@rZn
Created July 5, 2020 13:23
How to secure correctly your OpenVPN connection
# Use at least TLS 1.2 (the only truly secure TLS version at the moment)
tls-version-min 1.2
# Handshake: ECDHE (elliptic-curve Diffie-Hellman) for key exchange, RSA for authentication,
# AES-256-GCM (authenticated encryption in Galois/Counter Mode) with SHA384 as the handshake hash
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# Use AES-256-CBC (Cipher Block Chaining) for data encryption
# Use SHA512 (HMAC) to authenticate the encrypted data
cipher AES-256-CBC
auth SHA512
# Renegotiate the encryption keys every 60 seconds
reneg-sec 60

Hi there,

How to correctly secure your OpenVPN connection, you said?

Yes! This little snippet will drastically improve the strength of your OpenVPN connection while keeping very good performance. You just have to add the lines from this gist at the end of your configuration file.

Important notes

  • It may not work everywhere. @Korben (Twitter) had a problem because his server does not support ECDHE; if you can't use this configuration, try replacing ECDHE with DHE in the tls-cipher parameter. It should work, but it will use more battery on a mobile/laptop because the key exchange will no longer use elliptic curves.
  • You should check whether your processor has AES-NI instructions. If it does, the key exchange should be protected from SPA (Simple Power Analysis) and DPA (Differential Power Analysis) attacks, and AES will be a lot faster.
  • If this is your own server, you should use at least a 4096-bit RSA key pair. 2048 bits is becoming weak and I suggest you stay away from this key size (don't even think about 1024 bits). If it is not your server, you should go to a VPN provider that has at least a 4096-bit RSA public key (most VPN providers advertise that fact on their website).
  • This may look off-topic, but never, ever rely on PPTP or L2TP for sensitive information.
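As an added example (not part of the gist), a small Python audit that parses an OpenVPN config and flags settings weaker than the snippet above; it accepts the DHE fallback from the first note, and the defaults it assumes for missing directives are those of OpenVPN 2.4, which is an assumption about the deployed version.

```python
import re

# Constructed sample: the gist's snippet with an ordinary client line added.
HARDENED_CONFIG = """\
client
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC
auth SHA512
reneg-sec 60
"""

# Constructed sample: a config that leans on OpenVPN 2.4-era defaults.
WEAK_CONFIG = """\
client
cipher BF-CBC
auth SHA1
"""

# Assumed OpenVPN 2.4 defaults for absent directives; verify on your build.
DEFAULTS = {"tls-version-min": "1.0", "cipher": "BF-CBC", "auth": "SHA1"}


def parse_openvpn(text):
    """Map each directive to its args, dropping '#'/';' comments; last one wins."""
    directives = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives


def audit_openvpn(text):
    """Return findings for settings below the gist's bar; [] means it passes."""
    d = parse_openvpn(text)
    findings = []
    if float(d.get("tls-version-min", [DEFAULTS["tls-version-min"]])[0]) < 1.2:
        findings.append("tls-version-min below 1.2 (TLS 1.0/1.1 still accepted)")
    suites = d.get("tls-cipher", [""])[0].split(":")
    if not all(re.match(r"TLS-(EC)?DHE-.*-GCM-", s) for s in suites):
        findings.append("tls-cipher not restricted to (EC)DHE suites with GCM")
    cipher = d.get("cipher", [DEFAULTS["cipher"]])[0]
    if not cipher.startswith("AES-256-"):
        findings.append(f"data cipher {cipher} is not AES-256")
    auth = d.get("auth", [DEFAULTS["auth"]])[0].upper()
    if auth not in ("SHA256", "SHA384", "SHA512"):
        findings.append(f"auth {auth} is not a SHA-2 HMAC")
    return findings
```

Run `audit_openvpn(open("client.ovpn").read())` against your own file; an empty list means every directive the gist sets is present at the same or better strength.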

Performance details

Crashes are very rare and there is no throughput loss at 150 Mbps (OpenVPN cannot go faster than this due to "its architecture, running in user space and not benefiting from kernel acceleration like IPsec (L2TP) does" according to VPN.ac).

Any suggestions to improve this code snippet are welcome.
