Default VPN encryption

Comments

6 comments

  • Firewalla

    cipher AES-128-CBC

  • RDubbs

    As the Gold unit has a chipset that supports AES offload, it would be great to take advantage of the additional speed and security of AES-128-GCM encryption. PIA, Watchguard, Sonicwall, and others have been supporting it for about two years now and it definitely makes an impact on branch-office and SSL VPN tunnel performance.

    Quick recap of GCM:

    https://www.privateinternetaccess.com/helpdesk/kb/articles/what-s-the-difference-between-aes-cbc-and-aes-gcm

  • RDubbs

    Are there any plans to change this to a more secure/performance-oriented cipher? One example would be my comment above, which would have a significant throughput increase on the FWG. WireGuard is now making its way into the market, and has been fully adopted by Cloudflare.

  • Firewalla

    It is hard to say that, when used correctly, CBC is less secure than GCM. But you do have a point; we will see if we can ask the engineering team to see if they can do something to model it and see if we can gain more performance with GCM.

  • RDubbs

    Given the same key length, say 128-bit, GCM has been shown to be more secure than CBC, along with performance gains. This is obviously not to say 128-bit CBC is not secure. One of the many articles over the years supporting this: https://www.leozqin.me/aes-chain-block-cipher-vs-galoiscounter-modes-of-operation/

    I've been using the 128-GCM cipher to PIA's VPN servers on the FWG VPN client with promising performance. Given the hardware acceleration capability of the FWG, I'm curious about the server-side performance gain of GCM and whether that yields better than the stated 120 Mbps VPN throughput on the FWG.

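Worked example, added here as an editorial illustration and not code from Firewalla or either commenter. The two comments above disagree about whether CBC is less secure than GCM; the difference that matters on a VPN link is integrity. GCM is an AEAD mode and rejects any modified packet by itself, whereas CBC only does so when paired with a separate MAC, which is what "used correctly" amounts to. The Go program below, using only the standard library, encrypts a constructed sample payload three ways (plain AES-128-CBC, AES-128-CBC with an encrypt-then-MAC HMAC-SHA256, and AES-128-GCM), flips one bit of each ciphertext, and reports which decryptions notice. The keys, the payload and the ciphertext-plus-tag layout are constructed for the demo; they are not OpenVPN's packet format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo keys (a real VPN derives per-session keys from its handshake); the sizes are fixed and valid, so the ignored constructor errors cannot occur.
var (
	demoKey      = []byte("0123456789abcdef") // 16 bytes -> AES-128
	demoMacKey   = []byte("fedcba9876543210") // separate key for the HMAC variant
	demoBlock, _ = aes.NewCipher(demoKey)
	demoGCM, _   = cipher.NewGCM(demoBlock)
)

// encryptCBC returns IV || CBC(PKCS#7-padded plaintext). Nothing here protects integrity.
func encryptCBC(plaintext []byte) []byte {
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	rand.Read(out[:aes.BlockSize]) // random IV travels in front of the ciphertext
	cipher.NewCBCEncrypter(demoBlock, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

// decryptCBC can only check that the padding parses; it cannot tell a modified ciphertext from a genuine one.
func decryptCBC(data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("cbc: bad ciphertext length")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(demoBlock, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("cbc: bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// sealCBCHMAC is encrypt-then-MAC: ciphertext || HMAC-SHA256(ciphertext). A separate MAC is what
// "CBC used correctly" needs; this layout is a simplification, not OpenVPN's packet format.
func sealCBCHMAC(plaintext []byte) []byte {
	ct := encryptCBC(plaintext)
	mac := hmac.New(sha256.New, demoMacKey)
	mac.Write(ct)
	return mac.Sum(ct)
}

// openCBCHMAC checks the tag in constant time before any decryption happens.
func openCBCHMAC(data []byte) ([]byte, error) {
	if len(data) < sha256.Size {
		return nil, errors.New("hmac: short message")
	}
	ct, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, demoMacKey)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("hmac: message authentication failed")
	}
	return decryptCBC(ct)
}

// encryptGCM returns nonce || ciphertext || 16-byte tag; GCM authenticates on its own.
func encryptGCM(plaintext []byte) []byte {
	nonce := make([]byte, demoGCM.NonceSize())
	rand.Read(nonce) // fine for a demo; a protocol uses a counter so a nonce is never reused
	return demoGCM.Seal(nonce, nonce, plaintext, nil)
}

// decryptGCM fails on any modification of nonce, ciphertext or tag.
func decryptGCM(data []byte) ([]byte, error) {
	if len(data) < demoGCM.NonceSize() {
		return nil, errors.New("gcm: short message")
	}
	return demoGCM.Open(nil, data[:demoGCM.NonceSize()], data[demoGCM.NonceSize():], nil)
}

// tamperDetected encrypts msg each way, flips one ciphertext bit and reports whether decryption rejected it.
func tamperDetected(msg []byte) map[string]bool {
	cbc := encryptCBC(msg)
	cbc[0] ^= 1 // IV bit: only the first plaintext byte changes, so the padding still parses
	_, errCBC := decryptCBC(cbc)
	etm := sealCBCHMAC(msg)
	etm[0] ^= 1
	_, errEtM := openCBCHMAC(etm)
	gct := encryptGCM(msg)
	gct[len(gct)-1] ^= 1 // one bit of the tag
	_, errGCM := decryptGCM(gct)
	return map[string]bool{
		"AES-128-CBC, no MAC":       errCBC != nil,
		"AES-128-CBC + HMAC-SHA256": errEtM != nil,
		"AES-128-GCM":               errGCM != nil,
	}
}

func main() {
	fmt.Println(tamperDetected([]byte("push route 10.8.0.0 255.255.255.0")))
}
```

Run with `go run`: plain CBC hands back an altered payload with no error, while the HMAC variant and GCM both reject it. In OpenVPN terms, a `cipher AES-128-CBC` line is normally paired with a separate `auth` HMAC directive to get that second result; an AEAD cipher such as AES-128-GCM carries its tag inside the data packet, which is also why it can be checked in one pass on AES-offload hardware.
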
  • RDubbs

    I didn't realize Firewalla was going to introduce WireGuard in an early access release.  Happy to see this.

    Nevertheless, it would be great to have AES-GCM as a backup option. I have issues with WireGuard (via Cloudflare) in certain countries and some US locations, but I'm excited to see adoption of it. It will only get better.

