PFS on OpenVPN?



  • Sorry, but is Perfect Forward Secrecy enabled by default when using the Wizard to set up the OpenVPN Server?

    How can I check if Perfect Forward Secrecy is enabled on my server?



  • bump, I'm curious, and this was the second hit on Google



  • Set verb 4 in the server, restart, and search for

    dh_file =

    and

    Diffie-Hellman initialized with XXXX bit key

    in the log.
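    An added example, not code from this thread: a small Python checker that scans an OpenVPN verb 4 log for the two lines named above and reports the DH parameter size against the 2048-bit minimum recommended later in the thread. The log text is constructed, and the quoted `dh_file = '<path>'` form is assumed.

    ```python
    import re

    # Constructed sample of what OpenVPN writes at verb 4 (not a real capture).
    SAMPLE_LOG = """\
    Mon Jan  1 10:00:00 2018 OpenVPN 2.4 x86_64-unknown-linux-gnu [SSL (OpenSSL)]
    Mon Jan  1 10:00:00 2018 Current Parameter Settings:
    Mon Jan  1 10:00:00 2018   dh_file = '/var/etc/openvpn/server1.dh'
    Mon Jan  1 10:00:01 2018 Diffie-Hellman initialized with 1024 bit key
    Mon Jan  1 10:00:01 2018 Initialization Sequence Completed
    """

    # Assumed log formats: the settings dump quotes the path; the DH line is as quoted in the thread.
    DH_FILE_RE = re.compile(r"dh_file\s*=\s*'?([^'\s]+)'?")
    DH_BITS_RE = re.compile(r"Diffie-Hellman initialized with (\d+) bit key")


    def check_dh(log_text, minimum_bits=2048):
        """Return the DH file path, the DH modulus size in bits, and whether it
        meets the minimum. Missing lines yield None so the caller can tell
        'DH too small' from 'no DH line found at this verbosity'."""
        dh_file = None
        dh_bits = None
        for line in log_text.splitlines():
            m = DH_FILE_RE.search(line)
            if m:
                dh_file = m.group(1)
                continue
            m = DH_BITS_RE.search(line)
            if m:
                dh_bits = int(m.group(1))
        return {
            "dh_file": dh_file,
            "dh_bits": dh_bits,
            "meets_minimum": dh_bits is not None and dh_bits >= minimum_bits,
        }


    if __name__ == "__main__":
        result = check_dh(SAMPLE_LOG)
        if result["dh_bits"] is None:
            print("No Diffie-Hellman line found; is verb 4 set and the server restarted?")
        else:
            verdict = "OK" if result["meets_minimum"] else "below 2048-bit minimum"
            print(f"DH params {result['dh_file']}: {result['dh_bits']} bits ({verdict})")
    ```

    Feed it a real log with `check_dh(open('/var/log/openvpn.log').read())`; a missing DH line usually means the server was not restarted after raising the verbosity.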



  • Verbosity 4, and in the log I see

    Diffie-Hellman initialized with 1024 bit key


    But does this mean anything to you:

    "Any Diffie-Hellman key exchange will provide you with Forward Secrecy, but you should only select Ephemeral key exchange to obtain Perfect Forward Secrecy (a brand new session key for every session). This is usually displayed in the cipher suite in the form of DHE or EDH. You should also include Elliptic Curve DHE suites as they are faster than their DHE counterparts and should be prioritised above them where possible. You can opt to exclude DHE suites and just stick with ECDHE suites. See my Qualys SSL Test for details on which suites I'm running on my blog. Also, ensure you enforce the ordering of your ciphers by using 'ssl_prefer_server_ciphers on;' in nginx and 'SSLHonorCipherOrder on' in Apache."

    src: https://scotthelme.co.uk/perfect-forward-secrecy/



  • It's advised to use a minimum of 2048-bit DH…



  • @Pippin:

    It's advised to use a minimum of 2048-bit DH…

    How do I enforce that or set that up? I believe when I set it up, all my key lengths were set to 2048.



  • @Pippin:

    It's advised to use a minimum of 2048-bit DH…

    Also I was reading this

    "For branch office VPN tunnels and BOVPN virtual interfaces, the default DH group for both Phase 1 and Phase 2 is Diffie-Hellman Group 2. This group provides basic security and good performance. If the speed for tunnel initialization and rekey is not a concern, use a higher DH group. Actual initialization and rekey speed depends on a number of factors. You might want to try one of the higher DH groups and decide whether the slower performance time is a problem for your network. If the performance is unacceptable, change to a lower DH group."

    src: http://www.watchguard.com/help/docs/wsm/xtm_11/en-us/content/en-us/bovpn/manual/diffie_hellman_c.html

    Seems 1024 may be fine for my basic needs, connecting to home from work/phone.



  • In OpenVPN Server config you can select it under:
    DH Parameter length (bits)



  • @Pippin:

    In OpenVPN Server config you can select it under:
    DH Parameter length (bits)

    Oh ok, I see it. Do you still feel that 2048 is necessary? I'm worried about a performance hit.

