OpenVPN Key Length

Hello World

OpenVPN on Asuswrt-Merlin: Anyone know how to check or change the key length? OpenVPN recommends we use an RSA key size of 2048 bits or more, but no less. That said, I don't see how to check it or change it. Asus-WRT will automatically generate a .ovpn file with the Certification Authority key when you drop down the advanced settings. I don't see the key length anywhere.

Update: Ok, I see the key length in the log file when connecting to VPN. It's 1024, I think. It shows up in the log file as: "Apr 28 19:10:41 openvpn[1024]: 189.128.56.47:62127 TLS: Username/Password authentication succeeded for username 'VPNMan'"

How do we change it to 2048? I'm currently running 378.56 if that makes a difference.
 
You will have to generate your own keys and certificates. The router's auto-generated keys are set to 1024-bit for performance reasons.
 
yep - and if geo-locking only, might consider just not doing encryption altogether - we know where and who you are (Big Communications/Media Corp) - it's all logged in any event...
 
He's talking about his router's server. That's typically for remote access.
 
I wish I could make my OpenVPN server work on my router :-(
Ever since I upgraded my N66U to firmware 380.58, my server isn't working... getting "openVPN core error : PolarSSL:error parsing ca certificate : x509 - The CRT/CRL/CSR format is invalid, e.g. different type expected"
Can someone please point me to an easy OpenVPN on RMerlin firmware guide?
 
Even then - most traffic these days is TLS driven, so it's encryption on top of encryption...
I use VPN when I'm on a Public WiFi. I'm not trying to mask my location. In fact, when I'm on my VPN, the IP becomes my home address. I'm trying to prevent little hackers from seeing my traffic when I'm on a public hotspot.
 
The RSA key in this context is just for authentication if I remember correctly :)
 
Hi Merlin, I know this is more of an OpenVPN question than a Merlin-WRT question. You mentioned the default on Merlin-WRT is 1028 for performance. Do you have any idea how to change the key length to 2048? I've tried to download OpenVPN and create a CA, but the file "init-config" is no longer included in OpenVPN 2.0 and higher. I'm at a loss on how to create the 2048 bit keys. Is there a way to make the Merlin FW spit out a 2048 key?
 
https://github.com/RMerl/asuswrt-merlin/wiki/Generating-OpenVPN-keys-using-Easy-RSA
 
Hmmmm, I followed the directions on your link but it doesn't work. My USB disk mounted under /mnt/sda1 (using a USB 3.0 disk and drive). It never creates a directory easy-rsa. Any thoughts on what I'm doing wrong?

Works for me. Post the output of your commands.
 
Ok, please don't laugh. Here's what I tried to do in the run command on the router. But nothing happens.

upload_2016-5-1_16-53-0.png
 
This must be done over SSH. You cannot do it on this page.

What firmware are you running BTW? That page was removed years ago...
 
See, I told you not to laugh :( I'm running 378.56_2. I'll try with SSH (if I can figure it out). Thanks.

Update: Ha! It worked. Thanks Merlin.
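
Added example, not part of the original thread: one way to read the RSA key size straight from the CA certificate embedded in a .ovpn profile, for instance to confirm that regenerated keys are 2048-bit. It assumes the `openssl` command-line tool is installed; the function names, the placeholder hostname and the throwaway test CA are constructed for illustration.

```shell
#!/bin/sh
# Report the RSA key size of the CA certificate embedded in a .ovpn profile.
# Usage: sh check_ovpn_key.sh client.ovpn   (script name is hypothetical)

# Print the PEM certificate(s) found inside the <ca>...</ca> block.
ovpn_ca_pem() {
    sed -n '/<ca>/,/<\/ca>/p' "$1" |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Read a PEM certificate on stdin and print its public-key size in bits.
# openssl x509 parses only the first certificate if several are present.
cert_key_bits() {
    openssl x509 -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Print the key size of the CA certificate in the profile given as $1.
ovpn_ca_key_bits() {
    ovpn_ca_pem "$1" | cert_key_bits
}

# Succeed only if the CA key is at least $2 bits (default 2048).
ovpn_ca_key_ok() {
    bits=$(ovpn_ca_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "${2:-2048}" ]
}

# Constructed sample input: write a profile to $2 containing a throwaway
# self-signed CA with an RSA key of $1 bits (hostname is a placeholder).
make_sample_ovpn() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -subj "/CN=constructed-test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    { echo "client"; echo "remote vpn.example.net 1194"
      echo "<ca>"; cat "$dir/ca.crt"; echo "</ca>"; } > "$2"
    rm -rf "$dir"
}

# When run with a file argument, print its CA key size.
if [ -n "${1:-}" ]; then
    ovpn_ca_key_bits "$1"
fi
```

The same `cert_key_bits` function works on a standalone `ca.crt` piped to it, and `ovpn_ca_key_ok` can gate a deployment script on a minimum key size.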
 
Key length >=zero and <= ?
I followed the GitHub URL referenced above, but don't see where it explains how to set a minimum size of key. Is it reasonable to use a minimal key size with OpenVPN to ameliorate performance (or encryption off entirely) and just rely on authentication and HMAC for security? This server is running Merlin (378.50) in USA and accessed from Canada for Netflix, so I don't really care if people peek at my traffic. Thanks in advance, and kudos (@RMerlin) on the excellent Merlin environment.
 
I would say that using a key length of 1024 bit is sufficient for home users. AES-128-CBC with SHA1 will give you the best performance there.
 
