I just installed OpenVPN on my VPS, solely for my use when I am out and about. I'm afraid, however, that I am not getting this, but instead I am at 128.
The reason I think this is because when I look at the SSL that was generated when OpenVPN was installed, the cert is 128 bit.
I did add these lines to both the client and server configuration directives in the CP:
cipher AES-256-CBC
keysize 256
and reloaded everything.
Because I am using this primarily on iOS devices, I can't tell what the encryption level is when I connect. Can anyone guide me please? I did some googling and searching through these forums, but didn't see anything relevant. If it is posted elsewhere, forgive me in advance and thanks for the help!
Want full 256 encryption
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Aug 08, 2013 7:31 pm
Re: Want full 256 encryption
If it helps any, these are the logs from my iOS device:
2013-08-08 18:17:58 SSL Handshake: TLSv1.0/SSL-EDH-RSA-AES-256-SHA
2013-08-08 18:17:58 Session is ACTIVE
2013-08-08 18:17:59 EVENT: GET_CONFIG
2013-08-08 18:17:59 Sending PUSH_REQUEST to server...
2013-08-08 18:17:59 OPTIONS:
0 [explicit-exit-notify]
1 [topology] [subnet]
2 [route-delay] [5] [30]
3 [dhcp-pre-release]
4 [dhcp-renew]
5 [dhcp-release]
6 [route-metric] [101]
7 [ping] [12]
8 [ping-restart] [50]
9 [redirect-gateway] [def1]
10 [redirect-gateway] [bypass-dhcp]
11 [redirect-gateway] [autolocal]
12 [route-gateway] [5.5.8.1]
13 [dhcp-option] [DNS] [8.8.8.8]
14 [dhcp-option] [DNS] [8.8.4.4]
15 [register-dns]
16 [auth-token] ...
17 [compress] [snappy]
18 [ifconfig] [5.5.8.2] [255.255.248.0]
2013-08-08 18:17:59 using session token
2013-08-08 18:17:59 SNAPPY init asym=0
2013-08-08 18:17:59 EVENT: ASSIGN_IP
2013-08-08 18:17:59 Connected via tun
2013-08-08 18:17:59 EVENT: CONNECTED vpncert@myipaddress:1194 (myipaddress) via /UDPv4 on tun/5.5.8.2/
I see the handshake is 256 but obviously I'm more concerned about the traffic itself.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Aug 08, 2013 7:31 pm
Re: Want full 256 encryption
Any ideas out there?
-
- OpenVPN Super User
- Posts: 219
- Joined: Mon Nov 23, 2009 8:24 pm
Re: Want full 256 encryption
Your current settings:
cipher AES-256-CBC
keysize 256
Should do the trick to use 256 bit encryption. You could add
auth sha256
to even use sha256 for authentication. (HMAC) This way you are building an enforced cryptosetup with high crypto in your entire system, for both data- and control-channel.
The other option is to use the directive
tls-cipher [ciphersuite]
in both client and server-config.
OpenVPN shows you the available options via
openvpn --show-tls
And then of course pick one of the 256 bit options
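One way to check the settings discussed in this thread, as an added example (not code from the forum posts or from OpenVPN): it compares the `cipher`, `keysize`, `auth` and `tls-cipher` directives across a server and a client config, and reads the AES key size from the client's `SSL Handshake:` log line, which describes the control channel only. The config snippets are constructed and the function names are hypothetical.

```python
import re

# Directives named in this thread that must agree on both ends of the tunnel.
CHECKED = ("cipher", "keysize", "auth", "tls-cipher")

# Constructed sample configs (not the poster's real files).
SERVER_CONF = """port 1194
cipher AES-256-CBC
keysize 256
auth sha256   # HMAC digest
"""
CLIENT_CONF = """client
cipher AES-256-CBC
keysize 256
"""
# Handshake line as posted in the thread's iOS client log.
HANDSHAKE = "2013-08-08 18:17:58 SSL Handshake: TLSv1.0/SSL-EDH-RSA-AES-256-SHA"

def parse_directives(conf_text):
    """Return {directive: value} for the checked directives in a config."""
    found = {}
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in CHECKED:
            found[parts[0]] = parts[1]
    return found

def audit(server_conf, client_conf):
    """Report checked directives that are unset or differ between the configs."""
    srv, cli = parse_directives(server_conf), parse_directives(client_conf)
    findings = []
    for name in CHECKED:
        s, c = srv.get(name), cli.get(name)
        if s is None and c is None:
            findings.append(f"{name}: not set on either side, built-in default applies")
        elif s is None or c is None or s.lower() != c.lower():  # assumption: names compare case-insensitively
            findings.append(f"{name}: server={s!r} client={c!r}")
    return findings

def handshake_bits(log_line):
    """AES key size from an 'SSL Handshake:' line (control channel only)."""
    m = re.search(r"SSL Handshake: \S*AES-?(\d{3})", log_line)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    print("control channel AES bits:", handshake_bits(HANDSHAKE))
    for finding in audit(SERVER_CONF, CLIENT_CONF):
        print("config:", finding)
```
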