On 21/05/15 14:25, Josu Lazkano wrote:
> 2015-05-20 23:49 GMT+02:00 David Sommerseth <openvpn.l...@topphemmelig.net>:
[...snip...]
>>
>> I'll admit I haven't paid attention to all details in this
>> discussion. Static encrypted VPN tunnels can work very well, but
>> I just want to emphasize one security aspect of static encrypted
>> VPN tunnels. This configuration will not give you PFS (Perfect
>> Forward Secrecy). That means that if someone saves all your VPN
>> traffic and either manages to brute-force the encryption key or
>> manages to get a copy of your static encryption key, all the saved
>> traffic can be decrypted.
>>
>> That is one of the key reasons it is advisable to use the TLS
>> mode with client/server certificates. Using this method, the
>> encryption keys used for the VPN tunnel are negotiated upon
>> connection *and* can be renegotiated after a certain time
>> (default is every hour, but you can modify that and add
>> renegotiation after X number of network packets and/or Y
>> transferred bytes). This provides a very good protection when it
>> comes to replay attacks and it provides PFS. TLS mode also adds the
>> possibility to further protect you against MITM attacks from
>> unknown attackers, using --tls-auth. The --tls-auth feature has
>> also proved to be a very good protection against many OpenSSL
>> bugs as well. If you combine UDP with --tls-auth, the OpenVPN
>> server port will also be hidden from port scanners.
>>
>> If these things are not of any concern to you, then static
>> tunnels can indeed be a good alternative.
>>
>>
>> kind regards,
>>
>> David Sommerseth
>
> Thanks David,
>
> I started with static key just to start with a simple
> configuration. Now I want to secure my connection, would it work
> just by adding the "--tls-auth" option?
It's not that easy, unfortunately. And you've already been down that path once. To switch to TLS mode, you need to use --ca, --cert and --key. In addition, on the server side you need --dh as well. This means you need to have a CA where you issue certificates. In addition, you're back to the need to use --client-config-dir and --iroute as well to make LAN-to-LAN-over-VPN work. And then you can add --tls-auth as well, on top of all of this.

[...snip...]
>
> Both networks have 30mbps/3mbps WAN connection, I want to secure
> my VPN link and have a good latency, is this possible? Which is the
> best configuration for this?

From my experiences with VPNs, there is no "silver bullet" config file which works optimally for everyone. How your ISPs handle your VPN traffic can impact this a lot. On some networks I had to use TCP instead of the preferred UDP. In some places I needed to tweak MTU settings to have a reliable tunnel. Once I even had to tunnel a TCP connection through obfsproxy to be able to have a functional tunnel (despite traffic not being blocked by a "great firewall"). So, it is close to impossible to say "do this and it will perform optimally". You need to try different things yourself and see what works for you.

I suggest you grab a copy of the "OpenVPN 2 Cookbook" [1] and read this wiki carefully:
<https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux>

With these resources, you'll get a long way.
[1] <http://shop.oreilly.com/product/9781849510103.do>

-- 
kind regards,

David Sommerseth
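The two configurations this thread contrasts, written out side by side, as an added example that is not part of the original mail, David's or the OpenVPN project's: a static-key tunnel (no PFS, as quoted above) next to the TLS-mode server and client David describes, with --ca/--cert/--key, --dh on the server, --tls-auth on both ends, and a --client-config-dir entry carrying the --iroute for the remote LAN. A small audit function then checks each file for the points raised in the thread (a --secret directive, TLS mode without --tls-auth, a server without --dh, renegotiation switched off). The hostnames, addresses, file names and the client CN "site-b" are constructed placeholders, and a deliberately half-migrated "half.conf" is included so the audit has something to flag.

```shell
#!/bin/sh
# Added example, not from the thread. It writes the configurations the thread
# contrasts (static key vs TLS mode with --tls-auth, plus ccd/iroute for
# LAN-to-LAN) and audits each for the points raised. Hostnames, addresses,
# file names and the client CN "site-b" are constructed placeholders.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
mkdir -p "$WORKDIR/ccd"

# "Before": one shared --secret. Nothing is negotiated, so recorded traffic
# stays decryptable once that key is brute-forced or copied (no PFS).
cat >"$WORKDIR/static.conf" <<'EOF'
dev tun
proto udp
remote vpn-peer.example.net
ifconfig 10.8.0.1 10.8.0.2
secret static.key
route 192.168.2.0 255.255.255.0
EOF

# Server in TLS mode: CA-issued certificates, --dh, --tls-auth (direction 0),
# the hourly renegotiation default written out, and --client-config-dir.
cat >"$WORKDIR/server.conf" <<'EOF'
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
reneg-sec 3600
client-config-dir ccd
route 192.168.2.0 255.255.255.0
EOF

# ccd file named after the client certificate CN: --iroute tells OpenVPN
# which client sits in front of that LAN, so the kernel route above works.
cat >"$WORKDIR/ccd/site-b" <<'EOF'
iroute 192.168.2.0 255.255.255.0
EOF

# Client: same CA, its own certificate and key, tls-auth direction 1.
cat >"$WORKDIR/client.conf" <<'EOF'
client
dev tun
proto udp
remote vpn-server.example.net 1194
ca ca.crt
cert site-b.crt
key site-b.key
tls-auth ta.key 1
remote-cert-tls server
EOF

# Half-done migration: TLS mode, but no --dh, no --tls-auth, renegotiation
# switched off. The audit should flag all three.
cat >"$WORKDIR/half.conf" <<'EOF'
dev tun
proto udp
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
reneg-sec 0
EOF

# has_directive FILE NAME: NAME appears at the start of a line as a directive.
has_directive() {
  grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_conf FILE: one finding per line; prints nothing for a clean config.
audit_conf() {
  conf="$1"
  if has_directive "$conf" secret; then
    echo "static key (--secret): no PFS, recorded traffic falls with the key"
  fi
  if has_directive "$conf" ca; then
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
      echo "TLS mode without --tls-auth: control channel not HMAC-protected"
    fi
    if has_directive "$conf" server || has_directive "$conf" tls-server; then
      has_directive "$conf" dh || echo "server side in TLS mode without --dh"
    fi
    if grep -Eq '^[[:space:]]*reneg-sec[[:space:]]+0[[:space:]]*$' "$conf"; then
      echo "reneg-sec 0: key renegotiation disabled"
    fi
  fi
}

# finding_count FILE: number of findings (always exits 0, unlike grep -c).
finding_count() {
  audit_conf "$1" | awk 'END { print NR }'
}

for f in static server client half; do
  echo "== $f.conf"; audit_conf "$WORKDIR/$f.conf"
done
```

Running the script prints one finding for static.conf, none for server.conf and client.conf, and three for half.conf. The audit only reads the text of the files; it does not start OpenVPN, and the key and certificate files the configurations name are not created, so the generated directory is a template to fill in after the CA has issued certificates, not a working tunnel.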