Reasonably secure config for OpenVPN?
-
Just looking for some general feedback on my configuration.
I am authenticating against AD/LDAP and using certs created within pfSense.
Is this a reasonably secure configuration for remote RDP access?

dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 50.x.x.x
tls-server
server 10.19.81.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Nova' true server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'edge.x.edu' 1 "
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 20
push "route 192.168.76.0 255.255.255.0"
push "dhcp-option DOMAIN x.pri"
push "dhcp-option DNS 192.168.76.6"
push "dhcp-option DNS 192.168.76.7"
push "register-dns"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo no
passtos
persist-remote-ip
float
topology subnet
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
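As an added example, not part of the thread, here is a small Python linter that parses an OpenVPN server config the way the daemon reads it (one directive per line, quoted script arguments kept intact) and reports the hardening points a reviewer would check against the posted config. The config excerpt is constructed from the post above; the severity labels and check list are this example's own.

```python
import shlex

# Constructed excerpt of the config posted above; lines starting with
# '#' or ';' are comments, as OpenVPN treats them.
POSTED_CONFIG = """\
verb 1
script-security 3
cipher AES-128-CBC
auth SHA256
#user nobody
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'edge.x.edu' 1 "
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo no
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
"""

def parse_config(text):
    """Map each directive to its argument list (a later line overrides an earlier one)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps the quoted script argument as one token
        directives[parts[0]] = parts[1:]
    return directives

def review(directives):
    """Return (severity, message) findings for the hardening directives."""
    findings = []
    comp = directives.get("comp-lzo")
    if comp is not None and comp != ["no"]:  # bare 'comp-lzo' means adaptive compression
        findings.append(("warn", "comp-lzo enables compression; set 'comp-lzo no'"))
    tls_min = directives.get("tls-version-min")
    if tls_min is None or float(tls_min[0]) < 1.2:
        findings.append(("warn", "tls-version-min: require at least 1.2"))
    if "tls-auth" not in directives and "tls-crypt" not in directives:
        findings.append(("warn", "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"))
    if "crl-verify" not in directives:
        findings.append(("warn", "no crl-verify: revoked client certificates are still accepted"))
    if "GCM" not in directives.get("cipher", [""])[0].upper():
        findings.append(("info", "data-channel cipher is not AEAD; prefer AES-256-GCM"))
    if directives.get("script-security", ["1"])[0] == "3":
        findings.append(("info", "script-security 3 passes user passwords to scripts via the environment"))
    return findings

if __name__ == "__main__":
    for level, msg in review(parse_config(POSTED_CONFIG)):
        print(f"[{level}] {msg}")
```

Run against the excerpt, every check that would be a warning passes; the two remaining items are informational.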
-
Sure. Not sure what flavor of remote desktop you're using, but for quite some time UDP has also been viable and faster, so you might want to allow UDP as well.
-
Clients are connecting to Win7 Pro machines in their offices.
I've never heard of RDP over UDP; I will have to check into that.
-
You can probably more strictly limit the destination DNS hosts too.
-
RDP 8 came out in, what, 2012? When Windows 8 came out. It was released for Windows 7 around the same time, I do believe. Current is 8.1, which also runs on Windows 7.
-
RDP over UDP works even on W7; the RDP 8.0/8.1 updates have been available for quite some time.
https://support.microsoft.com/en-us/kb/2592687
https://support.microsoft.com/en-us/kb/2830477