On 10/08/2023 21:44, Jason Long via Openvpn-users wrote:
[...snip...]
Hello,
I see. Can you show me a good article about hardening an OpenVPN
server on Linux?
The best hardening trick you can do to OpenVPN: Use tls-crypt together
with UDP
With this setup, port scanners will not see anything - and all you get
on your end is some log noise that TLS-unwrap failed (because the
tls-crypt protection can't decrypt the scan). And OpenVPN will silently
drop the packet. If you use a different port than 1194 - you might not
see so much noise even.
Secondly, ensure you use AES-GCM algorithms (default with OpenVPN 2.6).
Ensure your CA, server and clients use certificates with at least RSA
4096 keys or ECC based keys. And don't reuse certificates for more
clients or servers.
That's the main attack vector for OpenVPN. These two steps prevent
random external users from attempting to inspect your OpenVPN server
for weaknesses, and ensure only devices with key pairs issued by you can
connect. And the strength of the AES algorithm coupled with the RSA/ECC
based keys makes it harder to dump tunnelled traffic and decrypt that
dump.
To further control users/devices connecting, you can look into using
--client-config-dir together with --ccd-exclusive. This will require
the server side to have a file named the same as the "CN" field in the
client certificate. This way you can also block devices/users which
should have their access revoked very easily (remove the file, or just
add "disable" as a line in CCD file).
The rest of the hardening you can do is actually pretty basic and
standard network and host hardening, which is out-of-scope for OpenVPN
itself. OpenVPN is basically just a "virtual network cable" between the
VPN server and client. How you treat the traffic coming out or going
into that cable is up to the host this "cable" is "plugged" into.
--
kind regards,
David Sommerseth
OpenVPN Inc
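The settings discussed in the reply above (tls-crypt over UDP, AES-GCM data ciphers, client-config-dir with ccd-exclusive, and revoking a client by writing "disable" into its CCD file), as an added example that is not part of the original mail or of the OpenVPN project. It is a small POSIX shell script that writes a server configuration and manages CCD files; the file paths under /etc/openvpn/server/ and the client CNs "laptop01" and "phone02" are constructed for illustration, and key sizes (RSA 4096 or ECC) are a CA-side choice made when issuing certificates, not a server.conf setting.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): writes a hardened
# OpenVPN server config and manages per-client CCD files.
# All paths and CNs below are constructed placeholders.

# Write the server configuration to the path given as $1.
write_server_conf() {
    cat > "$1" <<'EOF'
# Transport: UDP plus tls-crypt. Packets that fail the tls-crypt
# unwrap are dropped silently, so scanners get no handshake reply.
# A non-default port further reduces log noise from random probes.
proto udp
port 1194
dev tun
tls-crypt /etc/openvpn/server/ta.key

# Crypto: AES-GCM data channel only (the OpenVPN 2.6 default),
# TLS 1.2 minimum, ECDH instead of classic DH parameters.
data-ciphers AES-256-GCM:AES-128-GCM
tls-version-min 1.2
dh none

# Identity: CA and server certificate/key issued by your own CA
# (use RSA 4096 or ECC keys when generating them; never share one
# certificate between several clients or servers).
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
remote-cert-tls client

# Per-client control: a client is admitted only if a file named
# after its certificate CN exists in the CCD directory.
client-config-dir /etc/openvpn/server/ccd
ccd-exclusive
EOF
}

# Admit a client: create (or empty) the CCD file for CN $2 in dir $1.
# Keep CNs to plain alphanumeric names so the file name matches the CN.
ccd_enable() {
    : > "$1/$2"
}

# Revoke a client without touching the PKI: write "disable" into its
# CCD file. OpenVPN refuses the connection when this directive is set.
ccd_disable() {
    printf 'disable\n' > "$1/$2"
}

# Report the effective state for CN $2 under ccd-exclusive:
#   no-file  -> refused (no CCD file exists)
#   disabled -> refused (CCD file contains "disable")
#   admitted -> allowed to connect
ccd_status() {
    if [ ! -f "$1/$2" ]; then
        echo no-file
    elif grep -qx 'disable' "$1/$2"; then
        echo disabled
    else
        echo admitted
    fi
}
```

Usage: source the script, call `write_server_conf /etc/openvpn/server/server.conf`, create the CCD directory, then `ccd_enable /etc/openvpn/server/ccd laptop01` for each issued client certificate; `ccd_disable` revokes access immediately on the next connection attempt, which is faster than waiting for a CRL to propagate.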
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users