Security Measures For OpenVPN Server and Security Hardening
In the previous articles of this series we learned how to install a new OpenVPN server on CentOS 7 and CentOS 6 and how to create and revoke clients. This article is different: it is about the security and hardening of the OpenVPN server itself.
A running OpenVPN environment protects the traffic of its clients, but the OpenVPN server is an exposed, internet-facing service and needs hardening of its own. So this article is all about OpenVPN server hardening.
Note: If you are a sudo user, prefix every command with sudo, e.g. sudo ifconfig
This is Part 7 of the series. If you want to read more articles on OpenVPN, follow the links below:
Part 1: How To Install And Setup OpenVPN Server On CentOS/RHEL 7?
Part 2: How To Install And Setup OpenVPN Server On CentOS/RHEL 6?
Part 3: Setup Linux And Windows Clients To Connect With OpenVPN Server In RHEL/CentOS 6/7
Part 4: How To Add/Create A New OpenVPN Client For OpenVPN Server In CentOS/RHEL 6/7
Part 5: How To Remove Revoke OpenVPN Server’s Clients From OpenVPN Server On RHEL/CentOS 6/7
Part 6: How To Remove OpenVPN Server from CentOS/RHEL 6/7
Prerequisites:
A Pre-Installed and running OpenVPN Server.
Scenario:
OpenVPN Server: 192.168.1.188 – Already Running
Let’s Start
This article is about server hardening, so read it carefully and apply the measures one by one, restarting and testing the service after each change so that it stays up and keeps working flawlessly.
Note: All Activities in this article will be done on OpenVPN Server.
Security Measures For Server Configuration
These are the security measures that can be taken at the server configuration level in OpenVPN. We will go through them one by one.
1. Rename Server Configurations, Certificates, And Keys Files
If you are running an OpenVPN server, you have a configuration file whose name starts with the string "server", and certificate and key files with equally predictable names. server.conf, server.crt and server.key are defaults that an attacker who gets a foothold on the host will look for first, so rename the configuration, certificate and key files to site-specific names and update the directives that reference them, like below (note that ca and cert must point at different files, the CA certificate and the server certificate):
ca customName-ca.crt
cert customName.crt
key customName.key
On CentOS/RHEL 7 the openvpn@.service unit takes its instance name from the configuration file name, so after renaming server.conf to customName.conf you enable and start openvpn@customName instead of openvpn@server. Renaming only raises the effort for an attacker who already has access to the machine; it is no substitute for the measures that follow.
2. Set Limit For Concurrent Clients
A network or system administrator knows how many concurrent connections the environment needs. Limit the number of clients to that requirement; OpenVPN then refuses additional connections instead of letting a flood of clients exhaust the server. For this example, I will limit the maximum number of concurrent clients to 150. See the example below:
max-clients 150
3. Avoid Using Default Port
When an OpenVPN server is configured, its default port is UDP 1194. Again, this is a default piece of information that attackers and scanners know, so it is suggested to change the OpenVPN port from the default to a custom one, and to update the firewall rule on the server and the remote directive in every client configuration to match. For example, I am setting it to port 9090:
port 9090
4. Create Client Certificate Separately
When you create a ".ovpn" file from keys and certificates, generate a separate and unique certificate for every client. Do not share a certificate by duplicating it between clients: you lose per-client accountability, and revoking the certificate of one compromised client cuts off all of them. Also, if you have enabled duplicate-cn in your server configuration file (it allows several clients to connect with the same Common Name), disable it by commenting out or deleting the line, as in the example below:
# duplicate-cn
5. Use Persistent VPN device
Whenever an OpenVPN connection is interrupted, the client tries to reconnect. It is therefore suggested to configure OpenVPN to keep the tun device open across these restarts instead of closing and re-opening it, so that the routes through the tunnel stay in place and traffic is held until the connection is restored rather than going out over the normal interface. This also matters for measure 6: once the process has dropped root privileges it can no longer re-open the device, and for the same reason its companion persist-key keeps the key material in memory instead of re-reading the key files. Add the line below to the server configuration file (the former server.conf):
persist-tun
6. Run OpenVPN Process with nobody User and Group
Always run the OpenVPN process as the nobody user and nobody group, so that a vulnerability in the daemon does not hand the attacker root. OpenVPN starts as root, opens the tun device and reads its keys, and then drops to this user; this is why persist-key and persist-tun (measure 5) belong with it, because after the drop it can neither re-read the keys nor re-open the device on a restart. To do this you need to add the lines below to your server configuration file (on Debian-derived systems the group is nogroup):
user nobody
group nobody
7. Disable Remote Management
The management interface lets whoever can reach it control the daemon: disconnect clients, read status, change settings. Disable or delete the management line from the server configuration file, as in the example below, unless your OpenVPN server is actually monitored through it. If you still need it, bind it only to 127.0.0.1 (never to an address reachable from the network), restrict access to trusted administrators, and use the optional third argument of the directive, a password file, so that a local user cannot simply connect to the port.
# management 127.0.0.1 8000
8. Use Of PSK To Avoid DDoS Attack
This is a static pre-shared key (PSK) shared by the server and all connected clients. It is an extra layer of protection in front of the TLS channel: every incoming control-channel packet must carry a correct HMAC signature made with this key, and packets that do not are dropped before they reach the TLS stack. This helps protect your VPN server from DoS attacks and port flooding that would otherwise drive up CPU load in the TLS handshake, and the PSK acts as a second line of defense against SSL library vulnerabilities, since unauthenticated packets are never parsed by the library. We generated this key when setting up our OpenVPN server:
openvpn --genkey --secret ta.key
Add the following line to your server configuration (the second parameter is the key direction: 0 on the server, 1 in every client configuration, and every client needs a copy of ta.key):
tls-auth ta.key 0
Note: If you plan to change the tls-auth key, it must be changed on all clients at the same time, otherwise they can no longer connect. OpenVPN 2.4 and later also offer tls-crypt, which uses the same kind of key file and additionally encrypts the control channel.
9. Keep CRL Updated and Verified
Keep your CRL (certificate revocation list) up to date and make OpenVPN verify client certificates against it, so that a revoked client can neither connect nor keep a session alive (an existing session is dropped at the next TLS renegotiation, one hour by default). Regenerate the CRL every time you revoke a client (see Part 5) and also before its own expiry date, because once the CRL itself has expired OpenVPN rejects every client, not only the revoked ones. Use an absolute path and make sure the file stays readable by the nobody user after the privilege drop. Add the following line to the server configuration:
crl-verify /path/crl.pem
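Putting measures 1 to 9 together: the script below is an added example, not code from the original article or the OpenVPN project, that audits a server configuration file for each of them by looking for active (uncommented) directives. The two configurations it builds are constructed for the demonstration, with made-up file names, port and paths; point audit_openvpn_conf at your own renamed configuration file.

```shell
#!/bin/sh
# Added example, not from the article: audit an OpenVPN server config against
# the hardening points in sections 1-9 above. The sample configs built below
# are constructed for the demonstration (names, port and paths are made up).

# True when an active (uncommented) line starts with the given directive regex.
has_directive() {   # has_directive <conf> <extended-regex>
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Print one finding per line for the config file given as $1; always returns 0.
audit_openvpn_conf() {
    conf=$1
    case "$(basename "$conf")" in
        server*) echo "1: config file keeps the default name $(basename "$conf")" ;;
    esac
    has_directive "$conf" 'max-clients'      || echo "2: no max-clients limit"
    has_directive "$conf" 'port'             || echo "3: no port directive, so the default 1194 is used"
    has_directive "$conf" 'port[[:space:]]+1194' && echo "3: listening on the default port 1194"
    has_directive "$conf" 'duplicate-cn'     && echo "4: duplicate-cn lets clients share one certificate"
    has_directive "$conf" 'persist-tun'      || echo "5: persist-tun missing"
    has_directive "$conf" 'persist-key'      || echo "5: persist-key missing (needed for restarts after dropping root)"
    has_directive "$conf" 'user[[:space:]]+nobody' || echo "6: process not dropped to user nobody"
    has_directive "$conf" 'group[[:space:]]+(nobody|nogroup)' || echo "6: process not dropped to group nobody"
    has_directive "$conf" 'management'       && echo "7: management interface enabled"
    has_directive "$conf" '(tls-auth|tls-crypt)' || echo "8: control channel not protected by tls-auth/tls-crypt"
    has_directive "$conf" 'crl-verify'       || echo "9: no crl-verify, revoked clients are still accepted"
    return 0
}

# Number of findings, for scripting: 0 means every check passed.
count_findings() { audit_openvpn_conf "$1" | wc -l | tr -d ' '; }

DEMO=$(mktemp -d)
# Constructed "before" config: the stock layout the article starts from.
cat > "$DEMO/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
duplicate-cn
management 127.0.0.1 8000
keepalive 10 120
EOF
# Constructed "after" config with measures 1-9 applied (and the file renamed).
cat > "$DEMO/vpn-gw01.conf" <<'EOF'
port 9090
proto udp
dev tun
ca gw01-ca.crt
cert gw01.crt
key gw01.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
max-clients 150
# duplicate-cn
persist-key
persist-tun
user nobody
group nobody
# management 127.0.0.1 8000
tls-auth ta.key 0
crl-verify /etc/openvpn/crl.pem
keepalive 10 120
EOF

for f in "$DEMO/server.conf" "$DEMO/vpn-gw01.conf"; do
    echo "== $(basename "$f"): $(count_findings "$f") finding(s)"
    audit_openvpn_conf "$f"
done
```

The checks are deliberately textual: they only tell you whether a directive is present and uncommented, so a value that is wrong (a CRL path nobody can read, a tls-auth key that differs from the clients') still needs the runtime checks in the sections that follow.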
Other Security Measures
10. Secure PKI Practice
We use a PKI with X.509 certificates for OpenVPN authentication, so secure PKI management is mandatory if the certificates are to safeguard your OpenVPN server at all. The following practices are suggested for secure PKI management:
- Manage the CA securely: keep the CA private key off the VPN server, on a separate and hardened machine; the server only needs the CA certificate and the CRL.
- Never transport private keys: create them on the system that will use them and send only the certificate request to the CA.
- Never share private keys.
- Protect private keys with passphrases and enforce a strong password policy for them.
- Revoke all lost or compromised keys and regenerate the CRL immediately.
11. Prevent Attack On Default Gateway
An attacker on the same local network as a client, for example one running a rogue DHCP server, can push routes to the client (DHCP classless static routes) that are more specific than the routes the VPN installs, so traffic for those destinations is routed over the local network instead of through the VPN. The attacker could likewise push a subnet mask for an extremely large subnet, with the same result. This issue has no easy, general solution; it depends on the client operating system. Where possible, use only a trusted DHCP server, configure the DHCP client to ignore classless static routes, and check the routing table after the tunnel comes up.
12. Disable IPv6 If not using
If you are not using IPv6, disable it. The setup so far only routes IPv4 through the OpenVPN tunnel; IPv6 is unaffected, so if the host has IPv6 connectivity an attacker may use it to reach the machine, or the client's traffic may leave, entirely outside the VPN. So I suggest disabling IPv6 on the server and on the clients unless you have deliberately configured it through the tunnel.
13. DNS management
Use only trusted and well-maintained DNS servers, because an attacker who controls or compromises the DNS server your clients use can redirect their traffic to hosts outside the VPN. Take care of your DNS servers: push the VPN's own resolver to clients from the server configuration (OpenVPN's dhcp-option DNS push), pin clients to that resolver, and make sure no other resolver is used while the tunnel is up.
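The three bypass paths of sections 11, 12 and 13 can be checked on a client after the tunnel comes up. The script below is an added example, not from the original article: each check takes its input as a file path or text, so it can be run against live data (/proc, /etc/resolv.conf, the output of ip route) or, as here, against constructed samples. The interface name tun0, the addresses and the route lines are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: checks for the tunnel-bypass paths in
# sections 11-13. Inputs are parameters so the checks run against live data
# or the constructed samples at the bottom (addresses and routes are made up).

# Section 12: IPv6 counts as disabled when the sysctl reads 1 (or is absent).
ipv6_disabled() {   # ipv6_disabled [sysctl-file]
    f=${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}
    [ -e "$f" ] || return 0
    [ "$(cat "$f")" = "1" ]
}

# Section 13: every nameserver in a resolv.conf must be one of the trusted
# servers given as arguments (normally the one pushed by the VPN server).
dns_pinned() {      # dns_pinned <resolv.conf> <trusted-ip>...
    f=$1; shift
    for ns in $(awk '$1=="nameserver"{print $2}' "$f"); do
        ok=no
        for t in "$@"; do [ "$ns" = "$t" ] && ok=yes; done
        [ "$ok" = yes ] || { echo "untrusted nameserver $ns"; return 1; }
    done
    return 0
}

# Section 11: default traffic must leave through the VPN device, either as a
# plain default route or as the 0.0.0.0/1 + 128.0.0.0/1 pair that
# redirect-gateway def1 installs. $1 is `ip route` output, $2 the VPN device.
default_via_vpn() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        function onvpn(   i) { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == dev) return 1; return 0 }
        $1 == "default"     && onvpn() { full = 1 }
        $1 == "0.0.0.0/1"   && onvpn() { lo = 1 }
        $1 == "128.0.0.0/1" && onvpn() { hi = 1 }
        END { exit !(full || (lo && hi)) }'
}

# Section 11: list routes that steer traffic around the VPN device. The default
# route, the kernel link routes of local interfaces and the host route to the
# VPN server ($3) are expected; anything else on a non-VPN device, such as a
# classless static route pushed by a rogue DHCP server, is printed.
bypass_routes() {   # bypass_routes "<ip route output>" <vpn-dev> [vpn-server-ip]
    printf '%s\n' "$1" | awk -v dev="$2" -v srv="${3:-}" '
        function onvpn(   i) { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == dev) return 1; return 0 }
        $1 == "default" || $1 == srv || /proto kernel/ { next }
        !onvpn() { print }'
}

# Constructed `ip route` output of a client with redirect-gateway def1 active;
# 203.0.113.10 stands for the VPN server's public address.
ROUTES_OK='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0'
# Constructed leaky table: no VPN default, plus a DHCP-pushed 10.0.0.0/8 route.
ROUTES_LEAK='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 192.168.1.254 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

default_via_vpn "$ROUTES_OK" tun0   && echo "ok sample: default traffic goes through tun0"
default_via_vpn "$ROUTES_LEAK" tun0 || echo "leak sample: default traffic bypasses tun0"
echo "leak sample: routes around the tunnel:"
bypass_routes "$ROUTES_LEAK" tun0 203.0.113.10
```

On a live client you would call ipv6_disabled with no argument, dns_pinned /etc/resolv.conf with the address pushed by the server, and the two route checks with "$(ip route)" and your tun device name.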
14. Key Size
Whenever you create a certificate, its RSA key must be at least 2048 bits; use 2048 bits as the minimum for server and client keys, and consider 4096 bits for the CA key, which lives longest. If you generate keys with other tools such as OpenSSL, check their default key size and raise it where needed (easy-rsa reads it from the KEY_SIZE variable in version 2 and EASYRSA_KEY_SIZE in version 3).
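To see sections 9, 10 and 14 in action without touching a real PKI, the script below is an added example, not code from the original article or the OpenVPN project: it builds a throwaway CA with plain openssl(1), issues a 2048-bit client certificate from a CSR (the private key never leaves the client side of the exchange), and then shows that revoking the certificate changes nothing for the server until crl.pem is regenerated, which is exactly what crl-verify checks per connection. The CA name, client name and paths are made up; in the series' setup, easy-rsa wraps the same steps (./easyrsa revoke and ./easyrsa gen-crl).

```shell
#!/bin/sh
# Added example, not from the article or the OpenVPN project: a throwaway PKI
# built with plain openssl(1) that shows what crl-verify checks and why the
# CRL must be regenerated after every revocation. CA name, client name and
# all paths are made up for the demonstration.
KEY_BITS=2048   # section 14: minimum RSA size for CA and client keys

# Regenerate the CRL from the CA database (easy-rsa: ./easyrsa gen-crl).
regen_crl() { openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null; }

# Mark a certificate revoked in the CA database. This does NOT touch crl.pem.
revoke_cert() { openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null; }

# The check the server performs per connection with crl-verify: chain the
# certificate to the CA and reject it if the current CRL lists its serial.
cert_accepted() {   # cert_accepted <pki-dir> <cert>
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$2" 2>/dev/null |
        grep -q ': OK$'
}

# RSA modulus size of a private key, to enforce the section 14 minimum.
key_bits() { openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'; }

# Build a minimal CA under $1, issue client1, and publish an (empty) CRL.
setup_demo_pki() {
    d=$1
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    : > "$d/index.txt"; echo 01 > "$d/serial"; echo 01 > "$d/crlnumber"
    # CA key and self-signed CA certificate (in real life ca.key stays off the VPN server).
    openssl req -x509 -config "$d/openssl.cnf" -newkey "rsa:$KEY_BITS" -nodes -sha256 \
        -days 3650 -subj /CN=demo-ca -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Client key generated where it will be used; only the CSR goes to the CA.
    openssl req -config "$d/openssl.cnf" -newkey "rsa:$KEY_BITS" -nodes \
        -subj /CN=client1 -keyout "$d/client1.key" -out "$d/client1.csr" 2>/dev/null
    openssl ca -batch -config "$d/openssl.cnf" -notext \
        -in "$d/client1.csr" -out "$d/client1.crt" 2>/dev/null
    regen_crl "$d"
}

DEMO=$(mktemp -d)
setup_demo_pki "$DEMO"
echo "client1.key is $(key_bits "$DEMO/client1.key") bit"
cert_accepted "$DEMO" "$DEMO/client1.crt" && echo "before revoke: accepted"
revoke_cert "$DEMO" "$DEMO/client1.crt"
cert_accepted "$DEMO" "$DEMO/client1.crt" && echo "after revoke, stale crl.pem: STILL accepted"
regen_crl "$DEMO"
cert_accepted "$DEMO" "$DEMO/client1.crt" || echo "after regenerating crl.pem: rejected"
```

The middle result is the one to remember: revocation only updates the CA's database, and the server keeps trusting the client until the regenerated crl.pem is copied to the path named by crl-verify. The CRL produced here is valid for 30 days (default_crl_days); with crl-verify in place it has to be regenerated before that date even when nothing was revoked.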