Asentria SiteBoss 530 User Manual
2. Some of the things you must transfer using the SSLC command are secret data (the unit's private key and the TLS-auth key). "Secret" means that only the unit knows it (and possibly the server as well, if the key is kept in a secure location); if a secret key is compromised, the security of the entire VPN is compromised.
The CA certificate is the certificate of the certificate authority that both the unit and the server trust. The CA signs both the server's certificate and the unit's certificate, so the CA certificate must exist on both machines.
So it works through NAT-ing routers; that means it uses TCP or UDP, right?
It can use either UDP or TCP, although it works best with UDP. Change this to suit your firewall access policy with the net.vpn[x].ssl.proto key (its values are "TCP" and "UDP") and the net.vpn[x].ssl.port key (its value is an integer, the TCP/UDP port you choose). Whatever you pick must match what the server listens on.
I'm paranoid about security, how do I make it as secure as possible?
There are four things you can do to improve security with OpenVPN.
1. Add HMAC authentication of the control channel using a pre-shared key called a TLS-auth key. This is loaded with the SSLC command's "TLS-auth key" item. The key must be generated on the OpenVPN server, and the same key is installed on every client; with it in place, packets that do not carry a valid HMAC are dropped before any TLS processing, which blunts denial-of-service and TLS-stack probing from unauthenticated hosts.
2. Require the unit to present the credentials of a user account on the OpenVPN server before it can connect. The credentials are specified on the unit with the net.vpn[x].ssl.username and net.vpn[x].ssl.password keys. Bear in mind that a password stored in a setting key is only as secret as the unit's configuration.
3. Configure a cipher you are comfortable with. See the next question for how to configure the cipher.
4. Use a server certificate with the "server" nsCertType value, and configure the client to require a "server" nsCertType certificate (more on this in the next section). This prevents a stolen client certificate, which the same CA also signed, from being used to impersonate the server. Newer OpenVPN releases have replaced ns-cert-type with "remote-cert-tls server", which checks the certificate's extended key usage instead; use whichever the unit's OpenVPN version supports.
I already have a server...how do I make the unit cooperate?
The server is configured with a text configuration file; this is the first place to look to figure out what you need to configure on the unit. The unit essentially maintains the same kind of configuration file, but you cannot edit it directly. Instead, you specify settings via the unit's setting keys, and the unit generates the configuration file from those keys.
Some keys are specific: they specify the VPN protocol and VPN port, or the certificate to use. The previous answers in this section have discussed how to configure such things on the unit. Other setting keys on the unit are generic: they merely hold text in which you can enter any OpenVPN configuration option. The idea is to look at the server configuration to see which configuration items it requires on the client, add any further configuration items you require on the unit, and leave out any configuration items that the unit handles automatically for you. First, let's go over what a generic key is.
A generic key is of this form: net.vpn[x].ssl.conf[y], where y is a number between 1 and 16. For example, by default the cipher is "BF-CBC" (Blowfish in CBC mode with a 128-bit key). Blowfish is a 64-bit block cipher, and a long-lived tunnel that moves a lot of traffic under one key is exposed to birthday attacks on 64-bit block ciphers, so change it to something stronger such as AES-256-CBC (256-bit AES CBC) with the following setting:
• net.vpn[1].ssl.conf[7]="cipher AES-256-CBC"
"cipher AES-256-CBC" is the OpenVPN configuration item, 1 is VPN slot 1 (it could also be slot 2), and 7 is an arbitrary number between 1 and 16 that is unique among the other "ssl.conf" setting keys. In other words, 7 is just an index used to keep multiple configuration items apart. The server must accept the same cipher, or the tunnel will not come up. You can configure multiple settings, and the y values in net.vpn[x].ssl.conf[y] can be in any order and need not be adjacent. For example:
• net.vpn[x].ssl.conf[7]="cipher AES-256-CBC"
• net.vpn[x].ssl.conf[3]="comp-lzo"
• net.vpn[x].ssl.conf[9]="persist-key"
Some OpenVPN configuration items cannot be specified in a generic key. For example, the "ca" OpenVPN configuration item is required, but you cannot supply it through a generic key because the unit already generates that item from the CA certificate you provide via the SSLC command.
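The procedure above (read the server's configuration file, copy the client-relevant items into generic keys, skip what the unit does itself, and apply the four hardening steps from the earlier question) is mechanical enough to script. The following is an added example, not Asentria's code or the manual's own: a small Python translator that turns a server config into net.vpn[x].ssl.proto, net.vpn[x].ssl.port and net.vpn[x].ssl.conf[y] settings and warns about a 64-bit-block cipher, a missing TLS-auth key, and too many generic items. The key names and the 1..16 range come from the manual; the RESERVED set (which directives the unit supplies on its own) is an assumption beyond the "ca" item the manual names, as is the "dev" entry, and the sample server config is constructed for the example.

```python
"""Turn an OpenVPN server config into SiteBoss generic/specific setting keys.

Added example, not Asentria's code. Key names net.vpn[x].ssl.proto,
net.vpn[x].ssl.port and net.vpn[x].ssl.conf[y] (y in 1..16) come from the
manual; which directives the unit handles itself is only partly stated
there ("ca" via SSLC), so RESERVED below is an assumption.
"""

# Directives the unit supplies on its own: certificate material comes from
# the SSLC command, protocol/port/credentials from dedicated setting keys.
# "dev" is assumed to be handled by the unit as well.
RESERVED = {"ca", "cert", "key", "tls-auth", "proto", "port", "auth-user-pass", "dev"}

# Server-side directives that have no meaning in a client config.
SERVER_ONLY = {"server", "server-bridge", "push", "client-to-client", "dh",
               "ifconfig-pool-persist", "max-clients", "status", "log",
               "log-append", "duplicate-cn", "crl-verify"}

# 64-bit block ciphers: exposed to birthday (SWEET32-style) attacks on long tunnels.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

MAX_GENERIC = 16  # y in net.vpn[x].ssl.conf[y] runs from 1 to 16


def parse_config(text):
    """Yield (directive, argument-string) pairs, skipping blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def unit_settings(server_conf, slot=1, cert_check="ns-cert-type server"):
    """Return (settings, warnings) for VPN slot `slot`.

    settings maps SiteBoss key names to values; warnings lists hardening
    gaps found in the server config. cert_check is the client-side item
    that makes the unit insist on a "server" certificate (the manual's
    fourth hardening step); OpenVPN 2.5+ spells it "remote-cert-tls server".
    """
    settings, warnings, generic, seen = {}, [], [], set()
    for directive, arg in parse_config(server_conf):
        seen.add(directive)
        if directive == "proto":
            # The unit is the client, so tcp-server, tcp6 etc. all become TCP.
            settings[f"net.vpn[{slot}].ssl.proto"] = "TCP" if arg.lower().startswith("tcp") else "UDP"
        elif directive == "port":
            settings[f"net.vpn[{slot}].ssl.port"] = int(arg)
        elif directive in RESERVED or directive in SERVER_ONLY:
            continue
        else:
            generic.append(f"{directive} {arg}".strip())
    generic.append(cert_check)

    # Hardening checks from the manual's "paranoid" list.
    cipher = next((g.split()[1] for g in generic if g.startswith("cipher ")), "BF-CBC")
    if cipher in WEAK_CIPHERS:
        warnings.append(f"cipher {cipher} has a 64-bit block; use e.g. AES-256-CBC on both ends")
    if "tls-auth" not in seen:
        warnings.append("no tls-auth on server; generate a TLS-auth key there and load it with SSLC")

    if len(generic) > MAX_GENERIC:
        raise ValueError(f"{len(generic)} generic items but only {MAX_GENERIC} conf[y] slots")
    for y, item in enumerate(generic, start=1):
        settings[f"net.vpn[{slot}].ssl.conf[{y}]"] = item
    return settings, warnings


def render(settings):
    """Format settings the way the manual writes them, one key per line."""
    return "\n".join(f'{k}="{v}"' if isinstance(v, str) else f"{k}={v}"
                     for k, v in settings.items())


# Constructed server config for the example (not from the manual).
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
keepalive 10 120
"""

if __name__ == "__main__":
    settings, warnings = unit_settings(SERVER_CONF)
    print(render(settings))
    for msg in warnings:
        print("WARNING:", msg)
```

Run as a script it prints the proto and port keys, then conf[1] through conf[6] (cipher, comp-lzo, persist-key, persist-tun, keepalive and the server-certificate check) with no warnings; feed it a server config that is still on the BF-CBC default with no tls-auth line and it prints the two warnings instead. The conf[y] indices are assigned sequentially only for readability; as the manual says, any unique values between 1 and 16 would do.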
Now that we've identified what a generic key is, examine the example below to see how to make the unit
cooperate.