    PFS on OpenVPN?

Satras:

Sorry, but is Perfect Forward Secrecy enabled by default when using the wizard to set up the OpenVPN server?

How can I check if Perfect Forward Secrecy is enabled on my server?

meruem:

Bump, I'm curious, and this was the second hit on Google.

Pippin:

Set verb 4 in the server, restart, and search for

    dh_file =

and

    Diffie-Hellman initialized with XXXX bit key

in the log.

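An added example of the check Pippin describes, not code from this thread, from pfSense or from OpenVPN: a small Python script that scans an OpenVPN log written at verb 4 for the two lines above, reports which DH parameter file was loaded and how large the DH key is, and compares that size against a minimum. The sample log lines are constructed for the example (the path, timestamps and sizes are invented), and the single-quoted `dh_file = '...'` form assumes the layout of OpenVPN's startup option dump.

```python
import re
import sys
from typing import Optional

# The two verb-4 log lines this thread says to look for.
DH_FILE_RE = re.compile(r"dh_file\s*=\s*'([^']*)'")
DH_INIT_RE = re.compile(r"Diffie-Hellman initialized with (\d+) bit key")

# Constructed sample, not a capture from anyone's server: the shape follows an
# OpenVPN startup at verb 4 (option dump, then DH initialisation), but the
# timestamps, path and key size are invented for this example.
SAMPLE_LOG = """\
Tue Jan 12 10:00:01 2021 us=100 Current Parameter Settings:
Tue Jan 12 10:00:01 2021 us=101   dh_file = '/path/to/dh-parameters.pem'
Tue Jan 12 10:00:01 2021 us=102   tls_server = ENABLED
Tue Jan 12 10:00:01 2021 us=103 Diffie-Hellman initialized with 1024 bit key
Tue Jan 12 10:00:01 2021 us=104 Initialization Sequence Completed
"""


def find_dh_file(log_text: str) -> Optional[str]:
    """Path of the DH parameter file named in the option dump, or None."""
    m = DH_FILE_RE.search(log_text)
    return m.group(1) if m else None


def find_dh_bits(log_text: str) -> Optional[int]:
    """DH key size reported at startup, or None if no such line exists."""
    m = DH_INIT_RE.search(log_text)
    return int(m.group(1)) if m else None


def assess_pfs(log_text: str, minimum_bits: int = 2048) -> dict:
    """Summarise what the log says about DH-based forward secrecy.

    A 'Diffie-Hellman initialized' line means the server loaded DH parameters,
    so the TLS control channel can negotiate an ephemeral DH key per session.
    The size is then compared with the minimum the thread recommends (2048).
    """
    dh_file = find_dh_file(log_text)
    bits = find_dh_bits(log_text)
    if bits is None:
        verdict = ("no DH initialisation line found: raise verb to 4 and "
                   "restart, or DH parameters are not in use")
    elif bits < minimum_bits:
        verdict = (f"DH parameters loaded, but {bits}-bit is below the "
                   f"{minimum_bits}-bit minimum")
    else:
        verdict = f"DH parameters loaded at {bits}-bit (meets {minimum_bits}-bit minimum)"
    return {
        "dh_file": dh_file,
        "dh_bits": bits,
        "meets_minimum": bits is not None and bits >= minimum_bits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Pass a log file path to scan a real log; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in assess_pfs(text).items():
        print(f"{key}: {value}")
```

Run it with the path of the OpenVPN server log as the only argument after restarting the server at verb 4; with no argument it scans the constructed sample and reports the 1024-bit case below the 2048-bit minimum.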
meruem:

Verbosity 4, and in the log I see

    Diffie-Hellman initialized with 1024 bit key

            But does this mean anything to you:

            "Any Diffie-Hellman key exchange will provide you with Forward Secrecy, but you should only select Ephemeral key exchange to obtain Perfect Forward Secrecy (a brand new session key for every session). This is usually displayed in the cipher suite in the form of DHE or EDH. You should also include Elliptic Curve DHE suites as they are faster than their DHE counterparts and should be prioritised above them where possible. You can opt to exclude DHE suites and just stick with ECDHE suites. See my Qualys SSL Test for details on which suites I'm running on my blog. Also, ensure you enforce the ordering of your ciphers by using 'ssl_prefer_server_ciphers on;' in nginx and 'SSLHonorCipherOrder on' in Apache."

            src: https://scotthelme.co.uk/perfect-forward-secrecy/

Pippin:

It's advised to use a minimum of 2048-bit DH...

meruem:

@Pippin: "It's advised to use a minimum of 2048-bit DH..."

How do I enforce that or set that up? I believe when I set it up, all my key lengths were set to 2048.

meruem:

@Pippin: "It's advised to use a minimum of 2048-bit DH..."

Also, I was reading this:

                  "For branch office VPN tunnels and BOVPN virtual interfaces, the default DH group for both Phase 1 and Phase 2 is Diffie-Hellman Group 2. This group provides basic security and good performance. If the speed for tunnel initialization and rekey is not a concern, use a higher DH group. Actual initialization and rekey speed depends on a number of factors. You might want to try one of the higher DH groups and decide whether the slower performance time is a problem for your network. If the performance is unacceptable, change to a lower DH group."

                  src: http://www.watchguard.com/help/docs/wsm/xtm_11/en-us/content/en-us/bovpn/manual/diffie_hellman_c.html

Seems 1024 may be fine for my basic needs, connecting to home from work/phone.

Pippin:

In the OpenVPN server config you can select it under:
DH Parameter length (bits)

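The "DH Parameter length (bits)" setting decides how large the prime in the server's DH parameter file is, and that file can be checked directly rather than trusting the dropdown. The following is an added example, not code from this thread or from pfSense: it reads a PEM "DH PARAMETERS" file (PKCS#3 layout, a DER SEQUENCE of the prime p and generator g), returns the bit length of p, and compares it with a minimum. The sample file is constructed inside the script purely to exercise the parser; its p is a placeholder of the right size and is not a prime, so it must never be used as real DH parameters. The file path in the usage line is a placeholder.

```python
import base64
import sys


def _der_length(der: bytes, idx: int):
    """Decode the DER length field at der[idx]; return (length, next_index)."""
    first = der[idx]
    if first < 0x80:                      # short form: one byte
        return first, idx + 1
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(der[idx + 1:idx + 1 + n], "big"), idx + 1 + n


def dh_prime_bits(pem_text: str) -> int:
    """Bit length of the prime p in a PEM 'DH PARAMETERS' blob."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(body)
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, idx = _der_length(der, 1)          # skip over the SEQUENCE length
    if der[idx] != 0x02:
        raise ValueError("expected INTEGER p")
    plen, idx = _der_length(der, idx + 1)
    p = int.from_bytes(der[idx:idx + plen], "big")   # leading 0x00 pad is harmless
    return p.bit_length()


def meets_minimum(pem_text: str, minimum_bits: int = 2048) -> bool:
    """True when the DH prime is at least minimum_bits long."""
    return dh_prime_bits(pem_text) >= minimum_bits


def make_sample_dh_pem(bits: int) -> str:
    """Constructed test input only: a PKCS#3-shaped blob whose p has the
    requested size. p is NOT prime; never use this as real DH parameters."""
    def der_len(n: int) -> bytes:
        if n < 0x80:
            return bytes([n])
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(raw)]) + raw

    def der_int(v: int) -> bytes:
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        if raw[0] & 0x80:                 # keep the INTEGER positive
            raw = b"\x00" + raw
        return b"\x02" + der_len(len(raw)) + raw

    p = (1 << (bits - 1)) | 1             # placeholder of exactly `bits` bits
    g = 2
    content = der_int(p) + der_int(g)
    der = b"\x30" + der_len(len(content)) + content
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


if __name__ == "__main__":
    # Usage: python dhcheck.py /path/to/dh-parameters.pem   (placeholder path)
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else make_sample_dh_pem(1024)
    bits = dh_prime_bits(pem)
    status = "OK" if bits >= 2048 else "below 2048-bit minimum"
    print(f"DH prime is {bits} bits: {status}")
```

With no argument the script checks its own constructed 1024-bit sample and reports it as below the minimum; point it at the server's real DH parameter file to confirm what the "DH Parameter length (bits)" setting actually produced.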
meruem:

@Pippin: "In the OpenVPN server config you can select it under: DH Parameter length (bits)"

Oh ok, I see it. Do you still feel that 2048 is necessary? I'm worried about a performance hit.
