openvpn: renamed the ncp-cipher to data-cipher as per the latest chan…

…ges (#1528)
vyos · Aug 22, 2024 · 78c7e67 · 78c7e67
1 parent 7600f55
commit 78c7e67
Showing 1 changed file with 31 additions and 13 deletions.
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
@@ -147,8 +147,8 @@ Local Configuration:
   set interfaces openvpn vtun1 local-address '10.255.1.1'                         # Local IP of vtun interface
   set interfaces openvpn vtun1 remote-address '10.255.1.2'                        # Remote IP of vtun interface
   set interfaces openvpn vtun1 tls certificate 'openvpn-local'                    # The self-signed certificate
-  set interfaces openvpn vtun1 tls peer-fingerprint <remote cert fingerprint>     # The output of 'run show pki certificate <name> fingerprint sha256
-                                                                                    on the remote rout
+  set interfaces openvpn vtun1 tls peer-fingerprint <remote cert fingerprint>     # The output of 'run show pki certificate <name> fingerprint sha256 on the remote router
+  set interfaces openvpn vtun1 tls role active
 
 Remote Configuration:
 
@@ -163,8 +163,8 @@ Remote Configuration:
   set interfaces openvpn vtun1 local-address '10.255.1.2'                          # Local IP of vtun interface
   set interfaces openvpn vtun1 remote-address '10.255.1.1'                         # Remote IP of vtun interface
   set interfaces openvpn vtun1 tls certificate 'openvpn-remote'                    # The self-signed certificate
-  set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint>       # The output of 'run show pki certificate <name> fingerprint sha256
-                                                                                    on the local router
+  set interfaces openvpn vtun1 tls peer-fingerprint <local cert fingerprint>       # The output of 'run show pki certificate <name> fingerprint sha256 on the local router
+  set interfaces openvpn vtun1 tls role active
 
 Pre-shared keys
 ===============
@@ -253,14 +253,15 @@ Remote Configuration:
   set protocols static route 10.0.0.0/16 interface vtun1
 
 The configurations above will default to using 256-bit AES in GCM mode
-for encryption (if both sides support NCP) and SHA-1 for HMAC authentication.
+for encryption (if both sides support data cipher negotiation) and SHA-1 for HMAC authentication.
 SHA-1 is considered weak, but other hashing algorithms are available, as are
 encryption algorithms:
 
 For Encryption:
 
 This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or
-OpenVPN version < 2.4.0.
+OpenVPN version < 2.4.0. This option should not be used any longer in TLS
+mode and still exists for compatibility with old configurations. 
 
 .. code-block:: none
 
@@ -277,15 +278,16 @@ OpenVPN version < 2.4.0.
     aes256       AES algorithm with 256-bit key CBC
     aes256gcm    AES algorithm with 256-bit key GCM
 
-This sets the accepted ciphers to use when version => 2.4.0 and NCP is
-enabled (which is the default). Default NCP cipher for versions >= 2.4.0 is
-aes256gcm. The first cipher in this list is what server pushes to clients.
+This option was called --ncp-ciphers in OpenVPN 2.4 but has been renamed 
+to --data-ciphers in OpenVPN 2.5 to more accurately reflect its meaning.
+The first cipher in that list that is also in the client's --data-ciphers list
+is chosen. If no common cipher is found the client is rejected.
 
 .. code-block:: none
 
-  vyos@vyos# set int open vtun0 encryption ncp-ciphers
+  vyos@vyos# set int open vtun0 encryption data-ciphers
   Possible completions:
-    des          DES algorithm
+    none         Disable encryption
     3des         DES algorithm with triple encryption
     aes128       AES algorithm with 128-bit key CBC
     aes128gcm    AES algorithm with 128-bit key GCM
@@ -591,7 +593,7 @@ Server Side
 
 .. code-block:: none
 
-  set interfaces openvpn vtun10 encryption cipher 'aes256'
+  set interfaces openvpn vtun10 encryption data-ciphers 'aes256'
   set interfaces openvpn vtun10 hash 'sha512'
   set interfaces openvpn vtun10 local-host '172.18.201.10'
   set interfaces openvpn vtun10 local-port '1194'
@@ -617,7 +619,7 @@ Client Side
 
 .. code-block:: none
 
-  set interfaces openvpn vtun10 encryption cipher 'aes256'
+  set interfaces openvpn vtun10 encryption data-ciphers 'aes256'
   set interfaces openvpn vtun10 hash 'sha512'
   set interfaces openvpn vtun10 mode 'client'
   set interfaces openvpn vtun10 persistent-tunnel
@@ -629,6 +631,10 @@ Client Side
   set interfaces openvpn vtun10 tls crypt-key client-1
   set interfaces openvpn vtun10 use-lzo-compression
 
+.. note:: Compression is generally not recommended. VPN tunnels which use
+   compression are susceptible to the VORALCE attack vector. Enable compression
+   if needed.
+
 Options
 =======
 
@@ -855,6 +861,18 @@ The following commands let you check tunnel status.
    Use this command to check the tunnel status for OpenVPN site-to-site
    interfaces.
 
+OpenVPN Logs
+------------
+
+.. opcmd:: show log openvpn
+
+   Use this command to check log messages which include entries for successful
+   connections as well as failures and errors related to all OpenVPN interfaces.
+
+.. opcmd:: show log openvpn interface <name>
+
+   Use this command to check log messages specific to an interface.
+
 
 Reset OpenVPN
 -------------