# Choice of VPN



## Hechicero (Jun 10, 2013)

Hello!

I am thinking about what kind of VPN to set up in order to connect local offices with the central office. All gateways are based on FreeBSD. First, I need good security of data. OpenVPN cannot change the encryption key by itself. It's very sad. Can you advise me of something else? Second, easy setup. I think using BGP and registering an AS is not appropriate... and expensive...

What are you using? And why?

PS: sorry about my poor English =)


----------



## kpa (Jun 10, 2013)

Can you elaborate on "OpenVPN can not change encryption key self"? My experience with OpenVPN is that it's among the most secure you can find assuming you know how it works and avoid the common mistakes.


----------



## Hechicero (Jun 10, 2013)

kpa said:

> Can you elaborate on "OpenVPN can not change encryption key self"? My experience with OpenVPN is that it's among the most secure you can find assuming you know how it works and avoid the common mistakes.



OK. I don't pretend to be a guru. =)
There are two local networks and two gateways on FreeBSD to the internet. Can I tune OpenVPN so that certificates and keys change automatically?

How?


----------



## kpa (Jun 10, 2013)

In TLS mode the session keys are rotated automatically. The keys that you set up in the configuration are not used for encryption directly but a set of keys is generated from them and OpenVPN uses those for encryption.


----------



## gkontos (Jun 10, 2013)

Since both locations have FreeBSD gateways, setting up an IPSEC tunnel would seem like the fastest method.


----------



## kpa (Jun 10, 2013)

I would still use OpenVPN but with static keys. The TLS mode is best suited for road-warrior type use.


----------



## Hechicero (Jun 10, 2013)

kpa said:

> In TLS mode the session keys are rotated automatically. The keys that you set up in the configuration are not used for encryption directly but a set of keys is generated from them and OpenVPN uses those for encryption.



It may be a very, very stupid question...
We encrypt the channel with TLS? Can we change the certificates of the clients regularly or dynamically?


----------



## kpa (Jun 10, 2013)

There is no automatic renewal of certificates if that's what you're asking. It has to be done by installing new certificates by hand. The TLS part is just authentication; the actual encryption is done with what is called a block cipher, which defaults to BF-CBC.


----------
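To make the three points above concrete (session keys derived from the TLS handshake and renegotiated automatically, static keys as the simpler alternative for a fixed site-to-site link, and the BF-CBC cipher default), here is an added example that is not from this thread or from the OpenVPN project. It is a POSIX shell script that writes out a hub-side TLS configuration, a branch configuration with the common mistakes left in, and a static-key configuration, then runs a small audit over each. Host names, subnets, file paths and key file names are placeholders (assumptions), and the audit is a grep over directives, not a substitute for reading the openvpn(8) manual.

```shell
#!/bin/sh
# Added example, not from the thread. Writes three site-to-site OpenVPN
# configurations (placeholder paths, addresses and names are assumptions)
# and audits each for the points raised in the thread: whether session
# keys are rotated, whether the control channel is authenticated, and
# whether the cipher was left at the BF-CBC default.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Central office, TLS mode. The cert/key files here only authenticate the
# TLS handshake; traffic keys are derived per session and renegotiated
# every reneg-sec seconds. The certificates themselves still rotate by hand.
cat > "$WORK/hub-tls.conf" <<'EOF'
dev tun
proto udp
port 1194
tls-server
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/hub.crt
key  /usr/local/etc/openvpn/hub.key
dh   /usr/local/etc/openvpn/dh2048.pem
tls-auth /usr/local/etc/openvpn/ta.key 0
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
reneg-sec 3600
ifconfig 10.8.0.1 10.8.0.2
route 192.168.2.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
EOF

# Branch office, TLS mode, but with the common mistakes left in:
# renegotiation switched off, no tls-auth, no remote-cert-tls, no cipher.
cat > "$WORK/branch-weak.conf" <<'EOF'
dev tun
proto udp
tls-client
remote hub.example.net 1194
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/branch.crt
key  /usr/local/etc/openvpn/branch.key
reneg-sec 0
ifconfig 10.8.0.2 10.8.0.1
route 192.168.1.0 255.255.255.0
EOF

# Static key mode (the alternative suggested above): one pre-shared key made
# with `openvpn --genkey --secret site.key`, no handshake, no rekeying.
cat > "$WORK/branch-static.conf" <<'EOF'
dev tun
proto udp
remote hub.example.net 1194
secret /usr/local/etc/openvpn/site.key
cipher AES-256-CBC
auth SHA256
ifconfig 10.8.0.2 10.8.0.1
route 192.168.1.0 255.255.255.0
EOF

# audit_openvpn_conf FILE
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_openvpn_conf() {
    f=$1
    rc=0
    if grep -q '^secret ' "$f"; then
        echo "$f: static key mode, traffic keys never rotate"
        rc=1
    else
        if ! grep -q '^tls-auth ' "$f"; then
            echo "$f: no tls-auth, control channel accepts unauthenticated packets"
            rc=1
        fi
        if ! grep -q '^remote-cert-tls ' "$f"; then
            echo "$f: no remote-cert-tls, any cert signed by the CA is accepted as the peer"
            rc=1
        fi
        if grep -q '^reneg-sec 0$' "$f"; then
            echo "$f: reneg-sec 0 disables session key renegotiation"
            rc=1
        fi
    fi
    if ! grep -q '^cipher ' "$f"; then
        echo "$f: no cipher line, OpenVPN 2.3 defaults to BF-CBC"
        rc=1
    fi
    return $rc
}
```

Run it as `sh audit.sh` on a gateway; it prints one line per finding and exits non-zero when a file has any. The hub file passes, the static-key file is flagged once (no rekeying is inherent to that mode), and the weak branch file is flagged four times. Certificate expiry and revocation stay manual, as the last post says: regenerate and copy the files, and set `crl-verify` on the hub so a retired branch key is refused even before its certificate expires.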

