Allow changing the security-related options tls-cipher, cipher and auth.

This commit is contained in:
Robin Schneider 2015-08-26 12:43:25 +02:00
parent 15ac3c89b0
commit d6209eebc2
No known key found for this signature in database
GPG Key ID: 489A4D5EC353C98A
3 changed files with 53 additions and 1 deletions


@ -45,6 +45,9 @@ usage() {
echo " -N Configure NAT to access external server network"
echo " -m Set client MTU"
echo " -t Use TAP device (instead of TUN device)"
echo " -T Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher)."
echo " -C A list of allowable TLS ciphers delimited by a colon (cipher)."
echo " -a Authenticate packets with HMAC using the given message digest algorithm (auth)."
}
if [ "$DEBUG" == "1" ]; then
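Review bot: the help text for -T and -C is swapped relative to what the options actually set. The getopts case below assigns -T to OVPN_TLS_CIPHER and -C to OVPN_CIPHER, and the config writer emits `tls-cipher $OVPN_TLS_CIPHER` and `cipher $OVPN_CIPHER`, yet -T is described as "Encrypt packets with the given cipher algorithm" (that is `cipher`) and -C as "A list of allowable TLS ciphers delimited by a colon" (that is `tls-cipher`). A user following this help would pass a colon-delimited suite list to -C and a single data-channel cipher to -T and get a server config OpenVPN rejects. Suggest `echo " -T A list of allowable TLS ciphers delimited by a colon (tls-cipher)."` and `echo " -C Encrypt packets with the given cipher algorithm instead of the default one (cipher)."`.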
@ -64,13 +67,25 @@ OVPN_ROUTES=()
TMP_ROUTES=()
OVPN_PUSH=()
TMP_PUSH=()
OVPN_TLS_CIPHER=''
OVPN_CIPHER=''
OVPN_AUTH=''
# Import defaults if present
[ -r "$OVPN_ENV" ] && source "$OVPN_ENV"
# Parse arguments
while getopts ":r:s:du:cp:DNm:t" opt; do
while getopts ":a:C:T:r:s:du:cp:DNm:t" opt; do
case $opt in
a)
OVPN_AUTH="$OPTARG"
;;
C)
OVPN_CIPHER="$OPTARG"
;;
T)
OVPN_TLS_CIPHER="$OPTARG"
;;
r)
TMP_ROUTES+=("$OPTARG")
;;
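Review bot: the three new OPTARG values are stored verbatim and later appended to the server config with `echo "cipher $OVPN_CIPHER" >> "$conf"` (and likewise for `tls-cipher` and `auth`); nothing rejects a value the local OpenVPN does not support, and a value containing a newline would silently become additional config directives. Since these are the parameters that decide the VPN's crypto strength, a typo such as `-a SHA265` should fail here rather than at server start. Suggest checking each value against the binary before accepting it, e.g. `openvpn --show-ciphers | grep -q "^$OPTARG " || { echo "unknown cipher: $OPTARG"; usage; exit 1; }` for -C, and the same pattern with `--show-digests` for -a and `--show-tls` (per colon-separated entry) for -T.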
@ -142,6 +157,7 @@ fi
export OVPN_SERVER OVPN_ROUTES OVPN_DEFROUTE
export OVPN_SERVER_URL OVPN_ENV OVPN_PROTO OVPN_CN OVPN_PORT
export OVPN_CLIENT_TO_CLIENT OVPN_PUSH OVPN_NAT OVPN_DNS OVPN_MTU OVPN_DEVICE
export OVPN_TLS_CIPHER OVPN_CIPHER OVPN_AUTH
# Preserve config
if [ -f "$OVPN_ENV" ]; then
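Review bot: because `$OVPN_ENV` is sourced before the arguments are parsed and the "Preserve config" block below writes these exported variables back to it, a cipher or digest chosen once persists across later `ovpn_genconfig` runs that omit -C/-a/-T. That is consistent with how the other options behave, but it should be stated in the docs for this commit, since an operator re-running genconfig to change routes will keep (and may not notice) the earlier crypto settings; passing an empty value (`-C ''`) is the only way to revert to the OpenVPN default.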
@ -181,6 +197,9 @@ user nobody
group nogroup
EOF
[ -n "$OVPN_TLS_CIPHER" ] && echo "tls-cipher $OVPN_TLS_CIPHER" >> "$conf"
[ -n "$OVPN_CIPHER" ] && echo "cipher $OVPN_CIPHER" >> "$conf"
[ -n "$OVPN_AUTH" ] && echo "auth $OVPN_AUTH" >> "$conf"
[ -n "$OVPN_CLIENT_TO_CLIENT" ] && echo "client-to-client" >> "$conf"
[ "$OVPN_DNS" == "1" ] && echo push "dhcp-option DNS 8.8.4.4" >> "$conf"
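Review bot: these directives are only emitted when the variable is non-empty, so a config without -C/-a falls back to OpenVPN's compiled-in defaults, which for the 2.3 series are BF-CBC and SHA1. The usage text describes -C as replacing "the default one" without naming it; the docs/advanced-security.md hunk in this commit should name those defaults so the reader knows what the "tested successfully" `-C 'AES-256-CBC' -a 'SHA384'` line is an improvement over. Also consider emitting the three lines in the order `cipher`, `auth`, `tls-cipher` to match the option order in usage(), purely for readability of the generated file.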


@ -72,6 +72,18 @@ $OVPN_ADDITIONAL_CLIENT_CONFIG
if [ -n "$OVPN_MTU" ]; then
echo "tun-mtu $OVPN_MTU"
fi
if [ -n "$OVPN_TLS_CIPHER" ]; then
echo "tls-cipher $OVPN_TLS_CIPHER"
fi
if [ -n "$OVPN_CIPHER" ]; then
echo "cipher $OVPN_CIPHER"
fi
if [ -n "$OVPN_AUTH" ]; then
echo "auth $OVPN_AUTH"
fi
}
dir="$OPENVPN/clients/$cn"
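Review bot: the client config now mirrors `tls-cipher`, `cipher` and `auth` from the saved environment, which is required since both ends must agree on them, but only clients exported after `ovpn_genconfig` was re-run get the new values. Existing .ovpn files keep the old settings and will fail to negotiate, which is exactly the "TLS key negotiation failed to occur within 60 seconds" / "TLS handshake failed" symptom the docs hunk describes for `tls-cipher`. The docs should tell operators to re-run `ovpn_getclient` for every client after changing any of these options. The same applies to `$OVPN_ADDITIONAL_CLIENT_CONFIG` users who maintain client configs by hand.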


@ -1,5 +1,6 @@
# Advanced security
## Keep the CA root key save
As mentioned in the [backup section](/docs/backup.md), there are good reasons to not generate the CA and/or leave it on the server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.
Execute the following commands. Note that you might want to change the volume `/tmp/openvpn` to persistent storage or use a data docker container for this.
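Review bot: while this file is being edited, the heading "Keep the CA root key save" in the context lines should read "Keep the CA root key safe".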
@ -9,3 +10,23 @@ Execute the following commands. Note that you might want to change the volume `/
docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files
The [`ovpn_copy_server_files`](/bin/ovpn_copy_server_files) script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go.
## Crypto Hardening
If you want to select the cyphers used by OpenVPN the following parameters of the `ovpn_genconfig` might interest you:
-T Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher).
-C A list of allowable TLS ciphers delimited by a colon (cipher).
-a Authenticate packets with HMAC using the given message digest algorithm (auth).
The following options have been tested successfully:
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384'
Changing the `tls-cipher` option seems to be more complicated because some clients (namely NetworkManager in Debian Jessie) seem to have trouble with this. Running `openvpn` manually also did not solve the issue:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
Have a look at the [Applied-Crypto-Hardening](https://github.com/BetterCrypto/Applied-Crypto-Hardening/tree/master/src/configuration/VPNs/OpenVPN) project for more examples.
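Review bot: this section copies the swapped option descriptions from usage(): -T is documented as the data-channel cipher and -C as the colon-delimited TLS suite list, whereas the script maps -T to `tls-cipher` and -C to `cipher` (as the tested example `-C 'AES-256-CBC' -a 'SHA384'` itself shows). Fix the two bullet lines to match the code, and correct "cyphers" to "ciphers". The `tls-cipher` paragraph would also be more useful if it explained the failure instead of calling it complicated: the quoted "TLS key negotiation failed to occur within 60 seconds" means the two sides found no common suite in the restricted list, which happens when the client config was generated before the change, when the client's GUI (such as NetworkManager) does not pass `tls-cipher` through, or when the client's OpenSSL lacks the suites; `openvpn --show-tls` on each side lists what it actually supports, and the names must be given in OpenVPN/OpenSSL form (for example `TLS-DHE-RSA-WITH-AES-256-GCM-SHA384`).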