mirror of
https://github.com/pivpn/pivpn.git
synced 2024-12-19 03:10:16 +00:00
Updated Home (markdown)
parent
22002cb515
commit
9c197efd50
1 changed files with 27 additions and 1 deletions
26
Home.md
@ -25,3 +25,29 @@ login=username
password='password'
password='password'
mydyn.domain.com
mydyn.domain.com
```
```
## OpenVPN Technical Information
### Info on TLS
'Modern' OpenVPN (2.x, using the TLS mode) basically sets up two connections:
The 'control channel'. This is a low bandwidth channel, over which e.g. network parameters and key material for the 'data channel' is exchanged'. OpenVPN uses TLS to protect control channel packets.
The 'data channel'. This is the channel over which the actual VPN traffic is sent. This channel is keyed with key material exchanged over the control channel.
Both these channels are duplexed over a single TCP or UDP port.
--tls-cipher controls the cipher used by the control channel. --cipher together with --auth control the protection of the data channel.
And regarding security, OpenVPN uses encrypt-then-mac for its data channel, rather than mac-then-encrypt like TLS. All the CBC-related issues you hear about are due to the combination mac-then-encrypt + CBC. This means that AES-CBC for the data channel is perfectly fine from a security perspective.
(And there is no GCM support for the data channel yet. That will arrive in OpenVPN 2.4.)
If I wanted to specify ciphers, this is the list I'd use (I think):
`TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384`
`TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384`
`TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384`
`TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384`
`TLS-DHE-RSA-WITH-AES-256-GCM-SHA384`
`TLS-DHE-RSA-WITH-AES-256-CBC-SHA256`
`TLS-DHE-RSA-WITH-AES-128-GCM-SHA256`
`TLS-DHE-RSA-WITH-AES-128-CBC-SHA256`
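Review bot: the added "Info on TLS" text needs a wording fix, a dating caveat and a usage hint before it is merged into the wiki. In the control-channel paragraph, "key material for the 'data channel' is exchanged'." carries a stray closing quote after "exchanged", and "duplexed over a single TCP or UDP port" should read "multiplexed", since the point is that both channels share one port. The sentence "there is no GCM support for the data channel yet. That will arrive in OpenVPN 2.4." will read as wrong the moment 2.4 is current; state it as a version requirement instead ("AES-GCM on the data channel needs OpenVPN 2.4 or later"). Finally, the suite list is given one name per line with nothing saying what to do with it: `--tls-cipher` takes one colon-separated list, so showing the same suites joined with `:` on a single line, in the ``` fence style the page already uses above, would make the section copy-pasteable and make clear that the list belongs to `--tls-cipher` (control channel), not `--cipher`.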