I want to change --cipher and auth-nocache option. Thank You for any advice.
There are no such options inside the web interface, but you can do it by using a template-custom:
mkdir -p /etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf/
Then create a file named /etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf/90custom
with your preferred editor and put your options inside it.
To apply the configuration, change something from the web interface or execute:
signal-event nethserver-openvpn-update
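As an added example (not part of the thread or the nethserver-openvpn project), the steps above as a small POSIX shell script. It writes the 90custom fragment with the cipher and auth-nocache directives from the question and then fires the update event. The root-directory parameter is an assumption of this example so the functions can be exercised against a scratch directory; on a real NethServer host it is left empty, and signal-event is only called if it exists.

```shell
#!/bin/sh
# Added example, not code from the thread: create a templates-custom fragment
# for /etc/openvpn/host-to-net.conf and re-expand the template.
# <root> is an assumed knob for testing; pass "" on a real NethServer host.

# Usage: write_custom_fragment <root> <cipher>
# Creates <root>/etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf/90custom
# and prints its path.
write_custom_fragment() {
    root="$1"
    cipher="$2"
    dir="$root/etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf"
    mkdir -p "$dir"
    # Fragments are concatenated in lexical order, so 90custom lands after the
    # stock fragments (name taken from the answer above).
    cat > "$dir/90custom" <<EOF
# custom options added via templates-custom
cipher $cipher
auth-nocache
EOF
    printf '%s\n' "$dir/90custom"
}

# Usage: apply_template
# Runs the event named in the answer; skipped when signal-event is absent
# (i.e. when this script is run somewhere other than a NethServer host).
apply_template() {
    if command -v signal-event >/dev/null 2>&1; then
        signal-event nethserver-openvpn-update
    else
        echo "signal-event not found, skipping template expansion" >&2
        return 0
    fi
}

# Usage: has_directive <file> <directive>
# Succeeds when <file> contains a line starting with <directive>; use it on
# the rendered /etc/openvpn/host-to-net.conf after apply_template to confirm
# the option really made it into the running configuration.
has_directive() {
    grep -Eq "^$2( |$)" "$1"
}

# Typical run on the server (cipher value is the one proposed in the thread):
#   write_custom_fragment "" AES-256-CBC
#   apply_template
#   has_directive /etc/openvpn/host-to-net.conf cipher && echo "cipher set"
```

The has_directive check matters because the fragment only becomes effective after expansion: if the event is not fired, the file under templates-custom exists but the daemon still runs with the old config.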
Thank You, it works. Another question: I want to add:
remote-cert-tls server to each VPN user which is downloaded via the Nethserver web interface, so where should I put a proper “key usage” and when or how will certificates for the server and existing users be recreated (https://openvpn.net/index.php/open-source/documentation/howto.html#mitm)?
Also I’ve added
dh /var/lib/nethserver/certs/dh2048.pem
to my custom-template but now in host-to-net.conf there are two such options the mine and the default one:
dh /var/lib/nethserver/certs/dh1024.pem
How to prevent this? Cheers
You can’t right now, the script is not extensible, sorry.
In this case you need to overwrite an existing fragment.
See: http://docs.nethserver.org/projects/nethserver-devel/en/v7rc/templates.html
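As an added example (not from the thread or the project), the overwrite approach from the answer above: with e-smith templates, a file under templates-custom that has the same name as a stock fragment under templates replaces that fragment, so the way to get a single dh line is to copy the fragment that emits it and edit the copy rather than adding a second dh in 90custom. The script discovers the fragment name with grep instead of assuming it, and it assumes the dh line appears literally in that fragment (if the stock fragment builds the line with Perl code, copy it under the same name and edit the copy by hand). The root parameter is an assumption for testing; use "" on a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: override a stock template fragment
# and check the rendered config for duplicated directives.
# <root> is an assumed knob for testing; pass "" on a real NethServer host.

TEMPLATE_PATH="etc/e-smith/templates/etc/openvpn/host-to-net.conf"
CUSTOM_PATH="etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf"

# Usage: find_fragment <root> <directive>
# Prints the name of the first stock fragment containing a literal line that
# starts with <directive>; fails if none does.
find_fragment() {
    root="$1"; directive="$2"
    hit=$(grep -l -E "^$directive( |$)" "$root/$TEMPLATE_PATH"/* 2>/dev/null | head -n 1)
    [ -n "$hit" ] || return 1
    basename "$hit"
}

# Usage: override_dh <root> <new-dh-file>
# Copies the fragment that sets "dh" into templates-custom under the SAME
# name (that is what makes it an override) and rewrites only the dh line.
# Prints the path of the override fragment.
override_dh() {
    root="$1"; newdh="$2"
    name=$(find_fragment "$root" dh) || return 1
    mkdir -p "$root/$CUSTOM_PATH"
    sed -E "s#^dh .*#dh $newdh#" "$root/$TEMPLATE_PATH/$name" > "$root/$CUSTOM_PATH/$name"
    printf '%s\n' "$root/$CUSTOM_PATH/$name"
}

# Usage: duplicate_directives <rendered-config>
# Prints every directive that occurs more than once in the expanded config
# (comments and blank lines ignored). Empty output means no duplicates.
duplicate_directives() {
    grep -v -E '^[[:space:]]*(#|;|$)' "$1" | awk '{print $1}' | sort | uniq -d
}

# Typical run on the server, after which signal-event nethserver-openvpn-update
# re-expands the template:
#   override_dh "" /var/lib/nethserver/certs/dh2048.pem
#   signal-event nethserver-openvpn-update
#   duplicate_directives /etc/openvpn/host-to-net.conf   # should print nothing
```

duplicate_directives is worth running after every template change, not just for dh: OpenVPN takes the last occurrence for most single-value options, so a leftover duplicate can silently undo the hardening you thought you had applied.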
Ok, but do You plan to add a few options to the certificates/vpn module? Mainly I mean:
-optional dh2048
-remote-cert-tls server (to avoid MITM attack)
-auth-nocache
-cipher AES-256-CBC (or AES-128-CBC) (because of BF weakness)
to work them with Nethserver webadmin as they are security improvements.
When/how existing user and server certificates are recreated (are they? cron?)
Instead of changing existing files maybe an override keyword can be used inside user templates or separate override files (even better).
Where are .ovpn options stored, to manually change options of generated configurations?
Thank You for Your reply, I also appreciate great job You’re doing while Nethserver is already a great piece of software. Cheers
OpenVPN uses the built-in certificate (yes, we use cron):
http://docs.nethserver.org/projects/nethserver-devel/en/v7rc/certificate_management.html
These files are generated on-the-fly: nethserver-openvpn/root/usr/libexec/nethserver/openvpn-local-client at master · NethServer/nethserver-openvpn · GitHub
Nobody requested these options, you’re the first one (for now).
If many users request these changes, we will be happy to improve the OpenVPN module