Update documentation with logging warning; closes #189.
Advanced security
Keep the CA root key safe
As mentioned in the backup section, there are good reasons not to generate the CA on the server and/or not to leave it there. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.
Execute the following commands. Note that you might want to change the volume $PWD or use a data docker container for this.
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_initpki
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files
The ovpn_copy_server_files script puts all the needed configuration in a subdirectory which defaults to $OPENVPN/server. All you need to do now is to copy this directory to the server and you are good to go.
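A pre-copy check for the step above, as an added example that is not part of docker-openvpn: it rejects a staging directory that contains the CA root key, either under its usual name or as a renamed byte-identical copy. It assumes EasyRSA's default layout (CA key at pki/private/ca.key under the mounted volume) and that $OPENVPN/server appears on the host as $PWD/server; check_staging and demo_tree are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of docker-openvpn.
# Assumption: EasyRSA's default layout, so the CA private key is
# pki/private/ca.key under the directory mounted at /etc/openvpn.

# check_staging VOLUME_DIR STAGE_DIR
# Returns 0 if STAGE_DIR is free of the CA key, 1 if the key is there
# (by name, or as a byte-identical copy under any name), 2 on bad input.
check_staging() {
    ca_key="$1/pki/private/ca.key"
    stage=$2
    [ -d "$stage" ] || { echo "no staging directory: $stage" >&2; return 2; }

    # First find: anything still called ca.key, wherever it sits in the tree.
    # Second find: renamed copies, by comparing every staged file with the
    # real CA key (cmp -s exits 0 only when the contents are identical).
    hits=$(
        find "$stage" -type f -name ca.key
        if [ -f "$ca_key" ]; then
            find "$stage" -type f -exec cmp -s "$ca_key" {} \; -print
        fi
    )
    [ -z "$hits" ] && return 0

    echo "CA root key found in staging directory, do not copy:" >&2
    printf '%s\n' "$hits" | sort -u >&2
    return 1
}

# Constructed sample tree standing in for $PWD after ovpn_copy_server_files.
# The file contents are placeholders, not real key material.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/pki/private" "$d/server/pki/private"
    echo "constructed CA key" > "$d/pki/private/ca.key"
    echo "constructed server key" > "$d/server/pki/private/vpn.key"
    echo "$d"
}
```

Run it as check_staging "$PWD" "$PWD/server" on the secure machine and copy the directory only when it returns 0.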
Crypto Hardening
If you want to select the ciphers used by OpenVPN, the following parameters of ovpn_genconfig might interest you:
-T Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher).
-C A list of allowable TLS ciphers delimited by a colon (cipher).
-a Authenticate packets with HMAC using the given message digest algorithm (auth).
The following options have been tested successfully:
docker run -v $OVPN_DATA:/etc/openvpn --net=none --rm kylemanna/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384'
Changing the tls-cipher option seems to be more complicated because some clients (namely NetworkManager in Debian Jessie) seem to have trouble with this. Running openvpn manually also did not solve the issue:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
EasyRSA and 4096 bit RSA Keys
EasyRSA will generate 4096-bit RSA keys when the -e EASYRSA_KEY_SIZE=4096 argument is added to the ovpn_initpki and easyrsa build-client-full commands.
docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
docker run -e EASYRSA_KEY_SIZE=4096 -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
Logging and stdout
Because you are running within Docker, remember that any command that generates output to stdout may also log that output through Docker's log-driver mechanism. That may mean that e.g. keying material generated by ovpn_getclient will be logged somewhere that you don't want it to be logged.
A simple way to avoid having Docker log output for a given command is to run with --log-driver=none, e.g.:
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_getclient USER > USER.ovpn
Additional Resources
Have a look at the Applied-Crypto-Hardening project for more examples.