container-openvpn/docs/paranoid.md
Robin Schneider ee9f4531ad
Only setup networking for containers which need it.
This should mitigate a hypothetical compromise of the scripts used to
manage the CA and other sensitive material.

The examples should still work and make sense although I have not tried
all of them with this change applied.

Note that I did not append the --net=none to all examples because in
some cases network is probably wanted.

* Changing this for all docs was not accepted by @kylemanna.
  https://github.com/kylemanna/docker-openvpn/pull/65#issuecomment-138559257
2015-09-08 15:34:58 +02:00

33 lines
2.1 KiB
Markdown

# Advanced security
## Keep the CA root key save
As mentioned in the [backup section](/docs/backup.md), there are good reasons to not generate the CA and/or leave it on the server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.
Execute the following commands. Note that you might want to change the volume `$PWD` or use a data docker container for this.
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_initpki
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files
The [`ovpn_copy_server_files`](/bin/ovpn_copy_server_files) script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go.
## Crypto Hardening
If you want to select the cyphers used by OpenVPN the following parameters of the `ovpn_genconfig` might interest you:
-T Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher).
-C A list of allowable TLS ciphers delimited by a colon (cipher).
-a Authenticate packets with HMAC using the given message digest algorithm (auth).
The following options have been tested successfully:
docker run --volumes-from $OVPN_DATA --net=none --rm kylemanna/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384'
Changing the `tls-cipher` option seems to be more complicated because some clients (namely NetworkManager in Debian Jessie) seem to have trouble with this. Running `openvpn` manually also did not solve the issue:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
Have a look at the [Applied-Crypto-Hardening](https://github.com/BetterCrypto/Applied-Crypto-Hardening/tree/master/src/configuration/VPNs/OpenVPN) project for more examples.