Ideas for securing OpenVPN on an OpenWrt router


Ideas for securing OpenVPN on an OpenWrt router

erikmccaskey64
OK, I put an OpenVPN server on port 1194 on an OpenWrt 10.03 router.
https://pastebin.com/raw.php?i=xEZTvnhT
http://pastebin.mozilla.org/1138443


Questions: what could I do to increase security regarding this OpenVPN server? - I mean on the server side!


1 - I sed 's/1194/50000/' the port number to a higher one - it's against the automated robots, OK!
2 - iptables? I should only allow IP ranges [on the input chain] that I will use in reality? - OK!
3 - if I don't use my router - e.g. when I'm sleeping, I just turn it off.
4 - ? What else?? Please write down your idea/solution!!!


OpenWrt isn't OpenBSD, so from the "ps" command I can see that OpenVPN is run by root. It's not so secure. How can I make it more secure?


Re: Ideas for securing OpenVPN on an OpenWrt router

Hugo Osvaldo Barrera
On 03/08/2011 12:34 PM, erikmccaskey64 wrote:

> OK, I put an OpenVPN server on port 1194 on an OpenWrt 10.03 router.
> https://pastebin.com/raw.php?i=xEZTvnhT
> http://pastebin.mozilla.org/1138443
>
>
> Questions: what could I do to increase security regarding this OpenVPN server? - I mean on the server side!
>
>
> 1 - I sed 's/1194/50000/' the port number to a higher one - it's against the automated robots, OK!
> 2 - iptables? I should only allow IP ranges [on the input chain] that I will use in reality? - OK!
> 3 - if I don't use my router - e.g. when I'm sleeping, I just turn it off.
> 4 - ? What else?? Please write down your idea/solution!!!
>
>
> OpenWrt isn't OpenBSD, so from the "ps" command I can see that OpenVPN is run by root. It's not so secure. How can I make it more secure?
>

Google OpenVPN+chroot, and run it as another user as well.

This isn't related to OpenBSD in any way; OpenWRT is based on linux,
OpenVPN is someone else's product.

--
Hugo Osvaldo Barrera


Re: Ideas for securing OpenVPN on an OpenWrt router

Kapetanakis Giannis
In reply to this post by erikmccaskey64
On 08/03/11 17:34, erikmccaskey64 wrote:

> OK, I put an OpenVPN server on port 1194 on an OpenWrt 10.03 router.
> https://pastebin.com/raw.php?i=xEZTvnhT
> http://pastebin.mozilla.org/1138443
>
>
> Questions: what could I do to increase security regarding this OpenVPN server? - I mean on the server side!
>
>
> 1 - I sed 's/1194/50000/' the port number to a higher one - it's against the automated robots, OK!
> 2 - iptables? I should only allow IP ranges [on the input chain] that I will use in reality? - OK!
> 3 - if I don't use my router - e.g. when I'm sleeping, I just turn it off.
> 4 - ? What else?? Please write down your idea/solution!!!
>
>
> OpenWrt isn't OpenBSD, so from the "ps" command I can see that OpenVPN is run by root. It's not so secure. How can I make it more secure?

In addition to the above mentioned:
Use tls-auth
Use tls-remote
Use user/group
Use udp
Use certificates as well as username/password authentication.
Use mutual authentication (both client and server)
Use strong ciphers, encryption keys and dh parameters.

secure your server (host)
read the documentation

Giannis
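The advice from Hugo's reply (chroot, run as another user) and Giannis's list (tls-auth, user/group, UDP, certificates plus username/password, mutual authentication, stronger ciphers and DH) collected into one server config, as an added example. This is not the poster's pastebin config or anything from the thread; it is a plain openvpn config file rather than OpenWrt's UCI format, and the file paths, the 10.8.0.0/24 subnet, the nobody/nogroup names and the verify.sh script are assumptions.

```conf
# Added example, not the original poster's config. Plain openvpn server
# config file (not OpenWrt UCI); paths, subnet and script name are assumed.
port 50000                     # item 1: non-default port, obscurity only
proto udp                      # avoids TCP-over-TCP; no connection state for bad packets
dev tun

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem   # 2048-bit DH params rather than the sample dh1024.pem

# tls-auth: every control-channel packet must carry a valid HMAC, so
# packets from senders without the shared key are dropped before any
# TLS processing, which is what makes the UDP server cheap to flood.
# Key made once with: openvpn --genkey --secret /etc/openvpn/ta.key
tls-auth /etc/openvpn/ta.key 0 # server side uses direction 0, clients 1

# Mutual authentication: the server only accepts client certificates
# issued by our CA that carry the client extended key usage.
# (tls-remote is the client-side counterpart that pins the server CN;
# it was removed in OpenVPN 2.4 in favour of verify-x509-name.)
remote-cert-tls client

# Username/password on top of the certificate. The script runs after
# chroot and the privilege drop, so it and anything it needs must live
# under /var/empty/openvpn and be executable by "nobody".
script-security 2
auth-user-pass-verify /verify.sh via-file
tmp-dir /tmp                   # resolved inside the chroot as well

# Stronger data-channel crypto than the defaults of the time (BF-CBC, SHA1).
cipher AES-256-CBC
auth   SHA256

# Drop root after initialisation (OpenWrt 10.03 ships nobody/nogroup).
# persist-key/persist-tun let a non-root daemon survive SIGUSR1 and
# ping-restart restarts without re-reading keys or re-opening tun.
user  nobody
group nogroup
persist-key
persist-tun
chroot /var/empty/openvpn      # empty, root-owned dir; holds verify.sh and tmp/

server 10.8.0.0 255.255.255.0
keepalive 10 120
verb 3
```

Check the result with `ps` as the poster did: after the handshake the openvpn process should show as nobody, not root, and a packet to UDP 50000 without a valid tls-auth HMAC leaves nothing in the log at verb 3.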


Re: Ideas for securing OpenVPN on an OpenWrt router

erikmccaskey64
Why does using only UDP give more security??


---- On Tue, 08 Mar 2011 14:04:08 -0800 Kapetanakis Giannis
<[hidden email]> wrote ----

On 08/03/11 17:34, erikmccaskey64 wrote:
> OK, I put an OpenVPN server on port 1194 on an OpenWrt 10.03 router.
> https://pastebin.com/raw.php?i=xEZTvnhT
> http://pastebin.mozilla.org/1138443
>
>
> Questions: what could I do to increase security regarding this OpenVPN server? - I mean on the server side!
>
>
> 1 - I sed 's/1194/50000/' the port number to a higher one - it's against the automated robots, OK!
> 2 - iptables? I should only allow IP ranges [on the input chain] that I will use in reality? - OK!
> 3 - if I don't use my router - e.g. when I'm sleeping, I just turn it off.
> 4 - ? What else?? Please write down your idea/solution!!!
>
>
> OpenWrt isn't OpenBSD, so from the "ps" command I can see that OpenVPN is run by root. It's not so secure. How can I make it more secure?

In addition to the above mentioned:
Use tls-auth
Use tls-remote
Use user/group
Use udp
Use certificates as well as username/password authentication.
Use mutual authentication (both client and server)
Use strong ciphers, encryption keys and dh parameters.

secure your server (host)
read the documentation

Giannis


Re: Ideas for securing OpenVPN on an OpenWrt router

Rod Whitworth-3
On Tue, 08 Mar 2011 23:40:16 -0800, erikmccaskey64 wrote:

>Why does using only UDP give more security??
He didn't say it did.

TCP-over-TCP is the problem.

TCP-over-UDP is less fractious.

http://sites.inka.de/bigred/devel/tcp-tcp.html


*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.


Re: Ideas for securing OpenVPN on an OpenWrt router

erikmccaskey64
Ohh, OK, got it!

My opinion: using VPN with TCP could be good, because there could be firewalls
only allowing TCP [on port e.g. 443], if you want to VPN home from your
workplace.


---- On Wed, 09 Mar 2011 01:11:38 -0800 Rod Whitworth
<[hidden email]> wrote ----

On Tue, 08 Mar 2011 23:40:16 -0800, erikmccaskey64 wrote:

>Why does using only UDP give more security??
He didn't say it did.

TCP-over-TCP is the problem.

TCP-over-UDP is less fractious.

http://sites.inka.de/bigred/devel/tcp-tcp.html


*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is
tarpitted. The reply-to: address is provided for those who feel compelled to
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.


Re: Ideas for securing OpenVPN on an OpenWrt router

Kevin Chadwick-2
In reply to this post by erikmccaskey64
On Tue, 08 Mar 2011 23:40:16 -0800
erikmccaskey64 wrote:

> 3 - if i don't use my router - e.g.: when i'm sleeping i just turn it
> off.

Well that's a controversial one, yes it's said an attacker will wait to
see if you're online for long before attacking but it's more of a Windows
type defence and could be seen as trading security for obscurity. The
boot up phase whilst likely one of the cleanest stages is also one of
the most privileged and vulnerable. Of course it's a lot easier to
protect your bios/chips and have a read only root on OpenBSD ;-) which
IMO is definitely the best OS for a router money can buy.

I can't believe off the shelf linux routers being rebooted is
tolerated or ones that send packets you haven't told them to (cisco
and a freebsd one I had). I was in PC World seeing out of interest if
they had ANY laptops that weren't widescreen once and asked if this
laser printer came with toners more than a third full (printers cheaper
than the toners!!!). He said I'll have a look....Hold on I'll just go
and reset the router, and they're the ones telling people what to buy,
too.


Re: Ideas for securing OpenVPN on an OpenWrt router

Kapetanakis Giannis
In reply to this post by Rod Whitworth-3
> On Tue, 08 Mar 2011 23:40:16 -0800, erikmccaskey64 wrote:
>
>> Why does using only UDP give more security??
> He didn't say it did.
>
> TCP-over-TCP is the problem.
>
> TCP-over-UDP is less fractious.
>
> http://sites.inka.de/bigred/devel/tcp-tcp.html
>
>

True.
Also it's more resilient to DoS attacks than on TCP.
http://openvpn.net/index.php/open-source/documentation/howto.html#security

Giannis
