Cryptographic algorithms (site-to-site, client, server)
As previously discussed, whichever security mechanism is used (preshared secret or TLS), after the VPN tunnel is established, the two endpoints apply an encryption algorithm and a hash algorithm on the tunneled VPN data to provide confidentiality and integrity. By default, the encryption and hash algorithms used by OpenVPN are Blowfish (with 128-bit keys) and SHA-1, respectively. This configuration should be reasonable in typical environments: the Blowfish algorithm performs well in software and has no known weakness, and SHA-1 is widely used and is part of the NIST Secure Hash Standard.
When a particular encryption or hash algorithm is required in an environment, the two configuration options shown in the following example can be used to specify the algorithm.
Configuration options related to security
interfaces {
openvpn if_name{
encryption algorithm
hash algorithm
}
}- encryption: This argument is one of the following algorithms:
- des: DES algorithm
- 3des: DES algorithm with triple encryption
- bf128: Blowfish algorithm with 128-bit key
- bf256: Blowfish algorithm with 256-bit key
- aes128: AES algorithm with 128-bit key
- aes192: AES algorithm with 192-bit key
- aes256: AES algorithm with 256-bit key
- hash: This argument is one of the following hash algorithms:
- md5: MD5 algorithm
- sha1: SHA-1 algorithm
- sha256: SHA-256 algorithm
- sha512: SHA-512 algorithm