Question regarding OpenVPN Config
-
Hi,
I am currently using the following setup and it would be great if someone could take a look and make recommendations.
I built the setup according to various manuals, the netgate performance optimization page as well as the official setup manual.
Thanks much!
Edit: I use a 2048-bit long TLS-Key, should I increase it?
-
The sky is the limit of how long your keys can be.
It's always a balance between security/performance and what you are trying to protect.
For example, tunneling general HTTPS traffic from internal sites would have yet another layer of TLS-encrypted traffic. A longer key would make life much more difficult for a MITM attack. But it will be indifferent for protecting things from port scanning, scripts, casual Wi-Fi snooping etc.
Do check your peer connections though.
Different and rather recent OpenVPN security parameters aren't always supported by various clients, especially mobile (if any).
It's bad to find out halfway through deployment, and have to revert and redeploy afterwards.
-
@netblues
Hello netblues, thanks for the response.
What do you think about the DH Parameter Length, should I set it to a number or is it okay to leave it at "ECDH Only"?
Best,
kkit
-
@kkit ECDH stands for Elliptic Curve Diffie-Hellman.
ECDH is believed to be one of the most secure versions of Diffie-Hellman, and is preferable in many cases. If it works for you and you need to ask, then you probably don't need to fiddle with it.
-
@netblues I'm trying to optimize for performance with a good security balance. But that works for me too, thanks for the input.