VPN Provider says they support Perfect Forward Secrecy but I am not so sure.

Discussion in 'privacy technology' started by DarkManX, Apr 1, 2014.

Thread Status:
Not open for further replies.
  1. DarkManX

    DarkManX Registered Member

    Joined:
    Apr 1, 2014
    Posts:
    2
    Location:
    United States
    I have really looked all over for an answer to this. I signed up for a VPN service that provides a ca.crt and ta.key only. When I asked if they support PFS, the tech told me yes, the keys are re-negotiated every 30 minutes (what keys?). I asked what keys and never got an answer. I understand what the ca.crt does and that the ta.key is for control channel auth, but there are no other keys, so how do they support perfect forward secrecy?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OpenVPN servers can authenticate clients using client.crt/client.key or username/password, or both methods. You have perfect forward secrecy either way. See the OpenVPN HOWTO <http://openvpn.net/index.php/open-source/documentation/howto.html> and Security Overview <http://openvpn.net/index.php/open-source/documentation/security-overview.html>.
     
  3. DarkManX

    DarkManX Registered Member

    Joined:
    Apr 1, 2014
    Posts:
    2
    Location:
    United States
    I assume user/pass is the least preferred method?


    Thanks for the links. I had never seen the security overview one.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That's a complicated question. Using certificates is probably more secure. And using user/pass requires custom server-side scripting, which could be buggy.

    But on the other hand, if each user has a unique certificate, it's easy to identify a user's traffic in logs, and to ban bad users by revoking their certificates. And that's bad for anonymity. Good providers use the same certificate for all users.

    The OpenVPN wiki is not very well organized or indexed :(
     
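A way to check the question raised in the thread against an actual profile, as an added example that is not part of the original posts and not OpenVPN project code: the script below parses an OpenVPN client profile and reports which authentication material it carries (client cert, username/password, or both), how the control channel is protected (tls-auth or tls-crypt), how often the data-channel keys are renegotiated (`reneg-sec`, defaulting to OpenVPN's 3600 s), and whether an explicit `tls-cipher` list still permits a non-ephemeral suite. The point it makes concrete is that ca.crt, ta.key and any client cert/key are long-term files; the keys that actually encrypt traffic are derived from each TLS session, which is where forward secrecy comes from. Both profiles, the host name and the PEM bodies are constructed placeholders, and the `WEAK_PROFILE` cipher list is an assumed example of a misconfiguration, not something the thread attributes to any provider.

```python
"""Report the authentication and forward-secrecy-relevant options of an
OpenVPN client profile. Added example; not code from the thread or from OpenVPN."""
import re

DEFAULT_RENEG_SEC = 3600  # OpenVPN's default for --reneg-sec

# Constructed sample: the material the first post describes (ca + ta.key,
# username/password, no client cert). Host name is a placeholder.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
tls-auth ta.key 1
auth-user-pass
cipher AES-256-CBC
auth SHA256
reneg-sec 1800
"""

# Constructed counter-example: per-user inline cert plus an assumed tls-cipher
# list that still allows a static-RSA suite (no forward secrecy for that suite).
WEAK_PROFILE = """\
client
remote vpn.example.invalid 443
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
<cert>
placeholder
</cert>
<key>
placeholder
</key>
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-128-CBC-SHA
"""


def parse_profile(text):
    """Map option name -> argument list. Inline <ca>/<cert>/<key> blocks are
    recorded as ['<inline>'] and their PEM bodies skipped. Last occurrence wins."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag:
            if tag.group(1):          # closing tag ends the inline block
                inline = None
            else:
                inline = tag.group(2)
                opts[inline] = ["<inline>"]
            continue
        if inline is None:
            parts = line.split()
            opts[parts[0]] = parts[1:]
    return opts


def assess(text):
    """Summarise how the profile authenticates and where its session keys come from."""
    opts = parse_profile(text)
    has_cert = "cert" in opts and "key" in opts
    has_pw = "auth-user-pass" in opts
    auth = {(True, True): "cert+password", (True, False): "cert",
            (False, True): "password", (False, False): "none"}[(has_cert, has_pw)]
    control = ("tls-crypt" if "tls-crypt" in opts else
               "tls-auth" if "tls-auth" in opts else "none")
    reneg = int(opts["reneg-sec"][0]) if opts.get("reneg-sec") else DEFAULT_RENEG_SEC
    if "tls-cipher" in opts:
        suites = opts["tls-cipher"][0].split(":")
        static = [s for s in suites if "DHE" not in s]   # no (EC)DHE => static key exchange
        key_exchange = "static-allowed" if static else "ephemeral-only"
    else:
        static, key_exchange = [], "default-list"
    notes = ["ca/cert/key/ta.key are long-term files; the data-channel keys are "
             "derived from each TLS session and replaced every %d s." % reneg]
    if static:
        notes.append("tls-cipher permits non-ephemeral suites: " + ", ".join(static))
    if key_exchange == "default-list":
        notes.append("no tls-cipher given: confirm in the server log that the "
                     "negotiated suite is ECDHE/DHE")
    if auth.startswith("cert"):
        notes.append("per-user certificate: traffic is linkable to this cert in logs")
    return {"auth": auth, "control_channel": control, "reneg_sec": reneg,
            "key_exchange": key_exchange, "static_suites": static, "notes": notes}


if __name__ == "__main__":
    for name, profile in (("sample", SAMPLE_PROFILE), ("weak", WEAK_PROFILE)):
        print(name, assess(profile))
```

Run it against a real .ovpn by passing the file contents to `assess()`; the "default-list" result is deliberately not a pass, because the profile alone cannot tell you which suite the server actually negotiated, and that is what decides forward secrecy.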