Authentication Algorithm and Encryption Cipher Algorithm #276

Open
lodgnewt opened this issue Jun 5, 2017 · 2 comments
Comments

@lodgnewt

lodgnewt commented Jun 5, 2017

I want to configure a connection to the server with a router (firmware Andy Padavan rt-n56u).
What types of "Authentication Algorithm" and "Encryption Cipher Algorithm" are used in this openvpn configuration?

@buchdag
Contributor

buchdag commented Jun 26, 2017

Defaults are:

OpenVPN 2.3 - SHA1 HMAC authentication and BF-CBC cipher
OpenVPN 2.4 - SHA1 HMAC authentication and AES-256-GCM cipher

@MatthewVance

Defaults @buchdag mentioned are correct. OpenVPN 2.3 defaults are not secure. OpenVPN 2.4 defaults are reasonable, but can be strengthened if both client and server support the stronger options.

To see supported options for your environment, use the following commands:

  • Run openvpn --show-ciphers to show all cipher algorithms available for use.
  • Run openvpn --show-digests to show all message digest algorithms available for use.
  • Run openvpn --show-tls to show all TLS ciphers (sorted from highest to lowest preference).

For Docker, you'll want to launch an interactive terminal within the container: docker exec -i -t kylemanna/openvpn:latest bin/bash.

If you want more secure defaults (assuming the router is fast enough to support strong crypto), you can specify the options you want to be included in the config file. For example:

docker run \
--network=none \
-v $PWD:/etc/openvpn \
--rm -t -i kylemanna/openvpn ovpn_genconfig \
-u udp://your-vpn-address.com \
-C 'AES-256-CBC' \
-a 'SHA512' \
-T 'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384'

Leave off the -T line if you're not familiar with how TLS ciphersuite negotiations work and which suites are better than others. Also see https://github.com/kylemanna/docker-openvpn/blob/master/docs/paranoid.md.
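As an added example (not code from the docker-openvpn project or from the commenters above), the following POSIX shell helper performs the check the previous comment describes: it confirms that a chosen data-channel cipher and HMAC digest appear in the local openvpn --show-ciphers / --show-digests output, rejects anything on a weak list (the OpenVPN 2.3 default BF-CBC among them), and only then prints the cipher / auth directives that ovpn_genconfig -C and -a write into openvpn.conf. The function names (check_choice, gen_directives, is_weak), the weak list, and the embedded sample output used when no openvpn binary is on PATH are assumptions made for this example, not anything the project ships.

```shell
#!/bin/sh
# Added example, not part of kylemanna/docker-openvpn. Checks a chosen
# data-channel cipher and HMAC digest against what the local OpenVPN build
# reports via --show-ciphers / --show-digests, rejects entries on an
# (assumed) weak list, and prints the `cipher` / `auth` directives that
# ovpn_genconfig -C / -a would put into openvpn.conf.

# Constructed, abridged samples of OpenVPN 2.4 `--show-ciphers` and
# `--show-digests` output. They are used only when no openvpn binary is on
# PATH, so the script can be exercised offline.
SAMPLE_CIPHERS='The following ciphers and cipher modes are available for use
with OpenVPN.  Each cipher shown below may be used as a
parameter to the --cipher option.

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode)
BF-CBC  (128 bit key by default, 64 bit block)
DES-EDE3-CBC  (192 bit key, 64 bit block)'

SAMPLE_DIGESTS='The following message digests are available for use with
OpenVPN.  You can specify a message digest as parameter to
the --auth option.

MD5 16 bit digest size
SHA1 20 bit digest size
SHA256 32 bit digest size
SHA512 64 bit digest size'

# Prefer the real binary when present; fall back to the constructed sample.
list_ciphers() {
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --show-ciphers
    else
        printf '%s\n' "$SAMPLE_CIPHERS"
    fi
}

list_digests() {
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --show-digests
    else
        printf '%s\n' "$SAMPLE_DIGESTS"
    fi
}

# Extract just the algorithm names: the first field of every line that
# carries a key size ("... bit key ...") or digest size ("... bit digest size").
supported_ciphers() { list_ciphers | awk '/ bit key/ { print $1 }' | sort -u; }
supported_digests() { list_digests | awk '/ bit digest size/ { print $1 }' | sort -u; }

# Assumed weak list: 64-bit-block ciphers (the OpenVPN 2.3 default BF-CBC
# among them) and the MD5/SHA1 digests the comment above suggests moving off.
is_weak() {
    case "$1" in
        BF-*|DES*|RC2*|CAST5*|IDEA*|SEED*|MD4|MD5|SHA|SHA1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_choice cipher|auth NAME -> prints "ok", "unsupported" or "weak".
# For a valid kind it always exits 0, so callers can capture the verdict
# with $(...) even under `set -e`.
check_choice() {
    case "$1" in
        cipher) list=$(supported_ciphers) ;;
        auth)   list=$(supported_digests) ;;
        *)      echo "usage: check_choice cipher|auth NAME" >&2; return 2 ;;
    esac
    if ! printf '%s\n' "$list" | grep -qx -- "$2"; then
        echo unsupported
    elif is_weak "$2"; then
        echo weak
    else
        echo ok
    fi
}

# gen_directives CIPHER DIGEST [TLS_CIPHER_LIST]
# Prints the openvpn.conf lines for a pair that passes both checks, or
# explains the refusal on stderr and returns 1. The optional TLS cipher list
# (what ovpn_genconfig -T takes) is passed through unvalidated.
gen_directives() {
    c=$(check_choice cipher "$1")
    d=$(check_choice auth "$2")
    if [ "$c" != ok ] || [ "$d" != ok ]; then
        echo "refusing: cipher $1 is $c, auth $2 is $d" >&2
        return 1
    fi
    printf 'cipher %s\nauth %s\n' "$1" "$2"
    [ -n "${3:-}" ] && printf 'tls-cipher %s\n' "$3"
    return 0
}

# Usage: sh ovpn_check.sh AES-256-GCM SHA512 [TLS-CIPHER-LIST]
if [ $# -ge 2 ]; then
    gen_directives "$1" "$2" "${3:-}"
fi
```

Run it inside the container (where the openvpn binary that will actually serve the tunnel lives) so the supported lists come from the real build rather than the sample. Note that with an AEAD cipher such as AES-256-GCM the data channel is authenticated by the cipher itself; the auth digest then only covers the control channel and the tls-auth HMAC, so choosing SHA512 there is cheap regardless of router speed.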
