Which OpenVPN cipher should I use?

From both a performance and security standpoint, which cipher should I use with OpenVPN?

According to http://openvpn.net/index.php/open-source/documentation/howto.html#security , the default is Blowfish, and the recommendation/example is to use AES-256-CBC, for its larger key size. Is 256-bit AES the best practice?


AES-256-CBC is probably "the best". AES-128-CBC is roughly 2x the speed, however, at least according to openssl, and is perfectly fine for all but the highest-security traffic. OpenVPN is pretty efficient, and so my experience has been that either works very well.


For the TLS cipher you can choose a good 256-bit cipher and it will not slow things much, because the TLS channel is only the control channel and doesn't carry much data compared to the main channel.
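As an added example (not code from the answers above or from the OpenVPN project), this Python script audits a config for the two settings discussed here: the data-channel `cipher` and the control-channel `tls-cipher`. It assumes a missing `cipher` line means the Blowfish default cited in the question; both sample configs and all function names are constructed for illustration.

```python
import re

# Assumption: no "cipher" line means Blowfish (BF-CBC), the default the question cites.
DEFAULT_CIPHER = "BF-CBC"

def parse_directives(text):
    """Return {directive: argument string} from OpenVPN config text."""
    found = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # strip comments
        if line:
            parts = line.split(None, 1)
            found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def key_bits(name):
    """Key size embedded in a name such as AES-256-CBC, or None if absent."""
    m = re.search(r"(?<!\d)(128|192|256)(?!\d)", name)
    return int(m.group(1)) if m else None

def audit(text):
    """Report the effective data-channel cipher and control-channel suites."""
    d = parse_directives(text)
    cipher = d.get("cipher", DEFAULT_CIPHER).upper()
    notes = []
    if "cipher" not in d:
        notes.append("no 'cipher' line: data channel falls back to " + DEFAULT_CIPHER)
    tls = [c for c in d.get("tls-cipher", "").upper().split(":") if c]
    if not tls:
        notes.append("no 'tls-cipher' line: control channel left to TLS library defaults")
    weakest = min((key_bits(c) or 0 for c in tls), default=None)
    if weakest is not None and weakest < 256:
        notes.append("tls-cipher allows a suite below 256-bit; control channel is low-volume")
    return {"data_cipher": cipher, "data_bits": key_bits(cipher),
            "tls_ciphers": tls, "notes": notes}

# Constructed sample configs (not taken from the page).
WEAK = """# constructed sample: cipher line commented out
dev tun
; cipher AES-256-CBC
"""
HARDENED = """dev tun
cipher AES-256-CBC   # data channel, as recommended in the HOWTO
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```
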