Commands
Learn how to configure OpenVPN Server on Ubuntu 24.04 for secure remote access. Step-by-step guide with configuration examples, firewall setup, and troubleshooting tips. Table of
Learn about hardening OpenVPN security on RHEL 9 and CentOS 9 with best practices for authentication, encryption, firewall rules, logging, and intrusion detection.
OpenVPN is a powerful open-source VPN solution used for securing remote connections and private networks. However, deploying OpenVPN on RHEL 9 and CentOS 9 requires additional security configurations to protect against potential threats. This guide covers best practices for hardening OpenVPN security on RHEL 9 and CentOS 9, ensuring a more robust and resilient VPN deployment.
Why Harden OpenVPN Security? |
Securing OpenVPN is critical to preventing unauthorized access, data breaches, and network compromise. The following benefits highlight the importance of security hardening:
Enhanced Data Protection – Prevents unauthorized interception of VPN traffic.
Mitigates Attack Vectors – Reduces the risk of brute force attacks, DoS attacks, and exploits.
Compliance Readiness – Meets security standards required for regulatory compliance.
Before applying security hardening techniques, ensure the following prerequisites:
| Requirement | Description |
|---|---|
| RHEL 9 or CentOS 9 Server | A fully updated RHEL 9 or CentOS 9 instance |
| OpenVPN Installed | Installed via the EPEL repository or manually compiled |
| Root/Sudo Access | Required for configuration changes |
| FirewallD or iptables | A firewall service must be enabled |
Photo by admingeek from Infotechys
Use TLS Authentication |
Enable TLS authentication to prevent unauthorized connections:
openvpn --genkey --secret /etc/openvpn/ta.key
Modify the OpenVPN server configuration (/etc/openvpn/server.conf):
tls-auth /etc/openvpn/ta.key 0
Modify the client configuration:
tls-auth ta.key 1
Implement Multi-Factor Authentication (MFA) |
Use MFA to add an extra layer of security by integrating OpenVPN with Google Authenticator:
sudo dnf install google-authenticator
Run the setup script:
google-authenticator
Enable MFA in the OpenVPN authentication script.
Enforce Strong Encryption Algorithms |
Edit /etc/openvpn/server.conf and use AES-256-GCM encryption:
data-ciphers AES-256-GCM
Ensure TLS security with:
tls-version-min 1.2
Disable Weak Protocols |
Explicitly disable outdated protocols:
cipher none
auth none
Configure Firewall Rules |
Allow only VPN traffic and drop unnecessary traffic:
sudo firewall-cmd --permanent --add-port=1194/udp
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --reload
Implement IP and User Restrictions |
Use the client-config-dir option to restrict access based on IP:
client-config-dir /etc/openvpn/ccd
Define per-user IP restrictions in /etc/openvpn/ccd/client1:
ifconfig-push 10.8.0.2 255.255.255.0
Enable OpenVPN Logging |
Modify /etc/openvpn/server.conf to enable logging:
log /var/log/openvpn.log
verb 3
Analyze Logs for Anomalies |
Use journalctl to review OpenVPN logs:
journalctl -u openvpn --no-pager | tail -n 50
Set Up Log Rotation |
Prevent logs from consuming too much space:
echo "/var/log/openvpn.log {
weekly
rotate 4
compress
missingok
notifempty
}" | sudo tee /etc/logrotate.d/openvpn
Perform Regular Scheduled Updates |
Ensure OpenVPN and system packages remain up to date:
dnf update -y
Restart OpenVPN After Updates |
sudo systemctl restart openvpn
Run the following command to ensure an automatic restart after rebooting your machine:
sudo systemctl enable --now openvpn
Install Fail2Ban |
Protect OpenVPN from brute force attacks:
sudo dnf install fail2ban -y
Create a new Fail2Ban filter:
sudo tee /etc/fail2ban/filter.d/openvpn.conf <<EOF
[Definition]
failregex = TLS Error: incoming packet authentication failed from \[.*\]:\d+
EOF
Enable and start Fail2Ban:
sudo systemctl enable --now fail2ban
Prevent DNS leaks by using secure DNS resolvers:
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
Learn how to configure OpenVPN Server on Ubuntu 24.04 for secure remote access. Step-by-step guide with configuration examples, firewall setup, and troubleshooting tips. Table of
Learn how to install and configure IPA/IdM on RHEL 9 and CentOS 9. This comprehensive guide covers prerequisites, step-by-step installation, user management, and enabling 2FA
Learn how to install Apache Guacamole on RHEL 9 or CentOS 9 using Ansible roles for automated, secure, and efficient remote desktop access. Step-by-step guide