AES256-GCM-SHA384 for openVPN

ratin3
Posts: 9
Joined: Mon Feb 24, 2020 5:14 am

AES256-GCM-SHA384 for openVPN

Post by ratin3 » Fri Mar 06, 2020 11:01 pm

Hi,
It looks like SoftEther VPN can't support AES256-GCM-SHA384 for the OpenVPN client. It defaults to AES-128-CBC. Has anybody had any luck enabling AES256-GCM-SHA384? I built the SoftEther binaries from scratch using the latest OpenSSL and other libraries. I enabled and verified it, but the OpenVPN client says the server side is set to the AES-128-CBC cipher.

```
VPN Server/beta1> ServerCipherSet AES256-GCM-SHA384
VPN Server/beta1> ServerCipherGet
Encrypted Algorithm Currently Used by VPN Server:
AES256-GCM-SHA384
```

However, if I create a client config using the server manager, it puts AES-128-CBC / SHA1 in the config file. And if I use this from the client, it works. So basically that tells me I have to enable something else on the server side to be able to utilize the new ciphers that are supported.

Client:
```
Fri Mar 6 02:49:34 2020 UDP link local: (not bound)
Fri Mar 6 02:49:34 2020 UDP link remote: [AF_INET]192.168.0.20:1194
Fri Mar 6 02:49:34 2020 TLS: Initial packet from [AF_INET]192.168.0.20:1194, sid=88a41471 efdbb74f
Fri Mar 6 02:49:34 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Mar 6 02:49:34 2020 VERIFY KU OK
Fri Mar 6 02:49:34 2020 Validating certificate extended key usage
Fri Mar 6 02:49:34 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Mar 6 02:49:34 2020 VERIFY EKU OK
Fri Mar 6 02:49:34 2020 VERIFY OK: depth=0, CN=commsmgr-3847, O=commsmgr-3847, OU=commsmgr-3847, C=US
Fri Mar 6 02:49:34 2020 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-128-CBC'
Fri Mar 6 02:49:34 2020 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Fri Mar 6 02:49:34 2020 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

Fri Mar 6 02:49:34 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Mar 6 02:49:34 2020 [commsmgr-3847] Peer Connection Initiated with [AF_INET]192.168.0.20:1194
Fri Mar 6 02:49:35 2020 SENT CONTROL [commsmgr-3847]: 'PUSH_REQUEST' (status=1)
Fri Mar 6 02:49:36 2020 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 192.168.30.13 192.168.30.14,dhcp-option DNS 192.168.30.1,route-gateway 192.168.30.14,redirect-gateway def1'
Fri Mar 6 02:49:36 2020 OPTIONS IMPORT: timers and/or timeouts modified
Fri Mar 6 02:49:36 2020 OPTIONS IMPORT: --ifconfig/up options modified
Fri Mar 6 02:49:36 2020 OPTIONS IMPORT: route options modified
Fri Mar 6 02:49:36 2020 OPTIONS IMPORT: route-related options modified
Fri Mar 6 02:49:36 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Mar 6 02:49:36 2020 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Mar 6 02:49:36 2020 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Mar 6 02:49:36 2020 ROUTE: default_gateway=UNDEF
Fri Mar 6 02:49:36 2020 TUN/TAP device tun0 opened
Fri Mar 6 02:49:36 2020 TUN/TAP TX queue length set to 100
Fri Mar 6 02:49:36 2020 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Mar 6 02:49:36 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Mar 6 02:49:36 2020 /sbin/ip addr add dev tun0 local 192.168.30.13 peer 192.168.30.14
Fri Mar 6 02:49:36 2020 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Fri Mar 6 02:49:36 2020 Initialization Sequence Completed
Fri Mar 6 02:49:36 2020 AEAD Decrypt error: cipher final failed
Fri Mar 6 02:49:39 2020 AEAD Decrypt error: cipher final failed
Fri Mar 6 02:49:41 2020 AEAD Decrypt error: cipher final failed
Fri Mar 6 02:49:42 2020 AEAD Decrypt error: cipher final failed
^CFri Mar 6 02:49:45 2020 event_wait : Interrupted system call (code=4)
```

Thanks,
Ratin
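
Added example, not part of the post above: a small Python triage of the client log lines quoted in the post. It reports the TLS control-channel suite separately from the data-channel cipher and collects the "used inconsistently" warnings. The function names are illustrative, and the sample lines are copied from the log above.

```python
import re

# Lines copied from the client log in the post above, trimmed to the relevant ones.
SAMPLE_LOG = """\
Fri Mar 6 02:49:34 2020 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-128-CBC'
Fri Mar 6 02:49:34 2020 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Fri Mar 6 02:49:34 2020 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Fri Mar 6 02:49:34 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Mar 6 02:49:36 2020 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Mar 6 02:49:36 2020 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Mar 6 02:49:36 2020 AEAD Decrypt error: cipher final failed
Fri Mar 6 02:49:39 2020 AEAD Decrypt error: cipher final failed
"""

WARN = re.compile(r"WARNING: '([\w-]+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
CTRL = re.compile(r"Control Channel: (\S+), cipher \S+ ([\w-]+)")
DATA = re.compile(r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)'")


def triage(log):
    """Collect negotiated and advertised crypto settings from an OpenVPN client log."""
    report = {"inconsistent": {}, "control_suite": None, "data_cipher": {}, "aead_errors": 0}
    for line in log.splitlines():
        if m := WARN.search(line):
            # Both sides are logged as "<option> <value>"; keep only the value.
            local, remote = (side.partition(" ")[2] for side in m.group(2, 3))
            report["inconsistent"][m.group(1)] = (local, remote)
        elif m := CTRL.search(line):
            report["control_suite"] = m.group(2)
        elif m := DATA.search(line):
            report["data_cipher"][m.group(1)] = m.group(2)
        elif "AEAD Decrypt error" in line:
            report["aead_errors"] += 1
    return report


def data_channel_mismatch(report):
    """True when the client decrypts with its own cipher although the server advertised another."""
    local, remote = report["inconsistent"].get("cipher", (None, None))
    return local is not None and local != remote and report["data_cipher"].get("Decrypt") == local


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    print("data channel mismatch:", data_channel_mismatch(result))
```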

givemesam
Posts: 4
Joined: Mon Mar 09, 2020 7:48 pm

Re: AES256-GCM-SHA384 for openVPN

Post by givemesam » Tue Mar 10, 2020 5:04 pm

I'm new to this, but here is what I know:

You need to change the encryption in 2 places:

1 - In the SoftEther app under (middle of main window) Encryption+Network / Encryption Algorithm name.

2 - And your client.ovpn file needs to have these lines changed:

```
#change this to match whatever you selected above in the application

#cipher AES-128-CBC
#auth SHA1
```

So you would use

```
cipher AES-256-GCM
auth SHA384
```

ratin3
Posts: 9
Joined: Mon Feb 24, 2020 5:14 am

Re: AES256-GCM-SHA384 for openVPN

Post by ratin3 » Wed Mar 11, 2020 7:39 pm

Hi Givemesam, of course I tried those settings on both the server and the client side. It didn't work.

givemesam
Posts: 4
Joined: Mon Mar 09, 2020 7:48 pm

Re: AES256-GCM-SHA384 for openVPN

Post by givemesam » Wed Mar 11, 2020 10:02 pm

Try setting both sides to:

```
cipher AES-256-CBC
auth SHA1
```

Then post a small snippet of your logs too.

motomotes
Posts: 1
Joined: Thu Dec 30, 2021 11:13 pm

Re: AES256-GCM-SHA384 for openVPN

Post by motomotes » Thu Dec 30, 2021 11:37 pm

https://www.softether.org/3-spec
SoftEther VPN Protocol Specification
Supported Payload Protocols: Any Protocols in Ethernet
Upper Underlying Protocol: TLS (Transport Layer Security) 1.0, 1.1, 1.2
Lower Underlying Protocol: TCP/IP and UDP/IP Hybrid (on IPv4 and IPv6)
Ciphers:
RC4-MD5, RC4-SHA, AES128-SHA, AES256-SHA, DES-CBC-SHA and DES-CBC3-SHA

xyvhu123f
Posts: 1
Joined: Tue Jun 13, 2023 2:34 am

Re: AES256-GCM-SHA384 for openVPN

Post by xyvhu123f » Tue Jun 13, 2023 2:43 am

GCM is not supported, use CBC instead.
2 things you should do:
## 1. server
Find the following line in your SoftEther VPN configuration file:
```
string OpenVPNDefaultClientOption ......
```
Change it to:
```
string OpenVPNDefaultClientOption dev-type$20tun,link-mtu$201500,tun-mtu$201500,cipher$20AES-256-CBC,auth$20SHA384,keysize$20128,key-method$202,tls-client
```
I use AES-256-CBC with SHA384 as an example.
## 2. client
Add the following lines to your .ovpn file:
```
data-cipher AES-256-CBC
auth SHA384
```
attention: use data-cipher instead of cipher
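
Added example, not part of the post above: a Python pre-flight check that the server's `OpenVPNDefaultClientOption` string and the client `.ovpn` file name the same cipher and auth digest. It assumes `$20` is the configuration file's escape for a space, as the line in the post suggests; the directive names, including `data-cipher`, are taken as spelled in this thread, and the function names and the stale client sample are constructed for illustration.

```python
import re

# Server line copied from the post above.
SERVER_LINE = ("string OpenVPNDefaultClientOption dev-type$20tun,link-mtu$201500,"
               "tun-mtu$201500,cipher$20AES-256-CBC,auth$20SHA384,keysize$20128,"
               "key-method$202,tls-client")
# Client lines copied from the post above.
CLIENT_OVPN = "data-cipher AES-256-CBC\nauth SHA384\n"
# Constructed sample: a client file still carrying the cipher from the first post.
STALE_CLIENT = "# constructed sample\ncipher AES-256-GCM\n"


def decode_escapes(value):
    """Turn $XX hex escapes back into characters (assumption: $20 is a space)."""
    return re.sub(r"\$([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def server_options(config_line):
    """Parse 'string OpenVPNDefaultClientOption <value>' into {option: argument}."""
    value = config_line.split(None, 2)[2]
    pairs = (item.strip().partition(" ") for item in decode_escapes(value).split(","))
    return {key: arg.strip() for key, _, arg in pairs if key}


def client_options(ovpn_text):
    """Parse a .ovpn file into {directive: argument}, skipping # and ; comment lines."""
    opts = {}
    for line in ovpn_text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            key, _, arg = line.partition(" ")
            opts[key] = arg.strip()
    return opts


def compare(server, client, cipher_keys=("data-cipher", "cipher")):
    """Return findings as strings; an empty list means both sides agree."""
    findings = []
    # Directive spellings follow this thread; the first one present wins.
    client_cipher = next((client[k] for k in cipher_keys if k in client), None)
    if server.get("cipher") != client_cipher:
        findings.append(f"cipher: server={server.get('cipher')} client={client_cipher}")
    if server.get("auth") != client.get("auth"):
        findings.append(f"auth: server={server.get('auth')} client={client.get('auth')}")
    if "GCM" in (server.get("cipher") or ""):
        findings.append("server cipher is a GCM mode, which the post reports as unsupported")
    return findings
```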
