Hi,

On 18-03-2020 14:27, Ralf Hildebrandt wrote:
>>> cipher AES-256-CBC
>>> auth SHA256
>>
>> AES-256-GCM is what you want, because it's less overhead than -CBC+SHA
>> (AEAD, crypt-and-hash in one go)
>
> tls-version-min 1.2
> tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
> ncp-cipher AES-256-GCM:AES-256-CBC
> auth SHA256
> dh none
> ecdh-curve secp384r1
>
> like on https://www.privacy-handbuch.de/handbuch_97a.htm ?
This seems good advice, yes. If you can update all configs: consider also adding "cipher AES-256-GCM" (or CBC if you have 2.3 peers around) to prevent any corner cases where OpenVPN might fall back to BF-CBC. If performance is an issue, you might consider using AES-128, which is slightly faster and good enough for most purposes, though possibly not secure against future quantum computers.

Further: in order of preference, use --tls-crypt-v2 (not released yet, new in OpenVPN 2.5), --tls-crypt (2.4+) or --tls-auth.

-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
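As an added example (not code from the thread or from the OpenVPN project), a small Python checker that parses an OpenVPN config and flags the points raised above: no explicit `cipher` (possible BF-CBC fall-back), a non-AEAD or BF-CBC cipher, BF-CBC in `ncp-cipher`, a low `tls-version-min`, and which of `tls-crypt-v2` / `tls-crypt` / `tls-auth` protects the control channel. The sample config is constructed and `server.key` is a placeholder file name.

```python
# Constructed sample config following the thread's recommendations (not from the original post).
SAMPLE_CONFIG = """\
tls-version-min 1.2
cipher AES-256-GCM
ncp-cipher AES-256-GCM:AES-256-CBC
auth SHA256
tls-crypt-v2 server.key
"""

def parse_config(text):
    """Return {option: [args...]} for an OpenVPN config; '#'/';' comments and blanks are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts

def audit(text):
    """Check a config against the thread's advice; returns a list of findings (empty = clean)."""
    o = parse_config(text)
    findings = []
    # Control channel: tls-crypt-v2 > tls-crypt > tls-auth, per the reply's order of preference.
    if 'tls-crypt-v2' not in o:
        if 'tls-crypt' in o:
            findings.append('INFO: tls-crypt in use; tls-crypt-v2 (OpenVPN 2.5) is preferred')
        elif 'tls-auth' in o:
            findings.append('WARN: tls-auth in use; prefer tls-crypt-v2 or tls-crypt')
        else:
            findings.append('WARN: no control-channel protection (tls-crypt-v2/tls-crypt/tls-auth)')
    # An explicit cipher avoids corner cases where a peer falls back to the old BF-CBC default.
    cipher = o.get('cipher', [None])[0]
    if cipher is None:
        findings.append('WARN: no explicit "cipher"; peers may fall back to BF-CBC')
    elif cipher.upper() == 'BF-CBC':
        findings.append('FAIL: cipher BF-CBC is a 64-bit block cipher')
    elif not cipher.upper().endswith('-GCM'):
        findings.append('INFO: %s is not AEAD; AES-*-GCM has less overhead than CBC+HMAC' % cipher)
    # The negotiated cipher list should not advertise BF-CBC either.
    if 'BF-CBC' in o.get('ncp-cipher', [''])[0].upper().split(':'):
        findings.append('FAIL: ncp-cipher advertises BF-CBC')
    # Without tls-version-min the older default minimum applies.
    if o.get('tls-version-min', ['1.0'])[0] not in ('1.2', '1.3'):
        findings.append('WARN: tls-version-min should be 1.2 or higher')
    return findings
```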