OpenVPN 2.4 and pure elliptic curve crypto setup

[dariusz]

i am sure not:) the length is not random. I don't know. but i will check my setup

[matt3226]

Your tutorial is really helpful for setting up EC, should be made into a sticky?

[dariusz]

can you run

YOUR_PATH/openssl x509 -in ca.crt -text -noout

and post result?

[dariusz]

I think that my ca.crt is longer as I include more information in them. The keys itself are the same.

You only use Common Name when I use full org info.

In vars file:

set_var EASYRSA_DN org
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"

It is not required. It does not change anything but only carries more info when e.g. you have to manage many keys and want to have descriptive info.

When you run
openssl x509 -in ca.crt -text -noout
you will see yourself what is included in your key.

[dariusz]

in my example at the beginning of the thread I only included parts of vars file which are mandatory to handle ec correctly. as you can see yourself in vars there are few more things you can configure - but they are optional.

[dariusz]

The ca.crt from my example contains the following:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f1:31:45:09:7d:c0:c7:91
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = California, L = San Francisco, O = Copyleft Certificate Co, OU = My Organizational Unit, CN = Easy-RSA CA, emailAddress = me@example.net
Validity
Not Before: Jan 16 09:14:02 2017 GMT
Not After : Jan 14 09:14:02 2027 GMT
Subject: C = US, ST = California, L = San Francisco, O = Copyleft Certificate Co, OU = My Organizational Unit, CN = Easy-RSA CA, emailAddress = me@example.net
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:01:61:b0:87:7a:184c:e9:55:7e:ea:ca:a3:
b8:03:4c:a0:a3f8:77:87:99:d9:93:c7:39:8a:
31:65:17:41:89:e4:2f:e7:5a:42:63:a8:59:97:fe:
bf:aa:57:14:97:ca:4a:aa:7e:e6:0d:61:fd:c9:22:
08:8a:ac:f4:5f:c4:13:00:ce:97:48:7f:07:6a:df:
ed:85:03:d9:b7:9a:3a:b1:1a:c9:aa:b0:42:b9:7d:
21:f2:56:6c:d1:05:88:46:ce:28:77:4e:38:d8:d4:
08:27:bb:29:bb:93:08:61:70:a8:c9:cb:a8:66:6f:
9b:44:6a:1c:7a:b4:46:e8:c9:ad:d0:6d:cc
ASN1 OID: secp521r1
NIST CURVE: P-521
X509v3 extensions:
X509v3 Subject Key Identifier:
4A:3D:CC:75:4C:38:68:01:91:2C:87:6F:AE:0D:81:27:82:11:16:D2
X509v3 Authority Key Identifier:
keyid:4A:3D:CC:75:4C:38:68:01:91:2C:87:6F:AE:0D:81:27:82:11:16:D2
DirName:/C=US/ST=California/L=San Francisco/O=Copyleft Certificate Co/OU=My Organizational Unit/CN=Easy-RSA CA/emailAddress=me@example.net
serial:F1:31:45:09:7D:C0:C7:91

X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
30:81:88:02:42:00:a5:ae:c4:6a:e9:05:f3:67:2a:94:ce:48:
21:b4:3f:db3b:54:8e:f3:a1:d4:b9:1b:9b:4d:8b:5f:eb:
a4:4d:8c:7f:8a:e0:f5:75:0d:3d:b3:eb:91:70:37:8d:95:bc:
02:bf:33:76:f2:e3:52:a2:1c:60:f1:66:fb:a9:3a:d3:42:02:
42:01:6d:72:64:0d:4e:8d:1c:d7:17:ed:f3:30:0f:44:e9:8d:
38:62:f0:88:a6:d0:f2:80:4e:e4:f7:d8:27:0a:9c:ce:41:c1:
8e:47:b0:d8:67:a2:66:0d:5a:8e:f8:85:9f:68:51:42:62:fa:
ea:64:6a:a4:b3:62:d3:49:25:ba:0f9d

[dariusz]

and systemd. It is relatively simple and you will find plenty of info on the net.

quick hack as you have already 2.3.4 installed is just edit /lib/systemd/system/openvpn@.service

and make sure that below line points into your 2.4 openvpn file instead of 2.3

ExecStart=/usr/local/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf

also you will have to recompile your openvpn to enable systemd if not done already.

