What is the most secure configuration for OpenVPN Server?

[carn1x]

There seems to be a number of options all of which I find quite difficult to weigh up. Is there a generally optimal secure configuration for OpenVPN Server via Merlin's Firmware?

One of the uses I expect to get from OpenVPN is to VPN from mainland China to access blocked resources, possibly using insecure WiFi (which I try to avoid if at all possible), or at the very least, WEP in Hotels.

Thanks for any tips

 

[miller79]

It doesn't sounds like you quite understand what OpenVPN provides for you.

I would read documentation at this url:

https://openvpn.net/index.php/open-source/documentation.html

The only advice I would give is to make sure you use a certificate you create. I would not use a static key. The rest is basically up to how paranoid you are.

 

[CaptainSTX]

From your original post is sounds like you are in China and want to be able to access web sites blocked by the "Great Firewall of China."

To do this you will have to subscribe to a commercial VPN service and run their client software either on individual devices or your router. Some VPN providers including Astrill VPN have software/applications that will self install on your router.

Before subscribing to any VPN service make sure they can offer/provide an extra secure VPN method specifically developed to bypass China's often successful attempts to block VPN connections. You also want a company that will continue to develop fixes when China finds a way to counter your VPN provider's counter meaures which seems to happen every six months or so.

To maintain as much of your connection's throughput look for a VPN provider with severs in Bangkok, Hong Kong, Singapore, etc. Connect only to servers on the US west coast if you need to connect to American sites that are geo blocked.

For someone just getting started with a VPN Astrill's application is simple to install on ASUS routers running Merlin's firmware. May not be the fastest but it works and has many nice features/options.

 

[carn1x]

From your original post is sounds like you are in China and want to be able to access web sites blocked by the "Great Firewall of China."

Sorry I should clarify, I do not live in China, and my home internet connection is outside of China as well. I or family may travel to China now and again, and so I would like to provide a VPN in that case to allow access to blocked resources.

It doesn't sounds like you quite understand what OpenVPN provides for you.

I plan to use it to both bypass firewalls, as well as provide secure access to resources within my home network (SSH, HTTP services)

The only advice I would give is to make sure you use a certificate you create. I would not use a static key. The rest is basically up to how paranoid you are.

OK thanks I'll look into that. Most of the tutorials I found on setting up OpenVPN all went into detail with generating certificates, but never explained why this was required or recommended, given that the OpenVPN Server setup UI provides default values for all of the certificate fields.

 

[wayner]

Most of the tutorials I found on setting up OpenVPN all went into detail with generating certificates, but never explained why this was required or recommended, given that the OpenVPN Server setup UI provides default values for all of the certificate fields.

I just set up OpenVPN on Merlin a few days ago and I think you are right - all of the tutorials that I found seem to talk about generating certs on a PC. You can now generate the certs/keys within Merlin - see here:

https://github.com/RMerl/asuswrt-merlin/wiki/Generating-OpenVPN-keys-using-Easy-RSA

Then you export a OVPN file and install that on your client, or you take the cert/key files and manually copy them to a client.

 

[carn1x]

I just set up OpenVPN on Merlin a few days ago and I think you are right - all of the tutorials that I found seem to talk about generating certs on a PC. You can now generate the certs/keys within Merlin - see here:

https://github.com/RMerl/asuswrt-merlin/wiki/Generating-OpenVPN-keys-using-Easy-RSA

Then you export a OVPN file and install that on your client, or you take the cert/key files and manually copy them to a client.

Yes this is the direction I went initially, however I got a bit nervous that the Merlin generated certificates were somehow inferior or less secure.

 

[wayner]

I am pretty sure that it is the exact same code in Merlin as in the Win or Linux versions of OpenVPN and I don't see a way in hte UI to use keys generated externally, although I am guessing it is just a case of putting them in the right folder.

 

[RMerlin]

I am pretty sure that it is the exact same code in Merlin as in the Win or Linux versions of OpenVPN and I don't see a way in hte UI to use keys generated externally, although I am guessing it is just a case of putting them in the right folder.

Keys generated for the clients do not need to be entered on the server in any way. All they need is to be signed with the same CA key that is used to sign the server certs. After that, you configure them in the client's ovpn config file, either in-line in a <cert></cert> <key></key> block, or as external files defined by cert/key operands.

I am using a manually generated client key myself, generated using EasyRSA.

 

[wayner]

DO you know if you can use the same client key on many different clients? My experience so far is yes, although these clients were both iOS devices - an iPhone and an iPad.

