Netgate Discussion Forum

Logjam - DH and OpenVPN

6 Posts 5 Posters 2.5k Views

2chemlud (May 20, 2015, 7:11 PM)

Hi!

What is the implication of this here for my OpenVPN connections:

https://weakdh.org/

…and what to do now? :-o

kind regards

chemlud
Darkk (May 21, 2015, 3:59 PM)

Since I use both OpenVPN in pfSense and OpenVPN Access Server (commercial version), I can say that by default it generates 2048-bit DH keys. I set mine to 4K in pfSense, so it should be pretty safe from this type of attack.

Keep in mind the tunnel is still using 256-bit encryption, which is still safe. It's the keys they are after. If they get those, then that 256-bit encryption is not going to offer any kind of protection regardless of bit size.
Blooregard (May 26, 2015, 11:35 AM)

More information about the Logjam and OpenVPN:

http://blog.ayaz.pk/2015/05/25/securing-openvpn-against-logjam/
Dennis1984120 (May 26, 2015, 9:29 PM)

More interesting is: how are the pfSense DH parameters generated? Are they built in and equal for each installation, or do they get generated while/after installing a new machine? And if I want to replace them, how can I do so? Documentation falls short, unfortunately.

Kind regards,
Dennis
jimp (Netgate Developer) (Jun 18, 2015, 7:09 PM)

The DH parameters are static and included in the repository. It is not difficult to generate new ones, but it can be very time consuming depending on the hardware in use.

https://doc.pfsense.org/index.php/Importing_OpenVPN_DH_Parameters

The time it takes to generate the DH parameters makes it highly impractical to generate them "on the fly", especially on older hardware. Even on current hardware it would add significant time to operations to re-generate them dynamically.
Dennis1984120 (Jun 27, 2015, 8:30 AM)

Thanks for your answer and your link to the docs. I generated my own already a month ago, which I feel is safer than using the default :).
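A defender's check to go with jimp's answer and Dennis's question about replacing the parameters, added here as an example and not code from any poster or from pfSense: it parses a PEM "DH PARAMETERS" file (the format `openssl dhparam` writes) using only the Python standard library, reports the prime size and generator, and flags groups below the 2048 bits weakdh.org recommends. The two PEM fixtures are constructed from a dummy top-bit-set integer rather than a real safe prime, so only the size check is meaningful for them; on a real file the same function reports the true group size.

```python
import base64
import re

def _der_len(n: int) -> bytes:
    """DER length, short or long form (helper for the constructed fixture)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v: int) -> bytes:
    """DER INTEGER for v >= 0; extra leading byte keeps the sign bit clear."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_param_bits(pem: str):
    """Return (prime_bits, generator) from a PEM 'DH PARAMETERS' blob,
    i.e. DER SEQUENCE { INTEGER p, INTEGER g } as written by openssl dhparam."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block in input")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)           # outer SEQUENCE
    tag_p, p_bytes, pos = _read_tlv(seq, 0)   # INTEGER p
    tag_g, g_bytes, _ = _read_tlv(seq, pos)   # INTEGER g
    if tag != 0x30 or tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("not a DH PARAMETERS structure")
    p = int.from_bytes(p_bytes, "big")        # a leading 0x00 pad byte is harmless
    return p.bit_length(), int.from_bytes(g_bytes, "big")

def is_logjam_weak(pem: str, minimum_bits: int = 2048) -> bool:
    """True when the group prime is below the 2048 bits weakdh.org recommends."""
    return dh_param_bits(pem)[0] < minimum_bits

def make_sample_pem(p: int, g: int = 2) -> str:
    """Constructed fixture only: wraps (p, g) as PEM. p is NOT a real safe prime."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"

# Constructed inputs with the top bit set, so bit_length is exactly 1024 / 4096.
WEAK_PEM = make_sample_pem((1 << 1023) | 1)     # 1024-bit, the size weakdh.org warns about
STRONG_PEM = make_sample_pem((1 << 4095) | 1)   # 4096-bit, Darkk's "4K" setting
```

To check a live file, pass the contents of the dhparam PEM (the one referenced from the OpenVPN server configuration) to `dh_param_bits` or `is_logjam_weak`.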