On 10/08/2023 21:44, Jason Long via Openvpn-users wrote:
[...snip...]
> Hello,
> I see. Can you show me a good article about hardening an OpenVPN
> server on Linux?
The best hardening trick you can do to OpenVPN: Use tls-crypt together with UDP.

With this setup, port scanners will not see anything - and all you get on your end is some log noise that TLS-unwrap failed (because the tls-crypt protection can't decrypt the scan). And OpenVPN will silently drop the packet. If you use a different port than 1194 - you might not see so much noise even.

Secondly, ensure you use AES-GCM algorithms (default with OpenVPN 2.6). Ensure your CA, server and clients use certificates with at least RSA 4096 keys or ECC based keys. And don't reuse certificates for more clients or servers. That's the main attack vector for OpenVPN.

These two steps prevent random external users from attempting to inspect your OpenVPN server for weaknesses and ensure only devices with key pairs issued by you can connect. And the strength of the AES algorithm coupled with the RSA/ECC based keys makes it harder to dump tunnelled traffic and decrypt that dump.

To further control users/devices connecting, you can look into using --client-config-dir together with --ccd-exclusive. This will require the server side to have a file named the same as the "CN" field in the client certificate. This way you can also block devices/users which should have their access revoked very easily (remove the file, or just add "disable" as a line in the CCD file).

The rest of the hardening you can do is actually pretty basic and standard network and host hardening, which is out-of-scope for OpenVPN itself. OpenVPN is basically just a "virtual network cable" between the VPN server and client. How you treat the traffic coming out or going into that cable is up to the host this "cable" is "plugged" into.

--
kind regards,

David Sommerseth
OpenVPN Inc

Hi David,

Thank you so much for your great advice.

Please consider the following server configuration file, what lines would you add or remove?
port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 172.20.1.2"
keepalive 10 120
tls-auth ta.key 0
data-ciphers AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

I guess you will change "tls-auth ta.key 0" to "tls-crypt ta.key 0" and "data-ciphers AES-256-CBC" to "data-cipher AES-256-GCM". What else?

Cheers.
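The following is an added example, not code from either poster or from the OpenVPN project: a small Python audit that walks a server config like the one posted above and reports each weak setting from David's list (tls-auth instead of tls-crypt, a non-GCM data cipher, TCP instead of UDP, the default port, no client-config-dir/ccd-exclusive) beside a drop-in replacement line, then writes out the hardened config. The CCD path /etc/openvpn/ccd is an assumed location, and the suggested cipher list AES-256-GCM:AES-128-GCM is one reasonable choice rather than anything the thread prescribes. Note that tls-crypt, unlike tls-auth, takes no key-direction argument, so the replacement line drops the trailing 0.

```python
"""Audit an OpenVPN server config for the weak settings discussed in the thread."""
import shlex

# The server config posted in the thread, embedded so the audit runs offline.
POSTED_CONFIG = """\
port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 172.20.1.2"
keepalive 10 120
tls-auth ta.key 0
data-ciphers AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
"""

CCD_DIR = "/etc/openvpn/ccd"  # assumed path for per-client CCD files (not from the thread)


def parse_line(raw):
    """Return (directive, args) for one config line, or None for blanks and comments."""
    line = raw.strip()
    if not line or line[0] in "#;":
        return None
    parts = shlex.split(line)  # shlex keeps quoted arguments such as push "..." together
    return parts[0], parts[1:]


def check_line(directive, args):
    """Return a finding for one directive, or None if it is fine.

    'fix' findings carry a drop-in replacement line; 'note' findings are advisory only.
    """
    found = " ".join([directive, *args])
    if directive == "tls-auth":
        keyfile = args[0] if args else "ta.key"
        return {"level": "fix", "found": found, "suggested": f"tls-crypt {keyfile}",
                "reason": "tls-crypt also encrypts the control channel, so scanners get no TLS handshake"}
    if directive == "data-ciphers":
        ciphers = args[0].split(":") if args else []
        if any(not c.upper().endswith("-GCM") for c in ciphers):
            return {"level": "fix", "found": found, "suggested": "data-ciphers AES-256-GCM:AES-128-GCM",
                    "reason": "use AEAD (AES-GCM) data ciphers instead of CBC"}
    if directive == "proto" and args and args[0].lower() != "udp":
        return {"level": "fix", "found": found, "suggested": "proto udp",
                "reason": "tls-crypt over UDP lets the server silently drop unauthenticated packets"}
    if directive == "port" and args and args[0] == "1194":
        return {"level": "note", "found": found, "suggested": "port <non-default port>",
                "reason": "a non-default port reduces log noise from scanners"}
    return None


def audit(text):
    """Audit a whole config; returns findings listing the weak setting beside its correction."""
    findings, seen = [], set()
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        seen.add(parsed[0])
        finding = check_line(*parsed)
        if finding:
            findings.append(finding)
    missing = [d for d in ("client-config-dir", "ccd-exclusive") if d not in seen]
    if missing:
        lines = []
        if "client-config-dir" in missing:
            lines.append(f"client-config-dir {CCD_DIR}")
        if "ccd-exclusive" in missing:
            lines.append("ccd-exclusive")
        findings.append({"level": "fix", "found": "(absent: " + ", ".join(missing) + ")",
                         "suggested": "\n".join(lines),
                         "reason": "only clients whose certificate CN has a CCD file may connect; "
                                   "revoke by removing the file or adding a 'disable' line"})
    return findings


def harden(text):
    """Rewrite the config applying every 'fix' finding; 'note' findings are left to the admin."""
    out = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        finding = check_line(*parsed) if parsed else None
        out.append(finding["suggested"] if finding and finding["level"] == "fix" else raw)
    for finding in audit(text):  # append the CCD directives that were missing
        if finding["found"].startswith("(absent"):
            out.append(finding["suggested"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit(POSTED_CONFIG):
        print(f"[{f['level']}] {f['found']!r} -> {f['suggested']!r}: {f['reason']}")
    print(harden(POSTED_CONFIG))
```

Run against the posted config, the audit flags tls-auth, the CBC cipher, the default port and the missing CCD directives; everything else (user/group drop, persist-*, logging) passes unchanged into the hardened output. Directives the thread does not cover, such as certificate key sizes, are a matter for the PKI rather than this file, so the script does not try to judge them.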
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users