Wasabi
Jul 22, 2017 · 1 min read

Hi Bradley, first thank you for the clearly written article on getting OpenVPN setup on an Ubnt EdgeRouter.

However, I did notice an issue with one section of the article. You recommend creating a 1024 bit Diffie-Hellman (DH) parameter, which has been considered weak since 2015 (see https://weakdh.org/). The recommendation from that research is to use a minimum of 2048 (see “Using a Strong DH Group” https://weakdh.org/sysadmin.html). The current Suite B recommendation from the Information Assurance Directorate (IAD) at the NSA is a minimum of 3072 bits (https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm).

I would recommend updating your article to use 2048 so that anyone following the instructions who is not familiar with DH/crypto is not creating weak parameters:

openssl dhparam -out /config/auth/dhp.pem 2048
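As an added example (not part of the comment above or of Bradley's article), here is a small stand-alone check for a router or VPN host that already has a dhp.pem in place: it reads the PEM file, parses the DER DHParameter structure (SEQUENCE { p INTEGER, g INTEGER }) with the standard library only, and reports the bit length of the prime p so you can see whether it meets the 2048-bit floor from weakdh.org or the 3072-bit CNSA figure. The sample PEM files it builds are constructed from synthetic odd numbers of the right size, not real safe primes, and exist only to exercise the size check; on a real device the same information comes from `openssl dhparam -in /config/auth/dhp.pem -text -noout`, which prints "DH Parameters: (2048 bit)".

```python
"""Check the group size of an OpenSSL 'dhparam' PEM file (added example, stdlib only)."""
import base64
import re

MIN_DH_BITS = 2048   # weakdh.org sysadmin guidance; CNSA Suite asks for 3072
CNSA_DH_BITS = 3072


def _der_read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: 0x8N then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(pem_text):
    """Return the bit length of p from a '-----BEGIN DH PARAMETERS-----' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, p_bytes, _ = _der_read_tlv(seq, 0)   # first element of DHParameter is p
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    # DER INTEGER is big-endian two's complement; a 0x00 pad byte on a positive
    # value does not change it, so bit_length() gives the true modulus size.
    return int.from_bytes(p_bytes, "big").bit_length()


def dh_params_acceptable(pem_text, min_bits=MIN_DH_BITS):
    """True when the file's DH modulus is at least min_bits long."""
    return dh_prime_bits(pem_text) >= min_bits


# ---- constructed sample data (synthetic, NOT real safe primes) --------------
def _der_len(n):
    if n < 128:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_integer(n):
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:                      # keep the value positive in two's complement
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def make_dh_pem(p, g=2):
    """Encode p and g as a DHParameter PEM, the layout 'openssl dhparam' writes."""
    seq_body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_len(len(seq_body)) + seq_body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


# Stand-ins for a 1024-bit and a 2048-bit modulus (odd numbers of the right size).
WEAK_PEM = make_dh_pem((1 << 1023) | 1)
OK_PEM = make_dh_pem((1 << 2047) | 1)

if __name__ == "__main__":
    for name, pem in (("1024-bit sample", WEAK_PEM), ("2048-bit sample", OK_PEM)):
        bits = dh_prime_bits(pem)
        print(f"{name}: {bits} bit, acceptable={dh_params_acceptable(pem)}")
```

To use it against a real file, read `/config/auth/dhp.pem` into a string and pass it to `dh_params_acceptable`; pass `min_bits=CNSA_DH_BITS` if you want to enforce the 3072-bit figure instead.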