Thank you for the feedback!
a)
You're absolutely right, once the tool is not maintained anymore, it could give
a false sense of security and therefore do more harm than good. I'll do my best
to keep it up-to-date. I'm also going to open-source it on GitHub, therefore any
user suggestions will be taken into consideration.
It will not be an online tool for now, although I've considered the option.
I've planned to release the tool via GitHub, for anyone to download and use it
anywhere they want - as some servers may not be publicly accessible. Depending
on the usage of the tool, an online service would also make sense. However,
with the online service, I want the user data to be handled in a
privacy-respecting manner, so that will require some more work.
b)
Precisely. The tool cannot decide such situation-dependent options. Many of
them I've implemented as informative text, with an explanation of what the
option does exactly (e.g. --client-to-client, which may be a threat or may be
very much intended). Other cryptography-based options (e.g. --cipher or
--tls-cipher) may also be deliberately configured in a less secure manner, to
achieve better compatibility with older devices. The user will be informed
about the less secure options (with information about the compatibility
trade-off), but in the end the user has to decide what is right for their
specific setup.
Kind regards
16. Aug 2017 08:43 by a...@unstable.cc:
> Hello,
>
> On 16/08/17 14:21, open...@keemail.me wrote:
>> Hello,
>>
>> I've developed a Python script to grade OpenVPN server configurations
>> considering the security.
>> The tool mainly focuses on: auth, cipher, tls-cipher, prng, tls-auth,
>> tls-version-min/max, no-replay, no-iv, key-method, ncp-ciphers, ncp-disable,
>> tls-crypt and key-direction.
>>
>> The result is a grade between F and A+ and suggestions on how to enhance the
>> security of the OpenVPN setup.
>>
>> I've tested it with various OpenVPN server configurations, I found online,
>> but I would like to gather some feedback from the community and update the
>> tool accordingly, before releasing it.
>>
>> This tool is intended for server operators, but I'm about to complete a
>> second tool, intended for OpenVPN users.
>>
>> The goal is to help operators to enhance the security of their OpenVPN
>> servers and to help users determine the security of the server they're using.
>>
>> If you're interested in testing the tool and would like to provide some
>> valuable feedback, or have any other questions about the project, please
>> contact me.
>
>
> I am no expert here, but my personal opinion is that such a tool can be
> a bit dangerous. Here are some thoughts that just came to my mind:
>
> a) you have to be sure you keep it up to date, because a good option X
> today, might become a bad option tomorrow (i.e. due to a bug being
> found). Is the tool an online tool? otherwise this means that people
> having different versions might get different results (due to the
> previous point). Without talking about when the tool won't be maintained
> anymore (like what happens today with thousands of outdated openvpn
> resources online)
>
> b) certain options can be good or bad depending on the situation/setup
> and I doubt the tool can take that into account, although I guess you
> can lean towards a "safer" or "stricter" ranking approach...
>
>
> Anyway, this is just my opinion :) I might be wrong here, therefore
> don't be torn down by my statements.
> For sure it's nice to see effort being put in improving the average
> server configuration out there.
>
> Cheers,
>
>
>>
>> Thank you and kind regards.
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>
>>
>>
>> _______________________________________________
>> Openvpn-users mailing list
>> Openvpn-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>>
>
> --
> Antonio Quartulli
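
An added sketch of the reporting split described in (b) above, not the author's tool: context-dependent options produce an informational note, while weaker cryptographic values produce a warning that names the compatibility trade-off. The rule tables and the sample config are constructed assumptions.

```python
# Added illustration; the rule tables below are assumptions, not the tool's own rules.
INFO = {  # context-dependent options: explain, don't judge
    "client-to-client": "clients can reach each other through the server; "
                        "a risk or intended, depending on the setup",
}
WEAK_VALUES = {  # option -> values treated as weaker choices (assumed list)
    "cipher": {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"},
    "auth": {"MD5"},
    "tls-version-min": {"1.0", "1.1"},
}
DISABLES_PROTECTION = {"no-replay", "no-iv"}  # flags that switch a safeguard off


def parse_config(text):
    """Yield (option, args) per directive, skipping blanks and #/; comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        # Accept both config-file form ("cipher X") and CLI form ("--cipher X").
        yield parts[0].lstrip("-"), parts[1:]


def audit(text):
    """Return a list of (level, option, message) findings."""
    findings = []
    for opt, args in parse_config(text):
        if opt in INFO:
            findings.append(("info", opt, INFO[opt]))
        elif opt in DISABLES_PROTECTION:
            findings.append(("warn", opt, "disables a built-in protection"))
        elif opt in WEAK_VALUES and args and args[0].upper() in WEAK_VALUES[opt]:
            findings.append(("warn", opt, f"{args[0]} is a weaker choice; it may "
                             "be set for compatibility with older devices"))
    return findings


# Constructed sample server config (not taken from the thread).
SAMPLE = """\
port 1194
cipher BF-CBC
auth SHA256
tls-version-min 1.0
client-to-client
;no-replay
"""

if __name__ == "__main__":
    for level, opt, msg in audit(SAMPLE):
        print(f"[{level}] {opt}: {msg}")
```

The final decision stays with the operator: the "info" entries carry no verdict, and the "warn" entries state the trade-off rather than rejecting the configuration.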