Сети‎ > ‎VPN‎ > ‎Параметры OpenVPN‎ > ‎


Data Channel Encryption Options:
These options are meaningful for both Static & TLS-negotiated key modes (must be compatible between peers).
--secret file [direction]
Enable Static Key encryption mode (non-TLS). Use pre-shared secret file which was generated with --genkey.

The optional direction parameter enables the use of 4 distinct keys (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt), so that each data flow direction has a different set of HMAC and cipher keys. This has a number of desirable security properties including eliminating certain kinds of DoS and message replay attacks.

When the direction parameter is omitted, 2 keys are used bidirectionally, one for HMAC and the other for encryption/decryption.

The direction parameter should always be complementary on either side of the connection, i.e. one side should use "0" and the other should use "1", or both sides should omit it altogether.

The direction parameter requires that file contains a 2048 bit key. While pre-1.5 versions of OpenVPN generate 1024 bit key files, any version of OpenVPN which supports the direction parameter, will also support 2048 bit key file generation using the --genkey option.

Static key encryption mode has certain advantages, the primary being ease of configuration.

There are no certificates or certificate authorities or complicated negotiation handshakes and protocols. The only requirement is that you have a pre-existing secure channel with your peer (such as ssh ) to initially copy the key. This requirement, along with the fact that your key never changes unless you manually generate a new one, makes it somewhat less secure than TLS mode (see below). If an attacker manages to steal your key, everything that was ever encrypted with it is compromised. Contrast that to the perfect forward secrecy features of TLS mode (using Diffie Hellman key exchange), where even if an attacker was able to steal your private key, he would gain no information to help him decrypt past sessions.

Another advantageous aspect of Static Key encryption mode is that it is a handshake-free protocol without any distinguishing signature or feature (such as a header or protocol handshake sequence) that would mark the ciphertext packets as being generated by OpenVPN. Anyone eavesdropping on the wire would see nothing but random-looking data.

Alternative way of specifying the optional direction parameter for the --tls-auth and --secret options. Useful when using inline files (See section on inline files).
--auth alg
Authenticate packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.

OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ciphertext.

In static-key encryption mode, the HMAC key is included in the key file generated by --genkey. In TLS mode, the HMAC key is dynamically generated and shared between peers via the TLS control channel. If OpenVPN receives a packet with a bad HMAC it will drop the packet. HMAC usually adds 16 or 20 bytes per packet. Set alg=none to disable authentication.

For more information on HMAC see http://www.cs.ucsd.edu/users/mihir/papers/hmac.html

--cipher alg
Encrypt packets with cipher algorithm alg. The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. Blowfish has the advantages of being fast, very secure, and allowing key sizes of up to 448 bits. Blowfish is designed to be used in situations where keys are changed infrequently.

For more information on blowfish, see http://www.counterpane.com/blowfish.html

To see other ciphers that are available with OpenVPN, use the --show-ciphers option.

OpenVPN supports the CBC, CFB, and OFB cipher modes, however CBC is recommended and CFB and OFB should be considered advanced modes.

Set alg=none to disable encryption.

--keysize n
Size of cipher key in bits (optional). If unspecified, defaults to cipher-specific default. The --show-ciphers option (see below) shows all available OpenSSL ciphers, their default key sizes, and whether the key size can be changed. Use care in changing a cipher's default key size. Many ciphers have not been extensively cryptanalyzed with non-standard key lengths, and a larger key may offer no real guarantee of greater security, or may even reduce security.
--prng alg [nsl]
(Advanced) For PRNG (Pseudo-random number generator), use digest algorithm alg (default=sha1), and set nsl (default=16) to the size in bytes of the nonce secret length (between 16 and 64).

Set alg=none to disable the PRNG and use the OpenSSL RAND_bytes function instead for all of OpenVPN's pseudo-random number needs.

--engine [engine-name]
Enable OpenSSL hardware-based crypto engine functionality.

If engine-name is specified, use a specific crypto engine. Use the --show-engines standalone option to list the crypto engines which are supported by OpenSSL.

(Advanced) Disable OpenVPN's protection against replay attacks. Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less security.

OpenVPN provides datagram replay protection by default.

Replay protection is accomplished by tagging each outgoing datagram with an identifier that is guaranteed to be unique for the key being used. The peer that receives the datagram will check for the uniqueness of the identifier. If the identifier was already received in a previous datagram, OpenVPN will drop the packet. Replay protection is important to defeat attacks such as a SYN flood attack, where the attacker listens in the wire, intercepts a TCP SYN packet (identifying it by the context in which it occurs in relation to other packets), then floods the receiving peer with copies of this packet.

OpenVPN's replay protection is implemented in slightly different ways, depending on the key management mode you have selected.

In Static Key mode or when using an CFB or OFB mode cipher, OpenVPN uses a 64 bit unique identifier that combines a time stamp with an incrementing sequence number.

When using TLS mode for key exchange and a CBC cipher mode, OpenVPN uses only a 32 bit sequence number without a time stamp, since OpenVPN can guarantee the uniqueness of this value for each key. As in IPSec, if the sequence number is close to wrapping back to zero, OpenVPN will trigger a new key exchange.

To check for replays, OpenVPN uses the sliding window algorithm used by IPSec.