./configure \
--enable-systemd \
--with-crypto-library=mbedtls

Happy tinkering:)

[matt3226]

output of YOUR_PATH/openssl x509 -in ca.crt -text -noout

Code: Select all

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ef:a6:69:ed:bf:7a:a6:ab
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = EC-test
        Validity
            Not Before: Jul 17 11:49:37 2017 GMT
            Not After : Jul 15 11:49:37 2027 GMT
        Subject: CN = EC-test
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                pub:
                    04:01:eb:b0:d8:3f:1b:b9:b9:9e:70:55:5f:c4:f9:
                    91:ce:04:44:6f:7f:a1:1e:13:e1:1e:c2:a8:f5:79:
                    07:e8:d5:46:bc:ab:9e:15:a6:92:41:86:4f:89:a4:
                    56:7c:20:d8:8f:94:ca:cf:80:ad:85:ba:4c:50:10:
                    6d:c0:28:61:c2:09:20:00:ea:18:7a:77:f0:25:c8:
                    50:7b:4d:d3:fd:6e:af:50:c8:5a:af:ff:3c:36:58:
                    f2:1a:04:c4:90:be:3a:7f:c2:29:b9:03:96:de:72:
                    b1:ab:11:29:83:46:05:6b:e6:e8:a5:a1:71:60:a3:
                    87:94:b3:47:92:6d:ec:92:79:bc:65:ff:2d
                ASN1 OID: secp521r1
                NIST CURVE: P-521
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                FA:7D:53:E5:FF:68:64:75:FE:6F:76:56:F6:41:B5:A9:FF:37:DA:C9
            X509v3 Authority Key Identifier: 
                keyid:FA:7D:53:E5:FF:68:64:75:FE:6F:76:56:F6:41:B5:A9:FF:37:DA:C9
                DirName:/CN=EC-test
                serial:EF:A6:69:ED:BF:7A:A6:AB

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA256
         30:81:87:02:42:01:9b:98:7a:80:15:6c:a6:f2:ba:b8:c3:11:
         eb:8b:f5:10:31:78:65:ef:97:0f:0b:eb:19:5b:64:fb:2e:2c:
         79:a3:da:2d:a3:57:ad:b9:50:28:fa:a6:d5:63:ab:a8:22:63:
         d5:06:bc:fd:46:a5:45:73:66:e7:cc:01:89:f2:cc:03:35:02:
         41:31:89:c1:3f:21:e9:29:74:ce:a8:64:2d:46:21:7d:77:4b:
         d6:b6:13:2f:c2:46:00:34:86:f5:fb:20:9c:ed:d9:4e:be:02:
         56:c1:0d:bc:33:58:46:7f:78:94:57:a5:8b:9d:28:7d:a7:9d:
         e4:42:06:43:8b:cd:1e:d3:80:ea:12:c2

Yep, only have CN here, so putting more info into the vars, will generate a longer output? It's just additional info, but doesn't negatively affect the security right?

[matt3226]

ExecStart=/usr/local/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf

That line is a little different for me:

Code: Select all

ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf

Yours is /usr/local/sbin/openvpn and mine is /usr/sbin/openvpn I went to both directories and also found a openvpn there, so to check if they're the same, I did the md5sum on both. Here's an imgur

So they're different binaries, which one to use?

[matt3226]

When recompiling openvpn to use systemd, I get this:

Code: Select all

checking for libsystemd... no
checking for libsystemd... no
configure: error: Package requirements (libsystemd-daemon) were not met:

No package 'libsystemd-daemon' found

I tried apt-get install libsystemd-daemon0, I thought it was a missing package/dependency?

That didn't work..

[matt3226]

Okay, quick update:

I seem to have fixed it by simply changing from:

Code: Select all

ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf

TO

Code: Select all

ExecStart=/usr/local/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf

The thing is, before this change, my tun0 interface was not showing up on reboot indicating that my openvpn wasn't starting up properly. After making the change and doing a reboot, the tun0 interface shows up like before !

So I guess the new 2.4.3 binary is at /usr/local/sbin/openvpn and the old one was at /usr/sbin/openvpn

My recompile with systemd failed, and this still works? Does it mean that recompiling with systemd is not required? All that is needed was to make the changes above..

