    Question regarding OpenVPN Config

KKIT

      Hi,

      I am currently using the following setup and it would be great if someone could take a look and make recommendations.

      I built the setup according to various manuals, the netgate performance optimization page as well as the official setup manual.

      Thanks much!

      Edit: I use a 2048-bit long TLS-Key, should I increase it?
[three screenshots of the OpenVPN server settings attached]

netblues

        The sky is the limit of how long your keys can be.
It's always a balance between security/performance and what you are trying to protect.
        For example, tunneling general https traffic from internal sites would have yet another layer of tls encrypted traffic.

A longer key would make life much more difficult for a MITM attack. But it will be indifferent protecting things from port scanning, scripts, casual wifi snooping etc.

        Do check your peer connections though.
Different and rather recent OpenVPN security parameters aren't always supported by various clients, especially mobile (if any).
It's bad to find out half way through deployment, and reverting to redeployment afterwards.

KKIT @netblues

          @netblues
          Hello netblues, thanks for the response.
What do you think about the DH Parameter Length, should I set it to a number or is it okay to be left at "ECDH Only"?

          Best
          kkit

netblues @KKIT

@kkit ECDH stands for elliptic curve Diffie-Hellman.
            The ECDH is believed to be one of the most secure versions of the Diffie-Hellman, and is preferable in many cases.

            If it works for you and you need to ask, then probably you don't need to fiddle with it.

KKIT @netblues

@netblues I'm trying to optimize for performance with a good security balance. But that works for me too, thanks for the input.

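The two settings the thread keeps returning to (the "ECDH Only" DH choice and the 2048-bit TLS key) can be checked directly in the generated OpenVPN files. The following Python checker is an added example, not code from the forum or from pfSense; the sample config and static key are constructed, and the directive names (`dh none` for ECDH-only, `ecdh-curve`, `tls-crypt`) are standard OpenVPN. The static key that pfSense labels "TLS Key" is OpenVPN's "Static key V1" format, a fixed 256-byte (2048-bit) blob, which is why the checker reports its length rather than offering a way to grow it.

```python
import re

# Constructed sample server config, modelled on what a pfSense OpenVPN server
# emits with "DH Parameter Length: ECDH Only" and a tls-crypt key (assumption).
SAMPLE_CONFIG = """\
dev ovpns1
proto udp4
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
dh none
ecdh-curve prime256v1
tls-crypt /var/etc/openvpn/server1/tls-crypt.key
tls-version-min 1.2
"""

# Constructed static key in OpenVPN "Static key V1" layout: 16 lines of
# 32 hex characters = 256 bytes = 2048 bits. The bytes are filler, not a real key.
SAMPLE_STATIC_KEY = ("-----BEGIN OpenVPN Static key V1-----\n"
                     + "\n".join(f"{i:02x}" * 16 for i in range(16))
                     + "\n-----END OpenVPN Static key V1-----\n")

def parse_directives(text):
    """Return {directive: [args...]} for the directives relevant to key exchange."""
    wanted = {"dh", "ecdh-curve", "tls-auth", "tls-crypt", "tls-version-min"}
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line and line.split()[0] in wanted:
            found[line.split()[0]] = line.split()[1:]
    return found

def key_exchange_mode(directives):
    """'ecdh-only' for 'dh none' (pfSense 'ECDH Only'), 'ffdh' when a DH file is set."""
    dh = directives.get("dh")
    return "ecdh-only" if dh == ["none"] else "ffdh" if dh else "unknown"

def static_key_bits(text):
    """Bit length of an OpenVPN 'Static key V1' file; genkey output is always 2048."""
    m = re.search(r"BEGIN OpenVPN Static key V1-----(.*?)-----END", text, re.S)
    if not m:
        raise ValueError("no static key block found")
    hexdata = "".join(m.group(1).split())
    if not re.fullmatch(r"[0-9a-fA-F]+", hexdata) or len(hexdata) % 2:
        raise ValueError("malformed hex body")
    return len(hexdata) // 2 * 8

def review(config_text, key_text):
    """Summarise the key-exchange and control-channel settings of one server."""
    d = parse_directives(config_text)
    return {"key_exchange": key_exchange_mode(d),
            "curve": (d.get("ecdh-curve") or ["openssl-default"])[0],
            "control_channel": "tls-crypt" if "tls-crypt" in d
                               else "tls-auth" if "tls-auth" in d else "none",
            "static_key_bits": static_key_bits(key_text)}
```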
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.