Want full 256 encryption

deekin
OpenVpn Newbie
Posts: 3
Joined: Thu Aug 08, 2013 7:31 pm

Want full 256 encryption

Post by deekin » Thu Aug 08, 2013 7:37 pm

I just installed OpenVPN on my VPS, solely for my use when I am out and about. I'm afraid, however, that I am not getting this, but instead I am at 128.

The reason I think this is because when I look at the SSL that was generated when OpenVPN was installed, the cert is 128 bit.

I did add these lines to both the client and server configuration directives in the CP:

cipher AES-256-CBC
keysize 256

and reloaded everything.

Because I am using this primarily on iOS devices, I can't tell what the encryption level is when I connect. Can anyone guide me please? I did some googling and searching through these forums, but didn't see anything relevant. If it is posted elsewhere, forgive me in advance and thanks for the help!

Re: Want full 256 encryption

Post by deekin » Thu Aug 08, 2013 11:04 pm

If it helps any, these are the logs from my iOS device:

2013-08-08 18:17:58 SSL Handshake: TLSv1.0/SSL-EDH-RSA-AES-256-SHA
2013-08-08 18:17:58 Session is ACTIVE
2013-08-08 18:17:59 EVENT: GET_CONFIG
2013-08-08 18:17:59 Sending PUSH_REQUEST to server...
2013-08-08 18:17:59 OPTIONS:
0 [explicit-exit-notify]
1 [topology] [subnet]
2 [route-delay] [5] [30]
3 [dhcp-pre-release]
4 [dhcp-renew]
5 [dhcp-release]
6 [route-metric] [101]
7 [ping] [12]
8 [ping-restart] [50]
9 [redirect-gateway] [def1]
10 [redirect-gateway] [bypass-dhcp]
11 [redirect-gateway] [autolocal]
12 [route-gateway] [5.5.8.1]
13 [dhcp-option] [DNS] [8.8.8.8]
14 [dhcp-option] [DNS] [8.8.4.4]
15 [register-dns]
16 [auth-token] ...
17 [compress] [snappy]
18 [ifconfig] [5.5.8.2] [255.255.248.0]

2013-08-08 18:17:59 using session token
2013-08-08 18:17:59 SNAPPY init asym=0
2013-08-08 18:17:59 EVENT: ASSIGN_IP
2013-08-08 18:17:59 Connected via tun
2013-08-08 18:17:59 EVENT: CONNECTED vpncert@myipaddress:1194 (myipaddress) via /UDPv4 on tun/5.5.8.2/

I see the handshake is 256 but obviously I'm more concerned about the traffic itself.

Re: Want full 256 encryption

Post by deekin » Wed Aug 14, 2013 1:55 am

Any ideas out there?

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Want full 256 encryption

Post by mwandelaar » Wed Aug 14, 2013 5:24 am

Your current settings:
cipher AES-256-CBC
keysize 256
Should do the trick to use 256 bit encryption. You could add

auth sha256

to even use sha256 for authentication (HMAC). This way you are building an enforced crypto setup with high crypto in your entire system, for both data and control channel.

The other option is to use the directive

tls-cipher [ciphersuite]

in both client and server config.
OpenVPN shows you the available options via

openvpn --show-tls

And then of course pick one of the 256 bit options ;)
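
An added example, not part of the thread or of OpenVPN itself: a small Python audit that reads a server and a client config and reports where the data-channel cipher or HMAC digest falls below 256 bits, differs between the two sides, or where tls-cipher is unset. The two config texts are constructed samples, and the BF-CBC/SHA1 defaults applied to missing directives are an assumption based on community OpenVPN 2.3.

```python
import re

# Assumed defaults (community OpenVPN 2.3) when a directive is absent.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}
DIGEST_BITS = {"MD5": 128, "SHA1": 160, "SHA256": 256, "SHA512": 512}
DIRECTIVES = ("cipher", "keysize", "auth", "tls-cipher")

# Constructed sample configs: the client is missing the auth line.
SERVER_CONF = "port 1194\ncipher AES-256-CBC\nkeysize 256\nauth sha256\n"
CLIENT_CONF = "remote vpn.example 1194\ncipher AES-256-CBC  # data channel\nkeysize 256\n"

def parse(conf):
    """Return the crypto directives present in an OpenVPN config text."""
    found = {}
    for line in conf.splitlines():
        parts = re.split(r"[#;]", line)[0].split()  # drop comments
        if len(parts) >= 2 and parts[0] in DIRECTIVES:
            found[parts[0]] = parts[1]
    return found

def cipher_bits(name, keysize=None):
    """Key size from names like AES-256-CBC; otherwise keysize, else 128 (BF-CBC)."""
    m = re.search(r"-(\d{3})-", name)
    return int(m.group(1)) if m else int(keysize or 128)

def audit(server_conf, client_conf, want=256):
    """List every setting that is below `want` bits or differs between the sides."""
    findings = []
    srv, cli = parse(server_conf), parse(client_conf)
    for key in ("cipher", "auth"):
        s = srv.get(key, DEFAULTS[key]).upper()
        c = cli.get(key, DEFAULTS[key]).upper()
        if s != c:
            findings.append(f"{key}: server={s} client={c} (mismatch)")
        for side, conf, val in (("server", srv, s), ("client", cli, c)):
            size = (cipher_bits(val, conf.get("keysize")) if key == "cipher"
                    else DIGEST_BITS.get(val, 0))
            if size < want:
                findings.append(f"{key}: {side} uses {val} ({size} bit)")
    for side, conf in (("server", srv), ("client", cli)):
        if "tls-cipher" not in conf:
            findings.append(f"tls-cipher: {side} leaves the control-channel suite to negotiation")
    return findings

if __name__ == "__main__":
    for finding in audit(SERVER_CONF, CLIENT_CONF):
        print(finding)
```
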
