On 16/11/2019 21:29, Gert Doering wrote:
> Hi,
>
> On Sat, Nov 16, 2019 at 09:07:43PM +0100, Boris wrote:
>>> Generally speaking: use tls-auth. This will stop all packets from
>>> unauthorized sources from generating state and eating memory in the
>>> openvpn server process (it will still eat up some CPU, but if that is
>>> enough to crash the server, you need a faster CPU - or move the openvpn
>>> service to another port).
>>
>> thanks a lot for your statement.
>>
>> Yes, the openvpn daemon is dying from all those requests.
>>
>> Is it that section that you suggest to be enabled?
>> :
>>
>> # For extra security beyond that provided
>> # by SSL/TLS, create an "HMAC firewall"
>> # to help block DoS attacks and UDP port flooding.
>
> Yes. But this needs to be included in all client configs as well, so
> if you "just change the server", things will no longer work.
>
> So, generate the ta.key on the server, distribute it to all the clients,
> enable it in all client configs and then enable it in the server config.
This just gave me a little itch. Such old routers can often have quite poor
random entropy, which can result in more predictable keys. This is especially
important for keys which have a longer lifetime (like key files stored to disk).
So I rather suggest using a real computer to generate the keying material and
then copying that file to the server/router and clients.

Now, tls-auth with a potentially weaker key will still give some protection and
most likely shed off most of the troubles you have. But, theoretically at least,
it can be easier to "figure out" the tls-auth key if a dedicated attacker figures
out what kind of device you have and what kind of firmware it is running.

Other than that, Gert is absolutely right. But you should generally put some
effort into upgrading ASAP. The last OpenVPN 2.0 release was somewhere around
2006-ish (over 13 years ago).

--
kind regards,

David Sommerseth
OpenVPN Inc

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
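The procedure discussed in this thread (generate ta.key on a machine with good entropy, copy it to the server and every client, then enable tls-auth on both sides with complementary key directions) as an added shell example that is not from the thread or from the OpenVPN project: it wraps key generation and checks a server/client config pair for a consistent tls-auth setup. The config file names, the sample configs and the host name vpn.example.com are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Generate ta.key on a machine with good
# entropy (not the old router), then copy it to the server and all clients
# before enabling it anywhere.
gen_ta_key() {
  command -v openvpn >/dev/null 2>&1 || { echo "openvpn not installed"; return 1; }
  openvpn --genkey --secret "$1"   # OpenVPN 2.x static key generator
}

# Print the key-direction argument of the first "tls-auth <file> [dir]" line:
# "0" or "1", "none" if omitted (bidirectional key), or "missing" (returns 1).
tls_auth_direction() {
  line=$(grep -E '^[[:space:]]*tls-auth[[:space:]]' "$1" | head -n 1)
  [ -z "$line" ] && { echo missing; return 1; }
  dir=$(echo "$line" | awk '{print $3}')
  [ -z "$dir" ] && dir=none
  echo "$dir"
}

# A server/client pair is consistent when the server uses direction 0 and the
# client 1, or both omit the direction. Anything else (including tls-auth being
# present on only one side) means the HMAC check fails and the client cannot
# connect, which is exactly the "just change the server" breakage Gert warns about.
check_tls_auth_pair() {
  s=$(tls_auth_direction "$1") || { echo "server: tls-auth not enabled"; return 1; }
  c=$(tls_auth_direction "$2") || { echo "client: tls-auth not enabled"; return 1; }
  case "$s/$c" in
    0/1|none/none) echo "ok: server=$s client=$c" ;;
    *) echo "mismatch: server=$s client=$c"; return 1 ;;
  esac
}

# Constructed sample configs (hypothetical host name) for a quick self-check.
write_samples() {
  printf 'port 1194\nproto udp\ntls-auth ta.key 0\n' > "$1/server.conf"
  printf 'client\nremote vpn.example.com 1194\ntls-auth ta.key 1\n' > "$1/client.conf"
  printf 'client\nremote vpn.example.com 1194\n' > "$1/client-bad.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_tls_auth_pair "$tmp/server.conf" "$tmp/client.conf"                # ok
check_tls_auth_pair "$tmp/server.conf" "$tmp/client-bad.conf" || true    # not enabled
rm -rf "$tmp"
```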