Hi,

On 06-08-17 10:35, Yevgeny Kosarzhevsky wrote:
> OpenVPN without encryption or with weak encryption using '--auth none
> --no-iv --no-replay' is still a great tool for tunneling traffic over the
> UDP protocol. IPIP, L2TP or other known tunneling solutions may be blocked
> in certain countries. This is the reason I would vote to keep the no-iv
> option in the upcoming 2.5 release.
As of 2.4, OpenVPN supports the lower-overhead AES-GCM crypto modes. Consider
using these instead.

The average per-packet overhead of this solution is 20 (IP) + 8 (UDP) + 4
(average CBC padding for BF-CBC) or 8 (average CBC padding for AES) = 32 or 36
bytes.

The average per-packet overhead of the AES-128-GCM/AES-256-GCM is 20 (IP) + 8
(UDP) + 4 (GCM IV) + 16 (GCM tag) = 48 bytes.

So the difference is just 12 or 16 bytes, but gives you a huge gain in
security. On top of that, GCM gives you a very nice hardware speedup on modern
CPUs.

(The old AES-CBC + HMAC-SHA1 would add up to 20 (IP) + 8 (UDP) + 16 (IV) + 4
(packet id) + 8 (avg. CBC padding) + 20 (HMAC-SHA1) = 76 bytes. Or 64 bytes
for BF-CBC + HMAC-SHA1.)

-Steffan
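As an added illustration (not part of the thread and not OpenVPN project code), the Python below models the per-packet overhead accounting from Steffan's reply as functions of a concrete payload length instead of rounded averages. Header and field sizes are the ones stated in the message; CBC padding is modelled PKCS#7 style (always 1 to block_size bytes), so the mean padding over uniformly distributed payload lengths comes out at (block_size + 1) / 2, i.e. 4.5 and 8.5 bytes, next to the rounded 4 and 8 used above. All function names and the sample payload sizes are my own assumptions.

```python
# Added example, not OpenVPN code: model the OpenVPN data-channel per-packet
# overhead for the configurations discussed in the thread. Field sizes come
# from the message; function names and sample payload sizes are assumptions.

IP_HDR = 20   # IPv4 header
UDP_HDR = 8   # UDP header

BLOCK_BF = 8    # Blowfish block size (BF-CBC)
BLOCK_AES = 16  # AES block size (AES-CBC)


def cbc_padding(plaintext_len: int, block_size: int) -> int:
    """Bytes of padding CBC adds: PKCS#7 style, always 1..block_size."""
    return block_size - (plaintext_len % block_size)


def average_cbc_padding(block_size: int) -> float:
    """Exact mean padding over uniformly distributed payload lengths.

    pad takes each value 1..block_size equally often -> (block_size + 1) / 2.
    """
    return sum(cbc_padding(n, block_size) for n in range(block_size)) / block_size


def overhead_stripped_cbc(payload_len: int, block_size: int) -> int:
    """'--auth none --no-iv --no-replay': only IP/UDP headers plus CBC
    padding remain; no IV, no packet id, no HMAC (and no integrity at all)."""
    return IP_HDR + UDP_HDR + cbc_padding(payload_len, block_size)


def overhead_cbc_hmac_sha1(payload_len: int, block_size: int) -> int:
    """Classic CBC + HMAC-SHA1 data channel: IV, 4-byte packet id, padding,
    HMAC tag. The packet id is encrypted together with the payload, so it
    counts towards the length that gets padded."""
    iv_len = block_size        # CBC IV is one cipher block
    packet_id_len = 4          # replay-protection counter
    hmac_len = 20              # HMAC-SHA1 output
    padded = cbc_padding(payload_len + packet_id_len, block_size)
    return IP_HDR + UDP_HDR + iv_len + packet_id_len + padded + hmac_len


def overhead_aes_gcm(payload_len: int) -> int:
    """AES-128/256-GCM: 4-byte explicit IV (the packet id) + 16-byte tag and
    no padding, so the overhead is constant whatever the payload length."""
    gcm_iv_len = 4
    gcm_tag_len = 16
    return IP_HDR + UDP_HDR + gcm_iv_len + gcm_tag_len


def gcm_cost_over_stripped(payload_len: int, block_size: int) -> int:
    """Extra bytes AES-GCM costs versus the unauthenticated stripped mode."""
    return overhead_aes_gcm(payload_len) - overhead_stripped_cbc(payload_len, block_size)


def overhead_table(payload_len: int) -> dict:
    """All configurations side by side for one payload length."""
    return {
        "BF-CBC --auth none --no-iv --no-replay": overhead_stripped_cbc(payload_len, BLOCK_BF),
        "AES-CBC --auth none --no-iv --no-replay": overhead_stripped_cbc(payload_len, BLOCK_AES),
        "BF-CBC + HMAC-SHA1": overhead_cbc_hmac_sha1(payload_len, BLOCK_BF),
        "AES-CBC + HMAC-SHA1": overhead_cbc_hmac_sha1(payload_len, BLOCK_AES),
        "AES-GCM": overhead_aes_gcm(payload_len),
    }


if __name__ == "__main__":
    for n in (40, 100, 1400):   # constructed sample payload sizes
        print(n, overhead_table(n))
    print("mean CBC padding BF/AES:",
          average_cbc_padding(BLOCK_BF), average_cbc_padding(BLOCK_AES))
```

Running it shows the point of the reply in numbers: the GCM column is a flat 48 bytes, the stripped CBC column moves between 29 and 36 (BF) or 29 and 44 (AES) with the payload length, and the gap between them never exceeds 19 bytes for BF-CBC.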