How to enable AES-256-GCM support with OpenVPN?

Hey all! This is my first post so let me know if I am in the right spot! We’re just getting started with IGEL OS and running into an issue with the OpenVPN custom partition. Our UMS is hosted in Azure and the only inbound access is through an Azure VPN Gateway. Our objective was to image our thin clients with IGEL OS and the OpenVPN profile configured locally so it could connect with our UMS and grab the remainder of the config. The problem we are running into is the OpenVPN profile doesn’t seem to support AES-256-GCM. Is there a way for us to enable this?

Learn more, read the entire thread inside the IGEL Community o Slack

IGEL Method for clients not in same network as UMS is via ICG

Hi, Ron! Once we establish a VPN connection, it’s my understanding that we shouldn’t need an ICG as the clients and UMS will effectively be local to each other. In our deployment specs, the thin clients should only be able to communicate with our Virtual Network Gateway and all inbound communications to the network should only be through that gateway. The problem we’re running into is the built-in OpenVPN implementation doesn’t seem to offer AES-256-GCM, at least, not in the GUI. Once we establish the VPN connection, the thin clients should be able to communicate with the UMS as if they were on the same local network, no?

I wil go with @member that ICG is a much better solution because it can be setup much easier. IGEL OS has a build in OpenVPN client . What version of IGEL OS do you want to use? I only took a look at the profiles in our UMS but for 11.03.100 and later the Cypher is available in the settings (did not check older versions). We do not use OpenVPN but work with ICG and it runs very stable for us (Debian machine on Azure, UMS in local RZ)

@member For this use case (clients not in the same network as UMS), IGEL supported method is via ICG. While you may be able to get this to work, it is not an IGEL supported method.

@member Pardon my confusion; I was not given the impression this would be an issue from the Sales Engineers I have spoken with. If we deployed in an ICG within our Azure Vnet and thin clients communicated with it over our VPN, would that be an IGEL supported method?

@member Hi, Markus! Hmm, we are using IGEL OS 11.04.240. I see up to AES-256-CBC, but no GCM mode. It’s good to know that we should be able to get this option somehow though.

@member For IGEL devices to get their updates / settings from UMS, the IGEL Cloud Gateway (ICG) is required if the UMS and the devices are not in the same network.

@member Thanks, Ron. We’ll have to consider deploying an ICG in our Vnet if that enables compatibility. With or without the ICG, we don’t have connectivity without our VPN being properly configured. From what @member has said, it seems like AES-256-GCM should be available. I don’t see it on IGEL OS 11.04.240. Could you help me figure out why I am unable to see that option?

IGEL device <-> ICG <-> UMS communication is via port 443 or 8443 — There is no VPN. Now IGEL device to your environment should be via Citrix / VMware / etc. stack — again no VPN. If you are not doing via Citrix / VMware / etc. stack — Then yes VPN. Configure IGEL device VPN per your VPN provider requirements.

Try the following on the command line:

openvpn –show-ciphers | grep -i AES-256-GCM

AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)

Create ICON on Desktop

use pkexec. So the command will be –> pkexec /usr/bin/xfce4-terminal -T “OpenVPN” –geometry=80×10-0+0 -x command_to_run

Here is man page for 11.04.240 version of OpenVPN

And 11.05 is here:

My bad, you are right. In the UMS profile you can only select the CBC ciphers. But the buildin openvpn on IGEL OS supports the AES-256-GCM chipher. OpenVPN since version 2.4 autonegotiates the cipher and uses the best one available on both sides (which should be AES-256-GCM). So normally you only need to set the cipher when connecting to an older OpenVPN server (version 2.3 ord less). I cannot test it myself, as we do not use OpenVPN in my company but I use OpenVPN on my private network and there autonegotiation works fine (but without an IGEL device).

Thank you for your help!

Markus, that’s a good idea! I’ll try not setting that value and see if it will autonegotiate. Thank you!

That value in the GUI defaults to Blowfish-CBC. With no “null” option, it can’t be set to autonegotiate. Looks like custom startup script is the only option here. Regardless, I am going to abandon this do to IGEL not supporting management over VPN. @member & @member, thank you both for your time!

Continue reading and comment on the thread ‘How to enable AES-256-GCM support with OpenVPN?’.  Not a member? Join Here!

Learn more, search the IGEL Knowledge Base

Ask a question or comment on the above message thread?

Join or log in to the IGEL Community to ask us anything and meet other IGEL customers, partners, and EUC enthusiasts.

Submit a question, or Join Today!

Popular Message Threads

Categories & Tags: