For added security, depending on how overboard you want to go, build a stronger key using 2048- or 4096-bit RSA. Clean out your keys folder with 'clean-all.bat' and edit the following line in vars.bat:
KEY_SIZE (set to 1024 by default)
Change it to 2048 or 4096, then rebuild the CA and server key. When building the keys, add a password so that only you can use them. You can also require a username and password as well as the certs when a client connects, but tbh it's a question of how far you want to go.
When you build the DH parameters they will be created at the same strength you set in vars.bat, i.e. dh2048.pem.
Tighten the security a bit using tls-auth; still in the terminal, run 'openvpn --genkey --secret ta.key'.
You must also add the following to both server and client configs:
set "tls-auth ta.key 0" in the server configuration file
set "tls-auth ta.key 1" in the client configuration file
Some info on tls-auth below.
The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:
· DoS attacks or port flooding on the OpenVPN UDP port.
· Port scanning to determine which server UDP ports are in a listening state.
· Buffer overflow vulnerabilities in the SSL/TLS implementation.
· SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).
All keys will be in the keys folder.
Now to the OpenVPN configs.
Change the cipher to AES-256-CBC in both server and client. Drop to AES-128 if you find a performance loss.
cipher AES-256-CBC
Change the TLS control-channel cipher (tls-cipher) to DHE-RSA-AES256-SHA in both server and client. Use a lower cipher if you find a performance loss.
tls-cipher DHE-RSA-AES256-SHA
Those are your main ones; there is more, but tbh if you want it you will need to read up.
PS, don't leave your easy-rsa folder with all your keys on your server, just in case.
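A quick way to check that a server/client pair actually carries the settings above (tls-auth with opposite key directions, AES-256-CBC, DHE-RSA-AES256-SHA, and a DH file of at least 2048 bits), as an added example that is not part of the original post; the two configs embedded in it are constructed samples, and the hostname is a placeholder.

```python
"""Audit an OpenVPN server/client config pair against the hardening settings
in the guide above. Example code added here, not from the original post."""
import re

# Constructed samples: the server is hardened, the client still has the
# defaults (no tls-auth, no tls-cipher, old BF-CBC data cipher).
SERVER_CONF = """\
port 1194
proto udp
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
tls-cipher DHE-RSA-AES256-SHA
"""
CLIENT_CONF = """\
client
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
"""


def parse_directives(text):
    """Map each directive to its argument list, ignoring blanks and comments."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            out[name] = args
    return out


def audit_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair matches the guide."""
    srv, cli = parse_directives(server_text), parse_directives(client_text)
    findings = []
    for role, conf, direction in (("server", srv, "0"), ("client", cli, "1")):
        ta = conf.get("tls-auth")
        if ta is None:
            findings.append(f"{role}: tls-auth missing")
        elif len(ta) < 2 or ta[1] != direction:
            findings.append(f"{role}: tls-auth key direction should be {direction}")
        if (conf.get("cipher") or [""])[0] not in ("AES-256-CBC", "AES-128-CBC"):
            findings.append(f"{role}: cipher is not AES-256-CBC (or AES-128-CBC)")
        if (conf.get("tls-cipher") or [""])[0] != "DHE-RSA-AES256-SHA":
            findings.append(f"{role}: tls-cipher is not DHE-RSA-AES256-SHA")
    # easy-rsa names the DH file after KEY_SIZE, e.g. dh2048.pem, so the
    # filename on the server's "dh" line tells us what strength was built.
    m = re.fullmatch(r"dh(\d+)\.pem", (srv.get("dh") or [""])[0])
    if not m or int(m.group(1)) < 2048:
        findings.append("server: dh parameter file is smaller than 2048 bits")
    return findings
```

Running audit_pair(SERVER_CONF, CLIENT_CONF) flags only the client, since the server sample already has everything applied.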