Reasonably secure config for OpenVPN?
Just looking for some general feedback on my configuration.
I am authenticating against AD/LDAP and using certs created within pfSense.
Is this a reasonably secure configuration for remote RDP access?
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 50.x.x.x
tls-server
server 10.19.81.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Nova' true server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'edge.x.edu' 1 "
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 20
push "route 192.168.76.0 255.255.255.0"
push "dhcp-option DOMAIN x.pri"
push "dhcp-option DNS 192.168.76.6"
push "dhcp-option DNS 192.168.76.7"
push "register-dns"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo no
passtos
persist-remote-ip
float
topology subnet
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
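As an added example, not part of this thread or of pfSense's own tooling, here is a small Python linter that walks an OpenVPN server config like the one posted above and reports the directives a reviewer checks first: control-channel HMAC (tls-auth/tls-crypt), CRL checking, minimum TLS version, data-channel cipher and HMAC, compression, and the script-security level. The embedded sample is an excerpt of the posted config, one directive per line; the fallback values used when a directive is absent are the OpenVPN 2.3/2.4 defaults (BF-CBC, SHA1), and the finding keys and severities are this script's own labels.

```python
import shlex

# Constructed sample: an excerpt of the server config posted above, one directive per line.
SAMPLE_CONFIG = """
dev ovpns1
verb 1
script-security 3
proto udp
cipher AES-128-CBC
auth SHA256
tls-server
server 10.19.81.0 255.255.255.0
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Nova' true server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'edge.x.edu' 1 "
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo no
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
"""

# Data-channel ciphers / HMACs a reviewer should not accept on a new deployment.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}


def parse_openvpn_config(text):
    """Return a list of (directive, [args]) tuples; blank and '#'/';' comment lines are skipped.

    shlex handles the quoted script arguments (e.g. auth-user-pass-verify "...") correctly.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def audit_openvpn_config(text):
    """Return a list of (level, key, message) findings for an OpenVPN server config."""
    findings = []
    by_name = {}
    for name, args in parse_openvpn_config(text):
        by_name.setdefault(name, []).append(args)
    present = set(by_name)

    # Control channel: without tls-auth/tls-crypt, unauthenticated packets reach the TLS stack.
    if not ({"tls-auth", "tls-crypt"} & present):
        findings.append(("warn", "tls-auth", "no tls-auth/tls-crypt: control channel is not HMAC-protected"))

    # Revocation: without crl-verify a revoked client certificate still authenticates.
    if "crl-verify" not in present:
        findings.append(("warn", "crl-verify", "no crl-verify: revoked client certificates are still accepted"))

    tls_min = by_name.get("tls-version-min")
    if not tls_min or not tls_min[0] or float(tls_min[0][0]) < 1.2:
        findings.append(("warn", "tls-version", "tls-version-min should be 1.2 or higher"))

    # Data channel cipher: OpenVPN 2.3/2.4 default to BF-CBC when the directive is absent.
    cipher = by_name.get("cipher", [["BF-CBC"]])[0][0].upper()
    if cipher in WEAK_CIPHERS:
        findings.append(("high", "cipher-weak", "cipher %s is weak or deprecated" % cipher))
    elif not cipher.endswith("-GCM"):
        findings.append(("info", "cipher-cbc", "cipher %s is a non-AEAD mode; AES-*-GCM is preferred" % cipher))

    # Data channel HMAC: default is SHA1 when absent.
    auth = by_name.get("auth", [["SHA1"]])[0][0].upper()
    if auth in WEAK_AUTH:
        findings.append(("warn", "auth", "auth %s is weak; use SHA256 or stronger" % auth))

    # Compression on a VPN exposes the tunnel to compression-oracle attacks; only 'no'/'stub' are safe.
    for args in by_name.get("comp-lzo", []):
        if not args or args[0].lower() in {"yes", "adaptive"}:
            findings.append(("warn", "compression", "comp-lzo enables compression; set 'comp-lzo no'"))
    for args in by_name.get("compress", []):
        if args and args[0].lower() not in {"stub", "stub-v2"}:
            findings.append(("warn", "compression", "compress %s enables compression" % args[0]))

    # script-security 3 allows user passwords to reach scripts through environment variables.
    ss = by_name.get("script-security")
    if ss and ss[0] and ss[0][0] == "3":
        findings.append(("info", "script-security",
                         "script-security 3: user passwords may be passed to scripts via the environment"))
    return findings


if __name__ == "__main__":
    for level, key, message in audit_openvpn_config(SAMPLE_CONFIG):
        print("[%s] %s: %s" % (level, key, message))
```

Run against the posted excerpt, the script reports only two informational items (the CBC cipher and script-security 3); the tls-auth, crl-verify, tls-version-min 1.2, SHA256 and comp-lzo no lines all pass.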
Sure. Not sure what flavor of remote desktop you're using, but for quite some time UDP has also been viable and faster, so you might want to allow UDP as well.
Clients are connecting to Win7 Pro machines in their offices.
I've never heard of RDP over UDP, I will have to check into that.
You can probably more strictly limit the destination DNS hosts too.
RDP 8 came out in, what, 2012? When Windows 8 came out. It was released for Windows 7 around the same time, I do believe. Current is 8.1, which also runs on Windows 7.
RDP over UDP works even on Windows 7; the RDP 8.0/8.1 updates have been available for quite some time.