Reasonably secure config for OpenVPN?



  • Just looking for some general feedback on my configuration.
    I am authenticating against AD/LDAP and using certs created within pfSense.
    Is this a reasonably secure configuration for remote RDP access?

    dev ovpns1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 50.x.x.x
    tls-server
    server 10.19.81.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Nova' true server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'edge.x.edu' 1 "
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 20
    push "route 192.168.76.0 255.255.255.0"
    push "dhcp-option DOMAIN x.pri"
    push "dhcp-option DNS 192.168.76.6"
    push "dhcp-option DNS 192.168.76.7"
    push "register-dns"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.4096
    crl-verify /var/etc/openvpn/server1.crl-verify
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo no
    passtos
    persist-remote-ip
    float
    topology subnet
    tls-version-min 1.2
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    

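Added example, not a reply from the thread and not code from the original poster or from pfSense: a small shell audit that reads an OpenVPN server config one directive per line (the way pfSense writes it) and flags the points a reviewer would raise about the config above: `user`/`group` commented out, a CBC data cipher, `tls-auth` where `tls-crypt` (OpenVPN 2.4+) is available, no `remote-cert-tls client`, the password passed `via-env` under `script-security 3`, and `verb 1`. Both embedded configs are constructed: the first copies the relevant lines of the posted config, the second corrects each setting. The verify-script path in the second is a placeholder, and the thread does not establish whether pfSense's `ovpn_auth_verify` wrapper works with `via-file`.

```shell
#!/bin/sh
# Added example (not from the original post or from pfSense): keyword audit of
# an OpenVPN server config. Assumes one directive per line, uncommented.

WEAK_CONF="$(mktemp)"
HARD_CONF="$(mktemp)"
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Constructed sample 1: the security-relevant lines of the posted config.
cat > "$WEAK_CONF" <<'EOF'
#user nobody
#group nobody
script-security 3
cipher AES-128-CBC
auth SHA256
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Nova' true server1" via-env
tls-auth /var/etc/openvpn/server1.tls-auth 0
crl-verify /var/etc/openvpn/server1.crl-verify
tls-version-min 1.2
verb 1
EOF

# Constructed sample 2: the same lines with each weak setting corrected.
# The verify-script path is a placeholder (hypothetical), not pfSense's wrapper.
cat > "$HARD_CONF" <<'EOF'
user nobody
group nobody
script-security 2
cipher AES-256-GCM
auth SHA256
remote-cert-tls client
auth-user-pass-verify /usr/local/sbin/my-verify-script via-file
tls-crypt /var/etc/openvpn/server1.tls-crypt
crl-verify /var/etc/openvpn/server1.crl-verify
tls-version-min 1.2
verb 3
EOF

# has_directive FILE NAME: true if an uncommented line starts with NAME
has_directive() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# directive_value FILE NAME: arguments of the first uncommented NAME line
directive_value() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" | head -n 1 |
        sed -E "s/^[[:space:]]*$2[[:space:]]*//"
}

# audit_ovpn_conf FILE: prints one "FINDING: ..." line per weak setting
audit_ovpn_conf() {
    conf="$1"
    finding() { echo "FINDING: $1"; }
    # Privilege drop: with user/group commented out, the daemon and every
    # up/down/connect script it spawns keep root after initialisation.
    has_directive "$conf" user  || finding "no 'user' directive: daemon stays root"
    has_directive "$conf" group || finding "no 'group' directive: daemon keeps root group"
    # Data channel: CBC plus a separate HMAC is not broken, but an AEAD cipher is preferred.
    case "$(directive_value "$conf" cipher)" in
        *GCM*) ;;
        *) finding "cipher '$(directive_value "$conf" cipher)' is not AEAD; prefer AES-256-GCM" ;;
    esac
    # Control channel: tls-auth authenticates the handshake; tls-crypt also encrypts it.
    if ! has_directive "$conf" 'tls-crypt(-v2)?'; then
        if has_directive "$conf" tls-auth; then
            finding "tls-auth only: tls-crypt would also encrypt the TLS handshake"
        else
            finding "no tls-auth/tls-crypt: handshake packets are unauthenticated"
        fi
    fi
    # Reject a certificate lacking the client EKU when presented as a client cert.
    has_directive "$conf" remote-cert-tls || finding "no 'remote-cert-tls client'"
    # Revocation and protocol floor.
    has_directive "$conf" crl-verify || finding "no 'crl-verify': revoked certs still accepted"
    case "$(directive_value "$conf" tls-version-min)" in
        1.2|1.3) ;;
        *) finding "tls-version-min missing or below 1.2" ;;
    esac
    # via-env hands the plaintext password to a root-run script through its
    # environment and needs script-security 3; via-file needs only level 2.
    directive_value "$conf" auth-user-pass-verify | grep -q 'via-env' &&
        finding "auth-user-pass-verify uses via-env (requires script-security 3)"
    # verb 1 drops the per-connection events you want during incident response.
    case "$(directive_value "$conf" verb)" in
        0|1|2) finding "verb $(directive_value "$conf" verb): connects not logged; use 3" ;;
    esac
    return 0
}

# finding_count FILE: number of findings, 0 when the config passes
finding_count() { audit_ovpn_conf "$1" | grep -c '^FINDING:' || true; }

audit_ovpn_conf "$WEAK_CONF"
echo "posted config: $(finding_count "$WEAK_CONF") findings"
echo "hardened config: $(finding_count "$HARD_CONF") findings"
```

Two things the script does not flag but a reviewer would still weigh: `float` lets a peer's source address change mid-session, which is harmless here because `tls-auth` HMAC-checks every packet, and `push "route 192.168.76.0 255.255.255.0"` exposes the whole office subnet, so the pfSense rules on the OpenVPN interface should limit VPN clients to port 3389 on the RDP hosts and to DNS against 192.168.76.6 and 192.168.76.7, as the replies below suggest.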

  • LAYER 8 Global Moderator

    Sure… Not sure what flavor of remote desktop you're using, but for quite some time UDP has also been viable and faster, so you might want to allow UDP as well.



  • Clients are connecting to Win7 Pro machines in their offices.
    I've never heard of RDP over UDP, I will have to check into that.


  • LAYER 8 Netgate

    You can probably more strictly limit the destination DNS hosts too.


  • LAYER 8 Global Moderator

    RDP 8 came out in, what, 2012? When Windows 8 came out. It was released for Windows 7 around the same time, I do believe. Current is 8.1, which also runs on Windows 7.





  • Banned

    RDP over UDP works even on W7, the RDP 8.0/8.1 updates have been available for quite some time.

    https://support.microsoft.com/en-us/kb/2592687
    https://support.microsoft.com/en-us/kb/2830477

