Hi,

On Thu, Apr 09, 2020 at 11:27:10AM +0200, Johannes Bauer wrote:
> > Regarding the various comments I have seen about openvpn being big and
> > bloated compared to wireguard: that's comparing apples and oranges.
> > Wireguard is little more than a Linux kernel module that only does
> > encryption using some form of preshared keys (TLS is a no-no).
>
> Preshared *public* keys, correct. In contrast to the PSK setup that
> OpenVPN offers, which is just symmetric keys. That's a world of a
> difference, mind you.
OpenVPN with a pre-shared secret has not been the recommended mode of operation for quite a number of years now (because it has no DH or equivalent). TLS with public/private crypto is what you should be using.

> > OpenVPN
> > is a user-space application that does way more than that, all based on
> > TLS.
>
> Is it all based on TLS? As far as I recall, OpenVPN rolled their own
> protocol, loosely based on some TLS parts, but their own thing
> regardless. With different crypto settings for the comms and bulk data
> channel, if I recall correctly. Am I misremembering or has this been
> aligned by now? You're saying OpenVPN uses just plain old DTLS when run
> over UDP?

There is a control channel, which is mostly "TLS over UDP", though not DTLS (because when the control channel protocol was defined, there was no DTLS). On that channel, handshaking is done, and based on key material from the TLS control channel, a symmetric session key for the data channel is negotiated. The data channel is, basically, "data packets wrapped in a layer of crypto + HMAC hash" (or, in the case of AEAD, "AEAD combined crypto+hash").

Some of the confusion regarding ciphers and hash algorithms comes from that - whether or not a given cipher algorithm is supported depends on "will the TLS library do it for the control channel" and "after a key has been negotiated, will the openvpn data layer support using it for data packets". Some of the ciphers need different API calls into the SSL libraries, so "just add a new data channel cipher" required actual code changes (like AEAD, and as far as I understand, CHACHA-POLY as well).

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
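The two data-channel shapes Gert describes above, as an added example that is not OpenVPN's code and not its wire format: a Go sketch (OpenVPN itself is written in C) of "crypto + HMAC" next to "AEAD combined crypto+hash", both fed by a stand-in for the key the control channel hands down. Everything here is constructed for the example: the key derivation (HMAC-SHA256 over a label), the packet layouts (IV || ciphertext || tag and nonce || ciphertext+tag), the AES-256-CTR and AES-256-GCM choice, and the sample secret and packet. It goes a little beyond the mail by also showing the receiver side, where the two shapes differ most.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hmacSHA256 serves as both the example KDF and the data-channel MAC.
func hmacSHA256(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil) // 32 bytes: usable as an AES-256 key or as a MAC tag
}

// deriveDataKeys stands in for the key material the control channel hands to the
// data channel. Constructed for this example; it is not OpenVPN's derivation.
func deriveDataKeys(master []byte) (encKey, macKey []byte) {
	return hmacSHA256(master, []byte("example encryption key")), hmacSHA256(master, []byte("example hmac key"))
}

// sealEtM is the "crypto + HMAC" shape: AES-256-CTR, then HMAC-SHA256 over
// IV||ciphertext. Constructed packet layout: IV || ciphertext || tag.
func sealEtM(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // fresh per packet; never reused under one key
	rand.Read(iv)                     // crypto/rand.Read is documented never to fail (Go 1.24+)
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	return append(append(iv, ct...), hmacSHA256(macKey, iv, ct)...), nil
}

// openEtM checks the tag in constant time before decrypting, so a forged or
// corrupted packet is dropped before its bytes ever reach the cipher.
func openEtM(encKey, macKey, pkt []byte) ([]byte, error) {
	body := len(pkt) - sha256.Size
	if body < aes.BlockSize {
		return nil, errors.New("packet too short")
	}
	if !hmac.Equal(hmacSHA256(macKey, pkt[:body]), pkt[body:]) {
		return nil, errors.New("HMAC mismatch: packet rejected")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, body-aes.BlockSize)
	cipher.NewCTR(block, pkt[:aes.BlockSize]).XORKeyStream(pt, pkt[aes.BlockSize:body])
	return pt, nil
}

// newGCM backs the "combined crypto+hash" shape: AES-256-GCM encrypts and
// authenticates in one primitive. Constructed packet layout: nonce || ciphertext+tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealAEAD(encKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit; must never repeat under one key
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func openAEAD(encKey, pkt []byte) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	if len(pkt) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("packet too short")
	}
	return gcm.Open(nil, pkt[:gcm.NonceSize()], pkt[gcm.NonceSize():], nil) // rejects any corruption
}

func main() {
	enc, mac := deriveDataKeys([]byte("constructed handshake secret"))
	pkt, _ := sealEtM(enc, mac, []byte("constructed inner packet"))
	pkt[aes.BlockSize] ^= 1 // corrupt one ciphertext byte; the HMAC check must reject it
	_, err := openEtM(enc, mac, pkt)
	fmt.Println("tampered EtM packet:", err)
}
```

In the "crypto + HMAC" shape the receiver has to get the ordering right itself (verify the tag with a constant-time compare, then decrypt), and the cipher and the MAC are driven through different library calls (`cipher.Stream` plus `crypto/hmac`). In the AEAD shape that property comes from the primitive, through a different API again (`cipher.AEAD`). That divergence in API surface is the kind of thing Gert refers to when he says a new data-channel cipher could mean real code changes rather than a new entry in a table.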
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users