OPENVPN - OpenVPN Server Security Best Practices
Use Strong Encryption Algorithms
To ensure that the traffic between the OpenVPN server and its clients is secure, choose strong encryption algorithms. Below is an example of configuring strong encryption:
cipher AES-256-CBC
auth SHA256
This configuration selects AES-256-CBC for the data channel and SHA-256 HMAC for packet authentication.
Use TLS Authentication
Use TLS authentication (HMAC) to protect against DoS and DDoS attacks. The `tls-auth` directive adds an additional layer of security by requiring a shared secret key.
tls-auth /etc/openvpn/ta.key 0
Both the server and every client must hold the same `ta.key`; packets that do not carry a valid HMAC are dropped before the TLS handshake even starts, so untrusted hosts cannot open a session.
Strong Server and Client Certificates
Generate and use strong server and client certificates signed by a trusted Certificate Authority (CA). Avoid using weak RSA keys or default certificates.
For example, generate a 2048-bit RSA key pair:
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048
Ensure that client certificates are properly generated and signed using the same CA. This ensures that both the server and client have trusted identities.
Disable Unnecessary Services
Disable unnecessary OpenVPN services and options in the configuration file. Avoid running the OpenVPN server with root privileges unless absolutely necessary.
user nobody
group nogroup
By setting the OpenVPN server to run as an unprivileged user (`nobody`) after start-up, you limit the damage an attacker can do if the service is exploited.
Use Perfect Forward Secrecy (PFS)
Perfect Forward Secrecy ensures that even if the private server key is compromised, past sessions cannot be decrypted. Enable PFS by using Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH) parameters.
For example, include the following in the OpenVPN server configuration:
dh /etc/openvpn/dh2048.pem
Alternatively, you can use ECDH with:
ecdh-curve prime256v1
Enable Client Certificate Verification
Client certificate verification ensures that only clients holding a certificate issued by your CA can connect. OpenVPN requires a client certificate by default, so make sure nothing in the configuration turns this off: the deprecated `client-cert-not-required` directive and `verify-client-cert none` disable the check and must not appear in a server configuration.
To state the requirement explicitly (OpenVPN 2.4 and later), use:
verify-client-cert require
Restrict IP Address Access
Ensure that your OpenVPN server only accepts connections from the IP ranges you expect. Two different controls are involved: the `push` directive decides which networks connected clients route through the tunnel, while firewall rules on the server decide which source addresses may reach the OpenVPN port at all.
For example, push a specific route to the client:
push "route 192.168.1.0 255.255.255.0"
Then allow only the trusted source range to reach the UDP port. The rule below only restricts access if the `INPUT` chain's default policy drops traffic that no rule accepts:
iptables -A INPUT -s 203.0.113.0/24 -p udp --dport 1194 -j ACCEPT
Implement Connection Limits
Prevent abuse and denial-of-service (DoS) attacks by limiting the number of simultaneous client connections. Use the `max-clients` directive to limit connections:
max-clients 100
This will limit the OpenVPN server to a maximum of 100 clients.
Logging and Monitoring
Monitoring and logging are critical for detecting potential security incidents and responding quickly.
Enable Detailed Logging
Enable detailed logging to capture OpenVPN server activity, including client connections, disconnections, and errors. This will allow for easier identification of suspicious activities.
Example logging configuration:
log /var/log/openvpn.log
verb 4
`verb 4` provides detailed logging, which is useful for debugging and identifying potential security issues.
Creating the OpenVPN Filter
To use Fail2Ban with OpenVPN, you need to create a custom filter that matches OpenVPN log entries indicative of failed authentication attempts. Here's how to create the filter.
1. **Create the Filter File** The Fail2Ban filter for OpenVPN should match failed login attempts from the OpenVPN log. Start by creating a new filter configuration in the Fail2Ban `filter.d` directory:
sudo nano /etc/fail2ban/filter.d/openvpn.conf
2. **Define the Regular Expression for Failures** Inside this file, define a regular expression that matches failed authentication attempts. Below is an example pattern for OpenVPN logs that you can use:
[Definition]
failregex = .*AUTH: Received control message: AUTH_FAILED, user=<HOST>
ignoreregex =
This `failregex` matches any log entry that contains `AUTH_FAILED` followed by an IP address; `<HOST>` is Fail2Ban's placeholder for the address it captures and bans. The exact wording of authentication-failure lines varies with the OpenVPN version and the authentication method, so confirm the pattern against real entries in your own log before enabling the jail.
Save the Filter File
Save and close the filter file (`Ctrl + X`, then `Y` to confirm saving).
Create a Jail Configuration
1. **Create the Jail File** Create a new jail configuration for OpenVPN in the Fail2Ban `jail.d` directory:
sudo nano /etc/fail2ban/jail.d/openvpn.local
2. **Define the Jail Settings** Inside this file, you will specify the actions to take when a failed login attempt is detected, as well as the parameters for banning the IP. Here’s an example configuration:
[openvpn]
enabled = true
port = 1194
filter = openvpn
logpath = /var/log/openvpn.log
maxretry = 3
bantime = 3600
findtime = 600
action = iptables[name=OpenVPN, port=1194, protocol=udp]
Explanation of the parameters:
- `enabled = true`: Enables the OpenVPN jail.
- `port = 1194`: Specifies the OpenVPN default port (UDP 1194).
- `filter = openvpn`: Refers to the filter file we created earlier.
- `logpath = /var/log/openvpn.log`: Path to the OpenVPN log file where failed login attempts are recorded.
- `maxretry = 3`: Limits the number of failed login attempts before banning the IP.
- `bantime = 3600`: Bans the offending IP for 1 hour (3600 seconds).
- `findtime = 600`: Defines the time window (600 seconds, or 10 minutes) during which failed attempts are counted.
- `action = iptables[name=OpenVPN, port=1194, protocol=udp]`: The action that Fail2Ban will take when a banning condition is met. In this case, Fail2Ban will block the attacking IP using `iptables`.
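To see how the filter and the jail parameters interact, here is an added Python simulation (not part of the original guide or of Fail2Ban itself) that applies the page's `failregex`, with `<HOST>` expanded to an IPv4 capture group as Fail2Ban does, to constructed log lines and counts failures per source inside the `findtime` window. The log lines and their ISO timestamps are constructed for the example and are not real OpenVPN output.

```python
import re
from datetime import datetime, timedelta

# The page's failregex, with Fail2Ban's <HOST> placeholder expanded to an IPv4 capture group.
FAILREGEX = re.compile(
    r"AUTH: Received control message: AUTH_FAILED, user=(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)
MAXRETRY, FINDTIME, BANTIME = 3, 600, 3600  # the jail settings from the configuration above

# Constructed log lines (ISO timestamps chosen for the example, not captured from a real server).
SAMPLE_LOG = """\
2024-05-01 10:00:00 AUTH: Received control message: AUTH_FAILED, user=203.0.113.7
2024-05-01 10:01:00 AUTH: Received control message: AUTH_FAILED, user=203.0.113.7
2024-05-01 10:02:00 AUTH: Received control message: AUTH_FAILED, user=203.0.113.7
2024-05-01 10:03:00 198.51.100.4:41000 TLS: Initial packet from [AF_INET]198.51.100.4:41000
2024-05-01 10:30:00 AUTH: Received control message: AUTH_FAILED, user=198.51.100.4
2024-05-01 10:45:00 AUTH: Received control message: AUTH_FAILED, user=198.51.100.4
2024-05-01 11:00:00 AUTH: Received control message: AUTH_FAILED, user=198.51.100.4
"""


def failures(log_text):
    """Yield (timestamp, host) for every line the filter matches; other lines are ignored."""
    for line in log_text.splitlines():
        match = FAILREGEX.search(line)
        if match:
            yield datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), match.group("host")


def simulate_jail(log_text):
    """Count failures per host inside a sliding findtime window; return {host: ban expiry}."""
    recent = {}  # host -> timestamps of failures still inside the findtime window
    bans = {}
    for ts, host in failures(log_text):
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=FINDTIME)]
        window.append(ts)
        recent[host] = window
        if len(window) >= MAXRETRY and host not in bans:
            bans[host] = ts + timedelta(seconds=BANTIME)
    return bans


if __name__ == "__main__":
    for host, expiry in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {host} until {expiry:%Y-%m-%d %H:%M:%S}")
```

Only 203.0.113.7 is banned: its three failures fall within 600 seconds, while 198.51.100.4 spreads its failures 15 minutes apart and never reaches `maxretry` inside one window. Against a live log, run `fail2ban-regex /var/log/openvpn.log /etc/fail2ban/filter.d/openvpn.conf` to check the real pattern the same way.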
Restarting Fail2Ban
After configuring the filter and jail, restart Fail2Ban to apply the changes:
sudo systemctl restart fail2ban
To verify that the OpenVPN jail is active, run:
sudo fail2ban-client status openvpn
You should see output that indicates the jail is enabled and how many IPs have been banned based on the filter.
Customizing Fail2Ban Settings
You can customize the settings based on your security requirements:
- **Adjust `maxretry`**: If you want a more aggressive approach, you can lower the number of failed login attempts before banning an IP (e.g., `maxretry = 2`).
- **Shorten `bantime`**: If you prefer to unban IPs sooner, reduce the `bantime` value (e.g., `bantime = 600` for 10 minutes).
- **Add multiple actions**: You can combine actions, such as sending email alerts or integrating with other systems.
For instance, to send an email alert when a client is banned, you can modify the `action` directive in the jail configuration like so:
action = iptables[name=OpenVPN, port=1194, protocol=udp]
         sendmail-whois[name=OpenVPN, dest=your-email@example.com]
Testing the Fail2Ban Configuration
Once the configuration is in place, you can test if the Fail2Ban filter and jail are working by attempting to connect to the OpenVPN server with incorrect credentials multiple times. After reaching the `maxretry` threshold, the offending IP should be banned.
To check the current bans, run:
sudo fail2ban-client status openvpn
This will show the list of currently banned IP addresses.
Enable System Resource Limits
Configure system resource limits to protect your OpenVPN server from resource-exhaustion denial-of-service (DoS) attacks by capping the number of open file descriptors and processes available to OpenVPN.
ulimit -n 4096
ulimit -u 256
These limits apply to the shell that starts OpenVPN and are inherited by the daemon. If OpenVPN is started by systemd, `ulimit` in an interactive shell has no effect on the service; set the equivalent `LimitNOFILE=` and `LimitNPROC=` values in the service unit instead.
Regular Security Audits
Periodically audit your OpenVPN configuration and system to identify potential vulnerabilities.
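As an added example (not from the original guide), the following Python script parses an OpenVPN server configuration and reports which of the settings covered above are missing or weaker than recommended. `SAMPLE_CONF` is a constructed configuration containing several of those weaknesses; the parser and the expected values are the example's own assumptions.

```python
from collections import defaultdict

# Constructed server.conf with several weak settings (not taken from a real server).
SAMPLE_CONF = """\
port 1194
proto udp
cipher BF-CBC
auth SHA1
client-cert-not-required
dh /etc/openvpn/dh2048.pem
log /var/log/openvpn.log
verb 1
"""


def parse_conf(text):
    """Map each directive to the list of argument strings it was given (comments stripped)."""
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            directives[name].append(args.strip())
    return directives


def audit(text):
    """Return one finding per directive that is missing or weaker than the guide recommends."""
    d = parse_conf(text)
    findings = []
    cipher = d.get("cipher", [""])[0]
    if not cipher.startswith("AES-256"):
        findings.append(f"cipher: expected AES-256-CBC, found {cipher or 'default'}")
    if d.get("auth", [""])[0] != "SHA256":
        findings.append("auth: expected SHA256")
    if "tls-auth" not in d:
        findings.append("tls-auth: control channel has no HMAC protection")
    if "dh" not in d and "ecdh-curve" not in d:
        findings.append("dh/ecdh-curve: no PFS parameters configured")
    if "client-cert-not-required" in d or d.get("verify-client-cert", ["require"])[0] != "require":
        findings.append("client certificates are not required")
    if d.get("user", [""])[0] != "nobody" or d.get("group", [""])[0] != "nogroup":
        findings.append("user/group: server does not drop root privileges")
    if "max-clients" not in d:
        findings.append("max-clients: no simultaneous-connection limit")
    if int(d.get("verb", ["1"])[0]) < 4:
        findings.append("verb: log level below 4")
    return findings
```

Running `audit(SAMPLE_CONF)` yields seven findings; a configuration that applies every setting from this guide yields none.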
Update OpenVPN Regularly
Ensure that OpenVPN and its dependencies are up to date with security patches. Set up automatic updates or subscribe to security mailing lists to stay informed.
apt-get update && apt-get upgrade openvpn
Conduct Penetration Testing
Regularly conduct penetration testing of your own deployment to identify weaknesses in your OpenVPN setup. Tools such as `nmap` and `openvpn-tools` can help simulate potential attack vectors. Because OpenVPN listens on UDP 1194 in this guide, `nmap` needs the `-sU` option to probe that port:
nmap -sU -p 1194 --script openvpn-version <your-server-ip>
This command probes the OpenVPN port and reports the version it can identify; compare that version against published security advisories to find out whether it is affected by known vulnerabilities.
