Some interesting and important configuration settings for OpenVPN

Yesterday, in the announcements blog, I mentioned the security levels at ALight Technology And Services Limited (U.K.) and ALight Technologies USA Inc (U.S.A.).

Over the past few months, I have been writing about cybersecurity, VPNs, etc. I am using two levels of encryption, i.e. the outer layer uses OpenVPN and the traffic gets sent to an OpenVPN server; the second layer is based on WireGuard. I use Oracle VM VirtualBox with Ubuntu Linux for accessing sensitive servers. The Ubuntu virtual machine uses the WireGuard-based VPN while the Windows-based laptop uses OpenVPN.

The reference manual for OpenVPN can be accessed from: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/

--fast-io: Experimental, but reportedly gives a speed improvement.

--mlock: Locks OpenVPN's memory so that tunnel data, keys, etc. are never swapped out to disk; might also give some speed improvement.

--script-security: The security setting that controls which kinds of external scripts OpenVPN is allowed to execute.

--allow-compression no: Don't use compression.

--auth: Use a 256-bit or higher digest; I am using a 512-bit one.

--auth-user-pass: Client option so that the GUI prompts for a username and password.

--single-session: After the first connection, don't allow any more connections.

--max-clients: Maximum number of concurrent clients to allow.

--verify-client-cert: Use require.

--reneg-sec: How often the keys should be renegotiated.

--tls-cert-profile: Use at least preferred.

--tls-cipher: Specify the list of ciphers, i.e. mention only strong ciphers. Suggestion: TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA

--tls-version-min: Use "1.2".

--hand-window: How long a handshake is allowed to take.

--tcp-queue-limit: Use 4096; the default value is very low and causes connection drops.

--sndbuf: 512000 for the buffer size; the default value causes connection drops.

--rcvbuf: 512000 for the buffer size; the default value causes connection drops.
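As an added illustration (example code written for this post, not part of OpenVPN or the original article), the following Python script audits an OpenVPN server config against the TLS version, certificate profile, client-certificate verification, digest strength, compression and cipher-list settings recommended above. The directive names and values are those from the list; the two sample configs are constructed.

```python
import re

# Expected values, following the settings recommended in the list above.
STRONG_TLS_CIPHERS = {"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
                      "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
                      "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"}
EXACT = {"tls-cert-profile": "preferred", "verify-client-cert": "require",
         "allow-compression": "no"}

def parse_config(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    cfg = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            cfg[name.lstrip("-")] = args  # accept "--auth" and "auth" alike
    return cfg

def audit(text):
    """Return a sorted list of findings; an empty list means the config complies."""
    cfg, findings = parse_config(text), []
    first = lambda key: (cfg.get(key) or ["<missing>"])[0]
    for key, want in EXACT.items():
        if first(key).lower() != want:
            findings.append(f"{key}: {first(key)} (want {want})")
    if float(first("tls-version-min").replace("<missing>", "0")) < 1.2:
        findings.append(f"tls-version-min: {first('tls-version-min')} (want 1.2 or higher)")
    # --auth takes a digest name; its trailing number is the output size in bits.
    bits = re.search(r"(\d+)$", first("auth"))
    if not bits or int(bits.group(1)) < 256:
        findings.append(f"auth: {first('auth')} (want a 256-bit or stronger digest)")
    for suite in first("tls-cipher").split(":"):
        if suite not in STRONG_TLS_CIPHERS:
            findings.append(f"tls-cipher: {suite} is not in the strong-cipher list")
    return sorted(findings)

# Constructed sample configs, not taken from any real deployment.
WEAK_CONF = "proto udp\nauth SHA1\ntls-version-min 1.0\ncomp-lzo\n"
HARDENED_CONF = """\
proto udp
auth SHA512
allow-compression no
tls-version-min 1.2
tls-cert-profile preferred
verify-client-cert require
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
"""
```

Calling audit() on the text of a server.conf returns the list of deviations; the weak sample above yields six findings and the hardened one none.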

Other interesting and useful options:

--txqueuelen 15000
--tun-mtu 9000
--mssfix 0

--auth-gen-token
--reneg-sec
--tran-window

The following scripting options are useful:

--client-connect
--client-disconnect
--auth-user-pass-verify

Mr. Kanti Kalyan Arumilli

Arumilli Kanti Kalyan, Founder & CEO