Updated Home (markdown)

Home.md

@@ -25,3 +25,29 @@ login=username
 password='password'
 mydyn.domain.com
 ```
+
+## OpenVPN Technical Information
+
+### Info on TLS
+
+'Modern' OpenVPN (2.x, using the TLS mode) basically sets up two connections:
+
+The 'control channel'. This is a low bandwidth channel, over which e.g. network parameters and key material for the 'data channel' is exchanged'. OpenVPN uses TLS to protect control channel packets.
+The 'data channel'. This is the channel over which the actual VPN traffic is sent. This channel is keyed with key material exchanged over the control channel.
+Both these channels are duplexed over a single TCP or UDP port.
+
+--tls-cipher controls the cipher used by the control channel. --cipher together with --auth control the protection of the data channel.
+
+And regarding security, OpenVPN uses encrypt-then-mac for its data channel, rather than mac-then-encrypt like TLS. All the CBC-related issues you hear about are due to the combination mac-then-encrypt + CBC. This means that AES-CBC for the data channel is perfectly fine from a security perspective.
+
+(And there is no GCM support for the data channel yet. That will arrive in OpenVPN 2.4.)
+
+If I wanted to specify ciphers, this is the list I'd use (I think):
+`TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384`
+`TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384`
+`TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384`
+`TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384`
+`TLS-DHE-RSA-WITH-AES-256-GCM-SHA384`
+`TLS-DHE-RSA-WITH-AES-256-CBC-SHA256`
+`TLS-DHE-RSA-WITH-AES-128-GCM-SHA256`
+`TLS-DHE-RSA-WITH-AES-128-CBC-SHA256`