Trying to use AES-128-GCM OpenVPN but failing

I have been using OpenVPN with CBC for years and was curious to test out GCM since AES-NI is available. I haven't touched my config in years but just updated the cipher to AES-128-GCM and added ncp-disable, but I can't get it to connect.
I am running the following
CHAOS CALMER (15.05, r46767)
openvpn-openssl 2.3.6-5
and I added kmod-crypto-gcm in case it was needed.

When I updated /etc/config/openvpn and restarted, LUCI was not happy...

/usr/lib/lua/luci/dispatcher.lua:433: Failed to execute cbi dispatcher target for entry '/admin/services/openvpn'.
The called action terminated with an exception:
/usr/lib/lua/luci/cbi.lua:311: Unable to read UCI data: openvpn
stack traceback:
	[C]: in function 'assert'
	/usr/lib/lua/luci/dispatcher.lua:433: in function 'dispatch'
	/usr/lib/lua/luci/dispatcher.lua:168: in function </usr/lib/lua/luci/dispatcher.lua:167>

When I run the following I do not see an option for GCM

openvpn --show-ciphers
DES-CFB 64 bit default key (fixed) (TLS client/server mode)
DES-CBC 64 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
RC2-CFB 128 bit default key (variable) (TLS client/server mode)
RC2-OFB 128 bit default key (variable) (TLS client/server mode)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DES-OFB 64 bit default key (fixed) (TLS client/server mode)
DES-EDE-CFB 128 bit default key (fixed) (TLS client/server mode)
DES-EDE3-CFB 192 bit default key (fixed) (TLS client/server mode)
DES-EDE-OFB 128 bit default key (fixed) (TLS client/server mode)
DES-EDE3-OFB 192 bit default key (fixed) (TLS client/server mode)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
BF-CFB 128 bit default key (variable) (TLS client/server mode)
BF-OFB 128 bit default key (variable) (TLS client/server mode)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
CAST5-CFB 128 bit default key (variable) (TLS client/server mode)
CAST5-OFB 128 bit default key (variable) (TLS client/server mode)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-128-OFB 128 bit default key (fixed) (TLS client/server mode)
AES-128-CFB 128 bit default key (fixed) (TLS client/server mode)
AES-192-CBC 192 bit default key (fixed)
AES-192-OFB 192 bit default key (fixed) (TLS client/server mode)
AES-192-CFB 192 bit default key (fixed) (TLS client/server mode)
AES-256-CBC 256 bit default key (fixed)
AES-256-OFB 256 bit default key (fixed) (TLS client/server mode)
AES-256-CFB 256 bit default key (fixed) (TLS client/server mode)
AES-128-CFB1 128 bit default key (fixed) (TLS client/server mode)
AES-192-CFB1 192 bit default key (fixed) (TLS client/server mode)
AES-256-CFB1 256 bit default key (fixed) (TLS client/server mode)
AES-128-CFB8 128 bit default key (fixed) (TLS client/server mode)
AES-192-CFB8 192 bit default key (fixed) (TLS client/server mode)
AES-256-CFB8 256 bit default key (fixed) (TLS client/server mode)
DES-CFB1 64 bit default key (fixed) (TLS client/server mode)
DES-CFB8 64 bit default key (fixed) (TLS client/server mode)
DES-EDE3-CFB1 192 bit default key (fixed) (TLS client/server mode)
DES-EDE3-CFB8 192 bit default key (fixed) (TLS client/server mode)
SEED-CBC 128 bit default key (fixed)
SEED-OFB 128 bit default key (fixed) (TLS client/server mode)
SEED-CFB 128 bit default key (fixed) (TLS client/server mode)

Any idea what I am missing?

First step would be to update to a current release, v18 or later (v19 is coming in the next month or so, which will effectively EOL support for v17).

It doesn't surprise me that a four-year-old release doesn't support newer OpenSSL/OpenVPN features in more ways than one. (Not to mention that "security" and a release long out of support are incongruous.)

In fact, with the recent Linux CVEs, anything older than yesterday should be considered insecure and remotely exploitable (which includes from "infected" hosts within your own network).

1 Like
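
An added example, not part of any post in this thread: a pre-flight check that reads `openvpn --show-ciphers` output and the OpenVPN version before a cipher is written into the config. GCM for the data channel and `ncp-disable` both arrived in OpenVPN 2.4, so the 2.3.6 build above fails both tests. The function names and the two sample listings are constructed for illustration.

```shell
# Constructed sample: a few lines of the 2.3.6 `--show-ciphers` output quoted above.
sample_old() {
cat <<'EOF'
AES-128-CBC 128 bit default key (fixed)
AES-128-CFB 128 bit default key (fixed) (TLS client/server mode)
AES-256-CBC 256 bit default key (fixed)
EOF
}

# Constructed sample: assumed shape of a line from a 2.4-or-later build.
sample_new() {
cat <<'EOF'
AES-128-CBC  (128 bit key, 128 bit block)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
EOF
}

# Succeeds only if $1 is exactly the first field of a line read from stdin.
cipher_listed() {
    awk -v want="$1" 'BEGIN { want = toupper(want) }
        toupper($1) == want { found = 1 }
        END { exit !found }'
}

# Succeeds if dotted version $1 >= $2 (a suffix such as "-5" is ignored).
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0 }'
}

# preflight CIPHER VERSION < cipher-list ; prints findings, returns 1 on any failure.
preflight() {
    list=$(cat); rc=0
    printf '%s\n' "$list" | cipher_listed "$1" ||
        { echo "cipher $1 is not offered by this build"; rc=1; }
    version_at_least "$2" 2.4 ||
        { echo "OpenVPN $2 predates 2.4: no GCM data channel, no ncp-disable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: $1 can go into the config"
    return "$rc"
}

# On the router: openvpn --show-ciphers | preflight AES-128-GCM "$(openvpn --version | awk 'NR==1{print $2}')"
sample_old | preflight AES-128-GCM 2.3.6 || true
```

Matching on the whole first field keeps a name such as AES-128-CFB from satisfying a request for AES-128-CFB1, and the same check has to pass on both the client and the server before the cipher line is changed.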

@jeff Thanks, I am using an x86 VM so not the easiest to upgrade. Will try starting with clean v18 install

1 Like