Closed oriold closed 7 years ago
Apologies oriold for hijacking your post. Just curious to know about the OpenVPN 2.4 support on Streisand? I think the script requires some changes to make it work.
@atulsian89 I want to work on OpenVPN 2.4 support but mobile clients need to be updated to support the new specifications.
@alimakki the official Android version supports 2.4. I'm not sure about the other platforms. Maybe someone can check them and report it. All the other platforms (Windows, Linux) support 2.4. Just curious to see the gain in speed and security with 2.4.
@atulsian89 unfortunately iOS seems to be lagging behind.
edit: Tunnelblick hasn't been updated to 2.4 either.
I'm really excited about the new --tls-crypt feature. Hopefully the OS X and iOS clients will get their act together soon :)
I tried it on an OpenVZ VPS by setting up only OpenVPN on it. This is what the logs read, and it is quite simple to enable it with the existing --tls-auth key setup.
```
Thu Jan 12 12:06:23 2017 us=95841 MANAGEMENT: CMD 'state on'
Thu Jan 12 12:06:23 2017 us=95841 MANAGEMENT: CMD 'log all on'
Thu Jan 12 12:06:25 2017 us=674055 MANAGEMENT: CMD 'hold off'
Thu Jan 12 12:06:25 2017 us=705351 MANAGEMENT: CMD 'hold release'
Thu Jan 12 12:06:25 2017 us=814729 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Jan 12 12:06:25 2017 us=814729 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jan 12 12:06:25 2017 us=814729 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Jan 12 12:06:25 2017 us=814729 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
```
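A way to check from a client log that --tls-crypt, and not only --tls-auth, is protecting the control channel in both directions. This is an added example, not part of the comment above or of Streisand; the function names are hypothetical, and the --tls-auth contrast log is constructed, with its wording assumed from OpenVPN 2.4 output.

```python
import re

# Control-channel lines copied from the log in the comment above.
SAMPLE_LOG = """\
Thu Jan 12 12:06:25 2017 us=814729 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Jan 12 12:06:25 2017 us=814729 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jan 12 12:06:25 2017 us=814729 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Jan 12 12:06:25 2017 us=814729 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
"""

# Constructed for contrast: a --tls-auth-only session (assumed 2.4 wording).
TLS_AUTH_LOG = """\
Thu Jan 12 12:00:00 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 12 12:00:00 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
"""

LINE = re.compile(
    r"(?P<dir>Outgoing|Incoming) Control Channel (?P<mode>Encryption|Authentication): "
    r"(?:Cipher '(?P<cipher>[^']+)' initialized with (?P<kbits>\d+) bit key"
    r"|Using (?P<hbits>\d+) bit message hash '(?P<hash>[^']+)' for HMAC authentication)"
)

def control_channel_state(log_text):
    """Return {direction: {mode, cipher, key_bits, hmac, hmac_bits}} parsed from the log."""
    state = {}
    for m in LINE.finditer(log_text):
        d = state.setdefault(m["dir"].lower(), dict.fromkeys(("mode", "cipher", "key_bits", "hmac", "hmac_bits")))
        d["mode"] = m["mode"].lower()
        if m["cipher"]:
            d["cipher"], d["key_bits"] = m["cipher"], int(m["kbits"])
        else:
            d["hmac"], d["hmac_bits"] = m["hash"], int(m["hbits"])
    return state

def tls_crypt_active(log_text):
    """True only if both directions are encrypted AND HMAC-authenticated."""
    state = control_channel_state(log_text)
    return all(
        state.get(d, {}).get("mode") == "encryption"
        and state[d]["cipher"] and state[d]["hmac"]
        for d in ("outgoing", "incoming")
    )

if __name__ == "__main__":
    for name, log in (("page log", SAMPLE_LOG), ("tls-auth log", TLS_AUTH_LOG)):
        print(name, "->", "tls-crypt active" if tls_crypt_active(log) else "NOT tls-crypt")
```

A log that shows only one direction, or a cipher line without its HMAC line, is reported as not active, so a truncated log does not pass the check.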
Main Thread
The keepalive values have been adjusted. Thanks for the suggestion, @oriold!
Hijacked Thread :)
Streisand now installs OpenVPN 2.4. We'll need to wait for wider client support before we can enable some of the new features by default, but I have verified that an OpenVPN 2.4 server still works perfectly with 2.3-based clients on Linux, iOS (OpenVPN Connect), and OS X (Tunnelblick and Viscosity).
In order to have OpenVPN always on on a smartphone, keepalive values have to grow; right now the default value 10 120 will drain the battery quickly:
https://github.com/schwabe/ics-openvpn/issues/100
I suggest setting 1800 3600 for keepalive in OpenVPN.
Please close this issue if there is a reason against this setting.
Regards,