Continuing the lively discussion on our post about changing the current TUVPN.COM cipher, and as we promised there, we have run a number of tests with different cipher and key-length combinations, so that we can take the final decision with a better understanding of what each option costs.
So, without further delay, here are the results:
To perform the tests we used speedtest.net, always connecting to the same server in their network. Keep in mind that a single speedtest run is a noisy measurement: differences of a few percent between runs are normal, and only a gap that repeats across servers says much.
First, the results without the VPN, so that we have a baseline to compare against.
For reference, the test laptop was located in Sweden and the VPN servers used for testing were Chicago and Steinsel.
Speedtest without running OpenVPN
Speedtest Default Cipher (BF-CBC) and Default Key Length (128bit) – Chicago VPN Server
Speedtest Default Cipher (BF-CBC) and Default Key Length (128bit) – Steinsel VPN Server
Speedtest AES-CBC and 256bit key – Chicago VPN Server
Speedtest AES-CBC and 256bit key – Steinsel VPN Server
Speedtest BF-CBC and 256bit key – Chicago VPN Server
Speedtest BF-CBC and 256bit key – Steinsel VPN Server
Up to here we have only played with the cipher and its key length, that is, we have strengthened the data channel of the VPN (the channel that carries your traffic).
As Timmi's very interesting comments on our last post point out, we can also play with the security of the control channel (the TLS channel that creates the VPN connection, exchanges the data channel keys and renegotiates them periodically).
So now a new round of tests, this time also varying the strength of the control channel and the HMAC used for packet authentication.
For reference, we currently use 1024-bit RSA keys (the certificates that authenticate the control channel and its key exchange) and HMAC-SHA-1 (160-bit digest) for packet authentication. One point worth being precise about: the RSA key is only used during the TLS handshake and renegotiation, whereas the HMAC (the OpenVPN auth directive) is computed over every single packet on the data channel, so it is the HMAC, not the RSA key size, that can show up in a throughput test.
Speedtest Default Cipher (BF-128-CBC) and RSA 2048bit + SHA-2-512bit – Chicago VPN Server
Speedtest Default Cipher (BF-128-CBC) and RSA 2048bit + SHA-2-512bit – Steinsel VPN Server
Speedtest AES-CBC-256bit key and RSA 2048bit + SHA-2-512bit – Chicago VPN Server
Speedtest AES-CBC-256bit key and RSA 2048bit + SHA-2-512bit – Steinsel VPN Server
Speedtest BF-CBC-256bit key and RSA 2048bit + SHA-2-512bit – Chicago VPN Server
Speedtest BF-CBC-256bit key and RSA 2048bit + SHA-2-512bit – Steinsel VPN Server
So now WHAT ?
First thing: TUVPN VPN servers are REALLY fast! Well, we already knew that, but here it has been proved once more!
Second thing: increasing the cipher key length to 256 bits, with either AES or Blowfish, doesn't penalise performance much. As expected, the current configuration is faster, but not by much.
Third thing: keeping the current data channel configuration and strengthening the control channel (2048-bit RSA) plus the packet HMAC (SHA-512) doesn't inflict noticeable damage on performance either.
Fourth thing: increasing BOTH data channel and control channel security AFFECTS VPN performance. We see a sustained 20% decrease, on both servers. Where does it come from? Not from the RSA key, which is only exercised at handshake and renegotiation time. Per packet, the work is the cipher plus the HMAC, and HMAC-SHA-512 costs more CPU than SHA-1 and carries a 64-byte tag instead of a 20-byte one, so each packet also has less room for payload. A 256-bit cipher and SHA-512 together are what adds up to the gap we measured.
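As an added example (not code from this post, nor OpenVPN's own code), the following Python shows why the HMAC choice matters per packet, which is what the control-channel round above and the 20% result come down to. It mimics the shape of OpenVPN's data channel packet authentication with the standard library only (HMAC over the packet, full digest prepended, constant-time check on receipt), reports the 20-byte versus 64-byte per-packet overhead of HMAC-SHA-1 versus HMAC-SHA-512, rejects tampered and truncated packets, and micro-benchmarks both digests on constructed 1400-byte packets. The key and packet contents are constructed for the demo, and the framing is simplified: OpenVPN's real packet layout also carries an opcode, IV and padding.

```python
"""Per-packet HMAC authentication cost: SHA-1 vs SHA-512.

Added example, not from the TUVPN post or from OpenVPN. It imitates the
shape of OpenVPN's data channel packet authentication (HMAC over the
packet, full digest prepended) using only the standard library. It is
not OpenVPN's wire format; the key and packets are constructed demo data.
"""
import hashlib
import hmac
import os
import time

# Constructed demo key. OpenVPN derives the real HMAC keys from the
# TLS control channel; this one exists only so the example runs offline.
HMAC_KEY = bytes(range(64))

# The two "auth" choices compared in the post.
DIGESTS = {"SHA1": "sha1", "SHA512": "sha512"}


def digest_overhead(auth: str) -> int:
    """Bytes the HMAC tag adds to every packet (OpenVPN sends the full digest)."""
    return hashlib.new(DIGESTS[auth]).digest_size


def protect(packet: bytes, auth: str, key: bytes = HMAC_KEY) -> bytes:
    """Sender side: prepend HMAC(key, packet) to the packet."""
    tag = hmac.new(key, packet, DIGESTS[auth]).digest()
    return tag + packet


def verify(wire: bytes, auth: str, key: bytes = HMAC_KEY):
    """Receiver side: return the packet if its tag checks out, else None.

    compare_digest is a constant-time comparison, so a forger cannot learn
    how many leading tag bytes were right from the response time.
    """
    n = digest_overhead(auth)
    if len(wire) < n:          # truncated: not even a whole tag
        return None
    tag, packet = wire[:n], wire[n:]
    expected = hmac.new(key, packet, DIGESTS[auth]).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return packet


def payload_per_packet(mtu: int, auth: str) -> int:
    """Payload bytes left in an mtu-sized packet once the tag is in place
    (IV, padding and headers are the same for both digests, so ignored)."""
    return mtu - digest_overhead(auth)


def bench(auth: str, packet_size: int = 1400, packets: int = 20000) -> float:
    """Throughput in MB/s of protect()+verify() over constructed packets."""
    packet = os.urandom(packet_size)
    start = time.perf_counter()
    for _ in range(packets):
        if verify(protect(packet, auth), auth) != packet:
            raise RuntimeError("authentication failed on a valid packet")
    elapsed = time.perf_counter() - start
    return packet_size * packets / elapsed / 1e6


def relative_cost(packet_size: int = 1400, packets: int = 20000) -> float:
    """SHA-1 throughput divided by SHA-512 throughput (>1 means SHA-512 is slower)."""
    return bench("SHA1", packet_size, packets) / bench("SHA512", packet_size, packets)


if __name__ == "__main__":
    for auth in DIGESTS:
        print(f"{auth}: {digest_overhead(auth)} bytes of tag per packet, "
              f"{payload_per_packet(1500, auth)} payload bytes in a 1500-byte packet, "
              f"{bench(auth):.0f} MB/s of HMAC work in Python")
    print(f"SHA-512 per-packet cost relative to SHA-1: {relative_cost():.2f}x")
```

The absolute MB/s figures are Python-bound and far below what OpenVPN's C code does, but the ratio between the two digests and the 44 extra bytes per packet are what carries over to the real VPN.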
So, considering how much importance TUVPN's users give to the SPEED of our network, we would not go for a full-blown security revamp covering both channels.
And, as most users prefer to strengthen the data channel rather than the control channel (we accept that many probably don't know about the control channel, but at the end of the day we are here not only to instruct, but also to listen to and act on the wishes of the majority of our users), we are willing to go in that direction.
Between AES-CBC-256 and BF-CBC-256 we would have a preference for Blowfish, as it has been working pretty well up to now. One thing to keep in mind when comparing the two: a longer key does not change Blowfish's 64-bit block size, whereas AES works on 128-bit blocks. But let's see WHAT YOU HAVE TO SAY!
Hope something comes out of this, after so much work!