I am now in the process of establishing a VPN connection to my VPS which runs Ubuntu and wondering if I can use the same key again.

@RMerlin - do you observe the same as I do that when you use the Export function that it may not include all of the blocks?

 

[Martineau]

DO you know if you can use the same client key on many different clients? My experience so far is yes, although these clients were both iOS devices - an iPhone and an iPad.

I am now in the process of establishing a VPN connection to my VPS which runs Ubuntu and wondering if I can use the same key again.

@RMerlin - do you observe the same as I do that when you use the Export function that it may not include all of the blocks?

In my opinion, using the same key for multiple clients should be discouraged.

If you were to lose say the iPhone, you should immediately revoke the certificate on the server but this would also revoke the certificate on the iPad.

Now this is not necessarily a bad thing, but if the iPad was being used at a location where it was impossible to install the new certificates/keys then this may be an inconvenience that may not be tolerable.

I find the OpenVPN status page can very useful to be able to see differing device names connecting e.g. 'iPhone_John' or 'iPad_Mum' rather than the same generic name - to potentially assist in identifying any 'cloning' of the the single VPN key.

Regards,

 

[netware5]

................
I plan to use it to both bypass firewalls, as well as provide secure access to resources within my home network (SSH, HTTP services)
.................

I'm traveling frequently to countries which block or filter Internet access to some resources. I'm using my home router as secure access point for rerouting all traffic. I can confirm that it works during my last visit in China few month ago. My advice is to use tls-auth option

The --tls-auth option uses a static pre-shared key (PSK) that must be generated in advance and shared among all peers. This features adds "extra protection" to the TLS channel by requiring that incoming packets have a valid signature generated using the PSK key. If this key is ever changed, it must be changed on all peers at the same time (there is no support for rollover.)

The primary benefit is that an unauthenticated client cannot cause the same CPU/crypto load against a server as the junk traffic can be dropped much sooner. This can aid in mitigating denial-of-service attempts.

This feature by itself does not improve the TLS auth in any way, although it offers a 2nd line of defense if a future flaw is discovered in a particular TLS cipher-suite or implementation (such as CVE-2014-0160, Heartbleed, where the tls-auth key provided protection against attackers who did not have a copy). However, it offers no protection at all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic.

In addition to the extra protection this option helps to fool very sophisticated Chinese "Great Firewall", especially if combined with using TCP ports 80 or 443 as OpenVPN server ports listening to. Personally I'm using TCP port 80. Many people here will oppose that using standard HTTP port by OpenVPN server is not a good idea, but I do believe that this helps if you are in "not friendly" environment. If you are using tls-auth on TCP port 80 you are almost immune against "deep packet inspection". And last remark - don't forget that your server should instruct clients to re-route all traffic through the tunnel and to use the server's DNS service.

 

[cornflake]

And last remark - don't forget that your server should instruct clients to re-route all traffic through the tunnel and to use the server's DNS service.

I would advise to turn off IPv6 on the client as well. My experience with OpenVPN on a R-N66U was that IPv4 traffic gets routed through the VPN tunnel, while IPv6 traffic skips the VPN altogether and is transmitted "in the clear" to wherever its destination is. Turning off IPv6 on the client will force all traffic to use the VPN tunnel.

 

[miller79]

I plan to use it to both bypass firewalls, as well as provide secure access to resources within my home network (SSH, HTTP services)

When using VPN, you will also need to be aware of the port as many places may block the common ports (1194). You may have to use port 443 as your entry port.

OK thanks I'll look into that. Most of the tutorials I found on setting up OpenVPN all went into detail with generating certificates, but never explained why this was required or recommended, given that the OpenVPN Server setup UI provides default values for all of the certificate fields.

This is why I mentioned that I didn't think you quite understood what it provides as you mentioned connecting to unsecure WiFi or WEP as that's on the wrong side of what you are trying to keep secure. The security is through the certs and privates keys so even if someone can read your packets, they are encrypted so it doesn't matter what you are connecting through and who may be watching them. The following site goes through the details of the security if you are interested but with the correct configuration you can have a pretty good state of mind regarding your security.

https://openvpn.net/index.php/open-source/documentation/security-overview.html

 

[GloriaLindsey]

VPN

Right now I am using http://www.sunvpn.net/stealthvpn , I was able to pass the internet filters. It is an advanced VPN technology that is not detectable by smart firewalls tools.