Do we change current OpenVPN cipher and key length ?

Have Your Say Add comments

This is not a question that will stir the interest of every reader! :) …….but for those who have had their curiosity stirred, we would love to hear your thoughts! Read on and all will be revealed…..


We have received several requests to change our current OpenVPN cipher. We are currently using the default cipher provided with OpenVPN – Blowfish.


Our view has been that the developers of OpenVPN should have a deep knowledge and insight as to which cipher works best with their software. To the best of our knowledge, Blowfish has never been broken and there are several reports that support Blowfish as the faster cipher with OpenVPN.


However, in the spirit of maintaining our healthy dialogue with customers, we would welcome your opinion.


In particular, we have had requests to move from Blowfish to AES with 256bit key. If we were to change, this would be our preferred option also. We would argue that it could give a good balance of speed and arguably enhanced security.


Change wouldn't be extremely difficult to implement for TUVPN. We would do a slight tweak on each server configuration, reboot them and provide users with a new OpenVPN installer or directions to add a single line to their OpenVPN configuration. That would be it.


In any case, before committing to a particular course of action, we would really love to have your feedback about this subject. Please feel free !


19 Responses to “Do we change current OpenVPN cipher and key length ?”

  1. Car Says:

    Yes, i would like a change to 256bit AES enryption! ūüôā

  2. James Says:

    Me too. It’s time for an upgrade!

  3. Paolo Says:

    You sure want to be protected by an American approved cipher ? I would rather prefer to use a non gov cipher, if not blowfish, then twofish or serpent or idea …

  4. Me Says:

    Yes please, AES.

  5. john Says:

    blowfish is very secure. No need to change to be trendy

    there is no effective cryptanalysis on the full-round version of Blowfish known publicly as of 2011

  6. valorisa Says:

    Yes I agree with this change.


  7. valorisa Says:

    Please have a look at :

  8. tuvpn Says:

    Thanks to all for your very valuable input and Valorisa, yes we also found that link and went over it.

    We have been discussing it internally and have agreed to perform a further test that hopefully will bring more data into the discussion.

    We will set up a test VPN server an compare performance of current configuration (Blowfish, 128bit) with the on that has got more votes (here and in twitter) that is AES 256. We will check performance in different situations (big file download, normal browsing, streaming …) and post the results so we can take a final decision.

    Hope you like the idea. We will keep you posted !

    TUVPN.COM Team

  9. Timmi Says:

    I think some of you are very mis-educated and assume that the AES algorithm is automatically wonderful and the best because its used as standard by security.

    Blowfish is very good and hasn’t been cracked to date fully at all. Many VPNs offer Blowfish but it seems sales increase when you say its AES at 256 bits because everyone assumes they are invincible which is false!!

    Its only as good as the vpn provider at the other end and the security they offer, updates and server firewalls etc.

    I trust tuvpn are very good, had no problems and have used several providers (Big names) who never matched the speed that tuvpn do.

    The AES at 256 bit WILL slow the speeds down, who knows by how much and I appreciate it that tuvpn are going to dummy run the system before changing anything.

    Sure sounds good AES 256 bits but when it drags the system down quite a bit than no point when Blowfish as it stands is unbreakable unless you have super computers and millions of dollars.

    Something else that has not been discussed regarding this cipher stuff is the Control channel encryption which establishes and Keeps a connection, instead everyone always discusses the data channel.

    Currently the control channel encryption is 1024 bit RSA and I see no one mention about tweaking that.

    The control channel max is over 4000 with OpenVPN and as it stands we are at 1024 so plenty to play with on that if one desires. I would see 2048 being very fine for it.

    Lastly the HMAC packet authentication … currently uses 160 bit SHA-1 … the newest is SHA-2 which would be much better to use.

    So to summarize instead of concentrating on the data channel so much i.e. Blowfish and AES also concentrate on the HMAC Packet authentication and the control channel encryption because altering them all together, you dont need to impact so much with either as they would balance out one another.

  10. tuvpn Says:

    Very thoughtful and educated comments Timmi, thanks for that.

    We should be publishing later this week the test results for blowfish vs AES 256 so we will be closer to a final decision. Also we will take a look at your control channel proposals that were also raised in the forums some time ago.

    As it stands now, things are very tight between proponents of the change to AES and those of keeping Blowfish. We would say that Blowfish defendants have done a better job at arguing their point :). Tests will shed some more light on it and although not everyone will be happy we hope to take the best decision !.

    Will keep you posted.

    Thanks again to all !

    TUVPN.COM Team

  11. Timmi Says:

    Sounds good however I would expect a change somewhere in the tuvpn network, you NEED to at least alter the HMAC and the RSA keys which are the integrity and authentication of the data, whereas the AES-Blowfish deals with the privacy aspect.

    Currently HMAC is 160 bit SHA-1 where SHA stands for Secure Hash Algorithm. You currently have the highest bit size for SHA-1 at 160 but try to have SHA-2 implemented into the network because its more secure and has keys of 224, 256, 384 and 512 bits and I’ll quote below

    “Federal agencies should stop using SHA-1 for…applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010” from

    So its very much a case you use SHA-2 at the very least. Wont be hard to implement, its compatible for all SSL that use SHA-1 (Our case).

    The control channel isn’t such a big deal for us which uses RSA. We use 1024 bits and many who use it go from 1024-2048. Security experts claim 1024 wont be broken for sometime to come and that 4096 bits which is the highest, would be near impossible to break.

    I know a few VPN providers use 2048bit RSA now for that additional security. It would ease the minds of those who wanted AES.

    So for my books you should stick with Blowfish as our main data encryption, implement for HMAC the SHA-2 at 224-256 bits and boost the control channel from 1024 to 2048 bits RSA.

    Than we have had a security boost and even if that means the main data encryption hasn’t changed (Blowfish) the whole system has been tweaked to high standards.

  12. Timmi Says:

    Good links with information on the HMAC, SHA-2 and RSA I spoke about plus how OpenVPN works.

  13. Blog TUVPN.COM - VPN Performance Tests For Different Ciphers and Key Strengths Says:

    […] with the lively discussion on our post about changing current TUVPN.COM cipher and as we promised there, we have performed a number of tests with different ciphers and key […]

  14. Elvis Says:

    I would also really like SHA2/256bit RSA/2048bit.

  15. Blog TUVPN.COM - Change of TUVPN OpenVPN Cipher to AES-CBC with 256bit key Says:

    […] this topic, this is a follow up of a very interesting engagement with our users that started with this blog post where we considered the options we had at hand and then continued with a performance analysis of […]

  16. Change of TUVPN OpenVPN Cipher to AES-CBC with 256bit key | MyIpTest Blog Says:

    […] this topic, this is a follow up of a very interesting engagement with our users that started with¬†this blog post where we considered the options we had at hand and then continued with a¬†performance analysis of […]

  17. Blog TUVPN.COM - TUVPN News: April Says:

    […] already announced, and after long discussions with the community and our own testing, we are going to implement AES-CBC as our OpenVPN […]

  18. Pinoy Says:

    On your tests is AES really faster than Blowfish? Would you mind posting the link to your test results? Thank you

  19. tuvpn Says:

    Here you have it:

    Not “really faster”, but slightly faster in some tests and definitely not slower.

Leave a Reply


Get Your VPN NOW!

©2011 TUVPN.COM. All rights reserved.