About openvpn server configuration in last firmware

[Nemesis8]

Hi to all, my question is what is the most secure settings to put in the openvpn server i mean need activate compression? or the method of auth the channel bidirectional etc, and if onoy use to lan is secure or whats diference whern put lan and wan both

 

[RMerlin]

Keep compression disabled. Compression actually reduces security, brings very limited benefit since most traffic is either encrypted (https) or already compressed (images and videos), and OpenVPN will actually deprecate compression support with OpenVPN 2.6 due to these reasons.

For the rest, it depends on your needs, as security will be a balancing act with convenience. Optimal security would require you to learn how to generate your own client certificates, and rely on client certificate authentication, not just username/password.

You can protect yourself against a script kiddy (for this the default settings are fine), or you can try to protect yourself against a state-sponsored hacker (which will require a lot of extra work, including ditching the actual router and going with a business-grade router). Only know what compromises you are willing to make when balancing security vs convenience.

 

[Nemesis8]

Keep compression disabled. Compression actually reduces security, brings very limited benefit since most traffic is either encrypted (https) or already compressed (images and videos), and OpenVPN will actually deprecate compression support with OpenVPN 2.6 due to these reasons.

For the rest, it depends on your needs, as security will be a balancing act with convenience. Optimal security would require you to learn how to generate your own client certificates, and rely on client certificate authentication, not just username/password.

You can protect yourself against a script kiddy (for this the default settings are fine), or you can try to protect yourself against a state-sponsored hacker (which will require a lot of extra work, including ditching the actual router and going with a business-grade router). Only know what compromises you are willing to make when balancing security vs convenience.

Thank you for your answer, my intention is just to leave it with the most optimal configuration, and what you tell me is good, the other question was that when you use only LAN, is the traffic not fully encrypted? What is the difference when you use lan and wan

 

[RMerlin]

the other question was that when you use only LAN, is the traffic not fully encrypted? What is the difference when you use lan and wan

This determine whether remote clients will be able to access the LAN, the Internet (WAN), or both through the tunnel. If you don't want remote client's Internet traffic to be redirected through the VPN, then leave that to LAN.