7

I'm currently using the --tls-cipher command on the server to only allow the cipher I want (TLS-DHE-RSA-WITH-AES-256-GCM-SHA384), but there is the command --cipher too, and OpenVPN's man page is not really clear about the differences between them. Googling also returned no useful information. Many websites also tell me I should use the two too but don't say why, so I wanted to check here first.

Do I need to use --tls-cipher + --cipher to make sure I only use AES-256-GCM to encrypt the connection?

I'm on OpenVPN 2.3.

Freedo
  • 2
    I think one is for the TLS tunnel and the other for data channel. If you want to use the TLS mode, use the two to be sure. – r00t Jun 29 '15 at 08:41
  • What's the difference? And won't that just add more overhead to my server? `--cipher` only accepts AES with CBC, not exactly top security. – Freedo Jun 29 '15 at 16:41

1 Answer

13

'Modern' OpenVPN (2.x, using the TLS mode) basically sets up two connections:

  1. The 'control channel'. This is a low bandwidth channel, over which e.g. network parameters and key material for the 'data channel' are exchanged. OpenVPN uses TLS to protect control channel packets.

  2. The 'data channel'. This is the channel over which the actual VPN traffic is sent. This channel is keyed with key material exchanged over the control channel.

Both these channels are duplexed over a single TCP or UDP port.

--tls-cipher controls the cipher used by the control channel. --cipher together with --auth control the protection of the data channel.

And regarding security, OpenVPN uses encrypt-then-mac for its data channel, rather than mac-then-encrypt like TLS. All the CBC-related issues you hear about are due to the combination mac-then-encrypt + CBC. This means that AES-CBC for the data channel is perfectly fine from a security perspective.

(And there is no GCM support for the data channel yet. That will arrive in OpenVPN 2.4.)

Steffan Karger
  • I see... so --tls-auth is for the TLS control channel only too? Do you recommend using --use-prediction-resistance to complement CBC or do you think it's not necessary? – Freedo Jun 30 '15 at 20:58
  • 1
    No, I do not think that is necessary. The RNGs used by OpenVPN without --use-prediction-resistance are perfectly fine to use. IMHO, this option is for the paranoid only ;) But while I'm giving recommendations: if you control both server and client, you should really consider using --tls-version-min 1.2 at both ends. – Steffan Karger Jul 01 '15 at 19:15
  • One more addition : using `--tls-cipher` and `--cipher` **MUST** be with proper OpenSSL config for CA to make a client and server cert. – Alexey Vesnin Feb 11 '16 at 19:47
  • @stefan-karger, what do `auth` and `tls-auth` mean for OpenVPN? Similarly to `cipher`, I can suggest that the first one is the HMAC for the data channel and the second one is the HMAC key for the control (TLS) channel. Is that correct? Why then is the second one generated manually via OpenVPN and the second one is not? Thanks. – ipeacocks Feb 19 '17 at 06:19
  • 1
    @ipeacocks: see the OpenVPN man page for `--tls-auth`: "Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack." In TLS mode, OpenVPN generates a fresh `auth` key for every connection (just like for `cipher`). But `--tls-auth` protects the control channel, and therefore needs a pre-shared key. – Steffan Karger Feb 21 '17 at 22:08
  • @stefan-karger, so if I use only TLS mode I don't need to use the `--tls-auth` option? The `auth` option will do all the HMAC work. Right? – ipeacocks Feb 22 '17 at 22:39
  • 1
    @ipeacocks: no, `auth` is just for the data channel. `tls-auth` is not *required*, but definitely recommended, as I quoted from the man page, "to mitigate DoS attacks and attacks on the TLS stack". Really, go read the man page. – Steffan Karger Feb 24 '17 at 22:49
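
The control-channel/data-channel split described in the answer and its comments can be checked mechanically. The following is an added example, not part of the original thread and not OpenVPN code: it groups the directives named above by the channel they protect and lists what a config leaves unpinned. The names `parse_config` and `audit` and the sample config are constructed for illustration, and quoted arguments are not handled.

```python
# Which channel each directive protects, per the answer and comments above.
CHANNEL = {
    "tls-cipher": "control", "tls-version-min": "control", "tls-auth": "control",
    "cipher": "data", "auth": "data",
}

# Constructed sample config: only the control-channel cipher is pinned.
SAMPLE_CONFIG = """\
# constructed server config, not from the original post
port 1194
proto udp
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
;cipher AES-256-CBC
tls-version-min 1.0  # lower than the 1.2 recommended in the comments
"""

def parse_config(text):
    """Return {directive: [args]} for the directives listed in CHANNEL."""
    found = {}
    for raw in text.splitlines():
        tokens = []
        for tok in raw.split():
            if tok[0] in "#;":          # a comment starts at the beginning of a token
                break
            tokens.append(tok)
        if tokens:
            name = tokens[0].lstrip("-")  # accept command-line style --name too
            if name in CHANNEL:
                found[name] = tokens[1:]
    return found

def audit(text):
    """Group settings by channel and list what is left unpinned."""
    found = parse_config(text)
    report = {"control": {}, "data": {}}
    for name, channel in CHANNEL.items():
        report[channel][name] = " ".join(found[name]) if name in found else None
    findings = []
    for name in ("cipher", "auth"):
        if report["data"][name] is None:
            findings.append(f"--{name} unset: --tls-cipher does not cover the data channel")
    if report["control"]["tls-auth"] is None:
        findings.append("--tls-auth unset: no extra HMAC layer on the control channel")
    tls_min = (found.get("tls-version-min") or ["0"])[0]
    if tuple(int(p) for p in tls_min.split(".")) < (1, 2):
        findings.append("--tls-version-min unset or below 1.2")
    return report, findings

if __name__ == "__main__":
    report, findings = audit(SAMPLE_CONFIG)
    print(report)
    print("\n".join(findings))
```

On the sample, the report shows `tls-cipher` set for the control channel while `cipher` and `auth` are both empty for the data channel, which is the situation the question describes.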