OpenVPN and TLS v1.3

Mutzli

Very Senior Member
Does anyone know how to enable TLS v1.3 instead of TLS v1.2 in OpenVPN?

Right now the control channel in my system log shows:
Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
when opening a connection from a client.

Question 1:
Do I have to choose a different cipher?
The OpenVPN wiki says (https://wiki.openssl.org/index.php/TLS1.3) that the following control channel should be available TLS13-AES-256-GCM-SHA384 to enable TLS v1.3, which is not an option in the router config. Does that mean the current OpenVPN implementation in 384.12_beta2 doesn't support TLS v1.3 yet?

Question 2:
Is the problem client side?
Do I have to change the *.ovpn configuration to establish a TLSv1.3 connection?
 
I would say that it is the server you connect to.
Your OpenVPN client supports OpenVPN 2.4.7, OpenSSL 1.1.1c and TLS 1.3.
The server you connect to is probably OpenVPN 2.4.6 (TLS 1.2 is considered safe).
 
You simply need to have BOTH ends support TLS 1.3, and it will be automatically used. Right now, very few servers support 1.3, as it requires a bleeding edge version of OpenSSL.
 
The server is 2.4.7 with OpenSSL 1.1.1c:
OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 16 2019
library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.08

This should support TLS v1.3
 
Maybe just try re-creating the OVPN file again?
 
This should answer the issues you're having: https://forums.openvpn.net/viewtopic.php?t=27987
 
That might explain why it worked with 2.4.6. But using OpenSSL 1.1.1c and the latest 2.4.7 should include the patches to make it work again since they talk about 1.1.1a and 1.1.1b.
By the time TLS 1.3 fully takes over 100%, they will already be having to make a stronger protocol, and TLS 1.2 will be considered the black sheep.
 
Yes, depends on your client. As of now, the latest Windows OVPN client (2.4.8) only supports OpenSSL 1.1.0, whereas TLS 1.3 connections require 1.1.1.

Code:
Wed Nov 06 14:18:19 2019 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Wed Nov 06 14:18:19 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Nov 06 14:18:19 2019 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
 
I'm using Express VPN through the router.

Nov 7 18:12:47 ovpn-client1[18475]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA

I didn't have to change anything.
 
If I'm not mistaken, I believe the OP was trying to connect to the router's OVPN server and has a client that doesn't support the latest OpenSSL package.

Great to know that there are no issues on the router's built-in client side though!
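
Added example, not code posted by anyone in this thread: a small Python check that reads OpenVPN log lines like the ones quoted above and reports, for each handshake, whether a TLS 1.2 result is explained by the logging side's OpenSSL being older than 1.1.1 or points at the other end. The function name `audit`, the verdict strings and the sample log are assumptions made for this example.

```python
import re

# Constructed sample built from log lines quoted in the thread. Lines 3 and 4
# are constructed so that each Control Channel line has a library line before it.
SAMPLE_LOG = """\
Wed Nov 06 14:18:19 2019 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Wed Nov 06 14:18:19 2019 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Wed Nov 06 14:18:25 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Nov 7 18:12:40 ovpn-client1[18475]: library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.08
Nov 7 18:12:47 ovpn-client1[18475]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
"""

LIB_RE = re.compile(r"library versions: OpenSSL (\d+)\.(\d+)\.(\d+)")
CHAN_RE = re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ ([A-Za-z0-9_-]+)")


def audit(log_text):
    """Return one finding per 'Control Channel' line in an OpenVPN log.

    The most recent 'library versions' line is taken as the OpenSSL build of
    the process that logged the handshake (an assumption that holds when the
    log comes from a single OpenVPN instance at a time).
    """
    findings = []
    openssl = None
    for line in log_text.splitlines():
        lib = LIB_RE.search(line)
        if lib:
            openssl = tuple(int(part) for part in lib.group(1, 2, 3))
            continue
        chan = CHAN_RE.search(line)
        if not chan:
            continue
        protocol, cipher = chan.groups()
        if protocol == "TLSv1.3":
            verdict = "ok"
        elif openssl is None:
            verdict = "unknown-local-openssl"
        elif openssl < (1, 1, 1):
            # OpenSSL before 1.1.1 has no TLS 1.3, so this side caps the handshake.
            verdict = "local-openssl-too-old"
        else:
            # This side could do TLS 1.3; look at the peer's library or settings.
            verdict = "check-peer"
        findings.append({"protocol": protocol, "cipher": cipher,
                         "openssl": openssl, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run it against the log of each end in turn: a `check-peer` verdict on one side together with `local-openssl-too-old` on the other identifies which end needs the newer OpenSSL.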
 
