[Guide] Setup pfsense with Strong Encryption (AES-256)
Please reference the pfSense guide for setting up PIA and pfSense. It works perfectly and provides detailed steps that I won't repeat here, but will reference.
I already have a working OpenVPN connection, how do I change it to use the new strong encryption?
- What I did, to be safe, was create a new CA certificate entry in pfSense using the 4096-bit RSA CA certificate posted here, and name it PIA-STRONG. You can call it whatever you like.
- Edit your OpenVPN Client settings and make the following configuration changes:
- Server Port = 1197
- Peer Certificate Authority = PIA-STRONG (or whatever you called your new Cert)
- Encryption algorithm = AES-256-CBC (256-bit)
- Auth Digest Algorithm = SHA256 (256-bit)
I'm setting up pfsense and PIA for the first time
Follow the pfSense guide linked at the top of this post. For reference, here are the OpenVPN client settings:
- Select menu: VPN->OpenVPN
- Select Client tab
- Click Plus symbol to add client
- Configure as follows:
- Disabled = unchecked
- Server Mode = Peer To Peer (SSL/TLS)
- Protocol = UDP
- Device Mode = tun
- Interface = WAN
- Local Port = (leave blank)
- Server host or address = us-texas.privateinternetaccess.com (or any server you choose that PIA offers)
- Server Port = 1197
- Proxy host or address = (leave blank)
- Proxy port = (leave blank)
- Proxy authentication extra options = none
- Server host name resolution = checked, Infinitely resolve server
- Description = PIA OpenVPN (or whatever you desire)
- TLS Authentication = unchecked, Enable authentication of TLS packets
- Peer Certificate Authority = PIAVPN
- Client Certificate = webConfigurator default *In use
- Encryption algorithm = AES-256-CBC (256-bit)
- Auth Digest Algorithm = SHA256 (256-bit)
- Hardware Crypto = No Hardware Crypto Acceleration
- IPv4 Tunnel Network = (leave blank)
- IPv6 Tunnel Network = (leave blank)
- IPv4 Remote Network/s = (leave blank)
- IPv6 Remote Network/s = (leave blank)
- Limit outgoing bandwidth = (leave blank)
- Compression = checked, Compress tunnel packets using the LZO algorithm
- Type-of-Service = unchecked
- Advanced = (enter the following into the text field, one directive per line, with a semicolon separating each)
auth-user-pass /etc/openvpn-password.txt;
verb 5;
remote-cert-tls server
Comments
Running openssl speed test with aes-256-cbc:
- aes-ni hw acceleration: 0.03-0.41 seconds
- without hw accel: 2.9 - 3 seconds
PIA VPN with hw accel "BSD cryptodev" and aes-256-cbc checked OR unchecked: SAME results using top in the shell:
- 140mbps dl @ 35% cpu
- 14mbps ul @ 15% cpu
I've tested this over 20 times with and without. Results are the same. Checking the log for pia vpn:
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
So, I know hardware acceleration works in pfSense, but not for PIA. This lets me conclude PIA accepts it, but overrides it with the blowfish encryption... I'd love to see some factual data to confirm or deny my thought. Thanks.
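The comment above quotes two OpenVPN log lines. As an added example (not from the post, pfSense or PIA), here is a small Python checker that reads such log lines and reports whether the data channel actually came up with the cipher and HMAC digest the guide configures, and whether OpenVPN logged a cipher mismatch with the peer. The sample log is constructed around the two quoted lines; the HMAC and "Initialization Sequence Completed" lines follow OpenVPN's usual message format but are assumed here.

```python
import re

# Constructed sample of a pfSense OpenVPN client log. The "Data Channel Encrypt"
# and "WARNING" lines are the ones quoted in the comment above; the rest are
# assumed, in OpenVPN's usual format, to make the sample realistic.
SAMPLE_LOG = """\
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Initialization Sequence Completed
"""

# Cipher actually initialised for each direction of the data channel.
CIPHER_RE = re.compile(
    r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")
# HMAC digest chosen for packet authentication.
HMAC_RE = re.compile(r"Using (\d+) bit message hash '([^']+)' for HMAC")
# OpenVPN's option-mismatch warning, e.g. local='cipher AES-256-CBC', remote='cipher BF-CBC'.
MISMATCH_RE = re.compile(
    r"WARNING: '(\w+)' is used inconsistently, local='(?:\w+ )?([^']+)', remote='(?:\w+ )?([^']+)'")


def audit_openvpn_log(log_text, want_cipher="AES-256-CBC", want_auth="SHA256"):
    """Summarise what the data channel negotiated and whether it matches the intended settings."""
    result = {"encrypt": None, "decrypt": None, "hmac": None, "mismatches": [], "ok": False}
    for line in log_text.splitlines():
        m = CIPHER_RE.search(line)
        if m:
            result[m.group(1).lower()] = (m.group(2), int(m.group(3)))
            continue
        m = HMAC_RE.search(line)
        if m:
            result["hmac"] = (m.group(2), int(m.group(1)))
            continue
        m = MISMATCH_RE.search(line)
        if m:
            # (option name, local value, remote value); worth investigating rather
            # than assuming the local setting is what is in effect end to end.
            result["mismatches"].append((m.group(1), m.group(2), m.group(3)))
    ciphers_ok = all(v is not None and v[0] == want_cipher
                     for v in (result["encrypt"], result["decrypt"]))
    hmac_ok = result["hmac"] is not None and result["hmac"][0] == want_auth
    result["ok"] = ciphers_ok and hmac_ok and not result["mismatches"]
    return result


if __name__ == "__main__":
    print(audit_openvpn_log(SAMPLE_LOG))
```

Point it at the OpenVPN log pfSense keeps (Status -> System Logs -> OpenVPN) after the tunnel comes up; a result with `ok` false and a non-empty `mismatches` list means the log shows the peer declaring a different option than the one you configured.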
Too much wording from the analyses, observations and theories.
To conclude:
As of the moment, I don't know whether aes-ni is enabled by default or not, and whether the hardware acceleration options are just obsolete, not only for aes-ni in the pfSense OpenVPN client, but also in pfSense System->Advanced->Miscellaneous.
Please enlighten me and others if you are able to test this by setting VT-d and virtualization off in the BIOS and testing it in pfSense with top while doing a speedtest or iperf, as my host needs to keep running and can't restart/shutdown. Imho, this mystery needs to be solved. I've read about it and threads kept dying, and nobody knows why or how.