This repository has been archived by the owner. It is now read-only.

Kcchouette/OpenVPN-VPS

OpenVPN-VPS

Installs OpenVPN and a few tools (nano) on a fresh VPS.

Fork

This fork includes the following features:

  • Choice of UDP or TCP (UDP is still recommended)

  • No logs

  • No comp-lzo: compression is a vector for oracle attacks such as CRIME or BREACH

  • Better encryption (see below)

  • Avoids DNS leaks

  • Runs the server as an unprivileged user, limiting what a compromised OpenVPN process can do to the system

  • Up-to-date OpenVPN thanks to the official swupdate.openvpn.net repository

  • No internal networking

  • Keeps the official 180 days of certificate validity

  • Randomized certificate name

  • Some DNS choices: FDN's DNS servers, nearest OpenNIC DNS servers, Cloudflare DNS, Quad9 uncensored DNS

  • What-you-want DNS (see Recommended DNS provider)

  • TLS 1.2 only

  • TLS-auth support: adds an HMAC signature to every SSL/TLS handshake packet for integrity verification, a second line of defence for the TLS channel beyond what SSL/TLS itself provides. Packets without a valid HMAC are dropped before they reach the TLS stack, so an unauthenticated client cannot probe OpenVPN's TLS implementation or flood it with handshakes.

  • tls-auth checks that every incoming packet carries a valid signature (SHA512 HMAC)

  • Securely negotiates the VPN connection using the PKI: an ephemeral Diffie-Hellman exchange authenticated with the RSA key, with key sizes from 2048 to 4096 bits, which gives Perfect Forward Secrecy for every handshake. The Diffie-Hellman parameters and the RSA key are the same size because easy-rsa uses a single key-size setting for both

  • Authenticates the connection with an HMAC from the SHA-2 family (SHA-256 to SHA-512)

  • Encrypts data with the AES-128 or AES-256 cipher

  • Encrypts the control channel (network parameters and key material for the data channel) with TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 or a stronger suite

Note: both the NSA and ANSSI recommend at least 3072-bit keys to be future-proof. Since key size affects speed, I leave the choice between 2048, 3072 and 4096-bit RSA keys. 4096 bits is the most used and recommended today, but 3072 bits is still good.
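As an added example (not part of this repository's script), the Python linter below checks an OpenVPN server.conf for the choices listed above: compression off, TLS 1.2 minimum, tls-auth, a SHA-2 HMAC, an AES data cipher, DHE AES-GCM control-channel suites, the privilege drop, no logging directives, and a pushed default route and resolver so clients do not leak DNS, plus the DH size read from the parameter file name. The two embedded configurations are constructed samples (1.1.1.1 stands in for whichever resolver you pick); the allowlists of acceptable HMACs, ciphers and suites, and the file-name heuristic for the DH size, are this example's own assumptions rather than anything the script enforces.

```python
"""Lint an OpenVPN server.conf against the hardening described above.
Added example, not the repository's script: both sample configs are
constructed and the allowlists are this example's own assumptions."""
import re
import shlex

# Constructed sample: stock-looking server.conf with the weak defaults this
# fork removes (compression, SHA1 HMAC, Blowfish, root, logs, no tls-auth).
WEAK_CONF = """\
dh dh2048.pem
comp-lzo
cipher BF-CBC
auth SHA1
status openvpn-status.log
log-append /var/log/openvpn.log
"""

# Constructed sample: the same server with the fork's hardening applied.
HARDENED_CONF = """\
dh dh4096.pem
tls-auth tls-auth.key 0
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
auth SHA512
user nobody
group nogroup
persist-key
persist-tun
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
"""

STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}             # assumption: SHA-2 HMACs only
STRONG_CIPHER = re.compile(r"^AES-(128|256)-(GCM|CBC)$")  # assumption: AES only
STRONG_TLS_SUITE = re.compile(                            # assumption: (EC)DHE + AES-GCM
    r"^TLS-(EC)?DHE-(RSA|ECDSA)-WITH-AES-(128|256)-GCM-SHA(256|384)$")


def parse_conf(text):
    """Map each directive to its argument lists; '#' and ';' comments are
    dropped and shlex keeps a double-quoted push argument as one token."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            tokens = shlex.split(line)
            conf.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return conf


def first_arg(conf, directive, default=None):
    """First argument of a directive, or default when absent or bare."""
    for args in conf.get(directive, []):
        if args:
            return args[0]
    return default


def lint(text):
    """Return one finding per deviation from the hardened profile above."""
    conf = parse_conf(text)
    findings = []
    for directive in ("comp-lzo", "compress"):            # CRIME/BREACH-style oracle
        for args in conf.get(directive, []):
            if args[:1] != ["no"]:
                findings.append(f"{directive}: compression enabled")
    tls_min = first_arg(conf, "tls-version-min")
    if tls_min is None or float(tls_min) < 1.2:
        findings.append("tls-version-min: missing or below 1.2")
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("tls-auth: missing, handshake packets carry no HMAC")
    auth = first_arg(conf, "auth", "SHA1").upper()        # OpenVPN default is SHA1
    if auth not in STRONG_AUTH:
        findings.append(f"auth {auth}: not a SHA-2 HMAC")
    cipher = first_arg(conf, "cipher", "BF-CBC").upper()  # OpenVPN 2.3/2.4 default
    if not STRONG_CIPHER.match(cipher):
        findings.append(f"cipher {cipher}: not AES-128/256")
    suites = first_arg(conf, "tls-cipher")
    if suites is None:
        findings.append("tls-cipher: missing, any control-channel suite is accepted")
    else:
        findings += [f"tls-cipher {s}: not a DHE AES-GCM suite"
                     for s in suites.split(":") if not STRONG_TLS_SUITE.match(s)]
    if first_arg(conf, "user") is None or first_arg(conf, "group") is None:
        findings.append("user/group: missing, server keeps root privileges")
    findings += [f"{d}: logging enabled" for d in ("log", "log-append", "status") if d in conf]
    pushed = [args[0] for args in conf.get("push", []) if args]
    if not any(p.startswith("redirect-gateway") for p in pushed):
        findings.append('push "redirect-gateway": missing, traffic may bypass the VPN')
    if not any(p.startswith("dhcp-option DNS") for p in pushed):
        findings.append('push "dhcp-option DNS": missing, client keeps its ISP resolver')
    match = re.search(r"(\d{4})", first_arg(conf, "dh") or "")  # heuristic: size from file name
    if match and int(match.group(1)) < 3072:
        findings.append(f"dh {match.group(1)} bits: below the 3072-bit NSA/ANSSI floor")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", len(lint(text)), "finding(s)", lint(text))
```

Run it against /etc/openvpn/server.conf after the script has finished (`lint(open("/etc/openvpn/server.conf").read())`) to confirm the generated file matches the list above; the hardened sample yields no findings, the weak one yields twelve. The `auth` and `cipher` defaults used when a directive is absent are OpenVPN's own (SHA1 and BF-CBC for the 2.3/2.4 releases that Debian 9 shipped), which is why a config that simply omits them is flagged.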

Compatibility

The script is made to work on these OS:

  • Debian 9

Installation

OpenVPN needs the TUN kernel module to create its tunnel interface; without it the server cannot start. The script checks for it and stops with a message if the module is not available. On a VPS this is something the host has to enable, so ask them if you do not know how.

Update your OS before running this script!

apt-get update
apt-get upgrade

Then download the script, run it and follow the assistant. The script runs as root and reconfigures your server, so read it before executing it. If wget rejects the certificate for raw.githubusercontent.com, install the ca-certificates package rather than adding --no-check-certificate, which would skip TLS verification of the very script you are about to run:

wget "https://raw.githubusercontent.com/Kcchouette/OpenVPN-VPS/master/openvpn-install.sh"
chmod +x openvpn-install.sh
./openvpn-install.sh

Once it finishes, run it again to add users:

./openvpn-install.sh

Then give each client its .ovpn profile. The profile contains the client's credentials, so transfer it over a secure channel rather than plain e-mail.

Installing OpenVPN on the client

See INSTALL_OPENVPN.md

Testing how secure your VPN is

Based on: