11

From both a performance and security standpoint, which cipher should I use with OpenVPN?

According to http://openvpn.net/index.php/open-source/documentation/howto.html#security, the default is Blowfish, and the recommendation/example is to use AES-256-CBC, for its larger key size. Is 256-bit AES the best practice?

Mike Pennington
Daniel S. Sterling

2 Answers

14

AES-256-CBC is probably "the best". AES-128-CBC is roughly 2x the speed however, at least according to openssl, and is perfectly fine for all but the highest security traffic. OpenVPN is pretty efficient and so my experience has been that either works very well.

Moose Mouse

  • I came to the same conclusion when I needed to choose a non-default cipher when it turned out that the Blowfish cipher was vulnerable: https://community.openvpn.net/openvpn/wiki/SWEET32 – Anthony Geoghegan Oct 24 '16 at 09:27
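A small audit script, added here as an example and not part of either answer or of OpenVPN itself, that reports which data-channel cipher an OpenVPN config actually sets: a missing `cipher` line is treated as the old Blowfish (BF-CBC) default the question mentions, and 64-bit block ciphers, the class the SWEET32 link in the comment above covers, are flagged as weak. It also wraps the `openssl speed` measurement the answer's "roughly 2x" figure comes from. The function names, the directive parsing and the WEAK/OK name lists are my assumptions; the generalisation from Blowfish to other 64-bit block ciphers (3DES, CAST5, DES) goes beyond what the thread states.

```shell
#!/bin/sh
# Added example (not from the original answers): audit the data-channel
# cipher in an OpenVPN config and optionally compare AES-128/256-CBC speed.
# Assumptions: the WEAK/OK name lists below are mine; WEAK holds 64-bit
# block ciphers (the class SWEET32 applies to), OK holds AES and ChaCha20.

# Print the effective value of a single-valued directive (last one wins),
# ignoring comment lines. Prints nothing when the directive is absent.
ovpn_directive() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }   # skip "#" and ";" comment lines
        $1 == key           { val = $2 }
        END                 { if (val != "") print val }
    ' "$1"
}

# Classify a cipher name: prints WEAK, OK or UNKNOWN; exit status 0 only for OK.
classify_cipher() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        BF-CBC|DES-CBC|DES-EDE3-CBC|CAST5-CBC)
            echo WEAK; return 1 ;;           # 64-bit block size (SWEET32)
        AES-128-CBC|AES-192-CBC|AES-256-CBC|AES-128-GCM|AES-256-GCM|CHACHA20-POLY1305)
            echo OK; return 0 ;;
        *)
            echo UNKNOWN; return 1 ;;
    esac
}

# Report the cipher a config uses. A missing "cipher" line means OpenVPN's
# old default, BF-CBC (Blowfish), which the question refers to.
check_openvpn_cipher() {
    cfg="$1"
    cipher=$(ovpn_directive "$cfg" cipher)
    if [ -z "$cipher" ]; then
        echo "$cfg: no cipher directive, implicit default BF-CBC: WEAK"
        return 1
    fi
    verdict=$(classify_cipher "$cipher") || true
    echo "$cfg: cipher $cipher: $verdict"
    if [ "$verdict" = OK ]; then return 0; else return 1; fi
}

# Throughput comparison behind the answer's "roughly 2x" claim, using the
# local openssl binary. Each run takes a while, so it is not invoked by default.
compare_aes_speed() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 1; }
    for c in aes-128-cbc aes-256-cbc; do
        openssl speed -evp "$c" 2>/dev/null | tail -n 1   # per-block-size summary line
    done
}

# Usage: sh audit-cipher.sh /etc/openvpn/server.conf
if [ -n "$1" ]; then
    check_openvpn_cipher "$1"
fi
```

Run it against the server and every client config; a config that relies on the implicit default is the case most often missed, because nothing in the file says "Blowfish". Call `compare_aes_speed` separately when you want the local numbers behind the 128-vs-256 trade-off rather than the answer's rule of thumb.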
2

For the TLS cipher you can choose a good 256-bit cipher and it will not slow things much, because the TLS channel is only the control channel and doesn't carry much data compared to the main channel.