Is VPN cipher set by VPN provider or user configuration?

wifird · February 8, 2017, 8:09pm

Hi there,

I’m trying to use 128bit rather than 256bit VPN but my VPN provider haven’t been to helpful.

Can I customise the cipher on OpenWRT or by amending the profiles I have or does it have to be done by the provider?

glitch · February 8, 2017, 8:50pm

You cannot amend the cipher in the User Interface because it ithe VPN part is “closed-shop”. In my opinion, it would be better if the firmware were written so that this modification (and any other VPN mod) could be made in Luci.

One way of doing it is to edit your ovpn file before uploading (assuming your provider supports it). It can also probably be done by editing the config file directly using something like WinSCP.

Glitch

wifird · February 8, 2017, 10:59pm

Yes, Luci modification would be good.

Thanks for the help @Glitch. I’m familiar with WinSCP, do you know what modification I would make to the file to make it 128-bit cipher?

I’ve pasted contents from my Ovpn file below.

client


dev tun
proto udp
remote uk1.safervpn.com 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
auth-user-pass
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----

glitch · February 9, 2017, 12:28am

Normally there is something like this in it:

cipher AES-256-CBC

However, in your case looks like your provider only offers one encryption standard, 256 bit

rk47 · April 28, 2018, 5:47am

It is possible to request a cipher but the server must be configured to allow this and the server can override your choice (which would show in the status message)

–cipher alg
Encrypt data channel packets with cipher algorithm alg. When cipher negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server side will automatically upgrade to AES-256-GCM

The following data is always pushed to the server:
IV_NCP=2 – negotiable ciphers, client supports --cipher pushed by the server

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

In order to change the cipher in OpenVPN Access Server you will need to add the following line to both the client and server config directives via the Advanced VPN page:

cipher ciphername

How to correctly secure your OpenVPN connection
https://gist.github.com/pwnsdx/8fc14ee1e9f561a0a5b8

kyson-lok · April 28, 2018, 5:04pm

@wifird It needs both of client and server config the same chiper. How To Change. One line like cipher AES-256-CBC.