Updated Home (markdown)

0-kaladin 2016-04-26 10:45:16 -04:00
parent 22002cb515
commit 9c197efd50

26
Home.md

@ -25,3 +25,29 @@ login=username
password='password'
mydyn.domain.com
```
## OpenVPN Technical Information
### Info on TLS
'Modern' OpenVPN (2.x, using the TLS mode) basically sets up two connections:
The 'control channel'. This is a low bandwidth channel, over which e.g. network parameters and key material for the 'data channel' is exchanged'. OpenVPN uses TLS to protect control channel packets.
The 'data channel'. This is the channel over which the actual VPN traffic is sent. This channel is keyed with key material exchanged over the control channel.
Both these channels are duplexed over a single TCP or UDP port.
--tls-cipher controls the cipher used by the control channel. --cipher together with --auth control the protection of the data channel.
And regarding security, OpenVPN uses encrypt-then-mac for its data channel, rather than mac-then-encrypt like TLS. All the CBC-related issues you hear about are due to the combination mac-then-encrypt + CBC. This means that AES-CBC for the data channel is perfectly fine from a security perspective.
(And there is no GCM support for the data channel yet. That will arrive in OpenVPN 2.4.)
If I wanted to specify ciphers, this is the list I'd use (I think):
`TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384`
`TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384`
`TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384`
`TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384`
`TLS-DHE-RSA-WITH-AES-256-GCM-SHA384`
`TLS-DHE-RSA-WITH-AES-256-CBC-SHA256`
`TLS-DHE-RSA-WITH-AES-128-GCM-SHA256`
`TLS-DHE-RSA-WITH-AES-128-CBC-SHA256`