container-openvpn/docs/paranoid.md
Robin Schneider ee9f4531ad
Only setup networking for containers which need it.
This should mitigate a hypothetical compromise of the scripts used to
manage the CA and other sensitive material.

The examples should still work and make sense although I have not tried
all of them with this change applied.

Note that I did not append the --net=none to all examples because in
some cases network is probably wanted.

* Changing this for all docs was not accepted by @kylemanna.
  https://github.com/kylemanna/docker-openvpn/pull/65#issuecomment-138559257
2015-09-08 15:34:58 +02:00

2.1 KiB

Advanced security

Keep the CA root key save

As mentioned in the backup section, there are good reasons to not generate the CA and/or leave it on the server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.

Execute the following commands. Note that you might want to change the volume $PWD or use a data docker container for this.

docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_initpki
docker run --net=none --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files

The ovpn_copy_server_files script puts all the needed configuration in a subdirectory which defaults to $OPENVPN/server. All you need to do now is to copy this directory to the server and you are good to go.

Crypto Hardening

If you want to select the cyphers used by OpenVPN the following parameters of the ovpn_genconfig might interest you:

-T    Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher).
-C    A list of allowable TLS ciphers delimited by a colon (cipher).
-a    Authenticate  packets with HMAC using the given message digest algorithm (auth).

The following options have been tested successfully:

docker run --volumes-from $OVPN_DATA --net=none --rm kylemanna/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384'

Changing the tls-cipher option seems to be more complicated because some clients (namely NetworkManager in Debian Jessie) seem to have trouble with this. Running openvpn manually also did not solve the issue:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

Have a look at the Applied-Crypto-Hardening project for more examples.