Security improvements - How/where to configure OpenVPN if there's no option in the GUI

I want to change the --cipher and auth-nocache options. Thank you for any advice.

There are no such options inside the web interface, but you can do it by using a templates-custom fragment:

mkdir -p /etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf/

Then create a file named /etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf/90custom with your preferred editor and put your options inside it.

To apply the configuration, change something from the web interface or execute:

signal-event nethserver-openvpn-update

Thank you, it works. Another question: I want to add
remote-cert-tls server to each VPN user configuration that is downloaded via the NethServer web interface, so where should I put a proper "key usage", and when or how will the certificates for the server and the existing users be recreated (https://openvpn.net/index.php/open-source/documentation/howto.html#mitm)?
Also I've added
dh /var/lib/nethserver/certs/dh2048.pem
to my custom template, but now in host-to-net.conf there are two such options, mine and the default one:
dh /var/lib/nethserver/certs/dh1024.pem
How do I prevent this? Cheers

You can't right now, the script is not extensible, sorry.

In this case you need to overwrite an existing fragment.
See: http://docs.nethserver.org/projects/nethserver-devel/en/v7rc/templates.html
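The two mechanisms from the replies above (a new 90custom fragment for options the GUI lacks, and shadowing a stock fragment so the expanded file carries a single dh line), as an added example that is not from the thread or the nethserver-openvpn project. It assumes the e-smith layout the replies describe: stock fragments under /etc/e-smith/templates, same-named fragments under templates-custom replace them, and fragments are concatenated in filename order; the stock fragment is assumed to contain a literal dh line, and TEMPLATES/CUSTOM can be overridden to try the functions in a scratch directory.

```shell
#!/bin/sh
# Added example (not project code). Assumes e-smith template layout: fragments in
# TEMPLATES, same-named fragments in CUSTOM shadow them, expansion is name order.
TEMPLATES="${TEMPLATES:-/etc/e-smith/templates}"
CUSTOM="${CUSTOM:-/etc/e-smith/templates-custom}"
CONF="etc/openvpn/host-to-net.conf"

# 1. New fragment 90custom for options the web interface has no field for.
add_custom_fragment() {
    mkdir -p "$CUSTOM/$CONF"
    cat > "$CUSTOM/$CONF/90custom" <<'EOF'
# local hardening, kept in templates-custom so package updates do not overwrite it
cipher AES-256-CBC
auth-nocache
remote-cert-tls server
EOF
}

# 2. Replace the stock fragment that emits "dh ..." instead of adding a second dh
# line: copy it under the same name into templates-custom with the new path.
# Assumes the stock fragment carries a literal dh line (not Perl template code).
override_dh_fragment() {
    new_dh="$1"
    frag=$(grep -l '^dh ' "$TEMPLATES/$CONF"/* 2>/dev/null | head -n 1)
    [ -n "$frag" ] || { echo "no stock fragment emits a dh line" >&2; return 1; }
    mkdir -p "$CUSTOM/$CONF"
    sed "s|^dh .*|dh $new_dh|" "$frag" > "$CUSTOM/$CONF/$(basename "$frag")"
}

# 3. Preview of the expanded file: custom fragments shadow same-named stock ones,
# then everything is concatenated in name order (plain cat: any Perl template
# code inside real fragments is shown unexpanded).
merged_preview() {
    { ls "$TEMPLATES/$CONF"; ls "$CUSTOM/$CONF"; } 2>/dev/null | sort -u |
    while read -r f; do
        if [ -f "$CUSTOM/$CONF/$f" ]; then cat "$CUSTOM/$CONF/$f"
        else cat "$TEMPLATES/$CONF/$f"; fi
    done
}

# Only touch the live system when invoked as: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    add_custom_fragment
    override_dh_fragment /var/lib/nethserver/certs/dh2048.pem
    merged_preview | grep -c '^dh '        # expect 1
    signal-event nethserver-openvpn-update # re-expand and reload, as in the reply
fi
```

Run it with `apply` on the server to write both fragments and trigger the event; without an argument it only defines the functions.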

Ok, but do you plan to add a few options to the certificates/VPN module? Mainly I mean:
- optional dh2048
- remote-cert-tls server (to avoid MITM attack)
- auth-nocache
- cipher AES-256-CBC (or AES-128-CBC) (because of BF weakness)
to make them work with the NethServer web admin, as they are security improvements.
When/how are existing user and server certificates recreated (are they? cron?)
Instead of changing existing files maybe an override keyword can be used inside user templates, or separate override files (even better).
Where are .ovpn options stored, to manually change options of generated configurations?
Thank you for your reply. I also appreciate the great job you're doing, NethServer is already a great piece of software. Cheers

OpenVPN uses the built-in certificate (yes, we use cron):
http://docs.nethserver.org/projects/nethserver-devel/en/v7rc/certificate_management.html

These files are generated on the fly: nethserver-openvpn/root/usr/libexec/nethserver/openvpn-local-client (NethServer/nethserver-openvpn on GitHub)

Nobody requested these options, you're the first one (for now :wink: ).
If many users request these changes, we will be happy to improve the OpenVPN module :slight_smile:
