Instantly share code, notes, and snippets.

Embed
What would you like to do?
How to secure correctly your OpenVPN connection
# [EN] Use at least the version 1.2 of TLS (which is the only truly secure version atm)
# [FR] Utilise au minimum la version 1.2 de TLS (qui est la seule version de TLS réellement sécurisé pour l'instant)
tls-version-min 1.2
# [EN] Use ECDHE (Elliptic curve Diffie–Hellman) for key exchange + RSA for authentication + AES-256-GCM-SHA384 (authenticated by Galois/Counter Mode with SHA384) for the handshake
# [FR] Utilise l'ECDHE (Elliptic curve Diffie–Hellman) pour l'échange des clés + RSA pour l'authentification + AES-256-GCM-SHA384 (AES authentifié par Galois/Counter Mode avec SHA384) pour la poignée de main
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# [EN] Use AES-256-CBC (Cipher Block Chaining) for datas encryption
# [EN] Use SHA512 to authenticate encrypted datas
# [FR] Utilise l'AES-256-CBC (Cipher Block Chaining) pour le chiffrement des données
# [FR] Utilise SHA512 pour l'authentification du chiffrement
cipher AES-256-CBC
auth SHA512
# [EN] Renegociate encryption keys each minutes
# [FR] Regénère les clés de chiffrement toutes les 60 secondes
reneg-sec 60

Hi there,

How to secure correctly your OpenVPN connection you said?

Yes! This little code snippet will improve drasticaly the strength of your OpenVPN connection while keeping very good performances. You just have to add the code available below at the end of you configuration file.

Important precisions

  • It may not work everywhere. @Korben (Twitter) got a problem because his server does not support ECDHE, if you can't use this configuration then try to change ECDHE by DHE in the tls-cipher parameters. It should works but it will consume more battery if you are on a mobile/laptop because it will not use Elliptic curves to exchange the key.
  • You should check if your processor have AES-NI instructions. If yes then the key exchange should be protected from SPA (Simple Power Analysis) and DPA (Differencial Power Analysis) attacks + AES will be a lot faster.
  • If this is your own server, you should use at least a 4096 bits RSA keypair. 2048 bits is becoming weak and I suggest you to stay away from this encryption strenght (don't even think about 1024 bits). If not, you should go to a VPN provider that have at least a 4096 bits RSA public key (most of VPN providers advertise that fact on their website).
  • This will look off-topic but never, ever rely on PPTP or L2TP for sensitive informations.

Performances details

Crashes are very rare and no loss on 150mbps (OpenVPN cannot be faster than this due to "its architecture, running in user space and not benefiting from kernel acceleration like IPsec (L2TP) does" according to VPN.ac).

Any suggestions to improve this code snippet are welcome.

@JW0914

This comment has been minimized.

JW0914 commented Nov 10, 2016

Until OpenVPN 2.4 is released, OpenVPN does not support Elliptic Curve

Unless one is at risk of governmental counter-intelligence or corporate espionage, 4096bit is overboard. 2048bit/AES256 is currently uncrackable and will be until at least 2030... even then, the only parties with the processing power to potentially crack that would be governmental intelligence agencies, and it would take them months to years. Implementing PFS via DHE would ensure that even if they did crack one VPN session, they would still have to independently crack every separate session.

Using 4096bit would provide only a minute amount of users an actual benefit, while proving a hindrance and inconvenience for 99.999999% of users. 3072bit/AES256 will be uncrackable until at least 2050+ by consumers, and may possibly be crackable by a server farm by then, but even that's iffy... even then, PFS via DHE would still guarantee even if one decrypted one VPN session, it would likely be inconsequential since one would need to decrypt every additional session using a different decryption key. Simply disconnecting/reconnecting to the VPN every 30min would provide the paranoid a better solution.

