TLS control channel security

CF900

New Around Here
I am running a VPN on an Asus RT-AC86U router with the latest version of Asuswrt-Merlin.

My question is about the “TLS control channel security” and “Auth digest” settings. What should they be for optimum security?

It defaults to Outgoing Auth (1). Is that correct or should it be Encrypt Channel V2 or something else?

Auth digest is currently set to “Default”. Is that correct or should it be SHA512, or something else?

As a supplementary question: with “Accept DNS Configuration” set to “Exclusive” and “Redirect internet traffic through tunnel” set to “Yes (all)” and hopefully TLS control channel security working properly, if I set the WAN DNS to “Get the DNS IP from your ISP automatically”, will the DNS IP come from my actual ISP or will it come from my VPN DNS Server?

Thank you for any guidance that you can provide.
 

Here’s what I use. Edit: I assumed you were talking about your VPN server, not the VPN client on your router, but some of what I said below pertains to the same things. I don’t use a client on the router, so I won’t be much help.

HMAC, as far as I’m aware, is for older data ciphers; since you’re using TLS they aren’t really needed unless you’re on a client that needs a fallback.

As for your supplementary question: yes, in most cases your ISP offers DNS, but you are in no way obligated to use their DNS. You can run your own with Unbound or use DNS from another provider like Google, which is 8.8.8.8 and 8.8.8.4, or Cloudflare, which is 1.1.1.1 and 1.0.0.1; there are others as well.

You can also run DoT, which encrypts your DNS traffic.

Other security features for DNS include rebind protection and DNSSEC, which prevents the website you visit from being redirected to a phishing site under a site’s spoofed name.

DoH is DNS over HTTPS, which encrypts DNS traffic using TLS; however, that’s only supported in browsers, so DoT is recommended because it encrypts all devices connected to your router regardless of whether the browser supports DoH or not.

I would also suggest setting DNS Filter to router mode so that DNS traffic is sent to your router directly and not bypassed. This is important if you want to use DoT and not have your encrypted DNS traffic leaked to unencrypted DNS.

As for your VPN DNS, if you advertise your DNS over your tunnel then it will be pulled from your VPN server. In my experience sometimes this can cause issues, so I would recommend allowing a fallback to Google’s DNS servers if you have issues; however, this might/likely will not use DoT even if you have it set.

Do you mean a client from a provider like NordVPN or ExpressVPN, etc.?

Leave it to the defaults imported from the OVPN file.
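
Checking what those imported defaults actually are, as an added example (not code from this thread or from Asuswrt-Merlin): the script below parses an .ovpn file and reports which control-channel mechanism (tls-auth, tls-crypt or tls-crypt-v2, given as a directive or as an inline key block) and which auth digest it selects. The mapping to the Merlin GUI labels is assumed except for the two labels quoted in the thread, and the sample configs are constructed with placeholder key material.

```python
import re

# Asuswrt-Merlin GUI labels for "TLS control channel security". Only "Outgoing
# Auth (1)" and "Encrypt Channel V2" are quoted in this thread; the rest is assumed.
MODE_LABELS = {
    ("tls-auth", "1"): "Outgoing Auth (1)",
    ("tls-auth", "0"): "Incoming Auth (0)",
    ("tls-auth", None): "Bi-directional Auth",
    ("tls-crypt", None): "Encrypt Channel",
    ("tls-crypt-v2", None): "Encrypt Channel V2",
}
CC_DIRECTIVES = ("tls-auth", "tls-crypt", "tls-crypt-v2")


def inspect_ovpn(text):
    """Report the control-channel protection and auth digest an .ovpn selects."""
    mech, direction, digest = None, None, "SHA1"  # SHA1 is OpenVPN's --auth default
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        if not line or line.startswith("<"):
            continue  # blank line or inline <key> block delimiter
        name, *args = line.split()
        if name in CC_DIRECTIVES:
            mech = name
            if name == "tls-auth" and len(args) >= 2:
                direction = args[1]  # e.g. "tls-auth ta.key 1"
        elif name == "key-direction" and args:
            direction = args[0]  # direction for an inline <tls-auth> key
        elif name == "auth" and args:
            digest = args[0].upper()
    # An inline <tls-auth>/<tls-crypt>/<tls-crypt-v2> block implies the directive.
    for block in re.findall(r"^<(tls-auth|tls-crypt|tls-crypt-v2)>", text, re.M):
        mech = mech or block
    key = (mech, direction if mech == "tls-auth" else None)
    return {
        "mechanism": mech,
        "gui_label": MODE_LABELS.get(key, "Disabled"),
        "auth_digest": digest,
        # tls-auth HMACs the control channel with --auth; tls-crypt(-v2) use SHA256 internally
        "digest_covers_control_channel": mech == "tls-auth",
    }


# Constructed sample: inline tls-auth key (placeholder bytes), direction 1, SHA512.
SAMPLE_TLS_AUTH = ("client\nauth SHA512\nkey-direction 1\n<tls-auth>\n"
                   "-----BEGIN OpenVPN Static key V1-----\n0000\n-----END OpenVPN Static key V1-----\n</tls-auth>\n")
# Constructed sample: inline tls-crypt-v2 client key, no auth line (digest falls back).
SAMPLE_TLS_CRYPT_V2 = "client\n<tls-crypt-v2>\nPLACEHOLDER\n</tls-crypt-v2>\n"

if __name__ == "__main__":
    print(inspect_ovpn(SAMPLE_TLS_AUTH), inspect_ovpn(SAMPLE_TLS_CRYPT_V2))
```

A config with neither a directive nor an inline block reports "Disabled", which is the case worth catching before the file is imported.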
Correct. Once I had the right TLS-included config file, that sorted out my original question.
I’m still trying to find the optimum WAN DNS settings, as my speed seems to fluctuate quite dramatically, which may or may not be throttling by my ISP.
 
Do you mean speeds fluctuating when connected to the VPN?
Depending on what model router you have, the max speed you’ll get over the VPN is around 250Mbps.

DNS also doesn’t affect Speedtest results.
 
Maybe try running CakeQoS; it might help with the dramatic speeds. Note that CakeQoS does disable hardware-accelerated NAT, so if you have very fast speeds like 900Mbps WAN or more it could be quite hard on the CPU. Also, if you run UDP instead of TCP in the VPN, if that setting is allowed, it won’t be as hard on your upload.
 
Correct. When connected to the VPN, my speed can range from 85% of my ISP max speed, at best, to 5%, at worst.
 
