Asus RT-N66U OpenVPN TUN config

cezare

Occasional Visitor
Hi there,

I have 2x RT-N66U routers set up in different cities. Both are now running 378.55.
I am looking for advice to improve security & performance of my OpenVPN setup.

I used an old guide a year ago (which isn't online anymore) to set up one router as OpenVPN server and the other router as OpenVPN client.
I did not generate a certificate, I just set up the server like this:
http://imgur.com/8yYqVFV

Exported these settings and imported on the other router that is acting as a client.
Everything appears to work fine: the client is able to talk to all of the server's open resources, but I am not sure whether I am missing a big security or performance setting.

Any suggestions?
Thank you!
 
Hi there,

.
Everything appears to work fine: the client is able to talk to all server's open resources but I am not sure whether i am missing a big security, performance setting.

Any suggestions?
Thank you!

Would I be right in thinking you have no reason to believe there is any insecurity, but, because it was so quick and simple to set up, you feel you must have overlooked something critical? I had the same feeling.

Other than using a sniffer, like Wireshark, to check that your traffic is indeed encrypted, I don't know of a simple way to reassure oneself that the tunnel is secure. But I'm no expert at all. In my case, I have a server set up on my router so when I remotely set up a connection and run whatsmyip.org and see my router's public IP address, I know I have OpenVPN running. (It doesn't confirm the traffic is encrypted, but I'm assuming it's not possible to connect unless it is encrypted. And, anyway, a look in the logfile shows the sequence of handshaking events.)
 
I now also notice your encryption is set to BF-CBC. I checked mine and it shows "Default" - the default, factory restore setting. So that has started me thinking what exactly is "Default". (I notice also that "None" is directly underneath "Default", so I'll be especially careful in future.) That said, I tried switching to AES-256 bit on the assumption that is about as good as it gets, but ran into some problems connecting. I need to spend a bit more time on it, firstly, to see what "Default" encryption is and whether or not it should be altered by non-experts such as myself, and, secondly, if it is changed to, say, AES 256 bit, whether or not new config files need to be exported; my gut feeling is no. Nevertheless, on the subject of "missing a big security" setting, if I were you, I'd look into the reason why your encryption is BF-CBC. If nothing else, I'm sure you'd like to know what the letters stand for and how strong/secure such encryption is.
 
Thanks for your time Martinr.

You are absolutely correct: I did indeed follow a guide posted on another forum. It applied towards a slightly different router but the gist was the same. At the time I needed a quick solution and that was it because it worked flawlessly (speed mostly). I know, it is a lazy man's approach. Nevertheless, it worked for me. It is now that I am no longer under pressure and have the time to re-evaluate the situation.
BF-CBC is definitely what I've gazed upon right away. I do need to do some extensive reading on the subject of encryption but from what I remember, Blowfish (BF) is a fairly old cipher. Whether that's a good or bad thing, I am not sure. I will try giving the newer AES cipher a go and see what the difference may be.
Also, I wonder whether "compression" is something that will hinder the speed.
Did you go through the process of Certificate creation? I sure did not.
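
Added example (not part of any post in this thread): a small Python check over a server/client pair of OpenVPN configs for the points raised above, namely the cipher in use, one side changed without the other, compression, and running without certificates. The two configs are constructed samples, and static-key mode (`secret`) is an assumption based on the first post saying no certificate was generated; the host and key file names are made up.

```python
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"}  # 64-bit block ciphers
# Constructed samples (assumed static-key setup; host and key file names are made up).
# The server was switched to AES, the client still carries the old exported cipher.
SERVER = """dev tun
port 1194
secret static.key
cipher AES-256-CBC
comp-lzo adaptive
"""
CLIENT = """dev tun
remote vpn.example.net 1194
secret static.key
cipher BF-CBC
comp-lzo adaptive
"""

def parse(text):
    """Return {directive: [args]} for an OpenVPN config, skipping comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            directives[name] = args
    return directives

def audit_one(label, cfg):
    findings = []
    cipher = (cfg.get("cipher") or [None])[0]
    if cipher is None:
        findings.append(f"{label}: no cipher directive, the build default applies")
    elif cipher.lower() == "none":
        findings.append(f"{label}: cipher none, tunnel payload is not encrypted")
    elif cipher.upper() in WEAK_CIPHERS:
        findings.append(f"{label}: {cipher} is a 64-bit block cipher, prefer AES")
    if "secret" in cfg and "ca" not in cfg:
        findings.append(f"{label}: static key mode, no certificates or forward secrecy")
    return findings

def audit_pair(server_text, client_text):
    server, client = parse(server_text), parse(client_text)
    findings = audit_one("server", server) + audit_one("client", client)
    for name in ("cipher", "auth", "comp-lzo"):  # compared across both ends
        if server.get(name) != client.get(name):
            findings.append(f"mismatch: {name} {server.get(name)} vs {client.get(name)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_pair(SERVER, CLIENT)))
```

In static-key mode there is no cipher negotiation, so a `mismatch: cipher` finding means the two routers cannot exchange tunnel data until both configs name the same cipher.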
 
