wiki:Hardening

Version 2 (modified by JoshC, 10 years ago) (diff)

add PKI management

Hardening OpenVPN

This is a work in progress.

A number of things can be done to harden OpenVPN's security. This is a non-exclusive list of ways to harden OpenVPN on a number of levels.

Practice secure PKI management

This one is so obvious it's often missed in hardening/security review. Your security system is only as secure as its weakest link, and the PKI is no exception. Practice secure PKI management, safeguard your CA-related passphrases, and ensure you have the level of control and auditing over your PKI infrastructure as suitable for your security needs.

Some basic principles of secure PKI management can include:

  • Keep the CA PKI on a secure system:
    • Limited user login access
    • Limited software installed that could compromise the system
    • Do not perform CA PKI tasks as root; use a restricted/limited account
    • Maintain filesystem controls/access
  • Generate private keys on the target system
    • As above, do not use root/admin accounts to generate keypairs/requests
    • Do not transport private keys, even encrypted ones (attackers can attempt to guess/brute-force passphrases)
    • Any passphrase used needs to be shared/transported as well
    • When keys are shared, future compromise can't be as easily shown to come from a specific one
  • Use secure passphrases
    • A copied/stolen encrypted key is no good if the passphrase used to protect it is weak/guessable
    • Standard password practices apply, such as not re-using passwords elsewhere
  • Use a CRL, and quickly revoke lost/compromised keys
    • Generate/use a CRL upfront, even when initially empty (OpenVPN requires a restart to add this option later)
    • Ensure holders of issued certificates know to promptly report loss/compromise of private keys
    • Have a system in place for revoking certificates and deploying them to live systems
    • Consider if clients need a copy of the CRL as well; some considerations:
      • multiple servers?
      • re-issuance of a compromised server?
      • key rollover for other reasons prior to expiry?

X.509 key size

For asymmetric keys, general wisdom is that 1024-bit keys are no longer sufficient to protect against well-equipped adversaries. Use of 2048-bit is a good minimum. It is wise to ensure all keys across your active PKI (including the CA root keypair) are using at least 2048-bit keys.

Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN,) but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide.

Use of --tls-cipher

By default, OpenVPN accepts a wide range of possible TLS cipher-suites; hardened systems should limit this to an acceptable list (which can be just 1) cipher as shown with openvpn --show-tls. As of OpenVPN 2.3.2, only TLSv1.0 RSA ciphers are usable. You should use a DHE cipher-suite as well for forward-secrecy.

A git-master (slated to be included in >=2.3.3) enables support for TLSv1.2 cipher-suites, but note that requiring only TLSv1.2 cipher-suites is not backwards-compat with <=2.3.2 clients; your server/client may accept both a TLSv1.0 and TLSv1.2 option though.

It's wise to use as small of a list as possible for your --tls-cipher option. Exceptions could include if you wish to provide the client their choice of several acceptable options.

Limiting to TLSv1.0 DHE + RSA choices yields the following list, suitable for <=2.3.2 peers. The choices with SHA256 are preferred; DES choices are best avoided, especially single-DES (known very weak.)

  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
  • TLS-DHE-RSA-WITH-AES-256-CBC-SHA
  • TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
  • TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
  • TLS-DHE-RSA-WITH-AES-128-CBC-SHA
  • TLS-DHE-RSA-WITH-SEED-CBC-SHA
  • TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
  • TLS-DHE-RSA-WITH-DES-CBC-SHA
    • Avoid: known very week

The following are TLSv1.2 DHE + RSA choices, requiring a compatible peer (git-master today, and targeted for a future >=2.3.3 version.):

  • TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
  • TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Today, OpenVPN does not support ECDHE or more exotic cipher-suites as there is no elliptic curve support currently.