Koozali.org: home of the SME Server

OpenVPN Bridge - Questions about key generation problems

ttech
OpenVPN Bridge - Questions about key generation problems
« on: December 22, 2016, 10:11:30 PM »
Hello!
I just installed the OpenVPN Bridge & PHPki contribs.  I thought I had followed all instructions to the letter, and the system does work, but I am concerned that something has gone wrong.  ONE contributing factor in this is that my mouse had been starting to go south (random double clicks, unexpected jumps while viewing etc.) and is now in the bin.

While generating the keys / certificates all seemed well until I generated the DH parameters.  While following the examples with values shown in the wiki, the DH parameter output looked very different from the screen shot in the wiki - it had only 7 or 8 lines rather than the thirty or forty shown in the example.  At this time, I started suspecting that something was amiss and looked for a way to regenerate the root and start over (suspecting that maybe the mouse had changed the key size or something).  I also decided to use the static key while in the test mode to presumably make the impaired setup a little harder to break into (is this a correct assumption?).

Not finding this, just for laughs I tried it out with the OpenVPN client for Win7 and it does connect successfully.  Looking at the client log, I see the following line:
"WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC)."

Now I know that this setup is imperfect, and I wish to replace it.  Am I correct in believing that the cipher used during communications is weak, as well as the initial handshaking?

I intend to redo the installation.  Does anyone know what may have gone wrong during the initial setup?  Is there any way to repair / redo what is in place or do I have to completely remove the contribution to start again with a new root?  Will this also remove all of the certificates so that there is no interaction with the previous values if I reinstall and recreate?  Please advise.  If you need any log output, etc., let me know which / what / how.

As an aside, the OpenVPN client referred to in the wiki is no longer being developed by the person named in the wiki.  I downloaded a client from openvpn.net at:
"https://openvpn.net/index.php/open-source/downloads.html".  I trust that this was a valid choice!?

Thank you in advance for any help!

Arnaud
Re: OpenVPN Bridge - Questions about key generation problems
« Reply #1 on: December 26, 2016, 09:36:02 PM »
Hi ttech,
unfortunately I'm not an expert.......
I haven't understood whether the problem is your self-generated CA or the other certificates based on it!

I propose that you:
- have a look here https://forums.contribs.org/index.php/topic,52765.0.html at reply #3 by Daniel, generate the DH parameters again and see if you get what you expected
- make a current backup of the SME
- restore the last backup you have from before the installation of PHPki
- install PHPki and OpenVPN-Bridge once again and check whether you get a better result without the mouse issue.

If it's better, then restore the current backup, try to uninstall the contribs (see the section "uninstall", especially for PHPki) and reinstall.

This was my 2 cents contribution  :?

Bye
Arnaud


Arnaud
Re: OpenVPN Bridge - Questions about key generation problems
« Reply #2 on: December 29, 2016, 03:45:59 PM »
Hello,
I successfully installed smeserver-openvpn-bridge yesterday without any problem. :smile:

When connecting a Fedora client with the default config, the journal also gives:
"WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC)."

For this, the following is written in the wiki under "advanced configuration":
Quote
  cipher: (valid cipher name) You can force the cipher to use. If you put auto, or delete this key, client and server will negotiate the strongest cipher both sides support. To get the list of supported ciphers, issue the command
Code:
openvpn --show-ciphers

=> just by following the instruction:
Code:
db configuration setprop openvpn-bridge cipher AES-256-CBC
signal-event openvpn-bridge-update
and configuring the client to use AES-256-CBC too

=> no warning message any more!  :lol:
Bye
Arnaud
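The SWEET32 warning quoted in this thread comes from the cipher's 64-bit block size (OpenVPN's historical default BF-CBC, and also the DES and CAST5 family), and the fix Arnaud applied is to force a 128-bit-block cipher such as AES-256-CBC on both server and client. The script below is an added example, not from the thread, the wiki or the contrib: it reads the "cipher" directive from an OpenVPN config file and reports whether the configured cipher is SWEET32-susceptible, so a client or server config can be checked before it is deployed. The three config files are constructed samples written to a temporary directory; the remote host name and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not the contrib's code): classify the "cipher" directive of an
# OpenVPN config by block size, so a 64-bit-block cipher is flagged before the
# client log prints the SWEET32 warning.

# Block size in bits for a cipher name as OpenVPN spells it. Only the common
# names are mapped; anything else is reported as "unknown", "none" as 0.
cipher_block_bits() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        BF-*|DES-*|CAST5-*)       echo 64 ;;
        AES-*|CAMELLIA-*|SEED-*)  echo 128 ;;
        NONE)                     echo 0 ;;
        *)                        echo unknown ;;
    esac
}

# Cipher named in a config file. This example takes the last "cipher" line
# and falls back to BF-CBC, OpenVPN's historical default, when none is set.
config_cipher() {
    c=$(sed -n 's/^[[:space:]]*cipher[[:space:]]\{1,\}\([^[:space:]#;]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$c" ]; then echo "$c"; else echo BF-CBC; fi
}

# Exit 0 for a 128-bit-block cipher, 1 for a 64-bit-block cipher or "none",
# 2 when the cipher name is not recognised.
check_openvpn_cipher() {
    c=$(config_cipher "$1")
    case "$(cipher_block_bits "$c")" in
        128) echo "OK:      $1 uses $c (128-bit block)"; return 0 ;;
        64)  echo "WEAK:    $1 uses $c (64-bit block, SWEET32)"; return 1 ;;
        0)   echo "WEAK:    $1 uses $c (no encryption)"; return 1 ;;
        *)   echo "UNKNOWN: $1 uses $c (not in the table)"; return 2 ;;
    esac
}

# Constructed sample configs (assumed file names and host; not real server files).
tmp=$(mktemp -d)
cat > "$tmp/weak.ovpn" <<'EOF'
client
dev tap
remote vpn.example.invalid 1194
# explicit Blowfish: the case that triggers the warning quoted above
cipher BF-CBC
EOF
cat > "$tmp/fixed.ovpn" <<'EOF'
client
dev tap
remote vpn.example.invalid 1194
# matches: db configuration setprop openvpn-bridge cipher AES-256-CBC
cipher AES-256-CBC
EOF
cat > "$tmp/default.ovpn" <<'EOF'
client
dev tap
remote vpn.example.invalid 1194
EOF

# Run the check over the samples; "|| :" keeps the loop going under "set -e".
for f in "$tmp/weak.ovpn" "$tmp/fixed.ovpn" "$tmp/default.ovpn"; do
    check_openvpn_cipher "$f" || :
done
```

Run it on your real client .ovpn and on the server's generated config to confirm both sides name the same 128-bit-block cipher; a config with no "cipher" line is reported as weak because the example assumes the BF-CBC default rather than relying on negotiation.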