According to a security release by OpenVPN back in August, OpenVPN is vulnerable to attack on 64-bit block ciphers, such as 3DES and Blowfish — the latter being the default cipher enabled by OpenVPN.
Synology users should also pay particular attention here since the service does not allow for choosing a cipher within the UI — users will be forced to turn to SSH to configure the service by command-line.
The gist of the security release is that BF-*, DES* (including 3DES variants), and RC2-* ciphers should no longer be used, and AES-*, CAMELLIA-*, or SEED-* should be used instead. Personally I would recommend AES-192 or AES-256 since they are considered secure enough government information classified “Top Secret”.
On a Synology box the configuration file is here:
/usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf
If you see a line that starts with “cipher” (without quotes), check to see which cipher it is using, and if necessary, swap it out for a more secure one.
Example:
cipher AES-256-CBC
It doesn’t really matter where you put this line.
Remember to also make an identical change to the client-side OpenVPN configuration. In my case I can edit the “Advanced” tab in my VPN settings of Viscosity. In the window there I can just put the same line of code to enable AES-256-CBC encryption/decryption.
Leave a Reply