OpenVPN 2.5.0 config recomendation

[nash16]

Hi all,

I have 2 quick questions related with Security + new OpenVPN 2.5.0 (I'm using 386.1a2 on AC86U), I'd like to have the best balance between performance vs. security but I don't mind if some performance must be sacrificed by security (not too much), so the questions are:

1. Client-specific tls-crypt keys (–tls-crypt-v2) are supported now and I can see the option under "Encrypt Channel v2", should I change this from "Encrypt Channel" to the new one? Should I change something in the server config to work with this new feature?
2. What is the most secured/efficient/recommended HMAC Auth Digest (I used SHA256)? I can see lot of options for OpenVPN Client (which match with "openvpn --auth-digests" command) but they are different for Server side:

Thanks in advance!

 

[RMerlin]

Client-specific tls-crypt keys (–tls-crypt-v2) are supported now and I can see the option under "Encrypt Channel v2", should I change this from "Encrypt Channel" to the new one? Should I change something in the server config to work with this new feature?

I strongly recommend reading the OpenVPN manual before changing this. Using tls-crypt requires manual configuration on your part. And V2 is only partially supported.

What is the most secured/efficient/recommended HMAC Auth Digest (I used SHA256)? I

Using none at all is the best. If you use a GCM cipher, then the HMAC is no longer necessary, which will improve overall performance.

 

[nash16]

I strongly recommend reading the OpenVPN manual before changing this. Using tls-crypt requires manual configuration on your part. And V2 is only partially supported.



Using none at all is the best. If you use a GCM cipher, then the HMAC is no longer necessary, which will improve overall performance.

Thank you Eric! So, for summarize, please let me know if I'm wrong:

• Server:

• Client:

Btw, do you know if there's any option to push the route from remote to the IPSec VPN Server? If I connect to the IPSec IKEv2 server, I can see the devices in my local network but not the devices connected from the remote network with OpenVPN Server connected.
I mean,

• OpenVPN: Router1 AC86U acting as server connected successfully to the Router2 AC86U remote location acting as client with push route enabled for remote device discovery, everything works fine with OpenVPN.
• IPSec: Router1 AC86U with IPSec server enabled successfully connected to my mobile phone and from it, I can see the devices connected to the Router1 but not the same for devices connected to the Router2 (with OpenVPN Client connected successfully to the Router1).

The reasons of using IPSec for mobile are:

1. I can see better performance when I want to route all traffic through the VPN tunnel
2. OpenVPN Android App doesn't support CHACHA20-POLY1305 which is my main data-cipher right now with 2.5.0

Thank you so much for this FW and support, much appreciated

 

[RMerlin]

So, for summarize, please let me know if I'm wrong:

You can leave the HMAC to SHA256 if you wish, just for backward compatibility. Make sure you do use a GCM cipher, like AES-128-GCM.

Btw, do you know if there's any option to push the route from remote to the IPSec VPN Server?

No idea, I never really worked with Strongswan, aside from some debugging with the original Asus implementation, and performance tests.

 

[truglodite]

I read up a little bit on v2, and see that the latest merlin release has openvpn 2.5.2. I presume to use this would require manually configuring via ssh, since there's no v2 in the drop down box etc. I was hoping to try v2 out, but looks like I should probably stick to plain tls-crypt for now. I don't care much about exotic ciphers, but I would like to have the added flood resistance that v2 brings.

 

[RMerlin]

I read up a little bit on v2, and see that the latest merlin release has openvpn 2.5.2

2.5.7.

And this is a 2 years old thread.