container-openvpn/docs/paranoid.md

# Advanced security

## Keep the CA root key save
As mentioned in the [backup section](/docs/backup.md), there are good reasons to not generate the CA and/or leave it on the server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.

Execute the following commands. Note that you might want to change the volume `$PWD` or use a data docker container for this.

    docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
    docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_initpki
    docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files

The [`ovpn_copy_server_files`](/bin/ovpn_copy_server_files) script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go.

## Crypto Hardening

If you want to select the cyphers used by OpenVPN the following parameters of the `ovpn_genconfig` might interest you:

    -T    Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher).
    -C    A list of allowable TLS ciphers delimited by a colon (cipher).
    -a    Authenticate  packets with HMAC using the given message digest algorithm (auth).


The following options have been tested successfully:

    docker run -v $OVPN_DATA:/etc/openvpn --net=none --rm kylemanna/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384'

Changing the `tls-cipher` option seems to be more complicated because some clients (namely NetworkManager in Debian Jessie) seem to have trouble with this. Running `openvpn` manually also did not solve the issue:

    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    TLS Error: TLS handshake failed

## EasyRSA and 4096 bit RSA Keys

EasyRSA will generate 4096 bit RSA keys when the `-e EASYRSA_KEY_SIZE=4096` argument is added to `ovpn_initpki` and `easyrsa build-client-full` commands.

    docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
    docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass

## Additional Resources

Have a look at the [Applied-Crypto-Hardening](https://github.com/BetterCrypto/Applied-Crypto-Hardening/tree/master/src/configuration/VPNs/OpenVPN) project for more examples.
Added documentation for ovpn_copy_server_files. 2015-03-12 22:07:34 +00:00			`# Advanced security`

Allow to change security related options tls-cipher, cipher and auth. 2015-08-26 10:43:25 +00:00			`## Keep the CA root key save`
Fixed typos. 2015-03-14 11:59:07 +00:00			`As mentioned in the [backup section](/docs/backup.md), there are good reasons to not generate the CA and/or leave it on the server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.`
Added documentation for ovpn_copy_server_files. 2015-03-12 22:07:34 +00:00
Updated documentation. * Related to https://github.com/kylemanna/docker-openvpn/pull/54 * Allow better syntax highlighting. * Added/Fixed hyperlinks. * Spelling. 2015-08-25 10:40:02 +00:00			Execute the following commands. Note that you might want to change the volume `$PWD` or use a data docker container for this.
Added documentation for ovpn_copy_server_files. 2015-03-12 22:07:34 +00:00
Only setup networking for containers which need it. This should mitigate a hypothetical compromise of the scripts used to manage the CA and other sensitive material. The examples should still work and make sense although I have not tried all of them with this change applied. Note that I did not append the --net=none to all examples because in some cases network is probably wanted. * Changing this for all docs was not accepted by @kylemanna. https://github.com/kylemanna/docker-openvpn/pull/65#issuecomment-138559257 2015-09-08 13:34:58 +00:00			`docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM`
			`docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_initpki`
			`docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files`
Added documentation for ovpn_copy_server_files. 2015-03-12 22:07:34 +00:00
Fixed up Markdown. 2015-03-14 12:00:11 +00:00			The [`ovpn_copy_server_files`](/bin/ovpn_copy_server_files) script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go.
Allow to change security related options tls-cipher, cipher and auth. 2015-08-26 10:43:25 +00:00
			`## Crypto Hardening`

			If you want to select the cyphers used by OpenVPN the following parameters of the `ovpn_genconfig` might interest you:

			`-T Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher).`
			`-C A list of allowable TLS ciphers delimited by a colon (cipher).`
			`-a Authenticate packets with HMAC using the given message digest algorithm (auth).`


			`The following options have been tested successfully:`

misc: Switch from data container to data volume * Use the `docker volume` mechanism. * Less confusing and makes more sense. * Released in ~ docker v1.9 2016-09-03 23:08:49 +00:00			`docker run -v $OVPN_DATA:/etc/openvpn --net=none --rm kylemanna/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384'`
Allow to change security related options tls-cipher, cipher and auth. 2015-08-26 10:43:25 +00:00
			Changing the `tls-cipher` option seems to be more complicated because some clients (namely NetworkManager in Debian Jessie) seem to have trouble with this. Running `openvpn` manually also did not solve the issue:

			`TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)`
			`TLS Error: TLS handshake failed`

docs: paranoid: Describe how to do 4096 RSA keys * For the paranoid of course. :) * Someday elliptic curve? * Closes #154 2016-09-03 23:24:49 +00:00			`## EasyRSA and 4096 bit RSA Keys`

			EasyRSA will generate 4096 bit RSA keys when the `-e EASYRSA_KEY_SIZE=4096` argument is added to `ovpn_initpki` and `easyrsa build-client-full` commands.

			`docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki`
			`docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass`

			`## Additional Resources`

Allow to change security related options tls-cipher, cipher and auth. 2015-08-26 10:43:25 +00:00			`Have a look at the [Applied-Crypto-Hardening](https://github.com/BetterCrypto/Applied-Crypto-Hardening/tree/master/src/configuration/VPNs/OpenVPN) project for more examples.`