Re: [Openvpn-users] Hardening an OpenVPN server
On 10/08/2023 21:44, Jason Long via Openvpn-users wrote:
[...snip...]
> Hello,
> I see. Can you show me a good article about hardening an OpenVPN
> server on Linux?

The best hardening trick you can do to OpenVPN:

    Use tls-crypt together with UDP

With this setup, port scanners will not see anything - and all you get on
your end is some log noise that TLS-unwrap failed (because the tls-crypt
protection can't decrypt the scan). And OpenVPN will silently drop the
packet. If you use a different port than 1194 - you might not see so much
noise even.

Secondly, ensure you use AES-GCM algorithms (default with OpenVPN 2.6).
Ensure your CA, server and clients use certificates with at least RSA 4096
keys or ECC based keys. And don't reuse certificates for more clients or
servers. That's the main attack vector for OpenVPN.

These two steps keep random external users from attempting to inspect your
OpenVPN server for weaknesses, and ensure only devices with key pairs issued
by you can connect. And the strength of the AES algorithm coupled with the
RSA/ECC based keys makes it harder to dump tunnelled traffic and decrypt
that dump.

To further control users/devices connecting, you can look into using
--client-config-dir together with --ccd-exclusive. This will require the
server side to have a file named the same as the "CN" field in the client
certificate. This way you can also block devices/users which should have
their access revoked very easily (remove the file, or just add "disable" as
a line in the CCD file).

The rest of the hardening you can do is actually pretty basic and standard
network and host hardening, which is out-of-scope for OpenVPN itself.
OpenVPN is basically just a "virtual network cable" between the VPN server
and client. How you treat the traffic coming out of or going into that cable
is up to the host this "cable" is "plugged" into.
-- 
kind regards,

David Sommerseth
OpenVPN Inc

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] What are these three *.deb packages and how do I use them? They are for version 2.6.5 and Debian 12/Bookworm
Hi,

seems nobody has replied to this question yet...

On Fri, Jun 23, 2023 at 03:01:58AM +0200, Stella Ashburne wrote:
> Firstly, I wish to thank you for giving us OpenVPN 2.6.5.
>
> Secondly I have a few questions about the *.deb packages for Debian 12
> (bookworm). They are:
>
> (A) After navigating to /debian/openvpn/release/2.6/pool/bookworm/main/o/, I
> found three packages. They are:
>
> openvpn-dbgsym_2.6.5-bookworm0_amd64.deb

This sounds like "debug symbols", so if OpenVPN crashes in weird ways for you
(like "segmentation violation, core dumped") then you'd use this to see
"where and why?".

> openvpn_2.6.5-bookworm0_amd64.deb

This is the regular package.

> openvpn-dco-dkms_0.2.20230426-bookworm0_all.deb

This is the kernel module needed for DCO.

> (E) Does my VPN service provider/vendor need to install
> openvpn-dbgsym_2.6.5-bookworm0_amd64.deb and
> openvpn-dco-dkms_0.2.20230426-bookworm0_all.deb on their VPN servers in order
> to make full use of the new functionalities that OpenVPN 2.6.5 provides?

No.

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
Re: [Openvpn-users] Hardening an OpenVPN server
> On 10/08/2023 21:44, Jason Long via Openvpn-users wrote:
> [...snip...]
>> Hello,
>> I see. Can you show me a good article about hardening an OpenVPN
>> server on Linux?
>
> The best hardening trick you can do to OpenVPN:
>
>     Use tls-crypt together with UDP
>
> With this setup, port scanners will not see anything - and all you get on
> your end is some log noise that TLS-unwrap failed (because the tls-crypt
> protection can't decrypt the scan). And OpenVPN will silently drop the
> packet. If you use a different port than 1194 - you might not see so much
> noise even.
>
> Secondly, ensure you use AES-GCM algorithms (default with OpenVPN 2.6).
> Ensure your CA, server and clients use certificates with at least RSA 4096
> keys or ECC based keys. And don't reuse certificates for more clients or
> servers. That's the main attack vector for OpenVPN.
>
> These two steps keep random external users from attempting to inspect your
> OpenVPN server for weaknesses, and ensure only devices with key pairs
> issued by you can connect. And the strength of the AES algorithm coupled
> with the RSA/ECC based keys makes it harder to dump tunnelled traffic and
> decrypt that dump.
>
> To further control users/devices connecting, you can look into using
> --client-config-dir together with --ccd-exclusive. This will require the
> server side to have a file named the same as the "CN" field in the client
> certificate. This way you can also block devices/users which should have
> their access revoked very easily (remove the file, or just add "disable"
> as a line in the CCD file).
>
> The rest of the hardening you can do is actually pretty basic and standard
> network and host hardening, which is out-of-scope for OpenVPN itself.
> OpenVPN is basically just a "virtual network cable" between the VPN server
> and client. How you treat the traffic coming out of or going into that
> cable is up to the host this "cable" is "plugged" into.
> -- 
> kind regards,
>
> David Sommerseth
> OpenVPN Inc

Hi David,

Thank you so much for your great advice.

Please consider the following server configuration file, what lines would
you add or remove?

    port 1194
    proto udp
    dev tun0
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    server 10.8.0.0 255.255.255.0
    push "dhcp-option DNS 172.20.1.2"
    keepalive 10 120
    tls-auth ta.key 0
    data-ciphers AES-256-CBC
    user nobody
    group nogroup
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    log /var/log/openvpn/openvpn.log
    log-append /var/log/openvpn/openvpn.log
    verb 3
    explicit-exit-notify 1

I guess you will change "tls-auth ta.key 0" to "tls-crypt ta.key 0" and
"data-ciphers AES-256-CBC" to "data-cipher AES-256-GCM". What else?

Cheers.
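As an added example (not code from the thread, from David, or from the OpenVPN project), the POSIX shell script below turns David's recommendations into a check that can be run against a server.conf: a linter that flags tls-auth without tls-crypt, proto tcp, CBC data ciphers, a missing ccd-exclusive and duplicate-cn; a writer that produces the hardened counterpart of the configuration Jason posted; and a helper that disables a client through its CCD file. The sample configuration is a constructed copy of the security-relevant lines of Jason's post; the key file name ta.key, the ccd/ directory and the AEAD cipher list are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN project.
# lint_openvpn_conf flags the weaknesses David lists; write_hardened_conf
# writes the hardened counterpart of the server.conf Jason posted;
# revoke_client disables a CN through its CCD file.
# Assumptions: key file ta.key, CCD directory ccd/, one reasonable AEAD list.

# lint_openvpn_conf FILE -- print one finding per line; no output means clean
lint_openvpn_conf() {
    f=$1
    if ! grep -q '^tls-crypt' "$f"; then
        if grep -q '^tls-auth' "$f"; then
            echo "tls-auth: only authenticates the control channel; use tls-crypt so the handshake is encrypted too"
        else
            echo "no tls-crypt: the control channel is visible to port scanners"
        fi
    fi
    if grep -Eq '^proto[[:space:]]+tcp' "$f"; then
        echo "proto tcp: an open TCP port shows up on a scan even with tls-crypt; prefer udp"
    fi
    if grep -Eq '^(data-ciphers|ncp-ciphers|cipher)[[:space:]].*CBC' "$f"; then
        echo "CBC data cipher: use an AEAD cipher, e.g. data-ciphers AES-256-GCM"
    fi
    if ! grep -q '^ccd-exclusive' "$f"; then
        echo "no ccd-exclusive: every certificate signed by the CA can connect; add client-config-dir and ccd-exclusive"
    fi
    if grep -q '^duplicate-cn' "$f"; then
        echo "duplicate-cn: lets one certificate be shared by several clients"
    fi
    return 0
}

# write_sample_conf DIR -- the security-relevant lines of the posted config (constructed copy)
write_sample_conf() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
data-ciphers AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
EOF
}

# write_hardened_conf DIR -- the same server with the thread's advice applied
write_hardened_conf() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
# control channel encrypted and authenticated; tls-crypt takes no direction
tls-crypt ta.key
tls-version-min 1.2
# data channel: AEAD ciphers only, first entry preferred
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
# only CNs with a file under ccd/ may connect; no duplicate-cn, so a
# certificate cannot be shared between devices
client-config-dir ccd
ccd-exclusive
remote-cert-tls client
user nobody
group nogroup
persist-key
persist-tun
EOF
}

# revoke_client CCD_DIR CN -- "disable" in the CCD file stops that CN from
# connecting (for a compromised key, publish a CRL via crl-verify as well)
revoke_client() {
    mkdir -p "$1"
    echo disable > "$1/$2"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    write_sample_conf "$d";   echo "== as posted"; lint_openvpn_conf "$d/server.conf"
    write_hardened_conf "$d"; echo "== hardened";  lint_openvpn_conf "$d/server.conf"
    revoke_client "$d/ccd" alice; rm -rf "$d"
fi
```

Run as `sh harden-check.sh demo` to see the three findings for the posted configuration followed by none for the hardened one; `lint_openvpn_conf /etc/openvpn/server.conf` checks a live file. The linter is text-only and knows nothing OpenVPN's own parser does, so it complements, rather than replaces, starting the daemon and reading its log.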
[Openvpn-users] OpenVPN vs WireGuard
Hello,

Is it true that WireGuard is safer and faster than OpenVPN?

Thank you.
[Openvpn-users] Cannot pre-load keyfile (ta.key)
Hello,

I added "tls-crypt ta.key 0" and "data-cipher AES-256-GCM" to my Server.conf
and "tls-crypt ta.key 1" and "data-cipher AES-256-GCM" to my Client.conf.

Client.ovpn is:

    client
    dev tun20
    proto udp
    remote 192.168.1.20 2000
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    remote-cert-tls server
    tls-crypt ta.key 1
    data-ciphers AES-256-GCM
    verb 3
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    ...
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    ...
    -----END OpenVPN Static key V1-----

But I got the following errors:

    Cannot pre-load keyfile (ta.key)
    Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

Why? Is this because my key is not a separate file?

Thank you.
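Added example, not code from the thread or from the OpenVPN project. OpenVPN takes each of ca, cert, key and tls-crypt either as a file path on the directive line or as an inline `<tag>`...`</tag>` block in the same profile; the Client.ovpn above names files on the directive lines and pastes the PEM material without the tags, so the daemon still looks for the files, and a tls-auth or tls-crypt file it cannot read is the condition it reports as "Cannot pre-load keyfile" (the "--cipher is not set" line is a warning, not what stops the client). The shell functions below list every referenced file a profile cannot read and build a single-file profile with the four inline blocks instead. The remote name, the placeholder PEM content and the cipher list are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN project.
# check_keyfiles reports every file a profile references on its ca/cert/key/
# tls-crypt/tls-auth lines that is not readable; build_inline_profile writes
# a single-file client profile with the material embedded in <ca>, <cert>,
# <key> and <tls-crypt> blocks instead.  The remote name is a placeholder and
# the cipher list is one reasonable choice; both are assumptions.

# check_keyfiles PROFILE -- one line per referenced file that is unreadable
check_keyfiles() {
    conf=$1
    dir=$(dirname "$conf")
    for tag in ca cert key tls-crypt tls-auth; do
        # second word of the directive line is the file name; empty when the
        # directive is absent or the material is inline only
        file=$(awk -v d="$tag" '$1 == d { print $2; exit }' "$conf")
        [ -n "$file" ] || continue
        case $file in /*) path=$file ;; *) path=$dir/$file ;; esac
        [ -r "$path" ] && continue
        if grep -q "^<$tag>" "$conf"; then
            echo "$tag: '$file' not readable, but an inline <$tag> block exists; drop the filename from the directive"
        else
            echo "$tag: '$file' not readable relative to $dir"
        fi
    done
    return 0
}

# build_inline_profile OUT CA CERT KEY TLSCRYPT -- write a single-file profile
build_inline_profile() {
    out=$1
    {
        printf '%s\n' 'client' 'dev tun' 'proto udp' \
            'remote vpn.example.invalid 1194' \
            'resolv-retry infinite' 'nobind' 'persist-key' 'persist-tun' \
            'remote-cert-tls server' \
            'data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305' 'verb 3'
        # each block replaces the matching "<directive> <file>" line;
        # tls-crypt takes no key-direction argument, inline or not
        for pair in "ca:$2" "cert:$3" "key:$4" "tls-crypt:$5"; do
            tag=${pair%%:*}
            printf '<%s>\n' "$tag"
            cat "${pair#*:}"
            printf '</%s>\n' "$tag"
        done
    } > "$out"
}

# usage: sh profile-check.sh check client.ovpn
if [ "${1:-}" = check ] && [ -n "${2:-}" ]; then
    check_keyfiles "$2"
fi
```

The checker resolves relative names against the profile's own directory, which is where OpenVPN looks unless `--cd` says otherwise; an absolute path in the directive is used as given. Keep the private key and the tls-crypt key out of world-readable locations whichever form you choose, since an inline profile carries both.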
[Openvpn-users] I set the local statement and I got Connection reset by peer (WSAECONNRESET) (fd=ec, code=10054)
Hello,

I added a virtual IP to my OpenVPN NIC as below:

    ...
    enp0s3:1: flags=4163  mtu 1500
            inet 20.1.1.20  netmask 255.0.0.0  broadcast 20.255.255.255
            ether 08:00:27:ed:b4:7c  txqueuelen 1000  (Ethernet)
    ...

Then, I added the following line to my Server.conf file:

    local 20.1.1.20

I did the following iptables rules:

    IF_MAIN=enp0s3:1
    IF_TUNNEL=tun20
    YOUR_OPENVPN_SUBNET=10.10.0.0/16

    iptables -I INPUT -p udp --dport 2000 -j ACCEPT
    iptables -A FORWARD -i $IF_MAIN -o $IF_TUNNEL -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j ACCEPT
    iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -o $IF_MAIN -j MASQUERADE
    iptables -t nat -A POSTROUTING -s $YOUR_OPENVPN_SUBNET -j SNAT --to 20.1.1.20

But, the client can't connect to the OpenVPN server and showed me the below error:

    Sat Aug 12 11:10:24 2023 read UDPv4: Connection reset by peer (WSAECONNRESET) (fd=ec,code=10054)

How to solve it?

Thank you.