Security question.
-
Hello everyone. I recently successfully set up an OpenVPN LDAP authentication server as part of my internship. A lot of threads that I found on this forum helped me out a great deal. Everything is running fine and without any problems.
The thing is that my boss now wants me to find out if the OpenVPN connection between the clients and the server is secure. I have no idea how to check that. I'm not entirely sure if the server is using SSL/TLS with the way I have it set up right now.
Under "Server Mode" I have the server set to Remote Access (User Auth), I'm guessing that I have to change it to SSL/TLS+User Auth in order for it to be more secure.
Under "Cryptographic Settings" I currently have "Enable authentication of TLS packets" checked. Any help would be much appreciated, I'm rather new to the networking field.
-
You can check the server's config file in /var/etc/openvpn/ (forget exact file off the top of my head, but it'll be obvious if you look in there), and you'll see the "cipher X" line with the cipher you've chosen. It strictly uses that cipher for anything connected to that server. Given OpenVPN is widely audited and has an excellent security track record over many years, that alone can be considered adequate proof. If you really want to dig in, packet capture on WAN of the port you're using for OpenVPN, then download that capture and analyze it in Wireshark. Differentiating encrypted vs. non-encrypted isn't necessarily trivial, it depends on what you're passing across it. You could set up another instance of OpenVPN that doesn't use a cipher, send something in plain text across that, send the same thing in plain text across the encrypted one, and analyze the results to see the difference. Depends on how much you want to really dig into it.
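Two of the checks cmd describes, written up as added example code (this is not from the thread, pfSense or the OpenVPN project): the first parses the server config for the directives that decide confidentiality and integrity (`cipher`, `auth`, and the `tls-auth`/`tls-crypt` line that the "Enable authentication of TLS packets" checkbox produces); the second takes raw payload bytes pulled out of a capture and estimates whether they look encrypted or plaintext using Shannon entropy and the share of printable characters. The config text, the payload samples, the entropy threshold and the printable-ratio threshold are all constructed assumptions for the example.

```python
"""Added example: audit an OpenVPN server config and classify captured payload bytes.

Not code from the thread. The sample config, the sample payloads, and the
classification thresholds below are constructed for illustration.
"""
import hashlib
import math
import string

# Constructed sample of the directives pfSense writes under /var/etc/openvpn/.
SAMPLE_SERVER_CONF = """\
dev ovpns1
proto udp4
cipher AES-256-CBC
auth SHA256
tls-auth /var/etc/openvpn/server1/ta.key 0   # written when TLS packet auth is enabled
ca /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
"""

# Data-channel ciphers that give no, or no longer adequate, confidentiality
# ("none" disables encryption; the others are 64-bit block ciphers or RC2).
WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede-cbc", "rc2-cbc", "rc2-40-cbc", "rc2-64-cbc"}
# HMAC choices that disable or weaken data-channel integrity.
WEAK_AUTH = {"none", "md5"}


def parse_directives(conf_text):
    """Return {directive: [args]} for the first occurrence of each directive."""
    directives = {}
    for raw in conf_text.splitlines():
        # OpenVPN treats '#' and ';' as comment markers.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), args)
    return directives


def audit_config(conf_text):
    """Return a list of findings; an empty list means no obvious weakness was seen."""
    d = parse_directives(conf_text)
    findings = []
    # OpenVPN 2.3/2.4 fall back to BF-CBC when the config has no cipher line.
    cipher = d.get("cipher", ["BF-CBC"])[0].lower()
    if cipher in WEAK_CIPHERS:
        findings.append("weak or absent data-channel cipher: %s" % cipher)
    auth = d.get("auth", ["SHA1"])[0].lower()  # OpenVPN's default HMAC is SHA1
    if auth in WEAK_AUTH:
        findings.append("weak or absent data-channel HMAC: %s" % auth)
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("control channel has no tls-auth/tls-crypt key")
    return findings


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII (letters, digits, punctuation, whitespace)."""
    printable = set(string.printable.encode())
    return sum(1 for b in data if b in printable) / len(data)


def classify_payload(payload, min_entropy=7.0, max_printable=0.6):
    """Heuristic: ciphertext approaches 8 bits/byte with few printable bytes;
    text protocols sit well below that and are almost entirely printable.
    Thresholds are assumptions chosen for this example."""
    if len(payload) < 64:
        return "unknown"  # too short for a meaningful entropy estimate
    h = shannon_entropy(payload)
    pr = printable_ratio(payload)
    if h >= min_entropy and pr <= max_printable:
        return "encrypted"
    if h < min_entropy and pr > max_printable:
        return "plaintext"
    return "ambiguous"


# Constructed samples standing in for payload bytes copied out of Wireshark.
SAMPLE_PLAINTEXT = (b"GET /intranet/index.html HTTP/1.1\r\nHost: intranet.example.local\r\n"
                    b"User-Agent: curl/7.64.0\r\nAccept: */*\r\n\r\n") * 8
# Deterministic high-entropy bytes (SHA-256 counter output) standing in for ciphertext.
SAMPLE_CIPHERTEXT = b"".join(
    hashlib.sha256(b"constructed-sample" + i.to_bytes(4, "big")).digest() for i in range(32))

if __name__ == "__main__":
    print("config findings:", audit_config(SAMPLE_SERVER_CONF) or "none")
    print("weak config findings:", audit_config("cipher none\nauth none\n"))
    for label, sample in (("http text", SAMPLE_PLAINTEXT), ("sha256 stream", SAMPLE_CIPHERTEXT)):
        print("%-14s entropy=%.2f printable=%.2f -> %s" % (
            label, shannon_entropy(sample), printable_ratio(sample), classify_payload(sample)))
```

A caveat worth keeping in mind when running the second check over a real capture: compressed data (for example traffic from a tunnel with `comp-lzo` enabled) also scores near 8 bits per byte, so high entropy shows that the bytes are not readable, not that they were encrypted by a particular cipher. The config audit is the stronger evidence of what the server actually does; the capture comparison cmd suggests is what confirms that the bytes on the wire match it.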
-
Thank you for your answer cmd. I have one last question. What is the main difference between the "User Auth" and "SSL/TLS User Auth" server modes?
-
The latter requires a specific certificate for each user, and the former doesn't.