Most secure connection for openvpn 2.3.2


Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
DaDave
OpenVpn Newbie
Posts: 3
Joined: Wed Jun 03, 2015 9:48 pm

Most secure connection for openvpn 2.3.2

Post by DaDave » Sat Mar 11, 2023 4:08 pm

Hi everyone,

I am two days deep in this topic and it is driving me nuts. I tried to find my answers in various forums and did use various search engines before I created this topic. You are my last hope :-)

I am running a home network based on a Unifi USG 3 Pro and I managed to establish an OpenVPN connection from my Android phone. So this is fine... But when I want to connect from my Windows PC I cannot establish a connection. I figured out that the new OpenVPN version utilizes OpenSSL 3, which does not allow TLS 1.0 connections anymore. I also figured out that the OpenVPN version included in the USG is 2.3.2 and that there is no valid option to upgrade it. It seems that the USG is stuck on an old Debian (wheezy) distribution and that Ubiquiti does not plan to do an update.

Of course I could just downgrade my Windows client to a version which still allows TLS 1.0. But I guess there is a reason they try to force TLS 1.2 or above. I really want to just use my USG as VPN server and I think I do not need the same security as a big company, but it should at least be secure enough to block any non-professional hacker from accessing my home network. Maybe you can help me with the following questions:

1) Is it a real risk to use TLS 1.0 for my private VPN access?
2) Is there a way to re-allow TLS 1.0 in the OpenVPN 2.6.1 version?
3) What can I do to maximize the security with the OpenVPN server version 2.3.2?


Here is my current config
Server:
The USG uses a configuration tool/file which differs a bit from a classic OpenVPN config file, so I just did not use the oconf format. For authentication I use the built-in RADIUS server, which is referenced in the --plugin option. If I understood the tutorials right, the certificates are not even used for authentication or encryption. If possible I would like to change that. When creating the certificates I double checked that SHA256 was used as hash algorithm.

Code:

        encryption aes256
        mode server
        openvpn-option "--keepalive 8 30"
        openvpn-option --comp-lzo
        openvpn-option --duplicate-cn
        openvpn-option "--user nobody --group nogroup"
        openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn"
        openvpn-option "--client-cert-not-required --username-as-common-name"
        openvpn-option "--verb 1"
        openvpn-option "--proto udp6"
        openvpn-option "--port 1194"
        openvpn-option "--push redirect-gateway def1"
        openvpn-option "--push dhcp-option DNS 8.8.8.8"
        openvpn-option "--push dhcp-option DNS 8.8.4.4"
        openvpn-option "--cipher aes-256-cbc"
        server {
            subnet 192.168.2.0/24
        }
        tls {
            ca-cert-file /config/auth/keys/ca.crt
            cert-file /config/auth/keys/server.crt
            dh-file /config/auth/keys/dh2048.pem
            key-file /config/auth/keys/server.key
        }
Client config:

client
float
dev tun

remote dyndns.address.com 1194 udp

resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-256-CBC
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
CA CERT in BASE64
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
CERT in BASE64
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
KEY in BASE64
-----END PRIVATE KEY-----
</key>


Every help or comment is welcome. To not use the USG as an OpenVPN server would be my last option.

Thanks in advance, Dave
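As an added example (not from the thread, and not Ubiquiti's or OpenVPN's own code), here is a short Python audit of the posted server options for the hardening points the question raises: no tls-auth key, compression enabled, no client certificate required, no TLS version floor, and minimal logging. It assumes the USG "openvpn-option" wrapper syntax shown in the post, and that the server release in use supports tls-auth and tls-version-min (tls-version-min may not be available in 2.3.2 itself).

```python
import re

# Constructed sample: the server options as posted in the thread, in the USG wrapper syntax.
SERVER_CONF = """\
encryption aes256
mode server
openvpn-option "--keepalive 8 30"
openvpn-option --comp-lzo
openvpn-option "--user nobody --group nogroup"
openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn"
openvpn-option "--client-cert-not-required --username-as-common-name"
openvpn-option "--verb 1"
openvpn-option "--cipher aes-256-cbc"
"""

def parse_usg_options(text):
    """Map option name -> value from the 'openvpn-option' lines (last value wins)."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r'\s*openvpn-option\s+"?(.*?)"?\s*$', line)
        if not m:
            continue
        # One wrapper line may carry several options: "--user nobody --group nogroup"
        for chunk in re.split(r'\s+(?=--)', m.group(1)):
            name, _, value = chunk.lstrip('-').partition(' ')
            opts[name] = value.strip()
    return opts

# Each check: (predicate that is True when the setting is weak, finding text).
CHECKS = [
    (lambda o: "tls-auth" not in o,
     "no tls-auth: any host can start a TLS handshake with the server; add a static HMAC key"),
    (lambda o: "comp-lzo" in o,
     "comp-lzo: compressing tunnelled data enables VORACLE-style plaintext recovery"),
    (lambda o: "client-cert-not-required" in o,
     "client-cert-not-required: the PAM username/password is the only client factor"),
    (lambda o: "tls-version-min" not in o,
     "no tls-version-min: the server still accepts a TLS 1.0 handshake"),
    (lambda o: o.get("verb", "").isdigit() and int(o["verb"]) < 3,
     "verb < 3: too little logging to diagnose refused connections"),
]

def audit(opts):
    """Return the findings for a parsed option map (empty list when none apply)."""
    return [text for weak, text in CHECKS if weak(opts)]

if __name__ == "__main__":
    for finding in audit(parse_usg_options(SERVER_CONF)):
        print("-", finding)
```

Running it against the posted options lists all five findings; re-running after adding tls-auth and tls-version-min, dropping comp-lzo and client-cert-not-required, and raising verb to 3 returns an empty list.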