[matt3226]

I might as well post my server/client conf and logs:

View Original Server.conf

dev tun
proto tcp
port 666
compress lz4
tls-server
ca /etc/openvpn/ECC/ca.crt
cert /etc/openvpn/ECC/EC-test.crt
key /etc/openvpn/ECC/EC-test.key
tls-crypt /etc/openvpn/ECC/ta.key
dh none
ecdh-curve secp521r1
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-version-min 1.2
persist-key
persist-tun
server 10.8.0.0 255.255.255.0
push "compress lz4"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
user nobody
group nogroup
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 3

View Original Client

client
dev tun
remote no-ip-domain 666 tcp
resolv-retry infinite
compress lz4
nobind
verify-x509-name EC-test name
remote-cert-tls server
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
tls-version-min 1.2
persist-key
persist-tun
verb 3
auth-nocache
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-crypt>
</tls-crypt>

Logs:

View Original Server logs

Tue Jul 18 10:51:19 2017 TCP connection established with [AF_INET]192.168.1.1:51749
Tue Jul 18 10:51:20 2017 192.168.1.1:51749 TLS: Initial packet from [AF_INET]192.168.1.1:51749, sid=d7a8641f 4ed05a82
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 VERIFY OK: depth=1, CN=EC-test
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 VERIFY OK: depth=0, CN=test1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_VER=2.4.3
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_PLAT=win
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_PROTO=2
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_NCP=2
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_LZ4=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_LZ4v2=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_LZO=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_COMP_STUB=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_COMP_STUBv2=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_TCPNL=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 Control Channel: TLSv1.2, cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, 521 bit key
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 [test1] Peer Connection Initiated with [AF_INET]192.168.1.1:51749
Tue Jul 18 10:51:21 2017 test1/192.168.1.1:51749 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Tue Jul 18 10:51:21 2017 test1/192.168.1.1:51749 MULTI: Learn: 10.8.0.6 -> test1/192.168.1.1:51749
Tue Jul 18 10:51:21 2017 test1/192.168.1.1:51749 MULTI: primary virtual IP for test1/192.168.1.1:51749: 10.8.0.6
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 SENT CONTROL [test1]: 'PUSH_REPLY,compress lz4,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

View Original Client Logs

Tue Jul 18 02:51:18 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
Tue Jul 18 02:51:18 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jul 18 02:51:18 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Tue Jul 18 02:51:18 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jul 18 02:51:18 2017 Need hold release from management interface, waiting...
Tue Jul 18 02:51:19 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'state on'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'log all on'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'echo all on'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'hold off'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'hold release'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'password [...]'
Tue Jul 18 02:51:19 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jul 18 02:51:19 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 18 02:51:19 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jul 18 02:51:19 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 18 02:51:19 2017 MANAGEMENT: >STATE:1500371479,RESOLVE,,,,,,
Tue Jul 18 02:51:19 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]external ip:666
Tue Jul 18 02:51:19 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 18 02:51:19 2017 Attempting to establish TCP connection with [AF_INET]external ip:666 [nonblock]
Tue Jul 18 02:51:19 2017 MANAGEMENT: >STATE:1500371479,TCP_CONNECT,,,,,,
Tue Jul 18 02:51:20 2017 TCP connection established with [AF_INET]external ip:666
Tue Jul 18 02:51:20 2017 TCP_CLIENT link local: (not bound)
Tue Jul 18 02:51:20 2017 TCP_CLIENT link remote: [AF_INET]external ip:666
Tue Jul 18 02:51:20 2017 MANAGEMENT: >STATE:1500371480,WAIT,,,,,,
Tue Jul 18 02:51:20 2017 MANAGEMENT: >STATE:1500371480,AUTH,,,,,,
Tue Jul 18 02:51:20 2017 TLS: Initial packet from [AF_INET]external ip:666, sid=0d55331e 8a62a69e
Tue Jul 18 02:51:20 2017 VERIFY OK: depth=1, CN=EC-test
Tue Jul 18 02:51:20 2017 VERIFY KU OK
Tue Jul 18 02:51:20 2017 Validating certificate extended key usage
Tue Jul 18 02:51:20 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jul 18 02:51:20 2017 VERIFY EKU OK
Tue Jul 18 02:51:20 2017 VERIFY X509NAME OK: CN=EC-test
Tue Jul 18 02:51:20 2017 VERIFY OK: depth=0, CN=EC-test
Tue Jul 18 02:51:21 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Tue Jul 18 02:51:21 2017 [EC-test] Peer Connection Initiated with [AF_INET]external ip:666
Tue Jul 18 02:51:22 2017 MANAGEMENT: >STATE:1500371482,GET_CONFIG,,,,,,
Tue Jul 18 02:51:22 2017 SENT CONTROL [EC-test]: 'PUSH_REQUEST' (status=1)
Tue Jul 18 02:51:22 2017 PUSH: Received control message: 'PUSH_REPLY,compress lz4,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: compression parms modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: route options modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: peer-id set
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: data channel crypto options modified
Tue Jul 18 02:51:22 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 18 02:51:22 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 18 02:51:22 2017 interactive service msg_channel=0
Tue Jul 18 02:51:22 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=6 HWADDR=c4:e9:84:0d:37:1c
Tue Jul 18 02:51:22 2017 open_tun
Tue Jul 18 02:51:22 2017 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{09D3110F-A374-4FAC-815E-C165F51F7901}.tap
Tue Jul 18 02:51:22 2017 TAP-Windows Driver Version 9.21
Tue Jul 18 02:51:22 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {09D3110F-A374-4FAC-815E-C165F51F7901} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Tue Jul 18 02:51:22 2017 Successful ARP Flush on interface [10] {09D3110F-A374-4FAC-815E-C165F51F7901}
Tue Jul 18 02:51:22 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 18 02:51:22 2017 MANAGEMENT: >STATE:1500371482,ASSIGN_IP,,10.8.0.6,,,,
Tue Jul 18 02:51:27 2017 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD external ip MASK 255.255.255.255 192.168.1.1
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 02:51:27 2017 MANAGEMENT: >STATE:1500371487,ADD_ROUTES,,,,,,
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 02:51:27 2017 Initialization Sequence Completed
Tue Jul 18 02:51:27 2017 MANAGEMENT: >STATE:1500371487,CONNECTED,SUCCESS,10.8.0.6,external ip,666,192.168.1.112,51749

