Open lodgnewt opened 7 years ago
Defaults are:
OpenVPN 2.3: SHA1 HMAC authentication and BF-CBC cipher
OpenVPN 2.4: SHA1 HMAC authentication and AES-256-GCM cipher
Defaults @buchdag mentioned are correct. OpenVPN 2.3 defaults are not secure. OpenVPN 2.4 defaults are reasonable, but can be strengthened if both client and server support the stronger options.
To see supported options for your environment, use the following commands:
openvpn --show-ciphers
to show all cipher algorithms available for use.
openvpn --show-digests
to show all message digest algorithms available for use.
openvpn --show-tls
to show all TLS ciphers (sorted from highest to lowest preference).
For Docker, you'll want to launch an interactive terminal within the container: docker exec -i -t kylemanna/openvpn:latest /bin/bash
If you want more secure defaults (assuming your router is fast enough to support strong crypto), you can specify the options you want to be included in the config file. For example:
docker run \
--network=none \
-v $PWD:/etc/openvpn \
--rm -t -i kylemanna/openvpn ovpn_genconfig \
-u udp://your-vpn-address.com \
-C 'AES-256-CBC' \
-a 'SHA512' \
-T 'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384'
Leave off the -T line if you're not familiar with how TLS ciphersuite negotiations work and which suites are better than others. Also see https://github.com/kylemanna/docker-openvpn/blob/master/docs/paranoid.md.
I want to configure a connection to the server with a router (firmware Andy Padavan rt-n56u). What types of "Authentication Algorithm" and "Encryption Cipher Algorithm" are used in this openvpn configuration?