Skip to main content
CertificatesCertificatesCertificatesCertificatesCertificatesCertificates

Insides about VPN Tracker 24.1 & 24.2

By Team equinuxSeptember 25, 2024September 27th, 2024No Comments

VPN Tracker 24.1: Enhanced Certificate Validation and Pinning Options for OpenVPN Connections

For a certificate to be considered secure, it must meet the following four conditions:

  1. It must be properly formatted.
  2. It must have a validity period of no more than one year.
  3. It must contain the server address to which it belongs.
  4. It must be signed by a trusted Certificate Authority (CA).

Starting with VPN Tracker 24.1, users can select either a remote CA or the remote OpenVPN gateway certificate directly in the connection (known as certificate pinning).

If neither a CA nor a certificate is selected, the certificate provided by the remote server will be validated using the system’s installed CAs, according to the rules above. If custom CAs are installed, you must manually trust them (which can be done through the Keychain app), as they are untrusted by default.

When selecting a CA in VPN Tracker, that CA is implicitly trusted, even if not trusted by the system. In this case, the remote server’s certificate must be signed by that specific CA, with rules (1) to (3) still applying. The exception is when the remote gateway sends a full certificate chain that includes a CA matching the selected CA; in this scenario, only rule (1) will be enforced

If a remote gateway certificate is selected in VPN Tracker, all other rules are ignored. The remote gateway’s certificate must either match exactly or be a newer version with the same public key. This allows certificate renewal without updating all VPN connections, provided the public and private key pair remains the same.

VPN Tracker 24.2: OpenVPN Adds Support for Fast ChaCha20-Poly1305 Encryption

As of VPN Tracker 24.2, the OpenVPN protocol supports ChaCha20-Poly1305. ChaCha20 is a fast encryption algorithm, and Poly1305 is a fast authentication algorithm. Encryption ensures that no one can read your VPN traffic, while authentication ensures that the traffic cannot be tampered with during transit.

For maximum security, AES remains the top choice for encryption, paired with SHA2 for authentication. AES-128 (also known as AES-CBC-128) offers robust encryption, and SHA-256 (also called SHA2-256) provides strong authentication. For enhanced security, you can opt for AES-192 or AES-256, along with SHA-384 or SHA2-512, though these are slightly slower and usually unnecessary, as AES-128 + SHA-256 is considered secure for decades.If you need faster performance without compromising encryption strength, AES-GCM-128 is a good option, with stronger alternatives available in AES-GCM-192 and AES-GCM-256. AES-GCM provides encryption as strong as AES-CBC but offers faster authentication by using checksums derived directly from encrypted data blocks, bypassing the need for separate SHA2 processing. While GCM’s authentication might be slightly weaker than SHA2, it remains secure by today’s standards.

For maximum speed, ChaCha20-Poly1305 is an excellent choice. Although ChaCha20 isn’t a NIST recommendation and its security compared to AES is still debated, it is considered secure by today’s standards and is faster than AES.

Nerd Fact: The IBM Roadrunner supercomputer (the fastest in 2008) would have taken 20 billion years to break Salsa20/7, the 128-bit precursor to ChaCha20. ChaCha20 uses 256 bits, and although 2024’s supercomputers are much faster, the computational effort doubles with each additional bit. Thus, unless an undiscovered design flaw exists, ChaCha20 is unlikely to be broken anytime soon.

VPN Tracker 24.2: Enhanced OpenVPN Connection Management with Keep-Alive, Inactivity Disconnect, and DPD

Starting with VPN Tracker 24.2, OpenVPN connections have three similar settings, each serving a distinct purpose:

  1. Keep-Alive Ping: Sends a periodic ping to ensure outgoing traffic occurs regularly (default: every 10 seconds). This prevents firewalls from marking the connection as dead, particularly in cases where ISPs use Carrier Grade NAT for IPv4. The ping is one-way, and the gateway determines whether to send pings back.
  2. Inactivity Disconnect: Disconnects the VPN after a specified period of inactivity (incoming/outgoing traffic). Pings and management traffic are not counted as activity. Even if this setting is disabled, the gateway may enforce its own inactivity timeout.
  3. Dead Peer Detection (DPD): Disconnects if the gateway appears unresponsive. VPN Tracker will drop the connection if it doesn’t receive traffic or pings from the gateway. However, DPD is only activated after detecting at least one ping from the remote gateway to avoid mistakenly marking the gateway as down.

The DPD interval is strictly enforced with UDP tunnels, while TCP connections are more relaxed, as TCP can detect dead peers on its own. In TCP tunnels, VPN Tracker allows additional time beyond the DPD interval before declaring the peer dead.

VPN Tracker 24.2: Improved Rekeying for OpenVPN Tunnels to Minimize Traffic Disruption

OpenVPN tunnels have a limited lifespan, requiring periodic key renewal (rekeying) to maintain encryption security. While frequent rekeying enhances security, it can also generate additional traffic and cause brief interruptions, especially with TCP.

OpenVPN has a design flaw during rekeying: If a high volume of traffic is in transit when a new key is negotiated, packet loss may occur. This leads to significant drops in TCP throughput and loss of UDP packets, potentially disrupting connections.

VPN Tracker 24.2 introduces a client-side workaround to mitigate this issue, though the server-side remains unaffected. As a result, default lifetime behavior has changed. If no lifetime is configured, VPN Tracker will choose a default based on the protocol. For UDP, the default remains 1 hour, but for TCP, it has been extended to 24 hours to reduce rekeying issues.

Note that the rekeying problem is only noticeable under heavy traffic. If traffic is minimal during rekeying, the issue is largely avoided. Additionally, rekeying is triggered not only by lifetime limits but also by reaching specific data or packet limits, which vary by encryption algorithm. To minimize rekeying, avoid weaker encryption algorithms like 3DES and Blowfish, which are slow and have low data limits.

Why VPN Tracker?

VPN Tracker is the best secure remote access solution for Mac, iPhone and iPad and is compatible with the most popular VPN gateways, including UniFi, NETGEAR, TP Link, Draytek, and many more.

Your VPN Tracker benefits

  • Securely connect with your home and office networks
  • Use your own gateway
  • Preconfigured profiles for 300+ VPN devices
  • Expert productivity features for teams
  • For Mac, iPhone, iPad
  • Explore all features
connect to IPsec vpn on iOS
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedback
View all comments
Privacy-Settings / Datenschutz-Einstellungen
0
Feedback or improvements? Let us know!x
()
x