[dariusz]

Well done!

you should still recompile because some things might not work as expected - what you are missing is

sudo apt-get install libsystemd-daemon-dev

[matt3226]

Oh great ! libsystemd-daemon-dev is exactly what I needed, now ./configure --enable-systemd --with-crypto-library=mbedtls works fine !


What's the point of recompiling it so that systemd is enabled?

[TinCanTech]

What's the point of recompiling it so that systemd is enabled?

The openvpn -> systemd code ensures that openvpn correctly notifies systemd of success or failure (It is a little more complicated than that because only specific use cases caused any error which is probably why you do not notice any difference).

Example: https://community.openvpn.net/openvpn/ticket/801

[matt3226]

Okay... that's complicated stuff !

Oh and, anything else to add to both the server and client configs to make it more secure?

[dariusz]

It really depends what you want achieve. Depending on threat level and potential adversaries it might even better not to use Internet at all:) hahaha

Check below if you want tinker more. In general what you've got in your config is more than enough for casual usage.

https://community.openvpn.net/openvpn/wiki/Hardening

https://gist.github.com/pwnsdx/8fc14ee1e9f561a0a5b8

[matt3226]

Thanks for sharing that github link !

Depending on threat level and potential adversaries huh?

From my understanding, the crypto implemented in these systems (like openVPN). Should be (for all practical purposes) secure from anything. I mean anything at all, NSA or huge powerful adversary or not. The crypto as far as I've read around the internet, is very secure.


And to back it up, it's been heavily audited by trusted cryptographers too, and even they agree it is a sound system. So what gives? Why are people assuming that the NSA (or anyone for that matter) is capable of breaking the crypto?

I'm just saying, just some thoughts...

[dariusz]

I would just follow good IT practices. E.g. I've noticed on your screenshot that you do stuff using root account. This is type of things you should worry more than crypto strength:)

Make sure that your openvpn server and client don't have any other vulnerabilities. Keep it patched.

if you want to be super secure I am afraid it will turn into full time job. Even the best configured system today might be compromised tomorrow. Read security blogs and stay on top of new issues - they emerge almost daily.

It is interesting subject but security is much more than choosing the longest possible key:)

Congratulation in making openvpn with ec work!! This is for sure achievement!

[dariusz]

for openvpn just run

man openvpn

and read about available options. There are plenty. But sometimes too much is not good. You can easily weaken security if you don't understand all implications of changing something.

For casual use I would stick to basic configuration.