mirror of
https://github.com/pivpn/pivpn.git
synced 2024-12-19 03:10:16 +00:00
Updated Home (markdown)
parent
22002cb515
commit
9c197efd50
1 changed files with 27 additions and 1 deletions
28
Home.md
@ -24,4 +24,30 @@ server=members.dyndns.org
login=username
password='password'
mydyn.domain.com
```
```
## OpenVPN Technical Information
### Info on TLS
'Modern' OpenVPN (2.x, using the TLS mode) basically sets up two connections:
The 'control channel'. This is a low bandwidth channel, over which e.g. network parameters and key material for the 'data channel' is exchanged'. OpenVPN uses TLS to protect control channel packets.
The 'data channel'. This is the channel over which the actual VPN traffic is sent. This channel is keyed with key material exchanged over the control channel.
Both these channels are duplexed over a single TCP or UDP port.
--tls-cipher controls the cipher used by the control channel. --cipher together with --auth control the protection of the data channel.
And regarding security, OpenVPN uses encrypt-then-mac for its data channel, rather than mac-then-encrypt like TLS. All the CBC-related issues you hear about are due to the combination mac-then-encrypt + CBC. This means that AES-CBC for the data channel is perfectly fine from a security perspective.
(And there is no GCM support for the data channel yet. That will arrive in OpenVPN 2.4.)
If I wanted to specify ciphers, this is the list I'd use (I think):
`TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384`
`TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384`
`TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384`
`TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384`
`TLS-DHE-RSA-WITH-AES-256-GCM-SHA384`
`TLS-DHE-RSA-WITH-AES-256-CBC-SHA256`
`TLS-DHE-RSA-WITH-AES-128-GCM-SHA256`
`TLS-DHE-RSA-WITH-AES-128-CBC-SHA256`
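Review bot: the `--tls-cipher` suite list at the end of the hunk is published with an "(I think)" hedge, which a wiki page that users will copy into their server config should not carry; either verify the names against the local build (`openvpn --show-tls` prints the suites the linked TLS library accepts, in this same `TLS-...` naming) and drop the hedge, or drop the list. The list also never shows how it is applied: `--tls-cipher` takes the suites as one colon-separated value, so a single `tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:...` line would make the intent unambiguous. Two smaller points: the sentence "(And there is no GCM support for the data channel yet. That will arrive in OpenVPN 2.4.)" is tied to a specific release and will read as wrong once 2.4 is the installed version, so state which OpenVPN version the section describes; and "key material for the 'data channel' is exchanged'." has a stray apostrophe after "exchanged".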