What's new
By:

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Github snapshot test builds (Updated 30-May-2015)

Status
Not open for further replies.
Question.. Would it be possible to add some sort of page that shows how the QOS engine is sorting and prioritizing the traffic? Similar to what you get with Tomato with the pie charts and ports being used and all that?
 
Gitsum said:
Question.. Would it be possible to add some sort of page that shows how the QOS engine is sorting and prioritizing the traffic? Similar to what you get with Tomato with the pie charts and ports being used and all that?
Click to expand...

Lots of work involved, that would have a very low priority for me.
 
RMerlin said:
The webui itself was already hardened a few release ago. It will only accept the following ciphers (with a few explicit rejections at the end of that list):

Code: 
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-G
CM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-EC
DSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-
SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:
!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

OpenVPN allowed TLS are currently a bit wider, because of the need to inter operate with a variety of clients (for the server) and providers (for the client). I haven't decided yet on a good way to harden it without sacrificing compatibility. One solution I'm currently leaning toward is to have a specific suite of secure ciphers defined, and these would be allowed by default. There would probably be a webui option to enable support for weaker ciphers (which would be disabled by default).

I'm also tempted to make that a generic "Harden security" setting instead, which once enabled, would limit the available ciphers in addition to enforcing the use of TLS 1.0 or higher (currently it defaults to TLS 1.0 only for compatibility reasons - something that OpenVPN 2.3.7+ will be addressing in the future).

I'm still considering the available options there.
Click to expand...
Thanks for your extensive replies :)
 
Locking this thread as the final release is now available - thanks everyone who tested these alpha builds and provided some feedback.
 
Status
Not open for further replies.

Similar threads

R
DomainVPNRouting Domain VPN Routing v3.0.4 ***Release***
2 3
Replies
58
Views
5K
OBENZ
O
RMerlin
  • Locked
Beta Asuswrt-Merlin 3006.102.1 Beta is now available for WIfi 7 devices
3 4 5
Replies
97
Views
15K
RMerlin
RMerlin
G
Killswitch on updated RT-AX56U (V1) works
Replies
4
Views
1K
Viktor Jaep
Viktor Jaep
D
Asus Merlin - OpenVPN Policy Rules to direct Roku to another gateway
Replies
9
Views
2K
ColinTaylor
C
R
DomainVPNRouting Domain VPN Routing
3 4 5
Replies
96
Views
10K
Joyz
J
Similar threads
Thread starter Title Forum Replies Date
RMerlin Github repo stats Asuswrt-Merlin 5
RMerlin Wireguard benchmark test on RT-BE96U Asuswrt-Merlin 41
Z Speed Test Discrepancy Asuswrt-Merlin 5
RMerlin Beta Asuswrt-Merlin 3004.388.6_x test builds (dnsmasq 2.90) Asuswrt-Merlin 102
B Solved Speed test Asuswrt-Merlin 11

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 876 (members: 33, guests: 843)
Back
Top