I’m a newbie Brume user. I’ve tried it out as a WireGuard and OpenVPN client - both are fast, the former impressively so. But looking at the OpenVPN server side, the crypto seems less than impressive: SHA1 for auth when SHA256 is now the accepted standard and the Blowfish BF-CBC cipher specified in the client ovpn file created by the server which is deprecated because it is insecure.
Is there any way of changing these crypto settings or can we expect these will be brought more up-to-date with current security expectations?
Can I suggest AES-128-CBC as the default cipher? It’s good strength for anything but the most secure traffic without the performance hit of moving to AES-256-CBC or AES-256-GCM.
I’ve done some more investigation of the Brume OpenVPN server and despite what it says on the config page of the GUI, it doesn’t actually offer Blowfish. Here’s the list of supported crypto algorithms. May I suggest the client config is updated to reflect what is actually available: AES-128-GCM-SHA256 is available for both TLS 1.2 and 1.3 so seems a good option!
root@GL-MV1000:~# openvpn --show-tls
Available TLS Ciphers, listed in order of preference:
Technically the best cipher for both TLS1.2 and TLS1.3 is TLS_CHACHA20_POLY1305_SHA256 and TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 respectively, as they offer the fastest software based decoding, since the GL routers don’t have a dedicated AES instruction on the processor. This is also why wireguard is much faster than OpenVPN with default config. AES is the best for VPN from PC to PC for example, where Intel and AMD processors have AES instructions.
Ah thanks. Good info. I had actually been trying to find out whether the Armada 3720 had hardware support for AES!
And yes, I’m a great WireGuard fan. On tests I’m getting about 140MBit/s speeds using the Google speed test over a 200Mbit/s home Internet connection. That’s via a Minisforum N40 miniPC as server. The test config is:
Unfortunately OpenVPN doesn’t seem to support “cipher CHACHA20_POLY1305” despite it being listed as one of the TLS ciphers. Only AES variants. Not being an OpenVPN expert I’m not sure why…
root@GL-MV1000:~# openvpn --show-ciphers
AES-128-CBC (128 bit key, 128 bit block)
AES-128-CFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1 (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8 (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC (192 bit key, 128 bit block)
AES-192-CFB (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1 (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8 (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC (256 bit key, 128 bit block)
AES-256-CFB (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1 (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8 (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB (256 bit key, 128 bit block, TLS client/server mode only)