How about ChaCha-Poly?
Great video, really appreciate uploads like this! Keep them coming! I've been running pfsense for a couple years, rarely need to vpn back into my own network but this shows exactly what kind of ciphers to use and speed to expect.
My pfSense box is running on a 4690K, so I use AES-256-GCM simply because I can. Maximum download through PIA on speed test was 839Mbps, upload 915Mbps. These speeds were achieved by configuring a load-balanced gateway to two PIA servers.
Tom, 9:15 The description of the "Use a TLS Key" option says it only affects the Control Channel, not the Data Channel. The data channel is protected by the cipher suites you're testing. This would mean that your comment at 10:08 is inaccurate. You would have no protection at all for the actual data you're moving across the tunnel, just for the control channel.
Unless I've misunderstood something myself.
You are not reading the second line:
"Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation."
I have it set to TLS Encryption and Authentication which means the data is encrypted twice, once by tls-crypt and once by the TLS session.
@LAWRENCESYSTEMS Doesn't the line "The TLS Key does not have any effect on tunnel data." mean exactly that, no matter which mode "TLS Key Usage Mode" is set to? The line that you have quoted still only applies to the control channel, not the data channel (the tunnel) since "TLS Key Usage Mode" is a sub-setting to "Use a TLS Key".
"Authentication Mode" means that the control channel cannot be spoofed, but it is not encrypted at all.
"Authentication and Encryption" adds a layer of encryption to the session negotiation.
It sounds like this has nothing to do with the data channel/tunnel that the actual VPN traffic moves over. The data channel/tunnel is encrypted by the selection of an encryption algorithm (at 10:08 in this video).
Either that or the wording of the setting descriptions just isn't logical to me; I can't say I'm speaking with any authority. Certainly don't mean to question your experience, just trying to understand how OpenVPN config actually works.
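To make the distinction argued in this thread concrete, here is an added example (my own, not the video's, a commenter's, or pfSense's code): a small POSIX shell audit of an OpenVPN server config. In OpenVPN terms, pfSense's "TLS Authentication" mode is tls-auth (an HMAC on control-channel packets) and "TLS Encryption and Authentication" is tls-crypt (control-channel packets encrypted and authenticated); neither touches the data channel, which is protected only by the cipher / data-ciphers setting (ncp-ciphers on 2.4). The two sample configs, their file names and the key paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the video or this thread. Audits an OpenVPN
# server config for the two separate protections discussed above:
#   control channel -> "tls-auth" (HMAC only) or "tls-crypt" (encrypt + HMAC)
#   data channel    -> "cipher" / "data-ciphers" ("ncp-ciphers" on 2.4), the
#                      only setting that encrypts the tunnel payload.
# File names, paths and both sample configs below are constructed.

# Write two constructed configs into directory $1: one that relies on
# tls-crypt alone, one that also sets AEAD data-channel ciphers.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
dev tun
proto udp
port 1194
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/tls-crypt.key
cipher none
auth none
EOF
    cat > "$1/good.conf" <<'EOF'
dev tun
proto udp
port 1194
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/tls-crypt.key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
auth SHA256
EOF
}

# Print one finding per line for the config file $1; WARN/FAIL mark problems.
audit_ovpn() {
    cfg="$1"
    if grep -Eq '^[[:space:]]*tls-crypt[[:space:]]' "$cfg"; then
        echo "control-channel: tls-crypt, encrypted and authenticated"
    elif grep -Eq '^[[:space:]]*tls-auth[[:space:]]' "$cfg"; then
        echo "control-channel: tls-auth, authenticated only (handshake readable on the wire)"
    else
        echo "control-channel: no TLS key, handshake reachable by unauthenticated peers (WARN)"
    fi
    # Every data-channel cipher named in the config, one per line.
    ciphers=$(awk '$1=="data-ciphers" || $1=="ncp-ciphers" || $1=="cipher" {print $2}' "$cfg" | tr ':' '\n')
    [ -n "$ciphers" ] || echo "data-channel: no cipher set, OpenVPN default applies (WARN)"
    for c in $ciphers; do
        case "$(printf '%s' "$c" | tr 'a-z' 'A-Z')" in
            NONE)                    echo "data-channel: $c, tunnel payload is NOT encrypted (FAIL)" ;;
            *-GCM|CHACHA20-POLY1305) echo "data-channel: $c, AEAD, ok" ;;
            *-CBC)                   echo "data-channel: $c, CBC needs a separate 'auth' HMAC (WARN)" ;;
            *)                       echo "data-channel: $c, not recognised (WARN)" ;;
        esac
    done
}

# Return 0 only when the audit of $1 produced no WARN or FAIL line.
audit_ok() {
    ! audit_ovpn "$1" | grep -Eq 'WARN|FAIL'
}

# Stand-alone run: write the samples to a temp dir and audit both.
dir=$(mktemp -d)
write_sample_configs "$dir"
for f in weak good; do
    echo "== $f.conf"
    audit_ovpn "$dir/$f.conf"
done
rm -rf "$dir"
```

Run it as-is to see both sets of findings, or point audit_ovpn at a real server config. weak.conf passes the control-channel check and still fails the tunnel check, which is exactly the case being argued about: tls-crypt hides the handshake, and only the data-channel cipher hides the traffic.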
community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN
@Lawrence Systems / PC Pickup CBC shouldn't be used anymore. Just CTR... most vendors are removing it by default because it's weakened.
Thanks
Can you test CAMELLIA-128-CBC vs AES-128-GCM?
Just updated my pfSense config after watching this. Thanks for all of your helpful videos, Tom.
Thank you!!
I was literally just trying to figure this out, thank you for the clarification!
I love your videos, thank you! But I don't understand where the Pi is in this story.
Behind the firewall
Can someone explain to me why we got totally different results? We tested site-to-site VPNs between two SG-3100s (on LAN) and CBC was performing much better here. Tested with notebooks behind each pfSense. The pfSenses were connected directly to each other on the WAN interface.
The Netgate routers at or below the SG-3100 have hardware-accelerated CBC. The routers at or above the SG-5100 have hardware-accelerated GCM. GCM is more secure but more computationally expensive.
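An added example, not from the video or this thread, for the CBC-vs-GCM result above and the ChaCha-Poly and Camellia questions: a POSIX shell wrapper around openssl speed -evp that ranks raw cipher throughput on the CPU it runs on. On an x86 with AES-NI, or an ARMv8 core with the crypto extensions, the AEAD ciphers come out ahead; on a box whose offload engine only accelerates CBC the order flips, as the reply above describes for the SG-3100. The cipher list, the -seconds 1 flag (OpenSSL 1.1+ syntax) and the numbers in SAMPLE_OUTPUT are assumptions and constructed data. It measures the cipher, not an OpenVPN tunnel, which is further bounded by OpenVPN's single-threaded per-packet processing and the MTU, so expect lower absolute figures over the VPN but the same ordering.

```shell
#!/bin/sh
# Added example, not code from the video or this thread. Ranks ciphers by
# "openssl speed -evp" throughput, which is what decides whether CBC or GCM
# wins on a given CPU. Cipher list, the -seconds flag (OpenSSL 1.1+) and the
# SAMPLE_OUTPUT numbers are assumptions / constructed for an offline run.

# Turn "openssl speed" result lines on stdin into "name Mbit/s", fastest first.
# A result line has 7 fields: the cipher name and six "NNNN.NNk" columns
# (1000s of bytes per second for 16..16384-byte blocks); the last is used.
rank_ciphers() {
    awk 'NF == 7 && $NF ~ /k$/ {
            v = $NF; sub(/k$/, "", v)            # strip the trailing k
            printf "%s %d\n", $1, v * 8 / 1000   # kB/s -> Mbit/s (truncated)
        }' | sort -k2,2nr
}

# Convert one result line to Mbit/s (16384-byte column).
speed_mbps() {
    printf '%s\n' "$1" | rank_ciphers | awk '{print $2}'
}

# Live benchmark; ciphers this OpenSSL build lacks simply print nothing.
# Takes roughly 6 seconds per cipher with -seconds 1.
bench_ciphers() {
    for c in aes-128-cbc aes-128-gcm aes-256-cbc aes-256-gcm chacha20-poly1305 camellia-128-cbc; do
        openssl speed -seconds 1 -evp "$c" 2>/dev/null
    done | rank_ciphers
}

# Constructed sample of "openssl speed -evp" output for an AES-NI class CPU.
SAMPLE_OUTPUT='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc     1016523.44k  1090764.21k  1105811.20k  1112343.55k  1114308.61k  1114734.59k
aes-128-gcm      639472.92k  1591289.19k  3165130.07k  4073291.09k  4425384.62k  4482334.72k
chacha20-poly1305 360281.47k  719532.09k  1488901.38k  2602434.56k  2878849.02k  2886172.67k'

echo "Sample ranking (constructed numbers):"
printf '%s\n' "$SAMPLE_OUTPUT" | rank_ciphers

# Set OVPN_BENCH_LIVE=1 to measure this host instead of the sample.
if [ "${OVPN_BENCH_LIVE:-0}" = "1" ] && command -v openssl >/dev/null 2>&1; then
    # Linux-only hint; on a BSD box check dmesg/sysctl for the crypto engine instead.
    grep -qw aes /proc/cpuinfo 2>/dev/null && echo "AES-NI flag present in /proc/cpuinfo"
    echo "Live ranking on this host:"
    bench_ciphers
fi
```

With the constructed sample the order is aes-128-gcm, chacha20-poly1305, aes-128-cbc; run with OVPN_BENCH_LIVE=1 on the firewall itself (or any box with the same CPU) to see which order applies to your hardware before picking a cipher in the pfSense OpenVPN settings.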
Does the Pi have AES hardware acceleration? Can you also test it with a recent x86 CPU?
I was only using the Raspberry Pi to run iperf, not the encryption.
@Lawrence Systems / PC Pickup Oh ok, so you used the notebook as the VPN client, missed that. That makes more sense; it sounded ridiculously fast for a Pi.
You're not a cryptographer? Really? 🤣😂
I can barely even say the word..lol
256 can be slower, but it's hard to understand the speed of the connection.