OpenVPN on iOS: which cipher?

Discussion in 'ASUS Wireless' started by XIII, Jan 21, 2018.

  1. XIII

    XIII Very Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    610
    My OpenVPN setup is from several years ago. I’m probably not using the best/safest cipher.

    Which cipher do you advise for iOS devices?

    OpenVPN server: router with RMerlin 384.3 alpha firmware
    iOS: iOS 11.2.2 & OpenVPN Connect 1.2.6 (build 4)
     
    Last edited: Jan 21, 2018
  2. unsynaps

    unsynaps Senior Member

    Joined:
    Nov 9, 2014
    Messages:
    207
    Location:
    Halethorpe, MD
    From what I have been reading AES-128-CBC is plenty for home use.

    AES-256-CBC if you're paranoid but you may take a speed hit.
     
  3. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,690
    Location:
    The Land of Smiles
    What is interesting is the iOS app for my VPN provider only supports IPSEC and IKEV2. It is much faster compared to OpenVPN. On my iPad, I also installed the official OpenVPN app to give me more options. There are pros and cons of IPSec vs OpenVPN in terms of performance and security. https://www.howtogeek.com/211329/wh...ocol-pptp-vs.-openvpn-vs.-l2tpipsec-vs.-sstp/
     
  4. XIII

    XIII Very Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    610
    While I do use a commercial provider with IPSEC/IKEV2 on my mobile devices, I'm asking here for a safe means to access my router & home network, so the ASUS router is the "provider". I have a working setup (I believe using AES-128-CBC) from several years ago. I wonder whether that is still OK?
     
  5. MichaelCG

    MichaelCG Senior Member

    Joined:
    Jan 4, 2017
    Messages:
    493
    Location:
    Central US
    Keep in mind the actual cipher in use is only one part of the equation. If your keys are weak and/or compromised, it doesn't really matter what cipher you are using.

    For general use, AES-128 is more than enough encryption. If you are overly paranoid and feel you need AES-256, you probably aren't gaining anything unless you have confirmed your authentication key strengths and are rotating those keys on a regular basis.
     
  6. DonnyJohnny

    DonnyJohnny Very Senior Member

    Joined:
    Dec 17, 2017
    Messages:
    649
    I would use GCM instead of CBC to take advantage of multiple threads.
     
  7. Hunterx

    Hunterx Occasional Visitor

    Joined:
    Feb 17, 2018
    Messages:
    23
    Does GCM work on iOS OpenVPN Connect 1.2.9? I can’t seem to get either 128 or 256 to work.
     
  8. doczenith1

    doczenith1 Senior Member

    Joined:
    Sep 19, 2014
    Messages:
    444
    Location:
    MI
    Does your VPN provider even support GCM? Up until a few days ago PIA was on OpenVPN 2.3 and only supported CBC. The changelog for the Android app updated on 2/14/2018 indicated that OpenVPN was upgraded to 2.4 and that AES-GCM encryption was added. That said, their Windows client still doesn't support GCM.
     
  9. Hunterx

    Hunterx Occasional Visitor

    Joined:
    Feb 17, 2018
    Messages:
    23
    I wish GCM support was more widespread. The reason I want to switch to GCM is because there is a flaw in the way OpenVPN for iOS handles CBC.
    https://nvd.nist.gov/vuln/detail/CVE-2018-0488
     
  10. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,690
    Location:
    The Land of Smiles
    TorGuard supports GCM when using the OpenVPN client on the router. GCM is not yet an option on the Android and iOS apps. It was recently added to the updated Windows client app. I posted some interesting metrics on CBC vs GCM using an Intel i5 CPU with AES-NI enabled in the post here.
     
    Last edited: Mar 8, 2018
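
Added example, not from any poster in this thread or from the OpenVPN project: it reads a server config and reports which data-channel cipher an OpenVPN 2.4 server would use with a negotiation-capable (NCP) client versus an older one, using the 2.4 `cipher`, `ncp-ciphers` and `ncp-disable` directives. The sample config and the function names are constructed for illustration; it assumes a 2.4 server and does not model what OpenVPN Connect on iOS supports.

```python
# Assumption: OpenVPN 2.4 server defaults, as documented in the 2.4 manual.
NCP_DEFAULT = "AES-256-GCM:AES-128-GCM"   # default value of ncp-ciphers
CIPHER_DEFAULT = "BF-CBC"                 # used when no 'cipher' line is present

# Constructed sample config, not taken from the thread.
SAMPLE_SERVER_CONF = """\
# server.conf (constructed)
port 1194
proto udp
dev tun
cipher AES-128-CBC
"""

def parse_directives(text):
    """Map each directive to its argument list, ignoring comments and blanks."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives[parts[0].lstrip("-")] = parts[1:]
    return directives

def data_channel_cipher(conf_text, client_has_ncp):
    """Cipher a 2.4 server ends up using with a given kind of client."""
    d = parse_directives(conf_text)
    fallback = (d.get("cipher") or [CIPHER_DEFAULT])[0].upper()
    if client_has_ncp and "ncp-disable" not in d:
        offered = (d.get("ncp-ciphers") or [NCP_DEFAULT])[0].upper().split(":")
        return offered[0]          # the server pushes the first entry of its list
    return fallback                # no negotiation: the static 'cipher' applies

def report(conf_text):
    """Summarise the outcome for NCP-capable and older clients."""
    result = {}
    for label, ncp in (("ncp_client", True), ("legacy_client", False)):
        cipher = data_channel_cipher(conf_text, ncp)
        mode = cipher.rsplit("-", 1)[-1]          # CBC, GCM, ...
        result[label] = (cipher, mode)
    return result

if __name__ == "__main__":
    for who, (cipher, mode) in report(SAMPLE_SERVER_CONF).items():
        print(f"{who}: {cipher} ({mode})")
```

With a 2.4 server the `cipher` line is only the fallback for peers that cannot negotiate, so an old `cipher AES-128-CBC` config can still end up on GCM with a capable client.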