Understanding security of a VPN server

So i've now setup a VPN server on a VM at home, using this installer: https://github.com/Angristan/OpenVPN-install

It was extremely straightforward and works great. I've set up a few .ovpn profiles for my devices and all of them work great.

My question is, if someone gets hold of one of those .ovpn files, they pretty much have full VPN access to the network right?

Is there some kind of additional layer of security I could implement? For example, could I have passcode protection on my server certificate keys as well? Is that possible?

I am storing the .ovpn keys on my dropbox account which is backed up automatically to one of my backup servers.

I have quite a bit of business equipment on the home network here, so I'm a little concerned about it getting into the wrong hands.

Is it safe to destroy those .ovpn files once installed on the devices and then generate new ones if need be in the future? I am guessing that way the only way someone could gain access to them is by hacking each of the devices and extracting that information in which case I could simply revoke access to those keys?

Is there some kind of script I could set up so that every time the VPN is accessed it would send an email (or am I thinking overkill now)?
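A connect notification is a standard OpenVPN hook rather than overkill. The script below is an added example, not from the original post or from Angristan's installer: it runs as a `client-connect` script on the server, logs every successful login to syslog and, when a `mail` command is present, e-mails it. It reads the connecting client's details from the environment variables OpenVPN sets for such scripts (`common_name`, `trusted_ip`, `trusted_port`, `ifconfig_pool_remote_ip`, `time_ascii`); the recipient address and the script path in the comments are assumptions. Because `common_name` is the name on the client certificate, the notice also tells you which certificate to revoke if a login was not yours.

```shell
#!/bin/sh
# Added example (not from the thread or the installer): OpenVPN client-connect
# hook that reports each successful VPN login.
#
# Assumed server-side configuration (paths are assumptions):
#   script-security 2
#   client-connect /etc/openvpn/notify-connect.sh
#
# OpenVPN exports the client's details in the environment; the variables used
# here are documented OpenVPN script variables. NOTIFY_TO is an assumption.
NOTIFY_TO="${NOTIFY_TO:-admin@example.net}"

# Build a one-line notice from OpenVPN's environment. Falls back to "?" for any
# variable that is missing so the message is still useful when run by hand.
format_notice() {
    printf 'VPN connect: cn=%s from=%s:%s tunnel_ip=%s at=%s\n' \
        "${common_name:-?}" "${trusted_ip:-?}" "${trusted_port:-?}" \
        "${ifconfig_pool_remote_ip:-?}" "${time_ascii:-$(date)}"
}

# Deliver the notice: always to syslog, and by mail when mail(1) exists.
# Every step is best-effort (|| true): a non-zero exit from a client-connect
# script makes OpenVPN reject the client, and a broken mailer must not lock
# you out of your own VPN.
send_notice() {
    msg="$1"
    logger -t openvpn-notify -- "$msg" 2>/dev/null || true
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$msg" \
            | mail -s "OpenVPN connect: ${common_name:-?}" "$NOTIFY_TO" || true
    fi
}

# Only act when OpenVPN invoked us as a client-connect script; sourcing or
# running the file by hand just defines the functions.
if [ "${script_type:-}" = "client-connect" ]; then
    send_notice "$(format_notice)"
    exit 0
fi
```

Keep the script owned by root and not world-writable: anything listed under `client-connect` runs with the server's privileges on every connection. If you only want to hear about logins from unfamiliar places, compare `trusted_ip` against your usual addresses before calling `send_notice`.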

Comments

  • For additional security you can add a username and password.

  • Put the certificate in another file, reference it in the main config, and store the certificate only offline, not online.

  • Thanks everyone!

    Is it safe to destroy those .ovpn files once installed on the devices and then generate new ones if need be in the future? I am guessing that way the only way someone could gain access to them is by hacking each of the devices and extracting that information in which case I could simply revoke access to those keys?

  • I wouldn't store the .ovpn files in a public place. However, there are a few things you can do if you really want to go that route. The first is take the public certificate and private key out of the .ovpn file and store those on the device separately. That way the configuration file is just that, configuration and nothing else. If someone gets it they still don't have access to the server because they have no certificates.

    If a certificate is compromised in some fashion, revoke it and issue a new one to put on the device. Then the server (properly configured) will check the revocation list and not allow access. The configuration file need not be re-installed or changed.

    As mentioned, you can augment OpenVPN's authentication system with username and password, as well as third-party solutions (I haven't checked but I'd be surprised if there wasn't a one-time password option available).

    You can also use firewalls on your VPN server and/or other machines to restrict access, but I'm guessing you actually want access to those machines when you're out and about. Certificate authentication is strong so use it and understand that if a key is stolen it needs to be revoked.
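The profiles Angristan's installer writes are single-file .ovpn profiles with the CA certificate, client certificate, private key and tls-crypt key inline, which is exactly why a leaked copy grants access. The script below is an added example (not from the thread and not part of the installer) of the separation the comment above describes: it moves each inline `<ca>`, `<cert>`, `<key>`, `<tls-crypt>` or `<tls-auth>` block into its own file and replaces it with the equivalent file directive, leaving a profile that is configuration only. The output file names, the directory layout and the embedded sample profile (with placeholder PEM contents, not real key material) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Angristan's installer): split the
# inline secrets out of a .ovpn profile so the profile itself can be stored
# or synced without handing out VPN access. File names are assumptions.
set -eu

# split_ovpn PROFILE OUTDIR
# Writes OUTDIR/client.ovpn (configuration only) plus one .pem file per
# inline block: ca.pem, cert.pem, key.pem and tls-crypt.pem or tls-auth.pem.
split_ovpn() {
    profile="$1"
    outdir="$2"
    mkdir -p "$outdir"
    chmod 700 "$outdir"
    awk -v outdir="$outdir" '
        # Opening tag: start a new file and emit the file directive that
        # replaces the inline block (e.g. "key key.pem"). A key-direction
        # line in the profile is left alone, so tls-auth keeps working.
        /^<(ca|cert|key|tls-crypt|tls-auth)>$/ {
            tag  = substr($0, 2, length($0) - 2)
            file = outdir "/" tag ".pem"
            printf "" > file
            print tag " " tag ".pem"
            next
        }
        # Closing tag: stop copying into the current file.
        tag != "" && $0 == ("</" tag ">") { close(file); tag = ""; next }
        # Inside a block: copy the line to the secret file only.
        tag != "" { print > file; next }
        # Everything else is plain configuration and stays in the profile.
        { print }
    ' "$profile" > "$outdir/client.ovpn"
    # Private material is owner-readable only; the certificates are public.
    for f in key tls-crypt tls-auth; do
        if [ -f "$outdir/$f.pem" ]; then chmod 600 "$outdir/$f.pem"; fi
    done
}

# write_sample_profile PATH
# Constructed sample in the shape of an installer-generated profile. The PEM
# bodies are placeholders, not real certificates or keys.
write_sample_profile() {
    cat > "$1" <<'EOF'
client
proto udp
remote vpn.example.net 1194
dev tun
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-128-GCM
tls-client
tls-version-min 1.2
verb 3
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERNOTAREALCACERT==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERNOTAREALCLIENTCERT==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERNOTAREALPRIVATEKEY==
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTEDPLACEHOLDERNOTAREALTLSCRYPTKEY
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# Stand-alone demo: write the constructed sample, split it, show the result.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_profile "$tmp/laptop.ovpn"
    split_ovpn "$tmp/laptop.ovpn" "$tmp/laptop"
    cat "$tmp/laptop/client.ovpn"
    ls -l "$tmp/laptop"
fi
```

OpenVPN resolves the relative file names against the profile's directory (or the directory you `cd` to), so copy the whole directory onto the device and sync or back up only `client.ovpn`. The `key.pem` written here can additionally be passphrase-protected (easy-rsa generates one when a client is built without `nopass`), in which case OpenVPN prompts for it on every connect, which is the "passcode on the key" the question asks about. On the server side the same separation is what makes revocation work without touching the device: revoke the client with the installer's revoke menu entry (easy-rsa `revoke` plus `gen-crl` under the hood) and keep `crl-verify crl.pem` in the server config so a revoked certificate is refused at the TLS handshake even though the device still holds its files.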

  • cubedata (Member, Patron Provider)

    Use Microsoft's SSL VPN implementation (SSTP) if you use Windows; it's built into 2012R2 and above and requires no third-party client. Or, if opening ports on your home firewall is an issue, use a SoftEther VPN server as a relay on a DDoS-protected VPS and another SoftEther VPN relay on your home network, and create a layer 2 bridge between them. And if you can use RADIUS for authentication against Active Directory, you get even more security: if an account gets affected, just disable the account in Active Directory and there's nothing more to worry about.

  • Has anybody got radius to work in Softether? I know I wasted some time on it and I've got Nyr's script modified to work with radius so I know radius works.

  • Bookmark !
