What's new

OpenVPN Key Length

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Hello World

Occasional Visitor
OpenVPN on Asuswrt-Merlin: Anyone know how to check or change the key length. OpenVPN recommends we use an RSA key size of 2048 bits or more, but no less. That said, I don't see how to check it or change it. Asus-WRT will automatically generate a .ovpn file with the Certification Authority key when you drop down the advanced settings. I don't see the key length anywhere.

Update: Ok, I see the key length in the log file when connecting to VPN. It's 1024,
I think. It shows up in the log file as: "Apr 28 19:10:41 openvpn[1024]: 189.128.56.47:62127 TLS: Username/Password authentication succeeded for username 'VPNMan'

How do we change it to 2048? I'm currently running 378.56 if that makes a difference.
 
You will have to generate your own keys and certificates. The router's auto-generated keys are set to 1024-bit for performance reasons.
 
You will have to generate your own keys and certificates. The router's auto-generated keys are set to 1024-bit for performance reasons.

yep - and if geo-locking only, might consider just not doing encryption all together - we know where and who you are (Big Communications/Media Corp) - it's all logged in any event...
 
yep - and if geo-locking only, might consider just not doing encryption all together - we know where and who you are (Big Communications/Media Corp) - it's all logged in any event...

He's talking about his router's server. That's typically for remote access.
 
I wish I could make my OpenVPN server work on my router :-(
ever since I've upgraded my N66U to firmware 380.58, my server isn't working...getting "openVPN core error : PolarSSL:error parsing ca certificate : x509 - The CRT/CRL/CSR format is invalid, e.g. diffrent type expected
Can someone please point me to an easy openvpn on RMerlin firmware guide?
 
Even then - most traffic these days is TLS driven, so it's encryption on top of encryption...
I use VPN when I'm on a Public WiFi. I'm not trying to mask my location. In fact, when I'm on my VPN, the IP becomes my home address. I'm trying to prevent little hackers from seeing my traffic when I'm on a public hotspot.
 
The RSA key in this context is just for authentication if I remember correctly :)
 
He's talking about his router's server. That's typically for remote access.
Hi Merlin, I know this is more of an OpenVPN question than a Merlin-WRT question. You mentioned the default on Merlin-WRT is 1028 for performance. Do you have any idea how to change the key length to 2048? I've tried to download OpenVPN and create a CA, but the file "init-config" is no longer included in OpenVPN 2.0 and higher. I'm at a loss on how to create the 2048 bit keys. Is there a way to make the Merlin FW spit out a 2048 key?
 
Hi Merlin, I know this is more of an OpenVPN question than a Merlin-WRT question. You mentioned the default on Merlin-WRT is 1028 for performance. Do you have any idea how to change the key length to 2048? I've tried to download OpenVPN and create a CA, but the file "init-config" is no longer included in OpenVPN 2.0 and higher. I'm at a loss on how to create the 2048 bit keys. Is there a way to make the Merlin FW spit out a 2048 key?

https://github.com/RMerl/asuswrt-merlin/wiki/Generating-OpenVPN-keys-using-Easy-RSA
 
Hmmmm, I followed the directions on your link but it doesn't work. My USB disk mounted under /mnt/sda1 (using a USB 3.0 disk and drive). It never creates a directory easy-rsa. Any thoughts on what I'm doing wrong?

Works for me. Post the output of your commands.
 
Works for me. Post the output of your commands.
Ok,
please dont laugh. Here's what I tried to do in the run command on the router. But nothing happens.

upload_2016-5-1_16-53-0.png
 
Ok,
please dont laugh. Here's what I tried to do in the run command on the router. But nothing happens.

View attachment 6190

This must be done over SSH. You cannot do it on this page.

What firmware are you running BTW? That page was removed years ago...
 
See, I told you not to laugh :( I'm running 378.56_2 I'll try with SSH (if I can figure it out). Thanks.

Update: Ha! It worked. Thanks Merlin.
 
Last edited:
Key length >=zero and <= ?
I followed the github URL referenced above, but don't see where it explains how to set a minimum size of key. Is it reasonable to use a minimal key size with OpenVPN to ameliorate performance (or encryption off entirely) and just rely on authentication and HMAC for security? This server is running Merlin (378.50) in USA and accessed from Canda for netflix, so I don't really care if people peek at my traffic. Thnks in advance, and kudos (@RMerlin) on the excellent Merlin environment.
 
I would say that using a key length of 1024 bit is sufficient for home users. AES-128-CBC with SHA1 will give you the best performance there.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top