
What is best secure setup for OpenVPN?


This is my first post, but I've been following SNB from the beginning.

I've a few questions regarding the new Encrypt channel.

I've tried to use it, but for example it doesn't elude a Fortigate firewall. (I'm testing this inside my company, with OpenVPN connections blocked in the Fortigate.)

I've seen your Twitter post @RMerlin regarding the censored countries. I'll go to China next week; I have a person there now who will also do some testing, but if it doesn't pass the Fortigate, I'm quite sure it won't pass the GFW.

These are my configs:

Also regarding the new LZ4 compression, is it worth enabling it on our weak router CPUs? (AC56U - R7000)

The new GCM cipher I could see is faster, but about LZ4 I have no idea.

Regards

[Attachment: openvpn.png]
Compression depends on your type of transfers. For Remote Desktop it's not worth it. If you transfer a lot of compressible data then it might be.
 
But is it an intelligent compression (if it sees that it can't compress it still tries)?

It does, but it still carries a bit of overhead when encountering traffic that cannot be compressed. So, it really depends on your specific payload.
 
Well, tested at 20Mb:

Using non-compressible material the speed is the same, but with LZ4 the CPU use is generally about 55%; with LZ4 off, the CPU use is about 38% (Netgear R7000).

Using compressible material (e.g. speedtest) LZ4 shines, giving an actual output of 30Mb (50% increase).

Ping was the same.

So I would say for Netflix, streaming etc., LZ4 can be disabled; for general page surfing LZ4 gives a good increase in real speed.
 
Correct me if I'm wrong but I had read that AES-128 is fine for those who are simply looking to protect their browsing from general snooping. AES-256 is secure for governmental type encryption but for staying secure while traveling, etc then the lower grade encryption is fine. Being at 128 will also help throughput on lower end devices.

I hope this is not much of a threadjack, but it is about trying to keep secure... While running 2.4.0 on the router as a server and there are clients who are not yet at 2.4.0, does the following line allow the 2.3.x clients to select AES-128-CBC or AES-256-CBC while allowing 2.4.0 clients to use -GCM?

Code:
Negotiable ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
Just a question about those negotiable ciphers: I read at https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage that the first cipher from the cipher list will be pushed to clients that support cipher negotiation.
So as I understood, with the settings shown above the server will first push AES-128-GCM. If the client rejects this, the server will secondly push AES-256-GCM, and so on. In case of hardening security, shouldn't it be the other way around? Like this: AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC ?
 
AES-128-GCM is preferred due to performance reasons. For home usage, AES-128-GCM is already quite secure, and there's little point in significantly slowing down performance by using 256-bit.
 
What and where should I change settings to get this working without warnings? I get these warnings in syslog:
Code:
Feb 25 12:28:33 openvpn[923]: 89.142.65.241 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1550'
Feb 25 12:28:33 openvpn[923]: 89.142.65.241 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
Feb 25 12:28:33 openvpn[923]: 89.142.65.241 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
 
Set:
Auth to: SHA1
Cipher to: AES-256-CBC
Must match on both sides, server/client.
Look at the PUSH string in the log coming from your VPN provider, if you use one.
 
I am using OpenVPN....
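A small Python model of the two points discussed above (the order of the negotiable-cipher list decides what a negotiating client gets, and a non-negotiating client falls back to the static cipher, which must match on both sides), written here as an added example rather than code from the thread or from OpenVPN itself. It assumes the simplified selection rule stated in its comments; the option_warnings helper only reproduces the format of the syslog lines quoted above so the mismatch can be spotted before connecting.

```python
# Added example (not from the thread): a simplified model of how an OpenVPN 2.4
# server picks the data-channel cipher. Assumption: the server pushes the first
# entry of its negotiable-cipher list that the client also advertises; clients
# that cannot negotiate (2.3.x) use their static --cipher, which must equal the
# server's --cipher. Real OpenVPN has more cases than this.

AEAD_CIPHERS = {"AES-128-GCM", "AES-256-GCM"}


def negotiate_cipher(server_ncp, client_ncp, server_static, client_static):
    """Return the data-channel cipher the server will use for this client.
    client_ncp is None for a client that cannot negotiate (OpenVPN 2.3.x)."""
    if client_ncp is None:
        # Legacy client: both sides must be configured with the same --cipher.
        if server_static != client_static:
            raise ValueError(
                f"cipher mismatch: server {server_static}, client {client_static}")
        return server_static
    for cipher in server_ncp:  # server list order expresses preference
        if cipher in client_ncp:
            return cipher
    # Nothing in common: behave like a legacy client and use the static cipher.
    return negotiate_cipher(server_ncp, None, server_static, client_static)


def data_channel_auth(cipher, configured_auth):
    """AEAD ciphers (GCM) carry their own integrity tag, so the HMAC digest set
    with --auth is not used on the data channel; OpenVPN reports [null-digest]."""
    return "[null-digest]" if cipher in AEAD_CIPHERS else configured_auth


def option_warnings(local, remote):
    """Mimic the 'is used inconsistently' checks from the quoted syslog lines:
    compare each option both sides report and return the ones that differ."""
    return [
        f"WARNING: '{k}' is used inconsistently, "
        f"local='{k} {local[k]}', remote='{k} {remote.get(k)}'"
        for k in sorted(local) if local[k] != remote.get(k)
    ]


if __name__ == "__main__":
    # Constructed scenario: the list from the thread, a 2.4 client, a 2.3 client.
    server_list = ["AES-128-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC"]
    print(negotiate_cipher(server_list, ["AES-256-GCM", "AES-128-GCM"],
                           "AES-256-CBC", "AES-256-CBC"))   # AES-128-GCM
    print(negotiate_cipher(server_list, None, "AES-256-CBC", "AES-256-CBC"))
    for w in option_warnings({"cipher": "AES-256-CBC", "auth": "SHA1"},
                             {"cipher": "AES-256-GCM", "auth": "[null-digest]"}):
        print(w)
```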
 