Hi Mário,

You can find some articles on the net on how to harden an OpenVPN setup. Since 
OpenVPN is based on OpenSSL, it really depends on the client what encryption 
you can use.

A couple of weeks ago I was in your shoes and came up with the following setup 
(the user authentication method can be different).

server.conf (just the security part):

# Certificates and ciphers
ca my-vpn-ca.crt
cert my-vpn-server.crt
key my-vpn-server.key  # This file should be kept secret
# replaced by tls-crypt
#tls-auth ta.key 0 # This file is secret
tls-crypt tls-crypt.key

dh dh2048.pem
# ED25519 is a signature scheme, not an ECDH curve (X25519 is the key-agreement curve)
#ecdh-curve ED25519
ecdh-curve secp521r1

cipher AES-256-GCM
ncp-ciphers AES-256-GCM
# TLS 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
# TLS 1.3
tls-ciphersuites TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256
tls-version-min 1.2

auth-nocache
auth SHA512
# continue with a token after the first successful auth
auth-gen-token 14400

client.conf:

# Fingerprint of the CA (level-1) certificate that signed the server cert
verify-hash FILLME_WITH_SHA_FINGERPRINT
# Use this cipher when negotiation is disabled
cipher AES-256-GCM

# Digest algorithm for HMAC authentication
auth SHA512

verify-x509-name "CN=my.server.vpn"

<ca>
-----BEGIN CERTIFICATE-----
FILLME
-----END CERTIFICATE-----
</ca>

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
FILLME
-----END OpenVPN Static key V1-----
</tls-crypt>

remote-cert-tls server

# Don't cache credentials in virtual memory
auth-nocache


Hope this helps!

Cheers,

        Tom
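
The following is an added example, not part of Tom's mail and not OpenVPN code: a small linter that parses an OpenVPN config (directives, `#`/`;` comments and inline `<tag>...</tag>` file blocks) and flags the points the snippets above get right: tls-crypt on the control channel (OpenVPN rejects tls-auth and tls-crypt together), a TLS 1.2 floor, AEAD data-channel ciphers, a strong `auth` digest, an ECDH curve that is actually a key-exchange curve, and on the client `remote-cert-tls server` plus `verify-x509-name`. The sample configs are constructed copies of the posted snippets (placeholders kept as posted) and a weakened counter-example; what the checks flag is this reviewer's reading of the directives, not OpenVPN's own option validation.

```python
# Added example (not from the original mail, not OpenVPN code): lint a config
# for the hardening points in Tom's reply. The checks are this reviewer's
# reading of the directives, not OpenVPN's own option validation.
import re
import shlex

# Constructed copies of the posted snippets, placeholders kept as posted.
SERVER_CONF = """\
tls-crypt tls-crypt.key
dh dh2048.pem
ecdh-curve secp521r1
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-ciphersuites TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256
tls-version-min 1.2
auth SHA512
"""
CLIENT_CONF = """\
verify-hash FILLME_WITH_SHA_FINGERPRINT
cipher AES-256-GCM
auth SHA512
verify-x509-name "CN=my.server.vpn"
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
FILLME
-----END OpenVPN Static key V1-----
</tls-crypt>
remote-cert-tls server
auth-nocache
"""
# Constructed counter-example: legacy settings that still connect fine.
WEAK_SERVER_CONF = """\
tls-auth ta.key 0
tls-crypt tls-crypt.key
dh dh1024.pem
ecdh-curve ED25519
cipher BF-CBC
tls-version-min 1.0
auth SHA1
"""
AEAD = ('-GCM', 'CHACHA20-POLY1305')
WEAK_DIGESTS = {'MD5', 'SHA1', 'NONE'}
EDDSA = {'ED25519', 'ED448'}  # signature schemes, not key-exchange curves

def parse(text):
    """Return ({directive: args of its first occurrence}, {tag: body})."""
    d, blocks, lines, i = {}, {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in '#;':
            continue
        m = re.fullmatch(r'<([\w-]+)>', line)
        if m:  # inline <tag> ... </tag> file block
            tag, start = m.group(1), i
            while i < len(lines) and lines[i].strip() != f'</{tag}>':
                i += 1
            if i == len(lines):
                raise ValueError(f'unterminated <{tag}>')
            blocks[tag] = '\n'.join(lines[start:i])
            i += 1
            continue
        name, *args = shlex.split(line, comments=True)
        d.setdefault(name, args)
    return d, blocks

def lint(text, role):
    """Return a list of findings for a 'server' or 'client' config."""
    d, blocks = parse(text)
    has = lambda n: n in d or n in blocks
    arg = lambda n: (d.get(n) or [''])[0]
    out = [f'{n}: placeholder FILLME not replaced' for n, a in d.items()
           if any('FILLME' in x for x in a)]
    out += [f'<{t}>: placeholder FILLME not replaced' for t, b in blocks.items() if 'FILLME' in b]
    # Control channel: tls-crypt encrypts and authenticates it, tls-auth only
    # authenticates it, and OpenVPN accepts only one of the two.
    if has('tls-crypt') and has('tls-auth'):
        out.append('tls-auth and tls-crypt are mutually exclusive; drop tls-auth')
    elif not has('tls-crypt'):
        out.append('no tls-crypt: control channel unprotected before the TLS handshake')
    if not arg('tls-version-min') or float(arg('tls-version-min')) < 1.2:
        out.append(f"tls-version-min {arg('tls-version-min') or 'unset'}: require 1.2 or higher")
    # Data channel: the fixed cipher and every negotiable one must be AEAD.
    ciphers = list(d.get('cipher', [])) + sum(
        (d[k][0].split(':') for k in ('ncp-ciphers', 'data-ciphers') if k in d), [])
    out += [f'cipher {c}: not AEAD, use AES-256-GCM' for c in ciphers if not c.upper().endswith(AEAD)]
    if arg('auth').upper() in WEAK_DIGESTS:
        out.append(f"auth {arg('auth')}: weak HMAC digest, use SHA256 or SHA512")
    if arg('ecdh-curve').upper() in EDDSA:
        out.append(f"ecdh-curve {arg('ecdh-curve')}: EdDSA signs, it does not do key agreement; X25519 is the ECDH curve")
    m = re.search(r'\d{3,5}', arg('dh'))  # size guessed from the file name only
    if m and int(m.group()) < 2048:
        out.append(f"dh {arg('dh')}: fewer than 2048 bits")
    if role == 'client':
        if arg('remote-cert-tls') != 'server':
            out.append('client: add "remote-cert-tls server" so no client cert can pose as the server')
        out += [f'client: add {n}' for n in ('verify-x509-name', 'auth-nocache') if not has(n)]
    return out
```

`lint(SERVER_CONF, 'server')` comes back empty; the client config only trips on its FILLME placeholders and on the missing client-side `tls-version-min` floor, while the weakened server config collects six findings. The `dh` size check only reads the number out of the file name, so treat it as a hint and confirm with `openssl dhparam -in dh2048.pem -text -noout`.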

-----Original Message-----
From: Mário Barbosa [mailto:mario.barb...@gmail.com] 
Sent: Monday, April 6, 2020 3:14 PM
To: openvpn-users@lists.sourceforge.net
Subject: [Openvpn-users] wireguard encryption settings in openvpn

Hello,

Experienced linux sysadmin here, though rather novice with regard to openvpn, 
openssl, PKI, and encryption matters in general.

Context:
I am currently in the middle of rebuilding the whole vpn infra of the company I 
work for, and feeling quite overwhelmed by the amount of critical-to-security 
choices I have to make that I don't understand (nor can expect to in the 
limited amount of time I have). I would rather someone more knowledgeable had 
either a) made those choices, or b) pointed at secure-enough defaults. The 
people at wireguard did just that, and that seems to be one of their strongest 
"selling points"
(simplicity of setup of security part of things).
Because of this, I have been thinking that mimicking their choices to the 
extent possible might be a good idea (if you think this is wrong, please tell 
me so, and explain why).

I searched the openvpn-*@lists.sourceforge.net archives for wireguard, but 
couldn't find any mentions of a way to replicate wireguard's choices with 
regard to encryption in openvpn roadwarrior-type of setups. I don't expect to 
be able to completely replicate what is described in [1] (it would be nice, 
though), just the next best option.

If you're about to suggest that I "just use wireguard, then!", please notice 
that I 1) can't (the pfsense machines I am running openvpn server on don't 
support it) and 2) don't want to.

[1] https://www.wireguard.com/protocol/

Thank you in advance for your time and advice,

Mário Barbosa


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


