What's pfsense OpenVPN Speed difference between AES-CBC and AES-GCM? 128 VS 256?

  • Published: 20 Aug 2024
    Optimizing performance on gigabit networks
    community.open...
    What's the difference between AES-CBC and AES-GCM?
    www.privateint...
    #pfsense #Firewalls
  • Science

Comments • 22

  • @lbeckm3
    @lbeckm3 4 years ago

    Great video, really appreciate uploads like this! Keep them coming! I've been running pfSense for a couple of years and rarely need to VPN back into my own network, but this shows exactly what kind of ciphers to use and what speed to expect.

  • @SM121982
    @SM121982 4 years ago

    My pfSense box is running on a 4690K, so I use AES-256-GCM simply because I can. Maximum download through PIA on speed test was 839Mbps, upload 915Mbps. These speeds were achieved by configuring a load-balanced gateway to two PIA servers.

  • @absolutehosting
    @absolutehosting 4 years ago +1

    Just updated my pfSense config after watching this. Thanks for all of your helpful videos, Tom.

  • @psycl0ptic
    @psycl0ptic 2 years ago +1

    How about ChaCha-Poly?

  • @xephael3485
    @xephael3485 4 years ago +2

    @Lawrence Systems / PC Pickup CBC shouldn't be used anymore. Just CTR... most vendors are removing it by default because it's weakened.

  • @MainelyElectrons
    @MainelyElectrons 4 years ago +1

    I was literally just trying to figure this out, thank you for the clarification!

  • @colt1596
    @colt1596 4 years ago

    Thank you!!

  • @X4R4X
    @X4R4X 3 years ago

    Thanks.
    Can you test CAMELLIA-128-CBC vs AES-128-GCM?

  • @jayextarys8616
    @jayextarys8616 4 years ago

    I love your videos, thank you! But I don't understand where the Pi is in this story.

  • @WarpedFlayme
    @WarpedFlayme 4 years ago

    Tom, 9:15 The description of the "Use a TLS Key" option says it only affects the Control Channel, not the Data Channel. The data channel is protected by the cipher suites you're testing. This would mean that your comment at 10:08 is inaccurate. You would have no protection at all for the actual data you're moving across the tunnel, just for the control channel.
    Unless I've misunderstood something myself.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago

      You are not reading the second line:
      "Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation."
      I have it set to TLS Encryption and Authentication which means the data is encrypted twice, once by tls-crypt and once by the TLS session.

    • @WarpedFlayme
      @WarpedFlayme 4 years ago

      @@LAWRENCESYSTEMS Doesn't the line "The TLS Key does not have any effect on tunnel data." mean exactly that, no matter which mode "TLS Key Usage Mode" is set to? The line that you have quoted still only applies to the control channel, not the data channel (the tunnel) since "TLS Key Usage Mode" is a sub-setting to "Use a TLS Key".
      "Authentication Mode" means that the control channel cannot be spoofed, but it is not encrypted at all.
      "Authentication and Encryption" adds a layer of encryption to the session negotiation.
      It sounds like this has nothing to do with the data channel/tunnel that the actual VPN traffic moves over. The data channel/tunnel is encrypted by the selection of an encryption algorithm (at 10:08 in this video).
      Either that or the wording of the setting descriptions just isn't logical to me; I can't say I'm speaking with any authority. Certainly don't mean to question your experience, just trying to understand how OpenVPN config actually works.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago

      community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN

  • @Baker00552
    @Baker00552 4 years ago

    Can someone explain to me why we got totally different results? We tested site-to-site VPNs between two SG-3100s (on LAN), and CBC was performing much better here. Tested with notebooks behind each pfSense. The pfSenses were connected directly to each other on the WAN interface.

    • @EGL24Xx
      @EGL24Xx 3 years ago +1

      The Netgate routers at or below the SG-3100 have hardware-accelerated CBC. The routers at or above the SG-5100 have hardware-accelerated GCM. GCM is more secure but more computationally expensive.
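The title question, and @EGL24Xx's point that the answer depends on which AES mode the box accelerates, can be measured on your own CPU; the benchmark below is an added example, not code from the video or from pfSense/OpenVPN. It models OpenVPN's two data-channel constructions, AES-CBC with an HMAC-SHA256 tag (encrypt-then-MAC) versus AES-GCM, at 128- and 256-bit keys. The keys and the 1392-byte packet are constructed, the 300 ms measurement window is an arbitrary choice, and the numbers are single-core, so they show relative cost rather than tunnel throughput.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// sealCBC: AES-CBC, then HMAC-SHA256 over iv||ciphertext (encrypt-then-MAC, which is what
// OpenVPN does with --cipher AES-xxx-CBC --auth SHA256). len(pt) must be a multiple of 16.
func sealCBC(key, macKey, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(iv)+len(pt))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[len(iv):], pt)
	mac := hmac.New(sha256.New, macKey); mac.Write(out)
	return mac.Sum(out) // iv || ciphertext || 32-byte tag
}

// sealGCM: AES-GCM gives confidentiality and integrity in one pass. Output: nonce || ciphertext+tag.
func sealGCM(key, nonce, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g.Seal(append([]byte{}, nonce...), nonce, pt, nil)
}

// ctr builds an n-byte IV/nonce from packet counter i: a GCM nonce must never repeat under one key.
func ctr(n int, i uint64) []byte { b := make([]byte, n); binary.BigEndian.PutUint64(b[n-8:], i); return b }
// throughputMBps seals a 1392-byte packet (one tunnel MTU, a multiple of 16) for d and returns MB/s.
func throughputMBps(seal func(i uint64, pt []byte) []byte, d time.Duration) float64 {
	pt, n := make([]byte, 1392), uint64(0)
	for start := time.Now(); time.Since(start) < d; n++ { seal(n, pt) }
	return float64(n*uint64(len(pt))) / d.Seconds() / 1e6
}

func main() {
	secret := make([]byte, 64) // constructed: 32 HMAC key bytes, then up to 32 AES key bytes
	rand.Read(secret)
	for _, bits := range []int{128, 256} {
		k := secret[32 : 32+bits/8]
		cbc := throughputMBps(func(i uint64, p []byte) []byte { return sealCBC(k, secret[:32], ctr(16, i), p) }, 300*time.Millisecond)
		gcm := throughputMBps(func(i uint64, p []byte) []byte { return sealGCM(k, ctr(12, i), p) }, 300*time.Millisecond)
		fmt.Printf("AES-%d-CBC+HMAC-SHA256 %6.0f MB/s   AES-%d-GCM %6.0f MB/s\n", bits, cbc, bits, gcm)
	}
}
```

On a CPU with AES-NI and CLMUL (PCLMULQDQ) GCM normally wins because the HMAC pass disappears; on a box that accelerates only CBC, as the SG-3100 reply describes, the CBC line can come out ahead.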

  • @berndeckenfels
    @berndeckenfels 4 years ago

    Does the Pi have AES hardware acceleration? Can you also test it with a recent x86 CPU?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago

      I was only using the Raspberry Pi to use iperf, not the encryption.

    • @berndeckenfels
      @berndeckenfels 4 years ago

      Lawrence Systems / PC Pickup Oh ok, so you used the notebook as the VPN client; missed that. That makes more sense, it sounded ridiculously fast for a Pi.

  • @metallisticate
    @metallisticate 4 years ago

    256 can be slower, but it's hard to understand the speed of the connection.

  • @xephael3485
    @xephael3485 4 years ago +7

    You're not a cryptographer? Really? 🤣😂