Asentria SiteBoss 530 User Manual
69
I'm paranoid about security, how do I make it as secure as possible?
There are three things you can do to improve security with OpenVPN.
1. Add an extra layer of HMAC authentication on the TLS control channel using a pre-shared key called a TLS-auth
key. This is managed with the SSLC command's "TLS-auth key" item. The unit cannot generate this key itself: generate
it on another OpenVPN installation (OpenVPN's --genkey option) and install the same key on the server, since both
ends must hold it.
2. Configure a cipher you are comfortable with. See the next question for how to configure the cipher.
3. Use a server certificate with the "server" nsCertType value, and configure the client to require a "server"
nsCertType certificate (more on this in the next section). Note that the ns-cert-type option was deprecated in
OpenVPN 2.4 and removed in 2.5; current builds use "remote-cert-tls server" for the same check.
I already have an OpenVPN client configuration in mind...how do I make the unit cooperate?
The client is configured with a text configuration file; this is the first place to look to figure out what you need to
configure on the unit. The unit essentially maintains the same configuration file, but you cannot edit it directly.
Instead, you specify settings via the unit's Setting Keys, and then the unit generates the configuration file from the
Setting Keys.
Some keys are specific: they set the VPN protocol, the VPN port, or the certificate to use. The previous answers in
this section have discussed how to configure such things on the unit. Other Setting Keys on the unit are generic:
they merely hold a line of text into which you can enter any OpenVPN configuration option. Once you have your
client configuration in mind, work out which of its items correspond to specific Setting Keys, supply the remaining
items through generic keys, and leave out any items the unit generates for you automatically. First, let's go over
what a generic key is.
A generic key is of this form: net.vpn[x].ssl.conf[y], where x is the VPN slot (1 or 2) and y is a number between
1 and 16. For example, by default the cipher is "BF-CBC" (Blowfish with a 128-bit key in CBC mode; Blowfish is a
64-bit block cipher). You can change this to something stronger, say AES-256-CBC (256-bit AES in CBC mode), with
the following setting:
• net.vpn[1].ssl.conf[7]="cipher AES-256-CBC"
"cipher AES-256-CBC" is the OpenVPN configuration item, 1 is VPN slot 1 (it could also be slot 2), and 7 is an
arbitrary number between 1 and 16 that is unique among the other "ssl.conf" Setting Keys. In other words, 7 is
just an index used to tell your multiple configuration items apart. You can configure multiple settings, and the
'y' values in net.vpn[x].ssl.conf[y] can be in any order and need not be adjacent. For example:
• net.vpn[x].ssl.conf[7]="cipher AES-256-CBC"
• net.vpn[x].ssl.conf[3]="comp-lzo"
• net.vpn[x].ssl.conf[9]="persist-key"
Some OpenVPN configuration items cannot be specified in a generic key. For example, the "ca" item is required in
every client configuration, but you cannot set it through a generic key because the unit already generates that item
from the CA certificate you provide via the SSLC command. The same applies to the other items the unit derives from
its specific Setting Keys and from SSLC. With generic keys understood, examine the example below to see how to make
the unit cooperate.
Example
Here is an example OpenVPN client configuration. The discussion that follows explains what each item means for the
client and what it means for the unit. For a better understanding of OpenVPN configuration, consult the documentation at
client
remote 10.82.3.1
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/myserver.crt
key /etc/openvpn/myserver.key
tls-auth /etc/openvpn/tlsauth.key
cipher AES-256-CBC
comp-lzo
ping 15
ping-restart 60
verb 3
daemon
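The script below is an added example, not part of the Asentria manual or the unit's firmware. It turns a client
configuration like the one above into the generic net.vpn[x].ssl.conf[y] assignments described earlier, skipping the
items the unit fills in itself, enforcing the 1..16 index limit, and checking the three hardening points from the
"paranoid about security" question. The set of directives treated as unit-handled is an assumption: the manual names
ca, cert/key, tls-auth, proto and port, and "client" and "remote" are added on the assumption that the unit sets those
too. The sample input is constructed from the configuration above, with a comment and an inline <ca> block added to
exercise the parser; the certificate body is a placeholder.

```python
import re

# Directives the unit generates itself from its specific Setting Keys and
# from the material loaded with the SSLC command, so they must NOT be placed
# in a generic net.vpn[x].ssl.conf[y] key. The manual names ca, cert/key,
# tls-auth, proto and port; "client" and "remote" are included on the
# ASSUMPTION that the unit, being the VPN client, sets those too.
UNIT_HANDLED = frozenset({"ca", "cert", "key", "tls-auth", "proto", "port",
                          "client", "remote"})

# Constructed sample input: the manual's client configuration with a comment,
# an inline <ca> block and a trailing ';' comment added to exercise the parser.
# The certificate body is a placeholder, not real certificate data.
SAMPLE_CONF = """\
# client side of the tunnel
client
remote 10.82.3.1
port 1194
proto udp
dev tun
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
cert /etc/openvpn/myserver.crt
key /etc/openvpn/myserver.key
tls-auth /etc/openvpn/tlsauth.key
cipher AES-256-CBC
comp-lzo
ping 15
ping-restart 60
verb 3   ; logging level
daemon
"""


def parse_client_conf(text):
    """Return one string per configuration item, e.g. "cipher AES-256-CBC".

    Comments (# or ;) and blank lines are dropped. An inline <tag>...</tag>
    block is reduced to the bare directive name ("ca"), so it is filtered
    the same way as the file-based "ca /path" form.
    """
    directives = []
    inline_tag = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if inline_tag is not None:
            if line == f"</{inline_tag}>":
                directives.append(inline_tag)
                inline_tag = None
            continue
        if not line:
            continue
        opening = re.fullmatch(r"<([a-z-]+)>", line)
        if opening:
            inline_tag = opening.group(1)
            continue
        directives.append(" ".join(line.split()))  # normalise whitespace
    if inline_tag is not None:
        raise ValueError(f"unterminated inline block <{inline_tag}>")
    return directives


def to_setting_keys(directives, slot=1, handled=UNIT_HANDLED, max_items=16):
    """Map the generic directives to net.vpn[slot].ssl.conf[y] assignments.

    Items the unit handles itself are skipped. y is assigned 1, 2, 3, ...
    here; the unit only requires that each y be unique and within 1..16.
    """
    if slot not in (1, 2):
        raise ValueError("VPN slot must be 1 or 2")
    generic = [d for d in directives if d.split()[0] not in handled]
    if len(generic) > max_items:
        raise ValueError(f"{len(generic)} generic items, but only "
                         f"{max_items} ssl.conf keys are available")
    return [f'net.vpn[{slot}].ssl.conf[{y}]="{d}"'
            for y, d in enumerate(generic, start=1)]


def audit(directives):
    """Warn about the three hardening points raised in the manual's FAQ."""
    values = {}
    for d in directives:
        name, _, rest = d.partition(" ")
        values.setdefault(name, rest)
    warnings = []
    # With no cipher line the unit (and pre-2.4 OpenVPN) falls back to BF-CBC,
    # a 64-bit block cipher; the manual suggests AES-256-CBC instead.
    if values.get("cipher", "BF-CBC").upper() == "BF-CBC":
        warnings.append("cipher is BF-CBC: set cipher AES-256-CBC")
    if "tls-auth" not in values:
        warnings.append("no tls-auth: load an HMAC key via SSLC")
    if values.get("remote-cert-tls") != "server" and \
            values.get("ns-cert-type") != "server":
        warnings.append("client does not require a server certificate: add "
                        "remote-cert-tls server (ns-cert-type server on old builds)")
    return warnings


if __name__ == "__main__":
    items = parse_client_conf(SAMPLE_CONF)
    for key in to_setting_keys(items, slot=1):
        print(key)
    for warning in audit(items):
        print("WARNING:", warning)
```

Run against the sample, the script emits seven generic keys (dev tun, cipher, comp-lzo, ping, ping-restart, verb,
daemon) for slot 1 and one warning, because the sample sets a strong cipher and a TLS-auth key but never requires the
peer to present a "server" certificate.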