Security vpn

It's similar to a seedbox.

I have openvpn running on my home machine.

I have installed openvpn on the server.

Made certificates and issued one for the home machine.

But openvpn fails to start on the server?

On the home machine it's running OK.
 
The server config looks a bit bare but most essentials are there. Also remove comp-lzo from both configs for now.

OK, add this to the bottom of the server config:

verb 6 # 6 to 11 -- Debug info range

You may need to set a higher debug number but that should get you started.

Next, open a console and start openvpn:

/usr/sbin/openvpn --config /path/to/your/config

Obviously correct the paths.

This should give you an idea of where openvpn is failing; post the output here.
 
OK, followed another tutorial

got openvpn set up on the SERVER OK and running

server config

openvpn starts OK on the server, but on the client it won't start

client config


weird...
 
hmmm

for some reason I can't edit the previous post

OK, with those configs above it's working now

openvpn is running OK on SERVER
openvpn is running OK on CLIENT

now...

how do I know they're connected to each other via the tunnel?

and how do I direct traffic through the tunnel?

cheers
 
The server IP is the normal public IP; you can ping it even with openvpn off.

I thought in the tunnel it gets another IP?

something like 10.8.0.1 etc.
 
Correct.

The openvpn on the server will create a new network dev, usually tun0. The same happens on the client machine when the client openvpn is started.

The tun0 IP for the server will be 10.8.0.1 or whatever you set in the server line in the server config:

server 10.8.0.0 255.255.255.0

The server will give the client tun0 an IP of, let's say, 10.8.0.10, or you can specify specific IPs for specific clients using the ccd directory and the relevant options in the server config. The ccd option is also good for added security.

So from the client machine, ping 10.8.0.1.


You can also look at the management options for detailed logging: Management Interface
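Pinging 10.8.0.1 proves the tunnel from the client side. To see the same thing from the server side, the file written by the server's `status` directive (with `status-version 2`, as in the configs later in this thread) lists every connected client with its tunnel address and real address. The script below is an added example, not code from the thread or from the OpenVPN project; the status file it parses is a constructed sample in the version 2 layout (client names, addresses and counters are made up). Because the column set differs between OpenVPN releases, it locates columns by name through the HEADER,CLIENT_LIST row instead of by fixed position.

```shell
#!/bin/sh
# Added example (not from the thread): list the clients an OpenVPN server currently has
# connected, read from the file named by "status <file> <seconds>" with "status-version 2".
# Column sets differ between OpenVPN releases, so columns are located by name through
# the HEADER,CLIENT_LIST row rather than by fixed position.

# Constructed sample in the status-version 2 layout. Names, addresses and counters are made up.
write_sample_status() {
    cat > "$1" <<'EOF'
TITLE,OpenVPN 2.4 (constructed sample, not a real status dump)
TIME,Thu Jun 18 10:00:00 2020,1592474400
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,laptop,203.0.113.5:51234,10.8.0.6,,12345,67890,Thu Jun 18 09:50:00 2020,1592473800,UNDEF,0,0
CLIENT_LIST,phone,198.51.100.7:4120,10.8.0.10,,1000,2000,Thu Jun 18 09:55:00 2020,1592474100,UNDEF,1,1
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,laptop,203.0.113.5:51234,Thu Jun 18 09:59:58 2020,1592474398
ROUTING_TABLE,10.8.0.10,phone,198.51.100.7:4120,Thu Jun 18 09:59:59 2020,1592474399
GLOBAL_STATS,Max bcast/mcast queue length,0
END
EOF
}

# vpn_clients FILE: one line per connected client: "<common name> <virtual address> <real address>"
vpn_clients() {
    awk -F, '
        $1 == "HEADER" && $2 == "CLIENT_LIST" {
            # header field i names data field i-1 (data rows carry only the CLIENT_LIST tag)
            for (i = 3; i <= NF; i++) col[$i] = i - 1
            next
        }
        $1 == "CLIENT_LIST" && ("Common Name" in col) {
            print $(col["Common Name"]), $(col["Virtual Address"]), $(col["Real Address"])
        }
    ' "$1"
}

# vpn_client_count FILE: number of connected clients
vpn_client_count() {
    vpn_clients "$1" | awk 'END { print NR }'
}

# vpn_is_connected FILE CN: succeed if a client whose certificate CN is CN is connected
vpn_is_connected() {
    vpn_clients "$1" | awk -v cn="$2" '$1 == cn { found = 1 } END { exit !found }'
}

# Stand-alone: pass a real status file, otherwise run against the constructed sample.
if [ "$#" -gt 0 ]; then
    vpn_clients "$1"
else
    tmp=$(mktemp)
    write_sample_status "$tmp"
    vpn_clients "$tmp"
    rm -f "$tmp"
fi
```

The Virtual Address column is the address the server handed to that client (the 10.8.0.x you see in the client log), so a client that pings 10.8.0.1 should show up here with that address; the Real Address is the public endpoint the encrypted UDP packets arrive from.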
 
cheers

yes I can ping 10.8.0.1 from the client

and in a log I found it's given 10.8.0.8 to the client

now is that a dynamic IP or static?

I want it static

and say I've got a programme that connects to port 1234 on the client machine

e.g. clientdns port 1234

how would I send it through the tunnel?

would it be like 10.8.0.8 port 1234?

thanks for your help guys, it's not easy to set up if you're new to it lol
 
If you want static you can use this in the server config:

ifconfig-pool-persist /etc/openvpn/ipp_private.txt

Connect a client, then edit ipp_private.txt and change the IP associated with the client to what you want. Then reconnect the client.


Or for a more secure method use the ccd option in the server config:

client-config-dir /etc/openvpn/ccd_private

In the ccd_private directory create a file with the same name as the client certificate you created. In that file put:

ifconfig-push 10.8.0.10 10.8.0.11

This will only allow that client's named certificate to connect. So if you created a cert and did not add it to the ccd directory then the client could not connect.

If you are connecting a Windows machine there is something about having to leave 4 IP addresses between each client. Not sure if that was for all clients or just the Windows clients. e.g.

client 1 - ifconfig-push 10.8.0.10 10.8.0.11
client 2 - ifconfig-push 10.8.0.14 10.8.0.15
client 3 - ifconfig-push 10.8.0.18 10.8.0.19

If you want I can post some of my configs tomorrow and go through some more options with you, but tonight it's late and I'm tired.
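The "leave 4 IP addresses between each client" rule comes from OpenVPN's default net30 topology: with `server 10.8.0.0 255.255.255.0` every client occupies its own /30, and the OpenVPN HOWTO says the two `ifconfig-push` addresses must be the usable pair of one /30, with last octets taken from [1,2] [5,6] [9,10] [13,14] and so on, because the TAP-Windows driver requires it. The script below is an added example, not code from the thread or the OpenVPN project: it numbers clients, computes a valid /30 pair for each (the server holds block 0, .1/.2, and the pool starts at block 1, so the first client gets .6/.5 exactly as the server's own pool would assign) and writes one ccd file per client. The 10.8.0 prefix, the directory and the client names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: write per-client ccd files that pin
# each client's tunnel address. Assumes "server 10.8.0.0 255.255.255.0" with
# OpenVPN's default net30 topology, where every client occupies its own /30 and
# the pair handed to it must be the two usable addresses of that /30 (last
# octets [1,2] [5,6] [9,10] [13,14] ...). The server itself uses block 0 (.1/.2)
# and the pool starts at block 1, so the first client gets .6/.5.

NET_PREFIX="10.8.0"   # assumption: first three octets of the server subnet

# net30_pair N: print "<client ip> <server-side endpoint>" for client number N (N >= 1)
net30_pair() {
    n=$1
    base=$(( n * 4 ))
    if [ "$base" -gt 248 ]; then
        echo "client $n does not fit in ${NET_PREFIX}.0/24 as a /30" >&2
        return 1
    fi
    echo "${NET_PREFIX}.$(( base + 2 )) ${NET_PREFIX}.$(( base + 1 ))"
}

# is_net30_pair A B: succeed only if A and B are the two usable addresses of one /30
is_net30_pair() {
    a=${1##*.}
    b=${2##*.}
    [ "$a" -ne "$b" ] || return 1
    [ $(( a / 4 )) -eq $(( b / 4 )) ] || return 1          # same /30 block
    for o in "$a" "$b"; do
        case $(( o % 4 )) in 0|3) return 1 ;; esac           # network or broadcast of the /30
    done
    return 0
}

# write_ccd DIR NAME N: create DIR/NAME; NAME must equal the CN of the client's certificate
write_ccd() {
    dir=$1; name=$2; n=$3
    pair=$(net30_pair "$n") || return 1
    mkdir -p "$dir"
    printf 'ifconfig-push %s\n' "$pair" > "$dir/$name"
}

# populate_ccd DIR NAME...: number the clients in the order given, starting at 1
populate_ccd() {
    dir=$1; shift
    i=1
    for name in "$@"; do
        write_ccd "$dir" "$name" "$i" || return 1
        i=$(( i + 1 ))
    done
}

# Stand-alone: "populate_ccd CCD_DIR NAME..." with real arguments, otherwise a temp-dir demo.
if [ "$#" -gt 0 ]; then
    populate_ccd "$@"
else
    demo=$(mktemp -d)
    populate_ccd "$demo" laptop phone
    head "$demo"/*
    rm -rf "$demo"
fi
```

`is_net30_pair` rejects `10.8.0.10 10.8.0.11` because .11 is the broadcast address of the 8-11 block; .9/.10 is the usable pair there. Two caveats a practitioner will want: a ccd file only takes effect when its name equals the CN of the client certificate, and a client that has no ccd file still connects and draws an address from the pool unless `ccd-exclusive` is also set in the server config. With `topology subnet` the /30 rule disappears and `ifconfig-push` takes an address and a netmask instead, e.g. `ifconfig-push 10.8.0.10 255.255.255.0`.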
 
Ain't done anything yet

Was waiting for you to post some configs / tips / tricks for added security
 
One more thing

I have an openvpn server running on a dedicated server

And if my mate has a dedicated server running openvpn as a server

How do you connect 2 VPN servers via a tunnel?
 
For added security, depending on how overboard you want to go, build a stronger key using 2048 or 4096 bit RSA. Clean out your keys folder with 'clean-all.bat' and add/edit the following line in vars.bat:

set KEY_SIZE=1024

Change it to 2048 or 4096, then rebuild the CA and server key. When building the keys add a password so that only you can use it. You can also use a username and password as well as the certs when a client connects, but tbh it's how far you want to go?

When you build the DH key it will be created at the same strength you set in vars.bat, i.e. dh2048.pem.

Tighten the security a bit using tls-auth; still in the terminal, use 'openvpn --genkey --secret ta.key'.

You must also add the following to both server and client configs:

set "tls-auth ta.key 0" in the server configuration file
set "tls-auth ta.key 1" in the client configuration file

Some info on tls-auth below.

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:
· DoS attacks or port flooding on the OpenVPN UDP port.
· Port scanning to determine which server UDP ports are in a listening state.
· Buffer overflow vulnerabilities in the SSL/TLS implementation.
· SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).

All keys will be in the keys folder.


Now to the openvpn configs.

Change the cipher to AES-256-CBC in both server and client. Use the lower AES-128 if you find a performance loss.

cipher AES-256-CBC

Change the tls-cipher to DHE-RSA-AES256-SHA in both server and client. Use a lower cipher if you find a performance loss.

tls-cipher DHE-RSA-AES256-SHA

Those are your main ones; there is more, but tbh if you want it you will need to read up.

PS, don't leave your easy-rsa folder with all your keys on your server, just in case.
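A quick way to check whether a config actually carries the items just listed (an explicit AES cipher, a tls-auth key, a tls-cipher restriction, and a DH file built at 2048 bits or more) is the audit below. It is an added example, not code from the thread or from OpenVPN: it reads a config the way OpenVPN does (one directive per line, `#` or `;` starting a comment, optional double quotes around arguments) and prints one finding per missing item. The two sample configs are constructed; the "hardened" one mirrors the settings recommended in this thread. The DH check is a file-name heuristic only (the file is not opened), and the cipher remark refers to older releases, whose default data cipher was BF-CBC.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenVPN config for the hardening
# items discussed above. Checks are directive-name and value based; key and DH files
# themselves are not opened, so the DH check is a file-name heuristic.

# conf_get FILE DIRECTIVE: print the arguments of the first matching directive, "" if absent.
# OpenVPN treats '#' and ';' as comment leaders and allows double quotes around arguments.
conf_get() {
    awk -v d="$2" '
        { sub(/[#;].*/, "") }                                  # strip comments
        $1 == d { $1 = ""; sub(/^ +/, ""); gsub(/"/, ""); print; exit }
    ' "$1"
}

# audit_openvpn_conf FILE: print one finding per line (nothing when the config passes)
audit_openvpn_conf() {
    f=$1
    c=$(conf_get "$f" cipher)
    case "$c" in
        "")    echo "cipher: not set, older releases fall back to BF-CBC" ;;
        AES-*) ;;
        *)     echo "cipher: $c is not an AES cipher" ;;
    esac
    if [ -z "$(conf_get "$f" tls-auth)" ] && [ -z "$(conf_get "$f" tls-crypt)" ]; then
        echo "tls-auth: missing, handshake packets carry no HMAC so anyone can start a TLS handshake"
    fi
    [ -n "$(conf_get "$f" tls-cipher)" ] || echo "tls-cipher: not restricted"
    case "$(conf_get "$f" dh)" in
        *1024*) echo "dh: file name suggests a 1024-bit group, rebuild with KEY_SIZE 2048 or more" ;;
    esac
}

# audit_count FILE: number of findings
audit_count() {
    audit_openvpn_conf "$1" | awk 'END { print NR }'
}

# Constructed before/after server configs; paths and port are placeholders.
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
;cipher AES-256-CBC
comp-lzo
EOF
    cat > "$1/hardened.conf" <<'EOF'
port 11094
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
tls-auth /etc/openvpn/keys/ta.key 0   # key from: openvpn --genkey --secret ta.key
cipher AES-256-CBC
tls-cipher DHE-RSA-AES256-SHA
EOF
}

# Stand-alone: audit the file given, otherwise the two constructed samples.
if [ "$#" -gt 0 ]; then
    audit_openvpn_conf "$1"
else
    d=$(mktemp -d)
    write_sample_confs "$d"
    for name in weak hardened; do
        echo "== $name.conf: $(audit_count "$d/$name.conf") finding(s)"
        audit_openvpn_conf "$d/$name.conf"
    done
    rm -rf "$d"
fi
```

Two things to keep in mind when applying the recommendations: `tls-cipher DHE-RSA-AES256-SHA` pins a single TLS suite, so both ends' OpenSSL builds must support it or the handshake fails with a TLS error; and on OpenVPN 2.4 and later `tls-crypt` can replace `tls-auth`, giving the same HMAC protection and additionally encrypting the control channel, which is why the audit accepts either.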
 
One more thing

I have an openvpn server running on a dedicated server

And if my mate has a dedicated server running openvpn as a server

How do you connect 2 VPN servers via a tunnel?

You are getting me confused now lol. I can show you, but first get a fully functioning server as secure as you want it, then we go from there?
 
The server config could look something like this:


port 11094
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
tls-cipher DHE-RSA-AES256-SHA
comp-lzo
max-clients 10
persist-key
persist-tun
status /tmp/openvpn-status-server.log 10
status-version 2
verb 6
mute 20


Client (Windows config):

client
proto udp
remote [email protected] 11094
resolv-retry infinite
nobind
dev tun
comp-lzo
persist-key
persist-tun
ca "C:\\program files\\openvpn\\keys\\ca.crt"
cert "C:\\program files\\openvpn\\keys\\laptop.crt"
key "C:\\program files\\openvpn\\keys\\laptop.key"
tls-auth "C:\\program files\\openvpn\\keys\\ta.key" 1
cipher AES-256-CBC
tls-cipher DHE-RSA-AES256-SHA
log C:\\openvpn.log
verb 5
 
Is the cipher set in server.conf?

Or is it some other file?

And clear all certs

And then remake them with better security

Cheers for your help m8
Can't do much till Monday as I'm busy
 
OK, I have done the following:

cipher AES-256-CBC
tls-cipher DHE-RSA-AES256-SHA

in server and client

also made the ta.key

that's working OK

done this:

vars.bat:

set KEY_SIZE=2048

need to remake the certificates

now you're saying I can add a password / username? Will this be in the cert or do you have to type it each time you connect?

I have noticed it adds around 10/15 ms to your traffic via the tunnel,
but that will be the encryption etc.

now when it comes to TLS renegotiation, I think every 1 hr, will it drop the connection then reconnect? Or does the connection stay live?
 