OpenVPN has many parameters we can play with.
Here are some configuration tips I have used. I traditionally set up my OpenVPN server on Debian.
Most options can be set on either side. The main difference is that an option set on the server side must be wrapped in the push keyword, and it is then applied to every client that connects.
Let's look at the difference when the same setting is applied on each side, with a DNS entry as example.
Client side:
dhcp-option DNS 192.168.0.200
Server side, pushed to all clients:
push "dhcp-option DNS 192.168.0.200"
Client side, with a search domain as well:
dhcp-option DNS 192.168.0.200
dhcp-option DOMAIN domain.local
It can be useful to only allow certain flows through the VPN. The rules below let only RDP (TCP/3389) and DNS (TCP and UDP/53) be forwarded out of the LAN interface enp4s0, accept their replies coming back in, and drop everything else leaving on enp4s0.
root@host:~# iptables -A FORWARD -o enp4s0 -p tcp --dport 3389 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p tcp --sport 3389 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -p tcp --dport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -p udp --dport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p udp --sport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -i enp4s0 -p tcp --sport 53 -j ACCEPT
root@host:~# iptables -A FORWARD -o enp4s0 -j DROP
Two caveats. Matching replies on the source port alone is weak: any LAN host can reach a VPN client by sending from source port 3389 or 53, so prefer a stateful match on the connection state (conntrack ESTABLISHED,RELATED) for the return path. And the final DROP only covers traffic leaving on enp4s0; traffic coming in from enp4s0 towards the tunnel that does not match a rule falls through to the FORWARD chain policy, which is ACCEPT on a stock Debian, so set that policy to DROP or add an explicit drop for the other direction as well.
To route client traffic to the LAN behind the server, enable IP forwarding in /etc/sysctl.conf, reload it, and masquerade the VPN subnet on the LAN-facing interface (ens192 here; use whatever your interface is called).
net.ipv4.ip_forward = 1
root@host:~# sysctl -p /etc/sysctl.conf
root@host:~# iptables -t nat -A POSTROUTING -s 10.50.8.0/24 -o ens192 -j MASQUERADE
Then tell the client which network is reachable through the tunnel (client side; on the server it would be pushed, as described above).
route 192.168.1.0 255.255.255.0
Here is a case where 192.168.0.251 and 192.168.0.250 are reached through the VPN while the rest of 192.168.0.0/24 keeps going via the LAN default gateway (net_gateway is OpenVPN's placeholder for the default gateway that existed before the tunnel came up). This is particularly useful when the client and the server sit on the same subnet.
route 192.168.0.251 255.255.255.255
route 192.168.0.250 255.255.255.255
route 192.168.0.0 255.255.255.0 net_gateway
To shut out port scanning, DoS traffic on the OpenVPN UDP port, TLS handshake attempts from unauthorized machines and any eventual buffer-overflow bug in the TLS implementation before it can be reached (as the OpenVPN HOWTO puts it), we add a pre-shared HMAC key: control-channel packets that do not carry a valid HMAC are dropped without even being parsed. Generate the key on the server and copy it to every client.
root@host:~# openvpn --genkey --secret /etc/openvpn/pki/issued/ta.key
Server side:
tls-crypt /etc/openvpn/pki/issued/ta.key
Client side:
tls-crypt ta.key
tls-crypt takes no key-direction argument (it also encrypts the control channel, and the same key is used on both sides); the 0/1 direction belongs to the older tls-auth directive, where the server line ends with 0 and the client line with 1.
OpenVPN can also close a possible man-in-the-middle attack in which a client holding a valid certificate impersonates the server: the client should require that the certificate presented by the server is actually marked as a server certificate. If this is not set, you should see this message in the client log: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Client side:
remote-cert-tls server
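Putting the pieces above together, here is a matching server.conf / client.ovpn pair as an added example; it is not the original post's own files. The PKI paths other than ta.key, the server name vpn.example.org and the 10.50.8.0/24 tunnel subnet (taken from the NAT rule above) are assumptions. Note that tls-crypt is given no key direction, and that everything pushed by the server lands in the client exactly as if it had been written in the client's own file.

```conf
# server.conf (assumed location: /etc/openvpn/server/server.conf)
port 1194
proto udp
dev tun
# tunnel subnet, as in the MASQUERADE rule above
server 10.50.8.0 255.255.255.0
# assumed easy-rsa style layout next to the ta.key path used above
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
key  /etc/openvpn/pki/private/server.key
dh   /etc/openvpn/pki/dh.pem
# pre-shared control-channel key, same file on both sides, no direction
tls-crypt /etc/openvpn/pki/issued/ta.key
# settings applied to every connecting client
push "dhcp-option DNS 192.168.0.200"
push "dhcp-option DOMAIN domain.local"
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
verb 3

# client.ovpn
client
dev tun
proto udp
# assumed server name
remote vpn.example.org 1194
nobind
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
# refuse a server certificate that is not marked as a server certificate
remote-cert-tls server
# two hosts through the tunnel, the rest of the subnet via the LAN gateway
route 192.168.0.251 255.255.255.255
route 192.168.0.250 255.255.255.255
route 192.168.0.0 255.255.255.0 net_gateway
persist-key
persist-tun
verb 3
```

The pushed dhcp-option and route lines on the server replace the client-side dhcp-option and route 192.168.1.0 lines shown earlier; the net_gateway routes stay on the client because they describe that client's own LAN.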
To see who is connected, have the server write its status file and read it (the path in the config and the one you read must of course be the same).
status /var/log/openvpn-status.log
root@host:~# cat /var/log/openvpn-status.log
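The status file is worth more than a cat. Below, as an added example that is not part of the original post or of OpenVPN itself, is a small parser for the default (status-version 1) layout of that file, run over a constructed snapshot. It flags a common name connected from two different addresses at once, which can only show up when duplicate-cn is set on the server and usually means a client certificate and key have been copied to another machine, and routing entries that have gone stale. The two-minute idle threshold is an arbitrary assumption.

```python
"""Parse an OpenVPN status file (default status-version 1 layout) and flag
suspicious sessions.

Added example for this page, not the original post's or OpenVPN's own code.
SAMPLE_STATUS is a constructed snapshot; the idle threshold is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what `status /var/log/openvpn-status.log` writes.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Mar 16 10:30:00 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,198.51.100.7:51234,120340,987650,Mon Mar 16 08:01:12 2020
bob,203.0.113.9:40001,5000,7000,Mon Mar 16 10:29:55 2020
alice,192.0.2.33:61000,200,300,Mon Mar 16 10:25:40 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.50.8.6,alice,198.51.100.7:51234,Mon Mar 16 10:29:58 2020
10.50.8.10,bob,203.0.113.9:40001,Mon Mar 16 10:29:56 2020
10.50.8.14,alice,192.0.2.33:61000,Mon Mar 16 10:25:41 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Mon Mar 16 10:30:00 2020"


def parse_status(text):
    """Return (snapshot_time, clients, routes) from status-version 1 text.

    clients: one dict per CLIENT LIST row; routes: one dict per ROUTING TABLE row.
    """
    snapshot, clients, routes, section = None, [], [], None
    for line in text.splitlines():
        if line.startswith("Updated,"):
            snapshot = datetime.strptime(line.split(",", 1)[1], TIME_FMT)
        elif line == "OpenVPN CLIENT LIST":
            section = "clients"
        elif line == "ROUTING TABLE":
            section = "routes"
        elif line in ("GLOBAL STATS", "END"):
            section = None
        elif line.startswith(("Common Name,", "Virtual Address,")):
            continue                      # column header rows
        elif section == "clients":
            cn, real, rx, tx, since = line.split(",")
            clients.append({"cn": cn, "real": real, "rx": int(rx), "tx": int(tx),
                            "since": datetime.strptime(since, TIME_FMT)})
        elif section == "routes":
            vaddr, cn, real, last = line.split(",")
            routes.append({"vaddr": vaddr, "cn": cn, "real": real,
                           "last": datetime.strptime(last, TIME_FMT)})
    return snapshot, clients, routes


def shared_credentials(clients):
    """Common names seen from more than one real address in the same snapshot.

    Without `duplicate-cn` the server kicks the older session, so two rows for
    one CN only appear when that option is on; either way it usually means the
    client cert and key have been copied to another machine.
    """
    seen = defaultdict(set)
    for c in clients:
        seen[c["cn"]].add(c["real"])
    return {cn: sorted(addrs) for cn, addrs in seen.items() if len(addrs) > 1}


def idle_sessions(snapshot, routes, max_idle=timedelta(minutes=2)):
    """Virtual addresses whose Last Ref is older than max_idle at snapshot time."""
    return sorted(r["vaddr"] for r in routes if snapshot - r["last"] > max_idle)


if __name__ == "__main__":
    snap, cl, rt = parse_status(SAMPLE_STATUS)
    print("snapshot taken at", snap)
    print("shared credentials:", shared_credentials(cl))
    print("idle sessions:", idle_sessions(snap, rt))
```

Run it against the real file by replacing SAMPLE_STATUS with the contents of the path given to the status directive; on the constructed snapshot it reports alice from two addresses and the stale 10.50.8.14 entry.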