Using AES-GCM encryption algorithm for OpenVPN site-to-site shared key
-
AES-GCM isn’t available for OpenVPN site-to-site shared key type VPN connections in pfSense 2.4.4.
Is this something that just isn’t possible (maybe due to the omission of a TLS key) in shared key VPN setups? Or is it possible this encryption type could be added in later versions of OpenVPN on pfSense?
-
You need Negotiable Cryptographic Parameters to get AES-GCM which are only available in SSL/TLS connections.
Generate some certs and do SSL/TLS.
-
@Derelict Hi, thanks for the reply. SSL/TLS is what I’m currently using at the moment, only I have NCP turned off and AES-GCM is still a selectable option?
-
@Jimbo123 Is there a specific question hidden in there somewhere?
-
@Derelict Well what I was getting at was that I have NCP turned off and I’m still able to select AES-GCM as an option so wouldn’t this suggest that you don’t need NCP for this encryption type? Could there be another reason why I can’t use AES-GCM with a shared key configuration?
-
Everything you might want to know about it is here:
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-
@Derelict Thanks
-
It looks like you need SSL/TLS but not necessarily NCP enabled. As to why, that would be a better question for the OpenVPN developers since they are the ones disallowing GCM modes in Shared-Key. Probably requires the ability of the server to push information to the client, which is unavailable in Shared-Key mode.
Everyone should be using SSL/TLS anyway.
-
@Derelict Ah OK, thanks for investigating. I was just reading through that link you sent me. There are a lot of useful command line options in there.
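As an added illustration of the conclusion reached above (not from the thread, and not the config pfSense generates), here are the two OpenVPN 2.4 modes side by side as separate config files. The first is the shared-key (static key) form, which as Derelict says cannot take a GCM cipher; the second is the SSL/TLS server form where `cipher AES-256-GCM` is accepted even with NCP turned off, matching what Jimbo123 observed in the GUI. Addresses, file paths and key names are placeholders.

```conf
# ---- File 1: shared-key site-to-site (static key mode) ----
# Assumed: a static key generated with `openvpn --genkey --secret static.key`
dev tun
proto udp
remote 203.0.113.2 1194          # placeholder peer address
ifconfig 10.8.0.1 10.8.0.2       # placeholder tunnel endpoints
secret /etc/openvpn/static.key
cipher AES-256-CBC               # CBC plus a separate HMAC works in static key mode;
auth SHA256                      # AES-256-GCM is refused here, as discussed in the thread

# ---- File 2: SSL/TLS site-to-site, server side ----
# Assumed: a CA, server cert/key and DH parameters already generated
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0    # placeholder tunnel network
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0   # control-channel HMAC; the client side uses direction 1
cipher AES-256-GCM               # AEAD cipher: data-channel integrity comes from GCM itself
auth SHA256                      # with an AEAD cipher this only selects the tls-auth digest
ncp-disable                      # GCM still works with NCP off; NCP is not what enables it
```

Each fragment is a complete file on its own; the client-side SSL/TLS config mirrors File 2 with `client`, `remote`, its own cert/key and `tls-auth ... 1`. If NCP is later re-enabled, `ncp-ciphers AES-256-GCM:AES-128-GCM` on both ends lets the peers negotiate a GCM cipher instead of pinning one with `cipher`.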