcm AES algorithm with 128-bit key GCM
+ aes192 AES algorithm with 192-bit key CBC
+ aes192gcm AES algorithm with 192-bit key GCM
+ aes256 AES algorithm with 256-bit key CBC
+ aes256gcm AES algorithm with 256-bit key GCM
+
+This sets the accepted ciphers to use when version => 2.4.0 and NCP is
+enabled (which is default). Default NCP cipher for versions >= 2.4.0 is
+aes256gcm. The first cipher in this list is what server pushes to clients.
+
+.. code-block:: sh
+
+ vyos@vyos# set int open vtun0 encryption ncp-ciphers
+ Possible completions:
+ des DES algorithm
+ 3des DES algorithm with triple encryption
+ aes128 AES algorithm with 128-bit key CBC
+ aes128gcm AES algorithm with 128-bit key GCM
+ aes192 AES algorithm with 192-bit key CBC
+ aes192gcm AES algorithm with 192-bit key GCM
+ aes256 AES algorithm with 256-bit key CBC
+ aes256gcm AES algorithm with 256-bit key GCM
For Hashing:
@@ -374,7 +398,7 @@ Server
.. code-block:: sh
- set interfaces openvpn vtun10 encryption 'aes256'
+ set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '172.18.201.10'
set interfaces openvpn vtun10 local-port '1194'
@@ -398,7 +422,7 @@ Client
.. code-block:: sh
- set interfaces openvpn vtun10 encryption 'aes256'
+ set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 persistent-tunnel