My OpenVPN works, but I can't change the crypto method…
Since I run the VPN on a router, performance makes sense there, and I want to use BW or 128-bit AES (I want to test performance).
Unfortunately, in spite of the cipher option in the config, the connection starts with AES-256-GCM encryption.
Please advise how to change the data encryption.
Server runs LEDE 17.01.3
Client runs LEDE 17.01.4
Server config
config openvpn 'myvpn'
option enabled '1'
option port '1194'
option proto 'udp'
option dev 'tun'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/LEDE825srv.crt'
option key '/etc/openvpn/LEDE825srv.key'
option dh '/etc/openvpn/dh2048.pem'
option server '10.8.0.0 255.255.255.0'
option ifconfig_pool_persist '/tmp/ipp.txt'
list push 'route 192.168.13.0 255.255.255.0'
option client_config_dir '/etc/openvpn/ccd'
list route '192.168.16.0 255.255.255.0'
list route '192.168.24.0 255.255.255.0'
list route '192.168.26.0 255.255.255.0'
option client_to_client '1'
option keepalive '10 120'
option status '/tmp/openvpn-status.log'
option log '/tmp/openvpn.log'
option verb '4'
**option cipher 'BF-CBC'**
Client config at client_config_dir '/etc/openvpn/ccd'
iroute 192.168.26.0 255.255.255.0
ifconfig-push 10.8.0.26 10.8.0.1
push "route 192.168.16.0 255.255.255.0"
push "route 192.168.24.0 255.255.255.0"
Client config
config openvpn 'myvpn'
option enabled '1'
option dev 'tun'
option proto 'udp'
option verb '3'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/miLEDE.crt'
option key '/etc/openvpn/miLEDE.key'
**option cipher BF-CBC**
option client '1'
option remote_cert_tls 'server'
option remote '89.213.25.162 1194'
option log /tmp/openvpn.log
Client log
Fri Nov 10 00:02:57 2017 OpenVPN 2.4.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Nov 10 00:02:57 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Fri Nov 10 00:02:57 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]89.213.25.162:1194
Fri Nov 10 00:02:57 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Nov 10 00:02:57 2017 UDP link local (bound): [AF_INET][undef]:1194
Fri Nov 10 00:02:57 2017 UDP link remote: [AF_INET]89.213.25.162:1194
Fri Nov 10 00:02:57 2017 TLS: Initial packet from [AF_INET]89.213.25.162:1194, sid=2ee612280
Fri Nov 10 00:02:58 2017 VERIFY OK: depth=1, C=RU, ST=MSK, L=Moscow, O=MAG, OU=MAGadmin, CN=LEDE825, name=OpenVPN-CA, emailAddress=admin@mag.ru
Fri Nov 10 00:02:58 2017 VERIFY KU OK
Fri Nov 10 00:02:58 2017 Validating certificate extended key usage
Fri Nov 10 00:02:58 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Nov 10 00:02:58 2017 VERIFY EKU OK
Fri Nov 10 00:02:58 2017 VERIFY OK: depth=0, C=RU, ST=MSK, L=Moscow, O=MAG, OU=MAGadmin, CN=LEDE825srv, name=LEDE825srvkey, emailAddress=admin@mag.ru
Fri Nov 10 00:02:58 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Nov 10 00:02:58 2017 [LEDE825srv] Peer Connection Initiated with [AF_INET]89.213.25.162:1194
Fri Nov 10 00:02:59 2017 SENT CONTROL [LEDE825srv]: 'PUSH_REQUEST' (status=1)
Fri Nov 10 00:02:59 2017 PUSH: Received control message: 'PUSH_REPLY,route 192.168.13.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,route 192.168.16.0 255.255.255.0,route 192.168.24.0 255.255.255.0,ifconfig 10.8.0.26 10.8.0.1,peer-id 0,**cipher AES-256-GCM**'
Fri Nov 10 00:02:59 2017 OPTIONS IMPORT: timers and/or timeouts modified
Fri Nov 10 00:02:59 2017 OPTIONS IMPORT: --ifconfig/up options modified
Fri Nov 10 00:02:59 2017 OPTIONS IMPORT: route options modified
Fri Nov 10 00:02:59 2017 OPTIONS IMPORT: peer-id set
Fri Nov 10 00:02:59 2017 OPTIONS IMPORT: adjusting link_mtu to 1624
Fri Nov 10 00:02:59 2017 OPTIONS IMPORT: data channel crypto options modified
Fri Nov 10 00:02:59 2017 Data Channel: using negotiated cipher 'AES-256-GCM'
**Fri Nov 10 00:02:59 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key**
**Fri Nov 10 00:02:59 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key**
Fri Nov 10 00:02:59 2017 TUN/TAP device tun0 opened
Fri Nov 10 00:02:59 2017 TUN/TAP TX queue length set to 100
Fri Nov 10 00:02:59 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Nov 10 00:02:59 2017 /sbin/ifconfig tun0 10.8.0.26 pointopoint 10.8.0.1 mtu 1500
Fri Nov 10 00:02:59 2017 /sbin/route add -net 192.168.13.0 netmask 255.255.255.0 gw 10.8.0.1
Fri Nov 10 00:02:59 2017 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.1
Fri Nov 10 00:02:59 2017 /sbin/route add -net 192.168.16.0 netmask 255.255.255.0 gw 10.8.0.1
Fri Nov 10 00:02:59 2017 /sbin/route add -net 192.168.24.0 netmask 255.255.255.0 gw 10.8.0.1
Fri Nov 10 00:03:00 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Nov 10 00:03:00 2017 Initialization Sequence Completed
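
Added example (not part of the original post): a POSIX sh check that compares the cipher in a UCI section with what the client log records, and reports when the server's PUSH_REPLY replaced it, as in the log above. The function names and the abridged sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the tunnel use the cipher the config asks for?

# Constructed sample input, abridged from the config and client log in the post.
SAMPLE_CONF="config openvpn 'myvpn'
    option dev 'tun'
    option cipher BF-CBC"
SAMPLE_LOG="Fri Nov 10 00:02:59 2017 PUSH: Received control message: 'PUSH_REPLY,topology net30,ifconfig 10.8.0.26 10.8.0.1,peer-id 0,cipher AES-256-GCM'
Fri Nov 10 00:02:59 2017 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Nov 10 00:02:59 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key"

# Cipher named in a UCI section, quoted or unquoted (stdin: config text).
configured_cipher() {
    sed -n "s/^[[:space:]]*option cipher[[:space:]]*'*\([A-Za-z0-9-]*\)'*[[:space:]]*\$/\1/p" | tail -n 1
}

# Cipher the server pushed in PUSH_REPLY; empty if none (stdin: log text).
pushed_cipher() {
    sed -n "s/.*PUSH_REPLY[^']*,cipher \([A-Za-z0-9-]*\).*/\1/p" | tail -n 1
}

# Cipher the data channel was actually keyed with (stdin: log text).
active_cipher() {
    sed -n "s/.*Data Channel Encrypt: Cipher '\([^']*\)' initialized.*/\1/p" | tail -n 1
}

# $1 = UCI config text, $2 = log text. Prints one verdict line.
# Returns 0 = configured cipher in use, 1 = a different cipher, 2 = no data.
audit_cipher() {
    want=$(printf '%s\n' "$1" | configured_cipher)
    pushed=$(printf '%s\n' "$2" | pushed_cipher)
    got=$(printf '%s\n' "$2" | active_cipher)
    if [ -z "$got" ]; then
        echo "UNKNOWN: no 'Data Channel Encrypt' line in log"; return 2
    fi
    if [ "$got" = "$want" ]; then
        echo "OK: data channel uses configured cipher $got"; return 0
    fi
    if [ -n "$pushed" ] && [ "$pushed" = "$got" ]; then
        echo "OVERRIDDEN: config asks for $want, server pushed $pushed"; return 1
    fi
    echo "MISMATCH: config asks for $want, data channel uses $got"; return 1
}

audit_cipher "$SAMPLE_CONF" "$SAMPLE_LOG" || true
```

In OpenVPN 2.4 the negotiation that produces this override is governed by the `ncp-ciphers` and `ncp-disable` options.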