Freebox Server (Pop V8/ Delta V7 / Revolution V6 / Server Mini 4K)

  • Status Nouveau
  • Percent Complete
    0%
  • Task Type Évolution
  • Category Services locaux → Client VPN
  • Assigned To No-one
  • Operating System Tous
  • Severity Low
  • Priority Very Low
  • Reported Version 3.3.1
  • Due in Version Undecided
  • Due Date Undecided
  • Votes 2
  • Private
Attached to Project: Freebox Server (Pop V8/ Delta V7 / Revolution V6 / Server Mini 4K)
Opened by Rudloff - 30/04/2016
Last edited by mbizon - 03/09/2020

FS#20193 - Tunnel IPv6 openvpn

Bonjour,

Apparemment le client openvpn ne supporte pas IPv6. J’obtiens l’erreur suivante quand j’importe ma configuration :

unknown statement: tun-ipv6

Pareil pour moi.
L'IPV6 est activé pourtant.
Deux questions alors :
- Le module interne de téléchargement de la box fonctionne-t-il en IPV6 ?
- Si oui, y-a-t-il un paramètre supplémentaire de la box à modifier pour combiner L'IPV6 avec le module de téléchargement et la fonctionnalité OpenVPN ?
Merci d'avance.

Avez-vous du nouveau depuis l'ouverture du ticket ?

Des nouvelles à propos de ce ticket ?

Demande de pare-feu manquant en IPv6 : https://dev.freebox.fr/bugs/task/4110

Demande de reverse DNS en IPv6 : https://dev.freebox.fr/bugs/task/12749

16 avril 2019 à 12:57, le changement : IPv6 par défaut.
https://dev.freebox.fr/blog/?p=5382

"Note additionnelle:

L'IPv6 est délivré aujourd'hui sous forme de tunnel (6RD) au dessus l'IPv4 (dit natif). En raison des évolutions internes de notre réseau, le système va progressivement être inversé, et c'est désormais l'IPv6 qui sera natif, et l'IPv4 délivré sous forme de tunnel.

Pour cette raison, désactiver l'IPv6 complètement sur une Freebox revient à potentiellement diminuer les performances réseaux, donc nous enlevons la possibilité de désactiver celui-ci globalement. Cette fonction avait été introduite il y a plus de 10 ans au même moment que la fonction IPv6 de la Freebox, afin d'éviter les problèmes d'interopérabilité avec les systèmes d'exploitation de l'époque.

Notez qu'il est toujours possible de désactiver l'IPv6 sur le périphérique lui-même."

C'est opérationnel dorénavant non ?

@Rudloff, @1000sabords : Du neuf ?

OpenVPN 2.5.0 RC3 (2020-10-15) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases

Voir toutes les améliorations de la 2.5.0 presque finale "RC3" dans l'email d'annonce :
- https://sourceforge.net/p/openvpn/mailman/message/37132033/

OpenVPN 2.5 is a new major release with many new features:
- Client-specific tls-crypt keys (–tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in –cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option –block-ipv6 to reject all IPv6 packets (ICMPv6)
- MSI installer (Windows)
- The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA management

Overview of changes in OpenVPN v2.5:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Rappel pour la 2.4.x (il manque toujours des options) :
Overview of changes in OpenVPN v2.4:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

@mbizon, ça devrait évoluer avec ça non ?


OpenVPN 2.5.0 (2020-10-27) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases

Email d'annonce de la sortie d'OpenVPN 2.5.0 :
- https://sourceforge.net/p/openvpn/mailman/message/37138737/

OpenVPN 2.5 is a new major release with many new features:
- Client-specific tls-crypt keys (–tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in –cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option –block-ipv6 to reject all IPv6 packets (ICMPv6)
- MSI installer (Windows)
- The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA management

Overview of changes in OpenVPN v2.5:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Rappel pour la 2.4.x (il manque toujours des options dans Freebox OS) :
Overview of changes in OpenVPN v2.4:
- https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

OpenVPN 2.5.1 (2021-02-24) :
- https://openvpn.net/
- https://github.com/OpenVPN/openvpn/releases
- https://sourceforge.net/p/openvpn/mailman/message/37226597/

[Openvpn-announce] OpenVPN 2.5.1 released
From: Samuli Seppänen <samuli@op...> - 2021-02-24 13:50:33

The OpenVPN community project team is proud to release OpenVPN 2.5.1. It
includes several bug fixes and improvements as well as updated OpenSSL
and OpenVPN GUI for Windows.

Source code and Windows installers can be downloaded from our download page:

<https://openvpn.net/community-downloads/>;

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>;

On Red Hat derivatives we recommend using the Fedora Copr repository.

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/>;

---

Overview of changes since OpenVPN 2.4

  Faster connections

    Connections setup is now much faster

  Crypto specific changes

    ChaCha20-Poly1305 cipher in the OpenVPN data channel
      Requires OpenSSL 1.1.0 or newer)
    Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
    Client-specific tls-crypt keys (--tls-crypt-v2)
    Improved Data channel cipher negotiation
    Removal of BF-CBC support in default configuration (see below for
possible incompatibilities)

  Server-side improvements

    HMAC based auth-token support for seamless reconnects to standalone
      servers or a group of servers.
    Asynchronous (deferred) authentication support for auth-pam plugin
    Asynchronous (deferred) support for client-connect scripts and
      plugins

  Network-related changes

    Support IPv4 configs with /31 netmasks now
    802.1q VLAN support on TAP servers
    IPv6-only tunnels
    New option --block-ipv6 to reject all IPv6 packets (ICMPv6)

  Linux-specific features

    VRF support
    Netlink integration (OpenVPN no longer needs to execute
      ifconfig/route or ip commands)

Windows-specific features

    Wintun driver support, a faster alternative to tap-windows6
    Setting tun/tap interface MTU
    Setting DHCP search domain
    Allow unicode search string in --cryptoapicert option
    EasyRSA3, a modern take on OpenVPN CA management
    MSI installer

---

Important notices

BF-CBC cipher is no longer the default

Cipher handling for the data channel cipher has been significantly
changed between OpenVPN 2.3/2.4 and v2.5, most notably there are no
"default cipher BF-CBC" anymore because it is no longer considered a
reasonable default. BF-CBC is still available, but it needs to be
explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both
ends will be able  to negotiate a better cipher than BF-CBC. By default
they will select one of the AES-GCM ciphers, but this can be influenced
using the --data-ciphers setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting
in the config (= defaulting to BF-CBC and not being negotiation-capable)
must be updated. Unless BF-CBC is included in --data-ciphers or there is
a "--cipher BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server
will refuse to talk to a v2.3 server or client, because it has no common
data channel cipher and negotiating a cipher is not possible. Generally,
we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading
is not possible we recommend adding data-ciphers
AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC
(v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older)
release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5
based client will need a config file change to re-enable BF-CBC.  But be
warned that BF-CBC and other related weak ciphers will be removed in
coming OpenVPN major releases.

For full details see the Data channel cipher negotiation section on the
man page.

Connectivity to some VPN service provider may break

Connecting with an OpenVPN 2.5 client to at least one commercial VPN
service that
implemented their own cipher negotiation method that always reports back
that it is using BF-CBC to the client is broken in v2.5. This has always
caused warning about mismatch ciphers. We have been in contact with some
service providers and they are looking into it.  This is not something
the OpenVPN community can fix. If your commercial VPN does not work with
a v2.5 client, complain to the VPN service provider.

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:

<https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>;

---

Freebox OS 4.3.1 a OpenVPN 2.5.0, est-ce qu'il y a une amélioration ?

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing