VPN improvements: Stronger encryption and multi-user authentication
1. Looks like it's using SHA1 which is obsolete:
Fri Mar 3 07:54:22 2017 us=826132 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key Fri Mar 3 07:54:22 2017 us=826220 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Fri Mar 3 07:54:22 2017 us=826266 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key Fri Mar 3 07:54:22 2017 us=826311 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication WFri Mar 3 07:54:22 2017 us=826456 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
I'm glad you're using TLS1 and AES, but I'd expected SHA1 would have been retired years ago. SHA2 is the new minimum. Actually, if you want these devices to last, I would think you'd go for the maximum that clients are likely to support, since today's maximum becomes the minimum in 2-5 years.
2. There is no way to specify different users for the VPN. Presumably anyone with the zip file of certificates can connect to this VPN. If there were multiple users and a key were compromised, we could shut down that user and keep using the VPN. But with this router, there's only one VPN "user". Maybe multiple people can use that at once, but if the certificate/key were ever exposed, I think our only secure recourse would be to get a new router.
I understand that this is a home router, so maybe having a VPN at all is an afterthought - most people only care about an easy setup and fast routing. But even dd-wrt has a facility to create multiple VPN clients, each with a different password:
I guess I had expected some way to manage VPN clients.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.