OpenVPN 2.5.0 config recommendation


nash16

Occasional Visitor
Hi all,

I have 2 quick questions related to security and the new OpenVPN 2.5.0 (I'm using 386.1a2 on an AC86U). I'd like to have the best balance between performance and security, but I don't mind if some performance must be sacrificed for security (not too much), so the questions are:
  1. Client-specific tls-crypt keys (--tls-crypt-v2) are supported now and I can see the option under "Encrypt Channel v2". Should I change this from "Encrypt Channel" to the new one? Should I change something in the server config to work with this new feature?
  2. What is the most secure/efficient/recommended HMAC Auth Digest (I used SHA256)? I can see a lot of options for the OpenVPN Client (which match the "openvpn --auth-digests" command) but they are different for the server side:
[attached screenshot 1604487861803.png: server-side HMAC Auth Digest options]


Thanks in advance!
 

RMerlin

Asuswrt-Merlin dev
Client-specific tls-crypt keys (--tls-crypt-v2) are supported now and I can see the option under "Encrypt Channel v2", should I change this from "Encrypt Channel" to the new one? Should I change something in the server config to work with this new feature?

I strongly recommend reading the OpenVPN manual before changing this. Using tls-crypt requires manual configuration on your part. And V2 is only partially supported.

What is the most secured/efficient/recommended HMAC Auth Digest (I used SHA256)? I

Using none at all is the best. If you use a GCM cipher, then the HMAC is no longer necessary, which will improve overall performance.
 

nash16

Occasional Visitor
I strongly recommend reading the OpenVPN manual before changing this. Using tls-crypt requires manual configuration on your part. And V2 is only partially supported.



Using none at all is the best. If you use a GCM cipher, then the HMAC is no longer necessary, which will improve overall performance.

Thank you Eric! So, to summarize, please let me know if I'm wrong:
  • Server:
[attached screenshot 1604597709016.png: server settings]


  • Client:
[attached screenshot 1604597827160.png: client settings]


Btw, do you know if there's any option to push the route from remote to the IPSec VPN Server? If I connect to the IPSec IKEv2 server, I can see the devices in my local network but not the devices connected from the remote network with OpenVPN Server connected.
I mean,
  • OpenVPN: Router1 AC86U acting as server connected successfully to the Router2 AC86U remote location acting as client with push route enabled for remote device discovery, everything works fine with OpenVPN.
  • IPSec: Router1 AC86U with IPSec server enabled successfully connected to my mobile phone and from it, I can see the devices connected to the Router1 but not the same for devices connected to the Router2 (with OpenVPN Client connected successfully to the Router1).
The reasons for using IPSec for mobile are:
  1. I can see better performance when I want to route all traffic through the VPN tunnel
  2. OpenVPN Android App doesn't support CHACHA20-POLY1305 which is my main data-cipher right now with 2.5.0

Thank you so much for this FW and support, much appreciated :)
 

RMerlin

Asuswrt-Merlin dev
So, to summarize, please let me know if I'm wrong:

You can leave the HMAC to SHA256 if you wish, just for backward compatibility. Make sure you do use a GCM cipher, like AES-128-GCM.

Btw, do you know if there's any option to push the route from remote to the IPSec VPN Server?

No idea, I never really worked with Strongswan, aside from some debugging with the original Asus implementation, and performance tests.
 
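The following server and client fragments are an added example, not configuration from the thread or from the Asuswrt-Merlin firmware. They show the advice given above in plain OpenVPN 2.5 syntax: an AEAD (GCM/ChaCha20-Poly1305) data cipher so no separate HMAC is applied on the data channel, `auth SHA256` kept only for compatibility, and a cipher list ordered so that the Android client that lacks CHACHA20-POLY1305 negotiates AES-128-GCM instead. All file paths, the 10.8.0.0/24 tunnel subnet and the hostname `vpn.example.com` are assumptions.

```conf
## --- server.conf (assumed file name) ---
port 1194
proto udp
dev tun
ca   /jffs/openvpn/ca.crt          # assumed paths
cert /jffs/openvpn/server.crt
key  /jffs/openvpn/server.key
dh   none                          # ephemeral ECDH only; no static DH group
server 10.8.0.0 255.255.255.0      # assumed tunnel subnet

# Data channel: AEAD ciphers only. OpenVPN 2.5 negotiates the first entry that
# both sides list, so a client without CHACHA20-POLY1305 (e.g. an Android app)
# ends up with AES-128-GCM.
data-ciphers AES-128-GCM:CHACHA20-POLY1305:AES-256-GCM
data-ciphers-fallback AES-128-GCM  # only for peers that cannot negotiate at all

# With an AEAD data cipher the "auth" digest is not applied to data packets
# (the cipher's own tag authenticates them). It still covers tls-auth control
# packets, so leaving SHA256 here costs nothing and keeps older clients working.
auth SHA256

# Control channel: tls-crypt (v1) with a shared key created once by
#   openvpn --genkey tls-crypt /jffs/openvpn/tc.key
# tls-crypt uses its own fixed AES-256-CTR + HMAC-SHA256, independent of "auth".
tls-crypt /jffs/openvpn/tc.key
tls-version-min 1.2

## --- client.ovpn (assumed file name) ---
client
dev tun
proto udp
remote vpn.example.com 1194       # placeholder hostname
remote-cert-tls server            # refuse a peer whose cert is not a server cert
ca   ca.crt
cert client.crt
key  client.key
data-ciphers CHACHA20-POLY1305:AES-128-GCM
auth SHA256
tls-crypt tc.key
tls-version-min 1.2
```

After connecting, the line `Data Channel: using negotiated cipher 'AES-128-GCM'` (or `'CHACHA20-POLY1305'`) in the client log confirms which AEAD cipher was selected; if the log instead reports a CBC cipher, the client's `data-ciphers` list does not overlap the server's and the fallback took effect.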
