# Cryptographic algorithms (site-to-site, client, server)

As previously discussed, whichever security mechanism is used (preshared secret or TLS), after the VPN tunnel is established, the two endpoints apply an encryption algorithm and a hash algorithm to the tunneled VPN data to provide confidentiality and integrity. By default, the encryption and hash algorithms used by OpenVPN are Blowfish (with 128-bit keys) and SHA-1, respectively. This configuration should be reasonable in typical environments: the Blowfish algorithm performs well in software and has no known weakness, and SHA-1 is widely used and is part of the NIST Secure Hash Standard.

When a particular encryption or hash algorithm is required in an environment, the two configuration options shown in the following example can be used to specify the algorithm.

## Configuration options related to security

```
interfaces {
    openvpn if_name {
        encryption algorithm
        hash algorithm
    }
}
```

- encryption: This argument is one of the following algorithms:
    - des: DES algorithm
    - 3des: DES algorithm with triple encryption
    - bf128: Blowfish algorithm with 128-bit key
    - bf256: Blowfish algorithm with 256-bit key
    - aes128: AES algorithm with 128-bit key
    - aes192: AES algorithm with 192-bit key
    - aes256: AES algorithm with 256-bit key

- hash: This argument is one of the following hash algorithms:
    - md5: MD5 algorithm
    - sha1: SHA-1 algorithm
    - sha256: SHA-256 algorithm
    - sha512: SHA-512 algorithm
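
The following Python check is an added example, not part of the original documentation. It reads each endpoint's configuration in the layout shown above, fills in the defaults stated on this page (bf128, sha1) when an option is omitted, rejects values outside the listed sets, and reports where the two endpoints of a tunnel differ. The interface name `vtun0`, the sample configurations, the nested `tls` node and the function names are constructed for illustration.

```python
# Option values and defaults as listed on this page.
ALLOWED = {
    "encryption": {"des", "3des", "bf128", "bf256", "aes128", "aes192", "aes256"},
    "hash": {"md5", "sha1", "sha256", "sha512"},
}
DEFAULTS = {"encryption": "bf128", "hash": "sha1"}

# Constructed sample endpoint configurations; vtun0 is a placeholder name.
SITE_A = """interfaces {
    openvpn vtun0 {
        encryption aes256
        hash sha256
        tls {
        }
    }
}"""
SITE_B = """interfaces {
    openvpn vtun0 {
        encryption aes256
    }
}"""


def effective_algorithms(config_text):
    """Map each openvpn interface to its algorithms, defaults applied."""
    result, current, depth = {}, None, 0
    # Assumes the brace layout shown on this page, one statement per line.
    for tokens in filter(None, map(str.split, config_text.splitlines())):
        if tokens[-1] == "{":
            depth += 1
            if depth == 2 and tokens[0] == "openvpn" and len(tokens) == 3:
                current = tokens[1]
                result[current] = dict(DEFAULTS)
        elif tokens[0] == "}":
            if depth == 2:
                current = None
            depth -= 1
        elif current and depth == 2 and len(tokens) == 2 and tokens[0] in ALLOWED:
            key, value = tokens
            if value not in ALLOWED[key]:
                raise ValueError(f"{current}: unsupported {key} value {value!r}")
            result[current][key] = value
    return result


def compare_endpoints(local, remote):
    """List the options on which the two tunnel endpoints disagree."""
    return [f"{k}: local={local[k]} remote={remote[k]}"
            for k in ("encryption", "hash") if local[k] != remote[k]]
```

Here `SITE_B` omits `hash`, so it resolves to the default sha1 and the comparison against `SITE_A` reports a hash difference even though neither configuration is invalid on its own.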