From d6209eebc2e429639b3445995074b7a52716f955 Mon Sep 17 00:00:00 2001
From: Robin Schneider
Date: Wed, 26 Aug 2015 12:43:25 +0200
Subject: [PATCH] Allow to change security related options tls-cipher, cipher and auth.
---
 bin/ovpn_genconfig | 21 ++++++++++++++++++++-
 bin/ovpn_getclient | 12 ++++++++++++
 docs/paranoid.md | 21 +++++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
diff --git a/bin/ovpn_genconfig b/bin/ovpn_genconfig
index 11e0438..6c7817d 100755
--- a/bin/ovpn_genconfig
+++ b/bin/ovpn_genconfig
@@ -45,6 +45,9 @@ usage() {
   echo " -N Configure NAT to access external server network"
   echo " -m Set client MTU"
   echo " -t Use TAP device (instead of TUN device)"
+  echo " -T Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher)."
+  echo " -C A list of allowable TLS ciphers delimited by a colon (cipher)."
+  echo " -a Authenticate packets with HMAC using the given message digest algorithm (auth)."
 }
 
 if [ "$DEBUG" == "1" ]; then
@@ -64,13 +67,25 @@ OVPN_ROUTES=()
 TMP_ROUTES=()
 OVPN_PUSH=()
 TMP_PUSH=()
+OVPN_TLS_CIPHER=''
+OVPN_CIPHER=''
+OVPN_AUTH=''
 
 # Import defaults if present
 [ -r "$OVPN_ENV" ] && source "$OVPN_ENV"
 
 # Parse arguments
-while getopts ":r:s:du:cp:DNm:t" opt; do
+while getopts ":a:C:T:r:s:du:cp:DNm:t" opt; do
   case $opt in
+    a)
+      OVPN_AUTH="$OPTARG"
+      ;;
+    C)
+      OVPN_CIPHER="$OPTARG"
+      ;;
+    T)
+      OVPN_TLS_CIPHER="$OPTARG"
+      ;;
     r)
       TMP_ROUTES+=("$OPTARG")
       ;;
@@ -142,6 +157,7 @@ fi
 export OVPN_SERVER OVPN_ROUTES OVPN_DEFROUTE
 export OVPN_SERVER_URL OVPN_ENV OVPN_PROTO OVPN_CN OVPN_PORT
 export OVPN_CLIENT_TO_CLIENT OVPN_PUSH OVPN_NAT OVPN_DNS OVPN_MTU OVPN_DEVICE
+export OVPN_TLS_CIPHER OVPN_CIPHER OVPN_AUTH
 
 # Preserve config
 if [ -f "$OVPN_ENV" ]; then
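Review bot: The new help text for `-T` and `-C` is swapped relative to what the options do: `-T` fills `OVPN_TLS_CIPHER`, emitted later as `tls-cipher`, yet it is described as "Encrypt packets with the given cipher algorithm", which is OpenVPN's `cipher` directive, while `-C` fills `OVPN_CIPHER` but is described as the colon-delimited TLS cipher list. Someone following the help and passing `-T AES-256-CBC` gets an invalid `tls-cipher` line and a failed TLS handshake, which may be the NetworkManager failure the docs hunk reports. Swap the two descriptions: `echo " -T A list of allowable TLS ciphers delimited by a colon (tls-cipher)."` and `echo " -C Encrypt packets with the given cipher algorithm instead of the default one (cipher)."`, and update the matching block in docs/paranoid.md. `usage()` starts before this hunk; only its closing brace is visible.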
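Review bot: The new `a)`, `C)` and `T)` arms store `$OPTARG` unchecked, and the later hunks write the value verbatim into the server config and into every client profile, so a typo or stray whitespace only shows up when `openvpn` refuses to start or clients fail to handshake. Cipher, digest and TLS-cipher names are simple tokens, so a shape check at parse time gives an early, readable error: `[[ "$OPTARG" =~ ^[A-Za-z0-9:_-]+$ ]] || { echo "Invalid value for -$opt: $OPTARG" >&2; exit 1; }` in each arm, or in one small helper the three arms call. If the `openvpn` binary is present when `ovpn_genconfig` runs — I cannot tell from this hunk — `openvpn --show-ciphers`, `--show-digests` and `--show-tls` could validate the actual names. The `while getopts` loop and its `case` continue past the end of this hunk.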
@@ -181,6 +197,9 @@ user nobody
 group nogroup
 EOF
+[ -n "$OVPN_TLS_CIPHER" ] && echo "tls-cipher $OVPN_TLS_CIPHER" >> "$conf"
+[ -n "$OVPN_CIPHER" ] && echo "cipher $OVPN_CIPHER" >> "$conf"
+[ -n "$OVPN_AUTH" ] && echo "auth $OVPN_AUTH" >> "$conf"
 [ -n "$OVPN_CLIENT_TO_CLIENT" ] && echo "client-to-client" >> "$conf"
 [ "$OVPN_DNS" == "1" ] && echo push "dhcp-option DNS 8.8.4.4" >> "$conf"
diff --git a/bin/ovpn_getclient b/bin/ovpn_getclient
index 3e388c4..bc32942 100755
--- a/bin/ovpn_getclient
+++ b/bin/ovpn_getclient
@@ -72,6 +72,18 @@ $OVPN_ADDITIONAL_CLIENT_CONFIG
   if [ -n "$OVPN_MTU" ]; then
     echo "tun-mtu $OVPN_MTU"
   fi
+
+  if [ -n "$OVPN_TLS_CIPHER" ]; then
+    echo "tls-cipher $OVPN_TLS_CIPHER"
+  fi
+
+  if [ -n "$OVPN_CIPHER" ]; then
+    echo "cipher $OVPN_CIPHER"
+  fi
+
+  if [ -n "$OVPN_AUTH" ]; then
+    echo "auth $OVPN_AUTH"
+  fi
 }
 
 dir="$OPENVPN/clients/$cn"
diff --git a/docs/paranoid.md b/docs/paranoid.md
index 086a41e..dcab29d 100644
--- a/docs/paranoid.md
+++ b/docs/paranoid.md
@@ -1,5 +1,6 @@
 # Advanced security
 
+## Keep the CA root key save
 As mentioned in the [backup section](/docs/backup.md), there are good reasons to not generate the CA and/or leave it on the server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.
 
 Execute the following commands. Note that you might want to change the volume `/tmp/openvpn` to persistent storage or use a data docker container for this.
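Review bot: The server config still falls back to OpenVPN's compiled-in `cipher` and `auth` whenever `-C`/`-a` are not given, because the new `[ -n ... ] &&` guards write nothing for an empty value; for the 2.3-series builds current when this was written those defaults are, as far as I recall, BF-CBC and SHA1, weak choices for a feature the docs call "crypto hardening". Consider giving `OVPN_CIPHER` and `OVPN_AUTH` explicit stronger defaults (e.g. `AES-256-CBC` and `SHA256`) at the point where they are initialised, so that both this server config and the client profiles produced by `ovpn_getclient` — which presumably reads the same variables from `$OVPN_ENV` — carry the same explicit directive, while `tls-cipher` stays optional. Client and server `cipher`/`auth` must agree, so this would change the data channel for existing deployments and previously issued profiles would need regenerating; worth stating in the docs if adopted. The heredoc these lines follow begins before the hunk.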
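Review bot: A client profile embeds whatever `cipher`/`auth`/`tls-cipher` values are in `$OVPN_ENV` at the moment `ovpn_getclient` runs, so profiles issued before an operator changes `-C`/`-a` and regenerates the server config will silently disagree with the server and would presumably fail with authenticate/decrypt errors rather than a clear message. That is inherent to OpenVPN's data-channel options, but nothing here warns about it; a comment above the three new `if` blocks such as `# cipher/auth/tls-cipher must match the server config; reissue client profiles after changing them`, plus a sentence in docs/paranoid.md, would save the next operator a debugging session. The enclosing function starts before this hunk; only its closing brace is visible.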
@@ -9,3 +10,23 @@ Execute the following commands. Note that you might want to change the volume `/
     docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files
 
 The [`ovpn_copy_server_files`](/bin/ovpn_copy_server_files) script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go.
+
+## Crypto Hardening
+
+If you want to select the cyphers used by OpenVPN the following parameters of the `ovpn_genconfig` might interest you:
+
+    -T Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher).
+    -C A list of allowable TLS ciphers delimited by a colon (cipher).
+    -a Authenticate packets with HMAC using the given message digest algorithm (auth).
+
+
+The following options have been tested successfully:
+
+    docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384'
+
+Changing the `tls-cipher` option seems to be more complicated because some clients (namely NetworkManager in Debian Jessie) seem to have trouble with this. Running `openvpn` manually also did not solve the issue:
+
+    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
+    TLS Error: TLS handshake failed
+
+Have a look at the [Applied-Crypto-Hardening](https://github.com/BetterCrypto/Applied-Crypto-Hardening/tree/master/src/configuration/VPNs/OpenVPN) project for more examples.