--replay-window n [t]
Use a replay protection sliding-window of size n and a time window of t seconds.

By default n is 64 (the IPSec default) and t is 15 seconds.

This option is only relevant in UDP mode, i.e. when either --proto udp is specifed, or no --proto option is specified.

When OpenVPN tunnels IP packets over UDP, there is the possibility that packets might be dropped or delivered out of order. Because OpenVPN, like IPSec, is emulating the physical network layer, it will accept an out-of-order packet sequence, and will deliver such packets in the same order they were received to the TCP/IP protocol stack, provided they satisfy several constraints.

(a) The packet cannot be a replay (unless --no-replay is specified, which disables replay protection altogether).

(b) If a packet arrives out of order, it will only be accepted if the difference between its sequence number and the highest sequence number received so far is less than n.

(c) If a packet arrives out of order, it will only be accepted if it arrives no later than t seconds after any packet containing a higher sequence number.

If you are using a network link with a large pipeline (meaning that the product of bandwidth and latency is high), you may want to use a larger value for n. Satellite links in particular often require this.

If you run OpenVPN at --verb 4, you will see the message "Replay-window backtrack occurred [x]" every time the maximum sequence number backtrack seen thus far increases. This can be used to calibrate n.

There is some controversy on the appropriate method of handling packet reordering at the security layer.

Namely, to what extent should the security layer protect the encapsulated protocol from attacks which masquerade as the kinds of normal packet loss and reordering that occur over IP networks?

The IPSec and OpenVPN approach is to allow packet reordering within a certain fixed sequence number window.

OpenVPN adds to the IPSec model by limiting the window size in time as well as sequence space.

OpenVPN also adds TCP transport as an option (not offered by IPSec) in which case OpenVPN can adopt a very strict attitude towards message deletion and reordering: Don't allow it. Since TCP guarantees reliability, any packet loss or reordering event can be assumed to be an attack.

In this sense, it could be argued that TCP tunnel transport is preferred when tunneling non-IP or UDP application protocols which might be vulnerable to a message deletion or reordering attack which falls within the normal operational parameters of IP networks.

So I would make the statement that one should never tunnel a non-IP protocol or UDP application protocol over UDP, if the protocol might be vulnerable to a message deletion or reordering attack that falls within the normal operating parameters of what is to be expected from the physical IP layer. The problem is easily fixed by simply using TCP as the VPN transport layer.

Silence the output of replay warnings, which are a common false alarm on WiFi networks. This option preserves the security of the replay protection code without the verbosity associated with warnings about duplicate packets.
--replay-persist file
Persist replay-protection state across sessions using file to save and reload the state.

This option will strengthen protection against replay attacks, especially when you are using OpenVPN in a dynamic context (such as with --inetd) when OpenVPN sessions are frequently started and stopped.

This option will keep a disk copy of the current replay protection state (i.e. the most recent packet timestamp and sequence number received from the remote peer), so that if an OpenVPN session is stopped and restarted, it will reject any replays of packets which were already received by the prior session.

This option only makes sense when replay protection is enabled (the default) and you are using either --secret (shared-secret key mode) or TLS mode with --tls-auth.

(Advanced) Disable OpenVPN's use of IV (cipher initialization vector). Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less security.

OpenVPN uses an IV by default, and requires it for CFB and OFB cipher modes (which are totally insecure without it). Using an IV is important for security when multiple messages are being encrypted/decrypted with the same key.

IV is implemented differently depending on the cipher mode used.

In CBC mode, OpenVPN uses a pseudo-random IV for each packet.

In CFB/OFB mode, OpenVPN uses a unique sequence number and time stamp as the IV. In fact, in CFB/OFB mode, OpenVPN uses a datagram space-saving optimization that uses the unique identifier for datagram replay protection as the IV.

Enable prediction resistance on PolarSSL's RNG.

Enabling prediction resistance causes the RNG to reseed in each call for random. Reseeding this often can quickly deplete the kernel entropy pool.

If you need this option, please consider running a daemon that adds entropy to the kernel pool.

Note that this option only works with PolarSSL versions greater than 1.1.

Do a self-test of OpenVPN's crypto options by encrypting and decrypting test packets using the data channel encryption options specified above. This option does not require a peer to function, and therefore can be specified without --dev or --remote.

The typical usage of --test-crypto would be something like this:

openvpn --test-crypto --secret key


openvpn --test-crypto --secret key --verb 9

This option is very useful to test OpenVPN after it has been ported to a new platform, or to isolate problems in the compiler, OpenSSL crypto library, or OpenVPN's crypto code. Since it is a self-test mode, problems with encryption and authentication can be debugged independently of network and tunnel issues.

SSL Library information:
(Standalone) Show all cipher algorithms to use with the --cipher option.
(Standalone) Show all message digest algorithms to use with the --auth option.
(Standalone) Show all TLS ciphers (TLS used only as a control channel). The TLS ciphers will be sorted from highest preference (most secure) to lowest.
(Standalone) Show currently available hardware-based crypto acceleration engines supported by the OpenSSL library.

  Generate a random key:
Used only for non-TLS static key encryption mode.
(Standalone) Generate a random key to be used as a shared secret, for use with the --secret option. This file must be shared with the peer over a pre-existing secure channel such as scp(1)
--secret file
Write key to file.