Different OpenVPN configs


7 replies to this topic

#1 jpuigs

  • Senior Member
  • 1,143 posts


Posted 27 October 2020 - 00:37

A few weeks ago, I changed my openvpn server.

Now I have it working on a Raspberry Pi 3B+, but until a few weeks ago it worked inside an Enigma box.

The Enigma version was configured using the easy-rsa Enigma script, and the current Raspberry version was configured using the PiVPN script.

 

I see differences between both server configurations.

The Enigma version is missing cipher, tls-crypt... and the Raspberry version is missing the dh2048 file and compression.

 

Please, somebody who has more experience than me with VPNs: which one is more secure?

 

Should I do a "mix" of both configs?

 

 

Old server Config in Enigma box:

port XXXXXX
proto udp
dev tun
ca /etc/openvpn/serverkeys/ca.crt
cert /etc/openvpn/serverkeys/server.crt
key /etc/openvpn/serverkeys/server.key  # This file should be kept secret
dh /etc/openvpn/serverkeys/dh2048.pem   # finite-field Diffie-Hellman parameters
server 10.8.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo                                # LZO compression of the tunnel traffic
persist-key
persist-tun
status openvpn-status.log
log /etc/openvpn/openvpn.log
verb 3
# no cipher, auth, tls-crypt/tls-auth or tls-version-min lines: OpenVPN defaults apply

Current server config in Raspberry box:

port XXXXXX
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypi.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypi.key
dh none                                  # no finite-field DH parameters ...
ecdh-curve prime256v1                    # ... the key exchange is ECDH on P-256 instead
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client                   # peer certificate must carry the client EKU
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key   # pre-shared key: encrypts and authenticates the control channel
cipher AES-256-GCM
auth SHA256
user openvpn                             # drop root privileges after start-up
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem          # reject revoked client certificates
status /var/log/openvpn-status.log 20
status-version 3
verb 3

Thanks.


Edited by jpuigs, 27 October 2020 - 00:38.

Enigma is getting old....
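As an added example (not from the post, PiVPN or OpenPLi), the comparison asked for above can be made mechanical: a small linter that parses both configs and reports the hardening options one of them lacks. The two configs below are constructed from the post, abridged to the lines that matter, with the redacted port left as XXXXXX; the severity labels and wording of the findings are my own.

```python
"""Lint OpenVPN server configs for the hardening options discussed in the thread."""
import shlex

# Constructed input: the two configs from the post, abridged.
ENIGMA_CONF = """\
port XXXXXX
proto udp
dev tun
ca /etc/openvpn/serverkeys/ca.crt
cert /etc/openvpn/serverkeys/server.crt
key /etc/openvpn/serverkeys/server.key  # This file should be kept secret
dh /etc/openvpn/serverkeys/dh2048.pem
server 10.8.8.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
comp-lzo
verb 3
"""

RASPBERRY_CONF = """\
port XXXXXX
proto udp
dev tun
dh none
ecdh-curve prime256v1
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-GCM
auth SHA256
user openvpn
group openvpn
crl-verify /etc/openvpn/crl.pem
verb 3
"""


def parse(conf):
    """Return {option: [argument lists]}; '#'/';' comments and blank lines are skipped."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        # shlex keeps quoted arguments (push "route ...") together and drops trailing # comments
        tokens = shlex.split(line, comments=True)
        if tokens:
            opts.setdefault(tokens[0], []).append(tokens[1:])
    return opts


def lint(conf):
    """Return (severity, option, message) findings, worst first."""
    o = parse(conf)
    f = []
    if not any(k in o for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        f.append(("HIGH", "tls-crypt", "no control-channel key: any host can start a TLS handshake; add tls-crypt"))
    if "comp-lzo" in o or "compress" in o:
        f.append(("HIGH", "comp-lzo", "compression before encryption leaks plaintext information and is deprecated; remove it"))
    cipher_args = o.get("cipher", [[]])[0]
    if "cipher" not in o and "data-ciphers" not in o:
        f.append(("HIGH", "cipher", "no cipher set: the historical default is BF-CBC (64-bit blocks); set cipher AES-256-GCM"))
    elif cipher_args and not cipher_args[0].upper().endswith("-GCM"):
        f.append(("MEDIUM", "cipher", "non-AEAD cipher; prefer AES-256-GCM"))
    if "auth" not in o:
        f.append(("MEDIUM", "auth", "no auth set: the default HMAC is SHA1; set auth SHA256"))
    if "tls-version-min" not in o:
        f.append(("MEDIUM", "tls-version-min", "old TLS versions accepted on the control channel; set tls-version-min 1.2"))
    if "remote-cert-tls" not in o:
        f.append(("MEDIUM", "remote-cert-tls", "peer EKU not checked: a server certificate could connect as a client; set remote-cert-tls client"))
    if "user" not in o or "group" not in o:
        f.append(("MEDIUM", "user", "daemon keeps root privileges after start-up; set user/group"))
    if "crl-verify" not in o:
        f.append(("MEDIUM", "crl-verify", "revoked client certificates are still accepted; set crl-verify"))
    dh = o.get("dh", [[]])[0]
    if dh == ["none"]:
        curve = o.get("ecdh-curve", [["(OpenVPN default)"]])[0][0]
        f.append(("INFO", "dh", f"finite-field DH disabled; key exchange is ECDH on {curve}"))
    elif dh:
        f.append(("INFO", "dh", f"finite-field DH parameters from {dh[0]}; ECDH gives the same security with far smaller keys"))
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(f, key=lambda x: order[x[0]])


if __name__ == "__main__":
    for name, conf in (("enigma", ENIGMA_CONF), ("raspberry", RASPBERRY_CONF)):
        print(f"== {name}")
        for sev, opt, msg in lint(conf):
            print(f"{sev:6} {opt:16} {msg}")
```

Run it and the Enigma config produces three HIGH findings (no tls-crypt, compression on, no explicit cipher) plus the hygiene items, while the Raspberry config produces only the informational ECDH note, which is the answer the thread arrives at.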

 


Re: Different OpenVPN configs #2 WanWizard

  • PLi® Core member
  • 70,528 posts


Posted 27 October 2020 - 01:14

tls-crypt was a new option in OpenVPN 2.4; your generation was on an older version, and 2.4.x was only introduced in 7.0 (7.3 has 2.4.7, 8.0 will have 2.4.9).

 

The second config is better (i.e. more up to date), but it probably depends on the defaults for tls-crypt, cipher and auth.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: Different OpenVPN configs #3 jpuigs

  • Senior Member
  • 1,143 posts


Posted 27 October 2020 - 11:26

thanks. I'll keep second one.

But the fact that it is missing a Diffie-Hellman dh2048 file, is that important?

Do I need to generate one using openssl?



Re: Different OpenVPN configs #4 WanWizard

  • PLi® Core member
  • 70,528 posts


Posted 27 October 2020 - 16:03

The old Diffie-Hellman algorithm has been replaced by Elliptic Curve Diffie-Hellman (ecdh), which is configured.




Re: Different OpenVPN configs #5 jpuigs

  • Senior Member
  • 1,143 posts


Posted 27 October 2020 - 16:48

Thank you. I didn't know that.

I understand that the current config I use (the second one) is safe enough.



Re: Different OpenVPN configs #6 WanWizard

  • PLi® Core member
  • 70,528 posts


Posted 27 October 2020 - 17:52

Yes, safer than the first.

 

But note that using it means your VPN client(s) need to be up to date, as in they need to support those features.




Re: Different OpenVPN configs #7 Erik Slagter

  • PLi® Core member
  • 46,969 posts


Posted 27 October 2020 - 18:58

Note that Diffie-Hellman is still considered safe (without the Elliptic Curve part). But it's expected that in the future enough brute force will be available to render it unsafe, so that's where EC comes in: it allows for far more secure keys with the same amount of bits (or the same level of security with far fewer bits).

 

It's recommended to use tls-crypt if only to prevent simple DoS attacks on your server. With tls-crypt the server can check very simply whether it's a legitimate OpenVPN packet and whether it's authorised or bogus.


* Wavefrontier T90 with 28E/23E/19E/13E via SCR switches 2 x 2 x 6 user bands
I don't read PM -> if you have something to ask or to report, do it in the forum so others can benefit. I don't take freelance jobs.
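To show the DoS point made in the post above, here is an added example (not OpenVPN code, not from the poster) that models the server side of a pre-shared control-channel key: every inbound packet is checked with an HMAC before any TLS work is done, so garbage and replayed packets cost the server one hash each and never reach the TLS state machine. It models only the authentication part of tls-auth/tls-crypt (real tls-crypt additionally encrypts the control channel) and uses a made-up packet layout (8-byte session id, 4-byte packet id, 32-byte HMAC-SHA256 tag, payload); the key, the "client" and the "attacker" traffic are all constructed in the script.

```python
"""Pre-shared-key gate in front of the TLS handshake: a simplified model of tls-auth/tls-crypt."""
import hashlib
import hmac
import os

SID_LEN = 8    # session id (made-up layout, not OpenVPN's)
PID_LEN = 4    # packet id, strictly increasing per session
TAG_LEN = 32   # HMAC-SHA256


def generate_ta_key():
    """The pre-shared key handed to every client out of band (the role of ta.key)."""
    return os.urandom(32)


def client_wrap(key, session_id, packet_id, payload):
    """Client side: authenticate header + payload and prepend the tag."""
    header = session_id + packet_id.to_bytes(PID_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload


class ControlChannelGate:
    """Server side: verify the tag, reject replays, and only then start TLS."""

    def __init__(self, key):
        self.key = key
        self.last_pid = {}          # highest packet id accepted per session
        self.dropped_bad_tag = 0
        self.dropped_replay = 0
        self.passed_to_tls = 0

    def receive(self, packet):
        hdr_end = SID_LEN + PID_LEN
        if len(packet) < hdr_end + TAG_LEN:
            self.dropped_bad_tag += 1
            return False
        sid, pid_bytes = packet[:SID_LEN], packet[SID_LEN:hdr_end]
        tag, payload = packet[hdr_end:hdr_end + TAG_LEN], packet[hdr_end + TAG_LEN:]
        expected = hmac.new(self.key, sid + pid_bytes + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            self.dropped_bad_tag += 1                # no key, no handshake: one HMAC spent
            return False
        pid = int.from_bytes(pid_bytes, "big")
        if pid <= self.last_pid.get(sid, -1):        # a captured packet played back
            self.dropped_replay += 1
            return False
        self.last_pid[sid] = pid
        self.passed_to_tls += 1                      # the expensive TLS work would begin here
        return True


def simulate(flood=1000):
    """One legitimate client; one attacker flooding random packets and replaying a capture."""
    key = generate_ta_key()
    gate = ControlChannelGate(key)
    sid = os.urandom(SID_LEN)
    first = client_wrap(key, sid, 1, b"P_CONTROL_HARD_RESET_CLIENT")   # constructed payload
    gate.receive(first)
    for _ in range(flood):
        gate.receive(os.urandom(SID_LEN + PID_LEN + TAG_LEN + 16))     # attacker has no key
    gate.receive(first)                                                # attacker replays the capture
    gate.receive(client_wrap(key, sid, 2, b"next control packet"))     # legitimate follow-up
    return {"tls": gate.passed_to_tls, "bad_tag": gate.dropped_bad_tag, "replay": gate.dropped_replay}


if __name__ == "__main__":
    print(simulate())
```

The counters show the effect: of a thousand forged packets and one replay, none reaches TLS, and only the two genuine packets do. Without the gate each forged packet would start a TLS handshake and tie up server CPU and state until it timed out.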


Re: Different OpenVPN configs #8 jpuigs

  • Senior Member
  • 1,143 posts


Posted 28 October 2020 - 00:15

I've added these ones...

opt-verify
verify-client-cert
ncp-disable


