Possible to use a modified .ovpn file with NordVPN?

Post by Cipherus » Thu Feb 09, 2023 12:18 am

Hi All,

As a mainstream VPN user since late 2018 I've always just used their proprietary apps to connect. Now, however, I'm on an OpenBSD system which I just couldn't get the OpenVPN networking daemon to work on, but have recently secured its internet by setting up my enterprise grade router with OpenVPN client settings so it functions as a VPN router.

Now I'm looking at hardening the security of the OpenVPN connection by adding various lines to the .ovpn config file, per this guide:
https://blog.securityevaluators.com/har ... 224a213ad2

In getting ready to do this I looked over the existing .ovpn file in the standard form it's provided by NordVPN in. It seems to be missing many of the "hardening" lines that the author of the above article indicates as being important for securing the connection. Particularly the bit about using TLS 1.2 as a minimum, and then ECDHE for forward secrecy, which seem to be missing from the standardised .ovpn file from Nord. But then again, being fairly unfamiliar with many of the commands, it might be that it's still quite secure.

Now when you sign up for Nord and similar services they talk about the high levels of encryption used, and I'm pretty sure I've heard mention of foolproof protocols like ChaCha20 etc. but from what I'm seeing in this .ovpn config file, I'm not getting any of these "features" am I?

(1) Does this mean that you're only getting the advertised protection if you run their proprietary apps that I'm guessing set these higher level features up behind the scenes within the app itself?

(2) If I add some of the proposed "hardening" lines to my existing .ovpn config file will it even work with Nord's servers, or would I be wasting my time?

(3) Depending on the answer to (2), is setting up a VPS the only way I can get a properly secured VPN with proper TLS, ciphers, etc., if I only have .ovpn files to work with in getting the OpenVPN connection set up?

Re: Possible to use a modified .ovpn file with NordVPN?

Post by Cipherus » Sun Feb 12, 2023 1:12 am

Hi All,

I've just tried adding some of the OpenVPN hardening lines sourced from here: https://blog.securityevaluators.com/har ... 61774702af
to the standard and default .ovpn client configuration files downloaded from https://www.nordvpn/ovpn

I firstly added the simple
tls-version-min 1.2
command line and found that I was able to connect fine.

Feeling more confident I then added the whole series of hardening lines:
#data channel cipher
cipher AES-128-GCM
ncp-disable #don't negotiate ciphers, we know what we want

# TLS 1.2 encryption settings
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
dh none #disable static Diffie-Hellman parameters since we're using ECDHE
ecdh-curve secp384r1 # use the NSA's recommended curve
#this tells OpenVPN which side of the TLS handshake it is
tls-server #tls-client on the client

but after adding the above lines it tried negotiating the connection for what seemed like a much longer time than normal only for it to report "disconnected" in my Peplink admin window where it shows the OpenVPN WAN connection status.

Attached is the full .ovpn contents (minus the complete keys). Can someone take a look over it and advise why it won't connect? Is the inability to establish a connection with the server because the server is running a conflicting config? Or is it some problem with the lines pasted above?

Thanks in advance for any advice on getting this working with the hardened settings.
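
A static check for the situation described in the post above, added here as an example (it is not from the post, the linked guide or NordVPN): it flags directives in a client profile that configure the server end of the tunnel, and lists the ones that pin a value the provider's server must also accept. The rule tables, function names and the sample profile with its placeholder host are assumptions of this example.

```python
# Added example: role and pinning check for an OpenVPN client profile.
# Constructed sample: directives as quoted in the post (tls-cipher list shortened).
SAMPLE_OVPN = """\
client
remote vpn.example.net 1194   # constructed placeholder host
tls-version-min 1.2
cipher AES-128-GCM
ncp-disable #don't negotiate ciphers, we know what we want
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
dh none #disable static Diffie-Hellman parameters since we're using ECDHE
ecdh-curve secp384r1
tls-server #tls-client on the client
"""

# Options that belong to the server end of the tunnel.
SERVER_ONLY = {
    "tls-server": "selects the TLS server role; 'client' already implies tls-client",
    "dh": "Diffie-Hellman parameters are only used by the TLS server side",
}
# Options that fix a value instead of negotiating it with the server.
PINNING = ("cipher", "ncp-disable", "tls-cipher", "ecdh-curve")

def parse_directives(text):
    """Yield (line_no, name, args), skipping comments and inline <ca>/<cert> blocks."""
    in_block = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            name, *args = line.split()
            yield no, name, args

def lint_client_profile(text):
    """Return (line_no, kind, directive, reason) for each line worth reviewing."""
    findings = []
    for no, name, args in parse_directives(text):
        if name in SERVER_ONLY:
            findings.append((no, "server-only", name, SERVER_ONLY[name]))
        elif name in PINNING:
            value = " ".join(args) or "(negotiation disabled)"
            findings.append((no, "pinned", name, "server must accept " + value))
    return findings

if __name__ == "__main__":
    for no, kind, name, why in lint_client_profile(SAMPLE_OVPN):
        print(f"line {no}: [{kind}] {name}: {why}")
```

A "pinned" finding is not an error in itself; it marks a setting that only works if the server side is configured to match.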
