7 replies to this topic

[jpuigs]

A few weeks ago, I changed my openvpn server.

Now I have it working on a raspberry 3B+ , but until a few weeks ago it worked inside an enigma box.

The enigma version was configured using the easy-rsa enigma script, and the current rasp. version was configured using pivpn script.

 

I see differences between both server configurations.

Enigma version misses cipher, tls crypt...  and Raspberry version mises dh2048 file and compression.

 

Please,  somebody that has more experience than me using VPNs.... Which one is more secure ?

 

Should I do a "mix" between both configs ?

 

 

Old server Config in Enigma box:

port XXXXXX
proto udp
dev tun
ca /etc/openvpn/serverkeys/ca.crt
cert /etc/openvpn/serverkeys/server.crt
key /etc/openvpn/serverkeys/server.key  # This file should be kept secret
dh /etc/openvpn/serverkeys/dh2048.pem
server 10.8.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log         /etc/openvpn/openvpn.log
verb 3

Current Server config in raspberry Box:

port XXXXXX
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypi.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypi.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-GCM
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
verb 3

Thanks.

Edited by jpuigs, 27 October 2020 - 00:38.

[WanWizard]

tls-crypt was a new option in OpenVPN 2.4, your generation was on a older version, 2.4.x was only introduced in 7.0 (7.3 has 2.4.7, 8.0 will have 2.4.9).

 

The second config is better (i.e. more up to date), but it probably depends on the defaults for tls-crypt, cipher and auth.

[jpuigs]

thanks. I'll keep second one.

But the fact that misses a Diffie Hellman dh2048 file, is it important ? 

Do I need to generate one using openssl ?

[WanWizard]

The old Diffie-Hellman algorithm has been replaced by Elliptic Curve Diffie-Hellman (ecdh), which is configured.

[jpuigs]

Thank you. I didn't know it.

I understand that the current config I use (2nd. one) is safe enough.

[WanWizard]

Yes, safer than the first.

 

But note that using it means you VPN client(s) need to be up to date, as in they need to support those features.

[Erik Slagter]

Note that Diffie-Hellman is still considered safe (without the Elleptic Curve part). But it's expected that in the future enough brute force will be available to render it unsafe, so that's where EC comes in, it allows for far more secure keys with the same amount of bits (or same level of security with far less bits).

 

It's recommended to use tls-crypt if only to prevent simple DOS attacks on your server. With tls-crypt the server can check very simply whether it's a legitimate OpenVPN packet and if it's authorised or bogus.

[jpuigs]

I've added these ones...

opt-verify
verify-client-cert
ncp-disable