author: Dante Catalfamo 2020-08-22 16:00:41 -0400
committer: Dante Catalfamo 2020-08-22 16:00:41 -0400
commit: c84f70faf3d31a4e8bc8bfae8e7e393d8c1918dd (patch)
tree: 033380a37186a01b09867e72836ec652b74a35ff /content/posts/openvpn-issues-openbsd/index.org
parent: 30d8bca8308f7532addf8de291dc9aa60cba08e1 (diff)
vpn-issue: Add email quote and github issue after fix
Diffstat (limited to 'content/posts/openvpn-issues-openbsd/index.org')
-rw-r--r-- content/posts/openvpn-issues-openbsd/index.org | 35
1 file changed, 35 insertions, 0 deletions
diff --git a/content/posts/openvpn-issues-openbsd/index.org b/content/posts/openvpn-issues-openbsd/index.org
index a683f73..f320f22 100644
--- a/content/posts/openvpn-issues-openbsd/index.org
+++ b/content/posts/openvpn-issues-openbsd/index.org
@@ -12,6 +12,41 @@
#+ATTR_HTML: :title No connection to ProtonVPN from OpenBSD
[[file:cover.png]]
+*EDIT:* (August 22, 2020) Theo Buehler has kindly reached out to me and informed me that
+this issue has just been fixed in a syspatch, and that OpenVPN now
+works correctly.
+
+#+begin_quote
+Hi.
+
+Regarding https://blog.lambda.cx/posts/openvpn-issues-openbsd/,
+the issue you describe in this post should be fixed in 6.7-stable.
+
+It boils down to this:
+
+1. ProtonVPN appears to require clients to use P-521 for the TLSv1.3
+ key exchange.
+
+2. Released versions of OpenVPN do not permit customizing the curve
+ to use for the key exchange (they added a --tls-groups option in
+ their dev branch).
+
+3. LibreSSL defaulted to enabling X25519, P-256, P-384, but not P-521,
+ (same defaults as BoringSSL) while OpenSSL additionally enables P-521.
+
+4. Another issue people ran into is that we did not support EC client
+ certificates in the released version.
+
+In the latest syspatches 019 and 020, we enabled P-521 by default client
+side and also added support for EC client certificates.
+
+Long story short: after running syspatch, your OpenVPN setup should work
+with LibreSSL.
+#+end_quote
+
+This fix is also discussed on the associated =libressl-portable= github issue [[https://github.com/libressl-portable/portable/issues/601#issuecomment-667222456][here]].
+
+@@html: <hr> @@
I have an OpenBSD VPN gateway I use to send all traffic it receives
over a VPN connection, and I noticed that no traffic was going through.
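Review bot: the new *EDIT:* paragraph (first three added lines of the hunk) tells readers the issue "has just been fixed in a syspatch" but does not say which one, so a reader cannot tell whether their system already carries the fix; the quoted email names the specifics (6.7-stable, syspatches 019 and 020, P-521 enabled client-side plus EC client certificate support), so consider repeating them in the edit line, e.g. "fixed in OpenBSD 6.7-stable syspatches 019 and 020", and mentioning that `syspatch -l` lists the installed patches so the reader can check. A minor style point on the line "This fix is also discussed on the associated =libressl-portable= github issue": "github" should be capitalized as "GitHub". The quote block itself is fine as added, but since it is an email from Theo Buehler, an attribution line inside or directly after the =#+begin_quote= block would keep the source clear for readers who skim past the introductory sentence.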