Speed Up Generating Openvpn Key
Entropy is nothing but the measure of “randomness” in a sequence of bits. The PRNG ( pseudorandom number generator ) is a special device (e.g. /dev/random on Linux) to create randomness from server hardware activities. It uses interrupts generated from the keyboard, hard disk, mouse, network and other sources. The random number generator gathers environmental noise from device drivers and other sources into an entropy pool. The randomness usually used for security purposes like creating TLS/SSL keys and the quality source of random bits is critical. For example, OpenSSL APIs can use quality randomness to make your program cryptographically secure. However, a poor source of randomness could result in loss of security. In this post, I will cover haveged and rng-utils/rng-tools to generate random numbers and feed Linux random device for your virtual or dedicated Linux server.
It converts Microsoft document into various formats.Using the program is very clear-cut and simple; there is no experience necessary. Nitro pdf 10 key generator.
Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key: openvpn -genkey -secret ta.key This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines. Optimizing OpenVPN throughput. The throughput of an OpenVPN network is determined by many factors which lie outside of OpenVPN itself. OpenVPN does have quite a few parameters which can be tweaked to optimize throughput. This section of the wiki is intended for demonstrating and explaining the optimalizations that are possible on all platforms. How to connect your Android devices to an OpenVPN VPN. Such as haveged, to speed things up here): $./build-dh Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time # rest of output. Generating a random key to be used as a shared secret helps in increasing OpenVPN's resiliency to these attacks.
Running out of entropy on server or VMs is common
To see available entropy on Linux, enter:$ cat /proc/sys/kernel/random/entropy_avail
Sample outputs:
It is rather low (anything below =< 1000) is going to take a long time to generate randomness using /dev/random as apps will block until you have enough entropy. In other words, you will see slow speed while generating keys or while using OpenSSL APIs. I recently asked on Twitter about it:
Does anyone know how to speed up?
openssl dhparam -out dhparams.pem 4096
— nixCraft # (@nixcraft) September 2, 2016
I was suggested to look into the haveged project. The haveged software provides an easy-to-use, unpredictable random number generator based on an adaptation of the HAVEGE algorithm. Another suggested option was to use rng-tools/rng-utils to speed up entropy.
Finding out your current availability of entropy and quality of randomness
You need to use the rngtest command as follows. Install it from rng-tools without starting rng in background:$ sudo RUNLEVEL=1 apt-get install rng-tools
$ cat /dev/random rngtest -c 1000
It is going to take forever to run last command due to low quality randomness. Let us see how to install haveged or rng-tools.
Option #1: Install haveged
Linux entropy source using the HAVEGE algorithm and can installed as follows:
Debian/Ubuntu Linux
Type the following apt-get command:$ sudo apt-get install haveged
Sample outputs:
RHEL/CentOS Linux
First, turn on EPEL repo and type:$ sudo yum install epel-release
$ sudo yum install haveged
Sample outputs:
That is all. Test it:$ cat /proc/sys/kernel/random/entropy_avail
$ cat /dev/random rngtest -c 1000
$ haveged -n 2g -f - dd of=/dev/null
Option #2: Install rng-utils/rng-tools
The rngd is hardware RNG entropy gatherer daemon. Type the following yum command on a CentOS/RHEL based system:$ sudo yum install -y rng-utils
Sample outputs:
Debian / Ubuntu Linux users type the following apt-get command:$ sudo apt-get install rng-tools
Sample outputs:
That is all. Test it:$ cat /proc/sys/kernel/random/entropy_avail
$ cat /dev/random rngtest -c 1000
Examples
Now you should see speed up while using the following commands. To use perfect forward secrecy cipher suites, you must set up Diffie-Hellman parameters on the server side. To generate a strong DH group or GPG keys using CLI, run:$ openssl dhparam -out dhparams.pem 2048
OR$ openssl dhparam -out dhparams.pem 4096
OR$ openssl dhparam -out dhparams.pem -dsaparam 4096
Type the following command to generates a key pair that consists of a public and a private key, execute:$ gpg2 --gen-key
To generate a /root/keyfile for disk encryption with LUKS, enter:$ sudo haveged -n 2048 -f /root/keyfile
To generate random ASCII passwords of the length 16 characters, run:$ (haveged -n 1000 -f - 2>/dev/null tr -cd '[:graph:]' fold -w 16 && echo ) head -1
To test the randomness of the generated data with dieharder test suite (use ‘apt-get install dieharder‘ to use dieharder on Debian/Ubuntu Linux):$ haveged -n 0 dieharder -g 200 -a
Sample outputs:
A note about ChaosKey
There is a hardware based True Random Number Generator that attaches via USB:
References:
- Man pages – openssl(1),gpg(1),haveged(8),rngtest(1),dieharder(1)
ADVERTISEMENTS
I've been struggling with this for the past days and I have not made any progress so far. The configuration of OpenVPN was delightfully straight forward and pretty much everything worked out of the box. The only thing wrong with the installation are the transfer speeds. Without OpenVPN 'iperf' reports about 300 mbps download speed. As soon as OpenVPN is involved the speed drops to anywhere between 10 and 70 mbps depending on different mtu/crypto configurations.
I've been able to reproduce the issue in a simple adhoc VPN.
Speed Up Generating Openvpn Key Download
Server (Debian 8):Client (Ubuntu 16.04):
Code: Select all
This gives me about 35 mbps on a link that should be 300 mbps. The situation is much worse when using tcp at 2-11 mbps. I've experimented with countless combinations of tun-mtu/fragment/mssfix/sndbuf/rcvbuf and many more, the maximum I've ever reached was about 60-70 mbps by adding the following parameters:CPU usage on the client is <50% and on the server it's <20%. I've tried different ports as well (443 for example) and iperf over an SSH tunnel gives me almost the full 300 mbps.