Default VPN encryption
What is the default encryption for the VPN? Is it cipher AES-256-CBC?
-
As the Gold unit has a chipset that supports AES-offload, it would be great to take advantage of the additional speed and security of AES-128-GCM encryption. PIA, WatchGuard, SonicWall, and others have been supporting it for about two years now and it definitely makes an impact on branch-office and SSL VPN tunnel performance.
Quick recap of GCM:
-
Given the same key length, say 128-bit, GCM has been shown to be more secure than CBC along with performance gains. This is obviously not to say 128-bit CBC is not secure. One of the many articles over the years supporting this: https://www.leozqin.me/aes-chain-block-cipher-vs-galoiscounter-modes-of-operation/
I've been using 128-GCM cipher to PIA's VPN servers on the FWG VPN Client with promising performance. Given the hardware acceleration capability of the FWG, I'm curious about the server-side performance gain of GCM and if that yields better than the stated 120Mbps VPN throughput on the FWG.
-
I didn't realize Firewalla was going to introduce WireGuard in an early access release. Happy to see this.
Nevertheless, it would be great to have AES-GCM as a backup option. I have issues with WireGuard (via Cloudflare) in certain countries and some US locations, but I'm excited to see adoption of it. It will only get better.