If in doubt, consult the NSA memorandum on encryption for the D.o.D which is public information, laying out the timeline for what encryption levels are currently used, when those will be discontinued for use, and the new requirements when those are. Currently, 3072bit/AES256 is the largest encryption key required for use by the NSA & D.o.D, with 2048bit/AES192 being acceptable for use until ~2020 IIRC.

@necheffa

This comment has been minimized.

necheffa commented Dec 3, 2016

Using OpenVPN 2.3.x I can confirm that tls-version-min and tls-cipher can not be used simultaneously. Further I've had trouble using tls-version-min {1.1, 1.2} which I believe is a bug.

My confirmed working config as follows:
tls-version-min 1.0
cipher AES-256-CBC
auth SHA512

My two machines negotiate a control channel cipher of ECDH-RSA-AES256-SHA so I may end up removing the tls-version-min options and use tls-cipher to force this cipher in order to protect against downgrade attacks. Looking forwards to OpenVPN 2.4 which should have support for stronger ciphers and ephemeral keys.

@pwnsdx

This comment has been minimized.

Owner

pwnsdx commented Mar 1, 2017

@JW0914: I'm trying to provides maximum security here. It's fairly useless to use AES256-* when you exchange the key with 2048 bits RSA. AES-128 bits is equal to RSA 3072 bits so you want to use RSA-3072 and AES-128 instead. FYI AES-256 is equal to RSA-15360 (source: http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2006-03/E_Barker-March2006-ISPAB.pdf)

@pwnsdx

This comment has been minimized.

Owner

pwnsdx commented Mar 1, 2017

@necheffa: It works for me. Is your server updated?

@amavarick

This comment has been minimized.

amavarick commented Apr 6, 2017

There have been some improvements with OpenVPN 2.4.1. Some thoughts on installation and hardening.

  1. Be sure to use the repo provided by OpenVPN and not default repo by OS. Install using repo rather than manually so you have the latest patching and versions: https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos

  2. tls-crypt vs tls-auth is now which uses the key file to authenticate, and also encrypt the TLS control channel. More info can be found on the man page: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

  3. 2.4.1 Now supports defining ecdh-curve. More information can be found in the link for the man page above. From your server you can also use openvpn --show-curves I used secp521r1 but welcome any advice regarding a stronger curve? Here is the output from my server: Available Elliptic curves:

secp112r1 secp112r2 secp128r1 secp128r2 secp160k1 secp160r1 secp160r2 secp192k1 secp224k1 secp224r1 secp256k1 secp384r1 secp521r1 prime192v1 prime192v2 prime192v3 prime239v1 prime239v2 prime239v3 prime256v1 sect113r1 sect113r2 sect131r1 sect131r2 sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 c2pnb163v1 c2pnb163v2 c2pnb163v3 c2pnb176v1 c2tnb191v1 c2tnb191v2 c2tnb191v3 c2pnb208w1 c2tnb239v1 c2tnb239v2 c2tnb239v3 c2pnb272w1 c2pnb304w1 c2tnb359v1 c2pnb368w1c2tnb431r1 wap-wsg-idm-ecid-wtls1 wap-wsg-idm-ecid-wtls3 wap-wsg-idm-ecid-wtls4 wap-wsg-idm-ecid-wtls5 wap-wsg-idm-ecid-wtls6 wap-wsg-idm-ecid-wtls7 wap-wsg-idm-ecid-wtls8 wap-wsg-idm-ecid-wtls9 wap-wsg-idm-ecid-wtls10 wap-wsg-idm-ecid-wtls11 wap-wsg-idm-ecid-wtls12 Oakley-EC2N-3 Oakley-EC2N-4

  1. Your clients must support these newer options. The stock OpenVPN client "OpenVPN Connect" for the Android OS didn't work. I had to use "OpenVPN for Android" Setup the repo for OpenVPN on your client to get the latest version to improve your security.

  2. Disable logging. I have seen where some people setup in their server.conf to output to dev/null

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment