| | 1 | [[TOC(depth=2)]] |
| | 2 | |
| | 3 | = Hardening OpenVPN = |
| | 4 | |
| | 5 | This is a work in progress. |
| | 6 | |
| | 7 | A number of things can be done to harden OpenVPN's security. This is a non-exclusive list of ways to harden OpenVPN on a number of levels. |
| | 8 | |
| | 9 | == X.509 key size == |
| | 10 | |
| | 11 | For asymmetric keys, general wisdom is that 1024-bit keys are no longer sufficient to protect against well-equipped adversaries. Use of 2048-bit is a good minimum. It is wise to ensure all keys across your active PKI (including the CA root keypair) are using at least 2048-bit keys. |
| | 12 | |
| | 13 | Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN,) but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide. |
| | 14 | |
| | 15 | == Use of --tls-cipher == |
| | 16 | |
| | 17 | By default, OpenVPN accepts a wide range of possible TLS cipher-suites; hardened systems should limit this to an acceptable list (which can be just 1) cipher as shown with `openvpn --show-tls`. As of OpenVPN 2.3.2, only TLSv1.0 RSA ciphers are usable. You should use a DHE cipher-suite as well for forward-secrecy. |
| | 18 | |
| | 19 | A git-master (slated to be included in >=2.3.3) enables support for TLSv1.2 cipher-suites, but note that requiring only TLSv1.2 cipher-suites is not backwards-compat with <=2.3.2 clients; your server/client may accept both a TLSv1.0 and TLSv1.2 option though. |
| | 20 | |
| | 21 | It's wise to use as small of a list as possible for your `--tls-cipher` option. Exceptions could include if you wish to provide the client their choice of several acceptable options. |
| | 22 | |
| | 23 | Limiting to TLSv1.0 DHE + RSA choices yields the following list, suitable for <=2.3.2 peers. The choices with SHA256 are preferred; DES choices are best avoided, '''especially''' single-DES (known very weak.) |
| | 24 | * TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 |
| | 25 | * TLS-DHE-RSA-WITH-AES-256-CBC-SHA |
| | 26 | * TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA |
| | 27 | * TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA |
| | 28 | * TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 |
| | 29 | * TLS-DHE-RSA-WITH-AES-128-CBC-SHA |
| | 30 | * TLS-DHE-RSA-WITH-SEED-CBC-SHA |
| | 31 | * TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA |
| | 32 | * TLS-DHE-RSA-WITH-DES-CBC-SHA |
| | 33 | * ^Avoid: known very week^ |
| | 34 | |
| | 35 | The following are TLSv1.2 DHE + RSA choices, requiring a compatible peer (git-master today, and targeted for a future >=2.3.3 version.): |
| | 36 | |
| | 37 | * TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 |
| | 38 | * TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 |
| | 39 | |
| | 40 | Today, OpenVPN does not support ECDHE or more exotic cipher-suites as there is no elliptic curve support currently. |
