Netgate Discussion Forum

    Is there any way at all to get Private Internet Access with AES 256?

    • lar

      I have been at this a week now and the moment I change from BF128CBC to AES256CBC it completely refuses to connect.
      Is there any way in Heaven or on Earth to get this to work with AES 256 bit?
      Thank you

      • lar

        I don't see why it does openVPN but not pfSense.

        • Derelict LAYER 8 Netgate

          If the server is set to only allow BF128 then that's what you have to use unless you get them to change it.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • johnpoz LAYER 8 Global Moderator

            get what to work???

            Tue Nov 03 12:16:25 2015 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
            <snipped>
            Tue Nov 03 12:16:26 2015 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
            Tue Nov 03 12:16:26 2015 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
            <snipped>
            Tue Nov 03 12:16:34 2015 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
            Tue Nov 03 12:16:34 2015 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
            Tue Nov 03 12:16:34 2015 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
            Tue Nov 03 12:16:34 2015 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
            <snipped>
            Tue Nov 03 12:16:44 2015 Initialization Sequence Completed
            Tue Nov 03 12:16:44 2015 MANAGEMENT: >STATE:1446574604,CONNECTED,SUCCESS,10.0.8.6,snipped

            Works fine here..

            I changed the cipher to AES-256-CBC, which is what you're asking for, even changed the auth to sha256 vs sha1

            I then edited client config

            cipher AES-256-CBC
            auth SHA256

            And as you can see bing bang zoom connected using that cipher and auth..

            edit:  You can not just change the client side.. Client has to match server - are you using openvpn-as, can show you how to change the default cipher if that is what you're asking??

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11
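
The check described in the post above (client `cipher`/`auth` must match the server, and the log shows what the data channel actually initialized with) can be scripted. This is an added example, not code from the thread or from Netgate; the sample config and logs are constructed, and it assumes the client log also carries OpenVPN's "used inconsistently" option warnings when the peer differs.

```python
import re

# Line formats taken from the client log quoted in the thread.
CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)' initialized")
HMAC_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Using \d+ bit message hash '([^']+)'")
# OpenVPN's option-consistency warning, logged when the peer's settings differ.
MISMATCH_RE = re.compile(
    r"WARNING: '(\w+)' is used inconsistently, local='([^']*)', remote='([^']*)'")

def client_directives(config_text):
    """Return the cipher/auth values set in a client config (None if unset)."""
    found = {"cipher": None, "auth": None}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop trailing comments
        if len(parts) >= 2 and parts[0] in found:
            found[parts[0]] = parts[1].upper()
    return found

def audit(config_text, log_text):
    """List disagreements between the config, the log, and the peer."""
    want = client_directives(config_text)
    seen = {"cipher": set(), "auth": set()}
    findings = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            findings.append(f"peer disagrees on {m.group(1)}: "
                            f"local={m.group(2)!r} remote={m.group(3)!r}")
        for key, rx in (("cipher", CIPHER_RE), ("auth", HMAC_RE)):
            m = rx.search(line)
            if m:
                seen[key].add(m.group(1).upper())
    for key in ("cipher", "auth"):
        if want[key] and seen[key] and seen[key] != {want[key]}:
            findings.append(f"{key}: config sets {want[key]}, log shows {sorted(seen[key])}")
    return findings

# Constructed samples: the config lines are the two from the post above.
CONFIG = "client\ncipher AES-256-CBC\nauth SHA256\n"
GOOD_LOG = """\
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Initialization Sequence Completed"""
BAD_LOG = """\
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(name, audit(CONFIG, log) or "consistent")
```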

            • Derelict LAYER 8 Netgate

              I think he's referring to connecting to the PIA service.

              • johnpoz LAYER 8 Global Moderator

                Well yeah if some service you have to match what they are using, or get them to change it on the instance you're connecting to..

                  • lar

                  how do I do the edited client config

                  cipher AES-256-CBC
                  auth SHA256
                  thing?
                  Thanks
