Updated VPN Certificates

Hello there, fellow VPN user. As announced, we have just updated the OpenVPN certificates and configs on all servers. This article describes the changes we introduced. If you just want to get your VPN working again: Update your certificates

You can find the new version of the certificates inside your dashboard: https://internetz.me/en/dashboard/index

New Cipher

From now on we use the cipher AES-256-CBC. Before, we used OpenVPN’s default cipher, BF-CBC (Blowfish). Although AES-256 takes more CPU, we decided to go for the stronger cipher: Blowfish has a 64-bit block, AES a 128-bit one, which matters for long-lived tunnels that move a lot of data. Only the best for our clients! Note that the cipher directive must be identical on client and server, which is why the old configs stop working until you update them.

Use of tls-auth

The tls-auth option uses a static pre-shared key (PSK) that must be generated in advance and shared among all peers. This feature adds “extra protection” to the TLS channel by requiring that every incoming control-channel packet carry a valid HMAC signature computed with the PSK; packets without one are discarded before any TLS processing. The server uses key direction 0 and every client direction 1. If this key is ever changed, it must be changed on all peers at the same time.

The primary benefit is that an unauthenticated client cannot impose the same CPU/crypto load on the server, because junk traffic is dropped much sooner. This helps mitigate denial-of-service attempts.

This feature by itself does not improve the TLS authentication in any way, but it offers a second line of defense if a flaw is discovered in a particular TLS cipher-suite or implementation (such as CVE-2014-0160, Heartbleed, where the tls-auth key protected OpenVPN servers against attackers who did not have a copy of it). So better prepared than sorry.

Comp-lzo adaptive

Adaptive compression tries to optimize the case where you have compression enabled but are sending predominantly uncompressible (or pre-compressed) packets over the tunnel, such as an FTP or rsync transfer of a large, compressed file. With adaptive compression, OpenVPN periodically samples the compression process to measure its efficiency. If the data being sent over the tunnel is already compressed, the compression efficiency will be very low, which makes OpenVPN disable compression for a period of time until the next re-sample test. One caveat: compressing data before encrypting it lets an attacker who can inject part of the plaintext learn something about the rest from the ciphertext length (the same class of attack as CRIME/BREACH against TLS), so compression should be turned off where bandwidth is not a concern.

Inline Certificates

Before, we shipped a zip with a bunch of files: config, key, certificate and CA. We have now changed the configs to a single .ovpn file which includes all the other needed files inline, between <ca>, <cert>, <key> and <tls-auth> tags. This makes it easier to get the certificates onto phones etc. Keep in mind that this one file now contains your private key and the shared tls-auth key, so treat it like a password.
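Putting the changes above together, here is an added example (not the provider’s own tooling) of how the old zip bundle of separate files becomes a single inline .ovpn with the new cipher, the tls-auth key and adaptive compression. The host name vpn.example.net, the port and the file names are assumptions, and the certificate material it writes is constructed placeholder text so that the script runs offline:

```shell
#!/bin/sh
# Added example (not the provider's script): build a single client .ovpn with the
# CA, client certificate, client key and tls-auth key embedded inline, using the
# settings described in this post. Host name, port and file names are assumptions.
set -eu

# Emit one inline section: <tag> ... file contents ... </tag>
inline_block() {
    tag="$1"; file="$2"
    printf '<%s>\n' "$tag"
    cat "$file"
    printf '</%s>\n' "$tag"
}

# build_inline_ovpn SRCDIR REMOTE_HOST OUTFILE
# SRCDIR must hold ca.crt, client.crt, client.key and ta.key (the old zip layout).
# ta.key is the static PSK the server operator generates once with
#   openvpn --genkey --secret ta.key
# and copies to every peer; a client cannot create its own.
build_inline_ovpn() {
    src="$1"; host="$2"; out="$3"
    for f in ca.crt client.crt client.key ta.key; do
        [ -s "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    {
        cat <<EOF
client
dev tun
proto udp
remote $host 1194
nobind
persist-key
persist-tun
remote-cert-tls server
# AES-256-CBC (128-bit block) replaces OpenVPN's old default BF-CBC (64-bit block).
# Must match the server exactly; pre-2.4 OpenVPN does not negotiate the cipher.
cipher AES-256-CBC
# tls-auth: HMAC every control-channel packet with the shared key.
# The server uses direction 0, every client direction 1.
key-direction 1
# Compress, but back off automatically when the payload is already compressed.
comp-lzo adaptive
verb 3
EOF
        inline_block ca "$src/ca.crt"
        inline_block cert "$src/client.crt"
        inline_block key "$src/client.key"
        inline_block tls-auth "$src/ta.key"
    } > "$out"
    chmod 600 "$out"   # the profile now contains a private key and the PSK
}

# Sanity check for a generated profile: every inline section is present, the
# hardening directives from this post are set and the old cipher is gone.
check_ovpn() {
    f="$1"
    for tag in ca cert key tls-auth; do
        grep -qx "<$tag>" "$f" && grep -qx "</$tag>" "$f" || return 1
    done
    grep -qx 'cipher AES-256-CBC' "$f" || return 1
    grep -qx 'key-direction 1' "$f" || return 1
    grep -qx 'comp-lzo adaptive' "$f" || return 1
    ! grep -q '^cipher BF-CBC' "$f"
}

# Constructed placeholder files so the example runs offline. They are NOT valid
# certificates or keys; the real ones come from the provider's dashboard.
make_sample_bundle() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SAMPLE-CA' '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SAMPLE-CLIENT' '-----END CERTIFICATE-----' > "$dir/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'SAMPLE-KEY' '-----END PRIVATE KEY-----' > "$dir/client.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' '00112233' '-----END OpenVPN Static key V1-----' > "$dir/ta.key"
}

work=$(mktemp -d)
make_sample_bundle "$work/bundle"
build_inline_ovpn "$work/bundle" vpn.example.net "$work/client.ovpn"
check_ovpn "$work/client.ovpn" && echo "wrote $work/client.ovpn"
```

The generated file holds the client’s private key and the shared tls-auth key, so the script sets mode 600 and refuses to write a profile when any of the four inputs is missing; the same care applies when copying the file to a phone.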

Last thoughts

If you haven’t tested our “privacy manager” yet, take a look at it: https://internetz.me/en/tour/vpnsoftware. This program runs on Windows, Linux and Mac, and its purpose is to download and unpack certificates. So in case we change the certificate bundles again, or you wish to install OpenVPN on another computer, this application may come in handy.
