
OpenVPN and TLS v1.3

Discussion in 'Asuswrt-Merlin' started by Mutzli, Jun 19, 2019.

  1. Mutzli

    Mutzli Senior Member

    Joined:
    Dec 22, 2014
    Messages:
    291
    Does anyone know how to enable TLS v1.3 instead of TLS v1.2 in OpenVPN?

    Right now the control channels in my system log shows:
    Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    when opening a connection from a client.

    Question 1:
    Do I have to choose a different cipher?
    The OpenVPN wiki says (https://wiki.openssl.org/index.php/TLS1.3) that the control channel TLS13-AES-256-GCM-SHA384 should be available to enable TLS v1.3, which is not an option in the router config. Does that mean the current OpenVPN implementation in 384.12_beta2 doesn't support TLS v1.3 yet?

    Question 2:
    Is the problem client side?
    Do I have to change the *.ovpn configuration to establish a TLSv1.3 connection?
     
  2. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    287
    I would say that it is the server you connect to.
    Your OpenVPN client supports OpenVPN 2.4.7 and OpenSSL 1.1.1c and TLS 1.3.
    The server you connect to probably is OpenVPN 2.4.6 (TLS 1.2 is considered safe).
     
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,166
    Location:
    Canada
    You simply need to have BOTH ends support TLS 1.3, and it will be automatically used. Right now, very few servers support 1.3, as it requires a bleeding edge version of OpenSSL.
     
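    As an added example that is not part of the thread, a small Python audit script that parses OpenVPN server log lines in the "Control Channel: TLSv1.2, cipher ..." format quoted above and reports which TLS version each client actually negotiated, so you can see which peers still lack TLS 1.3 support on one end. The log lines are constructed samples; the peer addresses and regex are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines mimicking an OpenVPN 2.4 server log (not a real capture).
SAMPLE_LOG = """\
Jun 19 20:01:02 router openvpn[1234]: 203.0.113.10:51234 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Jun 19 20:03:44 router openvpn[1234]: 198.51.100.7:40001 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
Jun 19 20:05:10 router openvpn[1234]: 192.0.2.22:55000 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Jun 19 20:06:00 router openvpn[1234]: 192.0.2.22:55000 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized
"""

# Assumed line shape: "<ip>:<port> Control Channel: TLSv<ver>, cipher TLSv<ver> <suite>"
CONTROL_RE = re.compile(
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) Control Channel: "
    r"TLSv(?P<ver>1\.\d), cipher \S+ (?P<cipher>\S+)"
)


def parse_control_channel(log_text):
    """Return a list of (peer, tls_version, cipher_suite) for every control-channel line."""
    entries = []
    for line in log_text.splitlines():
        m = CONTROL_RE.search(line)
        if m:
            entries.append((m.group("peer"), m.group("ver"), m.group("cipher")))
    return entries


def version_tuple(version):
    """'1.2' -> (1, 2) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def below_minimum(entries, minimum="1.3"):
    """Entries whose negotiated TLS version is older than the policy minimum."""
    floor = version_tuple(minimum)
    return [e for e in entries if version_tuple(e[1]) < floor]


def summarize(entries):
    """Count how many connections negotiated each TLS version."""
    return Counter(ver for _, ver, _ in entries)


if __name__ == "__main__":
    found = parse_control_channel(SAMPLE_LOG)
    print(dict(summarize(found)))
    for peer, ver, cipher in below_minimum(found):
        print(f"{peer} negotiated TLSv{ver} ({cipher}): one end does not offer TLS 1.3")
```

Run it against the real log (for example `cat /tmp/syslog.log` piped into the script) to see whether any client has reached TLSv1.3 at all; if none has, the server build or the client is still negotiating at most TLS 1.2.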
  4. Mutzli

    Mutzli Senior Member

    Joined:
    Dec 22, 2014
    Messages:
    291
    The server is 2.4.7 with OpenSSL 1.1.1c:
    OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 16 2019
    library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.08

    This should support TLS v1.3.
     
  5. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,693
    Maybe just try re-creating the OVPN file again?
     
  6. SMS786

    SMS786 Regular Contributor

    Joined:
    Nov 29, 2017
    Messages:
    179
    This should answer the issues you're having: https://forums.openvpn.net/viewtopic.php?t=27987
     
  7. Mutzli

    Mutzli Senior Member

    Joined:
    Dec 22, 2014
    Messages:
    291
    That might explain why it worked with 2.4.6. But using OpenSSL 1.1.1c and the latest 2.4.7 should include the patches to make it work again since they talk about 1.1.1a and 1.1.1b.
     
  8. SomeWhereOverTheRainBow

    SomeWhereOverTheRainBow Senior Member

    Joined:
    Jun 4, 2019
    Messages:
    223
    By the time TLS 1.3 fully takes over 100%, they will already be having to make a stronger protocol, and TLS 1.2 will be considered the black sheep.