Good evening all.
I've successfully installed OpenVPN on Ubuntu and have a few clients connecting, all is good.
I decided to enable cipher AES-256-CBC encryption in the server and client config files.
Everything works fine, but:
I need to know if using the 256-bit AES encryption uses more processing/bandwidth than the default 128-bit Blowfish encryption? It's just that I noticed that ping times seem to fluctuate slightly.
Also I noticed that clients disconnect/reconnect every hour (re-negotiate the TLS session), and on the OpenVPN site it says it is set to a default of 1 hour, but gives no details on how to change this. Is there a way to increase this?
Any info appreciated!!
Thanks
cipher AES-256-CBC
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- OpenVPN Super User
- Posts: 219
- Joined: Mon Nov 23, 2009 8:24 pm
Re: cipher AES-256-CBC
Of course AES-256-CBC is more compute-intensive than the "default" crypto scheme, BF-128-CBC.
On the other hand, on a normal CPU you won't notice the difference. And on Linux systems you can speed up the AES cycles by loading the AES kernel module. Even better: OpenSSL (the crypto suite used by OpenVPN) supports the VIA PadLock engine. By using a VIA processor with this extension, you could accelerate all the crypto calculations using the hardware.
You also mentioned a slightly variable RTT for ICMP packets. I don't think this has anything to do with the crypto, but more with the local network, unless the client or server has a significant CPU load. So can you explain more about your setup and the values of the ping times?
Hint: be aware: only using "tls-cipher AES-256-CBC" isn't enough to totally encrypt your traffic with 256 bits. This TLS cipher encrypts the control channel. The data channel is still BF-160. If you want AES-256 for all the traffic, both server and client need the directive "keysize 256" in their config file.
The "disconnect-reconnect" is not really disconnecting. The server and client are re-negotiating the symmetric key for the data channel. The directive "reneg-sec <nr of seconds>" changes the default. Depending on the content you're protecting, I think 1 hour should still be fine.
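The reply above turns on three OpenVPN directives: `cipher` (the data-channel cipher; in OpenVPN `tls-cipher` takes TLS suite names and only restricts the control channel), `keysize`, and `reneg-sec`. The following checker is an added example, not code from the thread or from the OpenVPN project. It parses constructed server and client configs embedded inline, reports the effective data-channel cipher, key length and renegotiation interval, and flags the mistake the reply warns about (a TLS cipher restriction with no `cipher` line, so the data channel stays on the default). The defaults it assumes (BF-CBC, 128-bit key, 3600-second `reneg-sec`) are those of the OpenVPN 2.x releases this thread concerns; the key length for AES is taken from the cipher name, and `keysize` is honoured only for variable-key ciphers such as Blowfish.

```python
import re

# Assumed defaults of the OpenVPN 2.x releases discussed in the thread.
DEFAULT_CIPHER = "BF-CBC"
DEFAULT_KEYSIZE = 128      # Blowfish default key length in OpenVPN
DEFAULT_RENEG_SEC = 3600   # the hourly renegotiation the poster noticed


def parse_openvpn_config(text):
    """Map directive -> argument list. Lines starting with '#' or ';' are
    comments; a repeated directive is overridden by the later occurrence."""
    parsed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        parsed[parts[0].lower()] = parts[1:]
    return parsed


def check_config(text):
    """Summarise the settings that govern data-channel protection."""
    cfg = parse_openvpn_config(text)
    cipher = cfg.get("cipher", [DEFAULT_CIPHER])[0].upper()
    tls_cipher = cfg.get("tls-cipher")
    reneg_sec = int(cfg["reneg-sec"][0]) if "reneg-sec" in cfg else DEFAULT_RENEG_SEC

    # AES ciphers carry their key length in the name (AES-128/192/256-...).
    m = re.match(r"AES-(\d+)-", cipher)
    if m:
        keysize = int(m.group(1))
    elif "keysize" in cfg:
        keysize = int(cfg["keysize"][0])   # variable-key cipher such as BF-CBC
    else:
        keysize = DEFAULT_KEYSIZE

    warnings = []
    if tls_cipher and "cipher" not in cfg:
        warnings.append("tls-cipher only restricts the TLS control channel; "
                        "the data channel still uses the default " + DEFAULT_CIPHER)
    if cipher.startswith("BF-"):
        warnings.append("Blowfish uses a 64-bit block; prefer AES for the data channel")

    return {
        "data_cipher": cipher,
        "keysize": keysize,
        "reneg_sec": reneg_sec,
        "control_channel_restricted": tls_cipher is not None,
        "warnings": warnings,
    }


def compare_endpoints(server_text, client_text):
    """Both sides must agree on the data-channel cipher; renegotiation is
    triggered by whichever side has the shorter reneg-sec."""
    s, c = check_config(server_text), check_config(client_text)
    return {
        "cipher_match": (s["data_cipher"], s["keysize"]) == (c["data_cipher"], c["keysize"]),
        "effective_reneg_sec": min(s["reneg_sec"], c["reneg_sec"]),
    }


# Constructed sample configs (not from the thread).
SERVER_TLS_CIPHER_ONLY = """
# mistake described in the reply: control channel restricted, data channel untouched
port 1194
proto udp
dev tun
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
"""

SERVER_AES = """
port 1194
proto udp
dev tun
cipher AES-256-CBC
reneg-sec 7200
"""

CLIENT_AES = """
client
dev tun
remote vpn.example.invalid 1194
cipher AES-256-CBC
; client keeps the default hourly renegotiation
"""

if __name__ == "__main__":
    for name, text in [("tls-cipher only", SERVER_TLS_CIPHER_ONLY), ("AES server", SERVER_AES)]:
        print(name, check_config(text))
    print("server vs client", compare_endpoints(SERVER_AES, CLIENT_AES))
```

Running it shows the first sample still on BF-CBC with an hourly renegotiation despite the TLS cipher line, and that raising `reneg-sec` on the server alone does not help: the client's default 3600 seconds still wins, which is why the reply says both sides need the directive.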