What's new

OpenVPN 2.5.0 config recomendation

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

nash16

Occasional Visitor
Hi all,

I have 2 quick questions related with Security + new OpenVPN 2.5.0 (I'm using 386.1a2 on AC86U), I'd like to have the best balance between performance vs. security but I don't mind if some performance must be sacrificed by security (not too much), so the questions are:
  1. Client-specific tls-crypt keys (–tls-crypt-v2) are supported now and I can see the option under "Encrypt Channel v2", should I change this from "Encrypt Channel" to the new one? Should I change something in the server config to work with this new feature?
  2. What is the most secured/efficient/recommended HMAC Auth Digest (I used SHA256)? I can see lot of options for OpenVPN Client (which match with "openvpn --auth-digests" command) but they are different for Server side:
1604487861803.png


Thanks in advance!
 
Last edited:
Client-specific tls-crypt keys (–tls-crypt-v2) are supported now and I can see the option under "Encrypt Channel v2", should I change this from "Encrypt Channel" to the new one? Should I change something in the server config to work with this new feature?

I strongly recommend reading the OpenVPN manual before changing this. Using tls-crypt requires manual configuration on your part. And V2 is only partially supported.

What is the most secured/efficient/recommended HMAC Auth Digest (I used SHA256)? I

Using none at all is the best. If you use a GCM cipher, then the HMAC is no longer necessary, which will improve overall performance.
 
I strongly recommend reading the OpenVPN manual before changing this. Using tls-crypt requires manual configuration on your part. And V2 is only partially supported.



Using none at all is the best. If you use a GCM cipher, then the HMAC is no longer necessary, which will improve overall performance.

Thank you Eric! So, for summarize, please let me know if I'm wrong:
  • Server:
1604597709016.png


  • Client:
1604597827160.png


Btw, do you know if there's any option to push the route from remote to the IPSec VPN Server? If I connect to the IPSec IKEv2 server, I can see the devices in my local network but not the devices connected from the remote network with OpenVPN Server connected.
I mean,
  • OpenVPN: Router1 AC86U acting as server connected successfully to the Router2 AC86U remote location acting as client with push route enabled for remote device discovery, everything works fine with OpenVPN.
  • IPSec: Router1 AC86U with IPSec server enabled successfully connected to my mobile phone and from it, I can see the devices connected to the Router1 but not the same for devices connected to the Router2 (with OpenVPN Client connected successfully to the Router1).
The reasons of using IPSec for mobile are:
  1. I can see better performance when I want to route all traffic through the VPN tunnel
  2. OpenVPN Android App doesn't support CHACHA20-POLY1305 which is my main data-cipher right now with 2.5.0

Thank you so much for this FW and support, much appreciated :)
 
So, for summarize, please let me know if I'm wrong:

You can leave the HMAC to SHA256 if you wish, just for backward compatibility. Make sure you do use a GCM cipher, like AES-128-GCM.

Btw, do you know if there's any option to push the route from remote to the IPSec VPN Server?

No idea, I never really worked with Strongswan, aside from some debugging with the original Asus implementation, and performance tests.
 
I read up a little bit on v2, and see that the latest merlin release has openvpn 2.5.2. I presume to use this would require manually configuring via ssh, since there's no v2 in the drop down box etc. I was hoping to try v2 out, but looks like I should probably stick to plain tls-crypt for now. I don't care much about exotic ciphers, but I would like to have the added flood resistance that v2 brings.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top