Security Measures For OpenVPN Server and Security Hardening

From our previous articles, we learned about creating new clients and setting up a new OpenVPN server on CentOS 7 and CentOS 6. This article is different: it is entirely about OpenVPN server security and hardening.

If you have a running OpenVPN environment, you have already given thought to network and server security. But once the OpenVPN server is in place, the server itself also needs to be secured. That is what this article is about: OpenVPN server hardening.

Note: If you are a sudo user, prefix every command with sudo, like: sudo ifconfig

If you want to read more articles on OpenVPN, follow the links below:

Part 1: How To Install And Setup OpenVPN Server On CentOS/RHEL 7?
Part 2: How To Install And Setup OpenVPN Server On CentOS/RHEL 6?
Part 3: Setup Linux And Windows Clients To Connect With OpenVPN Server In RHEL/CentOS 6/7
Part 4: How To Add/Create A New OpenVPN Client For OpenVPN Server In CentOS/RHEL 6/7
Part 5: How To Remove Revoke OpenVPN Server’s Clients From OpenVPN Server On RHEL/CentOS 6/7
Part 6: How To Remove OpenVPN Server from CentOS/RHEL 6/7

Prerequisites:

A Pre-Installed and running OpenVPN Server.

Scenario:

OpenVPN Server: 192.168.1.188 – Already Running

Let’s Start

This article is about server hardening, so read it carefully and apply the measures one by one, making sure the service is still up and working after each change.

Note: All Activities in this article will be done on OpenVPN Server.

Security Measures For Server Configuration

These are the security measures that can be taken at the server configuration level in OpenVPN. We will go through them one by one.

1. Rename Server Configurations, Certificates, And Keys Files

If you are running an OpenVPN server, its configuration, certificate and key files usually have names starting with the string "server" (server.conf, server.crt, server.key). These default names are well known, so keep this information away from an attacker by renaming the files to something custom and updating the references in the configuration. For example (the CA certificate, server certificate and server key are three different files, so give them three different names):

ca customName-ca.crt
cert customName.crt
key customName.key

2. Set Limit For Concurrent Clients

A network or system admin knows how many concurrent connections the environment needs. I suggest limiting the number of clients to that requirement. For this example, I will limit the maximum number of concurrent client connections to 150:

max-clients 150

3. Avoid Using Default Port

When an OpenVPN server is configured, its default port is 1194. This is, again, a default that attackers are aware of, so it is suggested to change the OpenVPN port from the default to a custom one. For example, I am setting it to port 9090:

port 9090

4. Create Client Certificate Separately

When you create a ".ovpn" file from keys and certificates, create a separate, unique client certificate for every client. Do not share a certificate by duplicating it. Also, if duplicate-cn is enabled in your server configuration file, disable it by commenting out or deleting the line, as in the example below:

# duplicate-cn

5. Use Persistent VPN device

Whenever an OpenVPN connection is interrupted, the client tries to reconnect, so it is suggested to configure OpenVPN to keep the tunnel device open and hold traffic until the connection is restored. Add the line below to the server configuration (server.conf) file:

persist-tun

6. Run OpenVPN Process with nobody User and Group

Always run the OpenVPN process as the nobody user and nobody group. To do this, add the lines below to your server configuration file:

user nobody
group nobody

7. Disable Remote Management

For this, disable or delete the management line in the server configuration file (server.conf) as shown in the example. It should be disabled or deleted if your OpenVPN server is not monitored from a remote location. If you still need to give access to a remote host, allow only trusted IPs and clients.

# management 127.0.0.1 8000

8. Use Of PSK To Avoid DDoS Attack

This is a static pre-shared key (PSK) shared among all connected clients. It adds an extra layer of protection to the TLS control channel, because every incoming connection must carry a correct HMAC signature made with the PSK before it is processed. This protects your VPN server from DoS attacks that would otherwise increase CPU load, and the PSK acts as a second line of defense against vulnerabilities in the SSL library. We also did this while setting up our OpenVPN server:

openvpn --genkey --secret ta.key

Add the following line to your server configuration:

tls-auth ta.key

Note: If you plan to change this --tls-auth key, it must be changed on all clients at the same time. (If you use the optional key-direction parameter, it is 0 on the server and 1 on every client.)

9. Keep CRL Updated and Verified

Keep your CRL (certificate revocation list) updated, and make the server verify it, so that revoked client certificates can neither connect nor keep an existing connection alive. Add the following line to server.conf, replacing the path with the location of your CRL:

crl-verify /path/crl.pem
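As an added example (not code from the original article or from the OpenVPN project), the following POSIX shell script audits a server configuration file against items 1 to 9 above and prints one FAIL line per item that is not applied. It needs only sed and grep; the two sample configs it checks, a near-default one and a hardened one, are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): read-only audit of an OpenVPN
# server configuration against items 1-9 of this article.  Prints one
# "FAIL: ..." line per finding on stderr and the finding count on stdout.

# Print the value of an active (uncommented) directive, first match only.
# Usage: cfg_get FILE DIRECTIVE
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" | head -n 1
}

# Succeed when DIRECTIVE appears as an active (uncommented) line in FILE.
# Usage: cfg_has FILE DIRECTIVE
cfg_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Record one finding (used only by audit_openvpn_conf).
fail() {
    echo "FAIL: $1" >&2
    findings=$((findings + 1))
}

# Usage: audit_openvpn_conf FILE   -> prints the finding count (0 = clean)
audit_openvpn_conf() {
    cfg=$1
    findings=0
    # 1. default "server" file names advertise which template was used
    case "$(cfg_get "$cfg" cert)" in
        server*) fail "cert still uses the default server.crt name (item 1)" ;;
    esac
    # 2. concurrent-client ceiling
    cfg_has "$cfg" max-clients || fail "max-clients not set (item 2)"
    # 3. default port 1194
    port=$(cfg_get "$cfg" port)
    [ -n "$port" ] && [ "$port" != 1194 ] || fail "port is unset or the default 1194 (item 3)"
    # 4. shared client certificates
    cfg_has "$cfg" duplicate-cn && fail "duplicate-cn is enabled (item 4)"
    # 5. keep the tunnel device across reconnects
    cfg_has "$cfg" persist-tun || fail "persist-tun missing (item 5)"
    # 6. drop privileges after start-up
    [ "$(cfg_get "$cfg" user)" = nobody ]  || fail "user is not nobody (item 6)"
    [ "$(cfg_get "$cfg" group)" = nobody ] || fail "group is not nobody (item 6)"
    # 7. management interface
    cfg_has "$cfg" management && fail "management interface is enabled (item 7)"
    # 8. HMAC check on the control channel (tls-crypt is the newer equivalent)
    cfg_has "$cfg" tls-auth || cfg_has "$cfg" tls-crypt || fail "no tls-auth/tls-crypt key (item 8)"
    # 9. revocation list
    cfg_has "$cfg" crl-verify || fail "crl-verify missing (item 9)"
    echo "$findings"
}

# Constructed sample configs (not real deployments) so the script runs offline.
WORK=$(mktemp -d)
WEAK_CONF=$WORK/weak.conf
HARD_CONF=$WORK/hardened.conf

cat > "$WEAK_CONF" <<'EOF'
# constructed sample: a near-default server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
duplicate-cn
persist-key
persist-tun
user nobody
group nobody
management 127.0.0.1 8000
EOF

cat > "$HARD_CONF" <<'EOF'
# constructed sample: the same server after items 1-9 are applied
port 9090
proto udp
dev tun
ca customName-ca.crt
cert customName.crt
key customName.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
max-clients 150
# duplicate-cn
persist-key
persist-tun
user nobody
group nobody
# management 127.0.0.1 8000
tls-auth ta.key
crl-verify /path/crl.pem
EOF

echo "weak.conf findings: $(audit_openvpn_conf "$WEAK_CONF")"
echo "hardened.conf findings: $(audit_openvpn_conf "$HARD_CONF")"
```

To audit a live server, call audit_openvpn_conf with the path of your own configuration file instead of the samples; a non-zero count lists exactly which items still need attention.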

Other Security Measures

10. Secure PKI Practice

We are using a PKI and X.509 certificates for OpenVPN authentication, so secure PKI management is mandatory to give your OpenVPN server the best protection. The following practices are suggested for secure PKI management:

Manage the CA and its PKI securely:

  1. Never transport private keys (create them on the target system).
  2. Never share private keys.
  3. Create the certificates with passwords and use a secure password policy.
  4. Revoke all lost or compromised keys.

11. Prevent Attack On Default Gateway

Use a DHCP server to prevent this kind of attack; it is also suggested to configure your DHCP client to ignore classless static routes. An attacker could otherwise push a subnet mask for an extremely large subnet, which results in traffic being routed on the local network instead of through the VPN. If this happens there is no easy fix, since it depends entirely on your OS, so use a DHCP server if possible.

12. Disable IPv6 If not using

If you are not using IPv6, disable it. You have routed IPv4 through the OpenVPN channel, but IPv6 is unaffected, and an attacker may use this to bypass the tunnel by sending all traffic over IPv6. So I suggest disabling IPv6 if you are not using it.

13. DNS management

Use only trusted and well-secured DNS servers, because if an attacker gains access to or attacks the DNS server, they could redirect all your traffic outside the VPN. Take care of your DNS servers: pin your clients to a secure DNS server and make sure it is the right one.

14. Key Size

Whenever you create a certificate, its key size must be at least 2048 bits; I recommend going with 2048 bits. You may change the default bits parameter if you generate certificates with other tools, such as OpenSSL.
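The following shell script is an added example (not from the article or from OpenVPN) that puts items 10 and 14 together: it generates a passphrase-protected RSA key in place with the openssl command-line tool, issues a throwaway self-signed certificate from it, and checks that both meet the 2048-bit minimum before they would be accepted into the PKI. It assumes openssl is installed; the passphrase, subject and file names are placeholders.

```shell
#!/bin/sh
# Added example (not the article's or OpenVPN's own code): create a key on
# the system that will use it (item 10) and verify key sizes (item 14).
# Assumes the openssl command-line tool is installed.

# Print the bit length of an RSA private key; the passphrase is $2.
# Usage: key_bits KEYFILE PASSPHRASE   (prints nothing if the key cannot be read)
key_bits() {
    openssl pkey -in "$1" -passin "pass:$2" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# Print the bit length of the public key inside an X.509 certificate.
# Usage: cert_bits CERTFILE
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# Succeed only when BITS is known and meets the minimum (default 2048).
# Usage: meets_minimum BITS [MIN]
meets_minimum() {
    [ -n "$1" ] && [ "$1" -ge "${2:-2048}" ]
}

# Generate a passphrase-protected RSA key of the requested size in place,
# so the private key never has to be transported.  The umask keeps the
# file readable by its owner only.
# Usage: gen_key KEYFILE BITS PASSPHRASE
gen_key() {
    (
        umask 077
        openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" \
            -aes-256-cbc -pass "pass:$3" -out "$1" 2>/dev/null
    )
}

# Demo run with constructed values; the passphrase is a placeholder.
WORK=$(mktemp -d)
PASS='replace-with-a-strong-passphrase'
gen_key "$WORK/demo.key" 2048 "$PASS"
# Throwaway self-signed certificate, only to show the certificate-side check.
openssl req -x509 -new -key "$WORK/demo.key" -passin "pass:$PASS" \
    -subj '/CN=openvpn-demo' -days 1 -out "$WORK/demo.crt" 2>/dev/null

echo "key:  $(key_bits "$WORK/demo.key" "$PASS") bits"
echo "cert: $(cert_bits "$WORK/demo.crt") bits"
if meets_minimum "$(cert_bits "$WORK/demo.crt")"; then
    echo "demo.crt meets the 2048-bit minimum"
else
    echo "demo.crt is below the 2048-bit minimum, reject it"
fi
```

In a real PKI the key stays on the server that generated it and a signing request, not the key, goes to the CA; cert_bits and meets_minimum are the check to run on every certificate a CA hands back before it is installed.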
