OpenVPN on iOS: which cipher?

XIII

Very Senior Member
My OpenVPN setup is from several years ago. I’m probably not using the best/safest cipher.

Which cipher do you advise for iOS devices?

OpenVPN server: router with RMerlin 384.3 alpha firmware
iOS: iOS 11.2.2 & OpenVPN Connect 1.2.6 (build 4)
 
From what I have been reading AES-128-CBC is plenty for home use.

AES-256-CBC if you're paranoid but you may take a speed hit.
 
What is interesting is the iOS app for my VPN provider only supports IPSEC and IKEV2. It is much faster compared to OpenVPN. On my iPad, I also installed the official OpenVPN app to give me more options. There are pros and cons of IPSec vs OpenVPN in terms of performance and security. https://www.howtogeek.com/211329/wh...ocol-pptp-vs.-openvpn-vs.-l2tpipsec-vs.-sstp/
 
While I do use a commercial provider with IPSEC/IKEV2 on my mobile devices I'm asking here for a safe means to access my router & home network, so the ASUS router is the "provider". I have a working setup (I believe using AES-128-CBC) from several years ago. I wonder whether that is still OK?
 
Keep in mind the actual cipher in use is only one part of the equation. If your keys are weak and/or compromised, it doesn't really matter what cipher you are using.

For general use, AES-128 is more than enough encryption. If you are overly paranoid and feel you need AES-256, you probably aren't gaining anything unless you have confirmed your authentication key strengths and are rotating those keys on a regular basis.
 
I would use GCM instead of CBC to take advantage of multiple threads.
 
Does your VPN provider even support GCM? Up until a few days ago PIA was on OpenVPN 2.3 and only supported CBC. The changelog for the Android app updated on 2/14/2018 indicated that OpenVPN was upgraded to 2.4 and that AES-GCM encryption was added. That said, their Windows client still doesn't support GCM.
 
I wish GCM support was more widespread. The reason I want to switch to GCM is because there is a flaw in the way OpenVPN for iOS handles CBC.
https://nvd.nist.gov/vuln/detail/CVE-2018-0488
 
TorGuard supports GCM when using the OpenVPN client on the router. GCM is not yet an option on the Android and iOS apps. It was recently added to the updated Windows client app. I posted some interesting metrics on CBC vs GCM using an Intel i5 CPU with AES-NI enabled in the post here.
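
Added illustration, not part of any post in this thread: a simplified Python model of how an OpenVPN 2.4 server settles on the data-channel cipher. It shows why an older `cipher AES-128-CBC` line can still yield GCM for 2.4 clients while 2.3-era clients stay on CBC. The directive names (`cipher`, `ncp-ciphers`, `ncp-disable`) and defaults are OpenVPN 2.4's; the sample configs and function names are constructed for this example.

```python
# Simplified model of OpenVPN 2.4 cipher negotiation (NCP). Added example only.
DEFAULT_CIPHER = "BF-CBC"                # 2.4 default when "cipher" is absent
DEFAULT_NCP = "AES-256-GCM:AES-128-GCM"  # 2.4 default "ncp-ciphers" list


def parse(config_text):
    """Return {directive: [args]}, skipping blank lines and #/; comments."""
    opts = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name.lower()] = args
    return opts


def effective_cipher(server_cfg, client_has_ncp, client_cipher=DEFAULT_CIPHER):
    """Cipher the tunnel ends up with, or None if the two sides cannot agree.

    client_has_ncp: True for a 2.4+ peer that negotiates, False for a
    2.3-era peer that only knows its own static "cipher" setting.
    """
    opts = parse(server_cfg)
    server_cipher = (opts.get("cipher") or [DEFAULT_CIPHER])[0].upper()
    client_cipher = client_cipher.upper()
    if "ncp-disable" not in opts:
        ncp = (opts.get("ncp-ciphers") or [DEFAULT_NCP])[0].upper().split(":")
        if client_has_ncp:
            return ncp[0]            # server pushes the first cipher in its list
        if client_cipher in ncp:
            return client_cipher     # server adopts the old client's cipher
    # No negotiation: both static "cipher" settings must match exactly.
    return server_cipher if client_cipher == server_cipher else None


# Constructed sample configs: a years-old CBC setup, and one with a pinned list.
OLD_SERVER = "port 1194\nproto udp\ncipher AES-128-CBC\n"
PINNED = OLD_SERVER + "ncp-ciphers AES-128-GCM:AES-128-CBC\n"

if __name__ == "__main__":
    for label, cfg in (("old", OLD_SERVER), ("pinned", PINNED)):
        print(label, "2.4 client ->", effective_cipher(cfg, True))
        print(label, "2.3 client ->", effective_cipher(cfg, False, "AES-128-CBC"))
```

Checking the server log for the cipher actually initialized on the data channel confirms what a given client ended up with.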
 