Encryption Modes

OpenVPN supports two types of encryption: a static key or Transport Layer Security (TLS). On Windows, the static key is easy to configure. After you install OpenVPN on one of the VPN endpoints, run the OpenVPN key generator and copy the new key (via a secure medium) into the \OpenVPN folder of every other OpenVPN computer that needs to connect to this endpoint. In the configuration file on each endpoint, you simply specify the name of this key file. By default, OpenVPN uses Blowfish in Cipher Block Chaining mode (BF-CBC) to encrypt data, but you can also choose Advanced Encryption Standard (AES), Data Encryption Standard (DES), International Data Encryption Algorithm (IDEA), or others by specifying the cipher parameter in the configuration file. The application uses the encryption, authentication, and certificate features of the OpenSSL library, so you'll want to stay on top of OpenSSL updates.
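The following pair of configuration files is an added example, not part of the original article, showing what the static-key procedure above looks like once the key has been generated and copied to both ends. The hostnames vpn-a.example.com and vpn-b.example.com, the tunnel addresses 10.8.0.1 and 10.8.0.2, and the key file name static.key are assumptions for illustration. The example also selects AES, one of the alternatives the article lists, instead of the BF-CBC default.

```conf
# Added example (not from the article): OpenVPN static-key configurations
# for the two tunnel endpoints. Assumed names: vpn-a.example.com and
# vpn-b.example.com, tunnel addresses 10.8.0.1/10.8.0.2, key file static.key.
# static.key was produced once by the OpenVPN key generator and copied to
# the other endpoint over a secure channel; both sides reference the same file.

# ---- endpoint A: vpn-a.example.com (waits for the peer to connect) ----
dev tun
proto udp
port 1194
# local tunnel address first, then the peer's
ifconfig 10.8.0.1 10.8.0.2
# the shared static key
secret static.key
# BF-CBC, the default the article mentions, is a 64-bit block cipher;
# AES, which the article also lists, is the stronger choice, so name it
# explicitly rather than relying on the default
cipher AES-256-CBC
# HMAC algorithm used to authenticate each packet
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- endpoint B: vpn-b.example.com (initiates the connection to A) ----
dev tun
proto udp
port 1194
remote vpn-a.example.com 1194
# mirror image of A's ifconfig line
ifconfig 10.8.0.2 10.8.0.1
secret static.key
# cipher and auth must match the peer exactly; with a mismatch the tunnel
# interface still comes up but every packet fails authentication, and the
# log shows authenticate/decrypt packet errors
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3
```

Because a static key is a single shared secret, anyone who obtains the file can decrypt past and future traffic on that tunnel, so the "secure medium" step in the text is not optional: the key file should be copied out of band and its file permissions restricted to the account that runs OpenVPN.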

OpenVPN also supports TLS security, which uses Diffie-Hellman key exchange together with RSA certificates and keys. Setting up the certificates and keys is similar to other public key infrastructure (PKI) configurations that use X.509 certificates for session authentication. If you've never built such a configuration before, several Web resources linked from the OpenVPN site can help. OpenVPN's Linux and UNIX installations offer better help and tools for configuring TLS security than the Windows version does. In this article's examples, I've used the static key for simplicity's sake so that I could focus on the setup of the OpenVPN tunnels.
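For comparison with the static-key setup, here is an added example, not from the article, of the same two endpoints configured in TLS mode. The file names are assumptions: ca.crt is the CA certificate of the PKI you set up, dh2048.pem holds the Diffie-Hellman parameters, and server.crt/server.key and client.crt/client.key are the RSA certificate and key pairs that CA issued to each endpoint.

```conf
# Added example (not from the article): TLS-mode versions of the two endpoint
# configurations. Assumed file names: ca.crt, dh2048.pem, server.crt,
# server.key, client.crt, client.key, all produced by your own X.509 PKI.
# Hostname vpn-a.example.com and addresses 10.8.0.1/10.8.0.2 are assumed too.

# ---- endpoint A: TLS server ----
dev tun
proto udp
port 1194
tls-server
# Diffie-Hellman parameters for the key exchange (server side only)
dh dh2048.pem
# CA that signed both endpoints' certificates
ca ca.crt
# this endpoint's RSA certificate and private key
cert server.crt
key server.key
ifconfig 10.8.0.1 10.8.0.2
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- endpoint B: TLS client ----
dev tun
proto udp
port 1194
remote vpn-a.example.com 1194
tls-client
ca ca.crt
cert client.crt
key client.key
# Accept only a peer certificate the CA issued for server use. Without this
# check, any certificate signed by the same CA, including another client's,
# would be accepted as the server.
remote-cert-tls server
ifconfig 10.8.0.2 10.8.0.1
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
verb 3
```

The trade-off against the static-key mode is visible in the file list: each endpoint holds only its own private key, so compromising one machine does not expose a secret shared with every other endpoint, at the cost of running the PKI that issues and, when needed, revokes the certificates.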
