What is the purpose of Diffie-Hellman parameters?

Posted: Thu Sep 04, 2014 8:35 pm
by GuiTeK
Hello,

I'm setting up my OpenVPN server and I was wondering: what's the purpose of the Diffie-Hellman parameters? I understand it's used to exchange cryptographic keys secretly but why is it needed since OpenVPN already uses asymmetric encryption (RSA)?

While writing this post, I ultimately found this thread from the mailing lists: http://openvpn.net/archive/openvpn-user ... 00532.html
It says that RSA is only used for authentication and that D-H is then used to make the keys with which data is encrypted/decrypted. For two reasons:
  • D-H is subject to MITM attacks, so it can't be used for authentication
  • D-H is much faster than RSA to generate cryptographic keys, so it's better to use D-H to generate session keys
So the server and client certificates are indeed only used for authentication?

Re: What is the purpose of Diffie-Hellman parameters?

Posted: Wed Mar 09, 2022 3:51 pm
by glorsh66
Sorry for necroposting, but I want to ask the same questions!

Re: What is the purpose of Diffie-Hellman parameters?

Posted: Thu Jun 09, 2022 3:50 am
by Goodman74
If I remember right what I was taught before about VPNs:
- PKI and asymmetric keys (private & public) are used for authentication, which is very safe but not very fast.
- After the authentication process is finished and a tunnel (VPN) has been created, one symmetric key is used for transporting data, which is very fast but not very safe. Therefore unique parameters (a secret value) are used for every session, which are generated for both endpoints after the authentication process.
Updated link to a post about it: https://security.stackexchange.com/a/65877
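
Added example, not part of any post in this thread: a toy Python sketch of the split described in the first and last posts, where the long-term RSA key only signs the server's Diffie-Hellman public value and the per-session key comes from the DH exchange itself. The small primes, the generator and all function names are assumptions chosen for illustration and are far too weak for real use; a real TLS handshake also signs more than the DH value.

```python
import hashlib
import secrets

# Toy parameters (assumptions for illustration only, far too small for real use).
P = 2**127 - 1                                      # DH prime modulus
G = 3                                               # DH generator
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537   # two Mersenne primes
RSA_N = RSA_P * RSA_Q                               # server's public modulus
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server's private exponent

def digest(value):
    """Hash a DH public value to an integer below the RSA modulus."""
    h = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(h, "big") % RSA_N

def sign(value):
    """Server side: sign with the long-term private key."""
    return pow(digest(value), RSA_D, RSA_N)

def verify(value, sig):
    """Client side: check with the public key from the server certificate."""
    return pow(sig, RSA_E, RSA_N) == digest(value)

def dh_keypair():
    """Fresh (ephemeral) DH key pair, generated once per session."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    """Derive the symmetric session key from the shared DH secret."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(str(shared).encode()).hexdigest()

def handshake(tamper=False):
    """Return (client_key, server_key, signature_ok) for one session."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    sig = sign(s_pub)                  # RSA authenticates the DH value
    received_pub = s_pub
    if tamper:                         # DH value replaced in transit
        _, received_pub = dh_keypair()
    ok = verify(received_pub, sig)     # client aborts when this is False
    return session_key(c_priv, received_pub), session_key(s_priv, c_pub), ok
```

With `tamper=True` the signature check fails, which is what unauthenticated DH alone cannot detect, and each call to `handshake()` yields a different session key because the DH key pairs are regenerated.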