JamesDean 10 Posted ... The newest article on the US NSA features a presentation that mentions VPN. I figured Air Staff may want to quell the panic The presentation is from 2008, so they could have been talking about decrypting PPTP for all we know, but I found it interesting. I'm attaching the relevant slide as a screen grab. Quote Share this post Link to post
Staff 9973 Posted ... Hello, the unsolvable problem for NSA in this case is that our customers client keys for OpenVPN Data Channel encryption are re-negotiated at each new connection AND every 60 minutes (essentially the core of Perfect Forward Secrecy). Customers can also lower the TLS re-keying interval on the client side. Kind regards Quote Share this post Link to post
JamesDean 10 Posted ... How can I lower the re-keying interval? I just did a search and your reply above was the only result. I just looked at the config and didn't see where to change it. Thanks, JD Quote Share this post Link to post
JamesDean 10 Posted ... P.S. I'm using OpenVPN proper and embedded certs in the .ovpn config file. JD Quote Share this post Link to post
zhang888 1066 Posted ... I'm all for a new Russia based server named "Snowden" To your question,That can not be used in a deterministic way in most countries, since VPNs are also very popular in corporate networks. I guess that the NSA meaning here was to see all VPN communications in countries like Afghanistan or Iraq, where the internet is not very popularand the usage of VPN can actually help detecting a source of communication. Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
NaDre 157 Posted ... How can I lower the re-keying interval? I just did a search and your reply above was the only result. I just looked at the config and didn't see where to change it. Thanks, JD https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage I guess it would be "--reneg-sec n"? But the explanation says "set it to 0 on one side of the connection (to disable), and to your chosen value on the other side". Is it zero on the server side? Quote Share this post Link to post
JamesDean 10 Posted ... whichever uses the lower value will be the one to trigger the renegotiation. Nice find. The server should be set to 3600, so anything lower on our end, should take precedent. I'll wait for staff to confirm, but I'm going to try it now. Thanks mate. Quote Share this post Link to post
JamesDean 10 Posted ... That was it. In windows, get rid of the two dashes. I set 15 minutes, and it re-keyed: Wed Jul 31 18:48:53 2013 TLS: soft reset sec=0 bytes=2401419/0 pkts=3939/0Wed Jul 31 18:48:54 2013 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.orgWed Jul 31 18:48:54 2013 VERIFY OK: nsCertType=SERVERWed Jul 31 18:48:54 2013 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.orgWed Jul 31 18:48:56 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit keyWed Jul 31 18:48:56 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationWed Jul 31 18:48:56 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit keyWed Jul 31 18:48:56 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authenticationWed Jul 31 18:48:56 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA reneg-sec 900 Quote Share this post Link to post
Staff 9973 Posted ... @johndough Yes. Just to explain more to the readers, the client, without any server co-operation, can either disable TLS renegotiation (NOT recommended at all) or set any TLS re-keying period NOT HIGHER than the server setting. It's not possible that the client set a TLS re-negotiation (if active) to more than the time value set on the server. Our servers are set to 60 minutes, so you can't have TLS re-negotiations higher than 60 minutes. Kind regards Quote Share this post Link to post