Hi Jan,

Thanks a lot for your reply. It was not what I hoped for, but it seems true nonetheless :)

On 12-08-2015 16:57, Jan Just Keijser wrote:
> Hi Rui,
>
> On 12/08/15 16:49, Rui Santos wrote:
>> Hi all,
>>
>> I'm now hardening our OpenVPN Production Server.
>> I've managed to harden all required aspects, except the HMAC/TLS-AUTH
>> option.
>>
>> AFAICT, activating the HMAC extra security mechanism will force me to
>> reconfigure all clients, with the risk of failure and a lot of downtime.
>> The only way a client/remote network can connect is through a specific
>> CCD file.
>>
>> Is there any way I can have this feature, but optional? Something like
>> activating tls-auth on a ccd file only. This way it would be a smooth
>> transition. Otherwise I would have to schedule a maintenance window,
>> which would be cumbersome.
>>
> nope, that is not possible - the tls-auth handshake is done at a very
> early stage and a ccd-file does not come into play yet.
> your only option is downtime, or to set up a second instance on a
> different port, and migrate the clients slowly to the second instance.

I've set up a new instance, as you advised, and all seems to be working now. I just had to do a few extra settings/things for all to work as I would expect it to. It's best just to archive it so everyone can google it ;)

- The newserver.conf file is a duplicate of server.conf with minimal changes (just for testing), new: port, tun, server, ipp and status parameters.

Since all my remote users are on /30 networks, I had to insert that route in the newserver.conf file as route X.X.X.X 255.255.255.252.

Since I want to have almost no downtime, I also inserted that route manually on the Linux box. I had to, because openvpn runs as user nobody and has no access to the ip/route command to set up the route by itself. The gateway will be the one used by the tun device in the newserver.conf file.

Note 1: There will be two routes in the Linux routing table that can be used to reach the remote client's IP. It will use the route with the greater CIDR number, so it will use the /30 (255.255.255.252) one.

Note 2: Since the new route is recorded in the conf file, if the machine restarts all will work.

One can now generate a new openvpn.conf client configuration file and send it to whoever needs it. Done with clients.

With the remote networks, usually supported by a router, it all has to be done online, so there were a few extra cares needed:

First, set up the remote router with everything you need to (the new): key, ca path, crt, tls-auth, port, encryption, authentication, etc... If you fail here you will never regain access to your remote router through your VPN tunnel. It's wise to set up some sort of direct public remote access, just temporary, to your router's configuration page or ssh.

Then move the remote network route instruction from server.conf to newserver.conf. This way, if the openvpn machine goes down, it will be set up correctly when it boots.

Then, on the Linux box, remove the route to that network and add it back again, but to the new gateway IP address, using the tun interface indicated in the newserver.conf file.

If all goes well, the remote router will connect again and all will work.

Bottom line: I'm aware this is a bit messy, but it has been working so far :) If anyone uses this method, {s}he might be able to migrate their remote network and clients, one by one, with almost no downtime.

Jan, thanks for your input on this.
If you think this is way too messy and/or have any other suggestions or notes, please do not hesitate to contradict me :)

Best regards,
Rui

>
> HTH,
>
> JJK

-- 
Rui Santos
Systems Administrator
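As an added example (not from the thread and not OpenVPN project code), here is a POSIX shell script that derives the second instance's config along the lines Rui describes and prints the kernel route the admin adds by hand. The file names, port 1195, tun1, the 10.9.0.0/24 pool, ta.key and the client /30 10.9.0.4 are all assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): derive a second OpenVPN server
# instance's config from the existing one, with tls-auth switched on,
# and print the kernel route the admin adds by hand. Values are assumed.
set -eu

# derive_conf SRC DST PORT TUNDEV POOL_NET TA_KEY CLIENT_NET
# Rewrites the instance-specific directives (port, tun, server, ipp,
# status) and appends the tls-auth line plus the remote user's /30 route.
derive_conf() {
    src=$1 dst=$2 port=$3 dev=$4 pool=$5 ta=$6 client=$7
    sed -e "s/^port .*/port $port/" \
        -e "s/^dev .*/dev $dev/" \
        -e "s/^server .*/server $pool 255.255.255.0/" \
        -e "s#^ifconfig-pool-persist .*#ifconfig-pool-persist ipp-$dev.txt#" \
        -e "s#^status .*#status openvpn-status-$dev.log#" \
        "$src" > "$dst"
    # Server side uses key direction 0; clients of this instance use direction 1
    grep -q '^tls-auth ' "$dst" || printf 'tls-auth %s 0\n' "$ta" >> "$dst"
    # Keep the /30 route in the conf so it survives a reboot (Note 2 above)
    printf 'route %s 255.255.255.252\n' "$client" >> "$dst"
}

# kernel_route_cmd CLIENT_NET GATEWAY TUNDEV
# openvpn runs as nobody and cannot call ip/route itself, so this prints
# the command for root to run; the /30 beats the pool's /24 (Note 1 above).
kernel_route_cmd() {
    printf 'ip route replace %s/30 via %s dev %s\n' "$1" "$2" "$3"
}

# --- demo on a constructed server.conf (all values made up) ---
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
status openvpn-status.log
EOF
derive_conf "$tmp/server.conf" "$tmp/newserver.conf" 1195 tun1 10.9.0.0 ta.key 10.9.0.4
cat "$tmp/newserver.conf"
# Assumes default net30 topology, where the server's tun peer for 10.9.0.0/24 is 10.9.0.2
kernel_route_cmd 10.9.0.4 10.9.0.2 tun1
rm -r "$tmp"
```

The printed `ip route replace` line is the manual step from the thread; run it as root once the new instance is up, and keep the `route` line in newserver.conf so a reboot restores it.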