How can I build a secure openvpn server?
Yesterday I bought a Linode 512 for personal VPN usage. I am new to Linux. After 3.5 hours of trying I have just installed an OpenVPN server and connected via the OpenVPN GUI (Windows 7). I browsed some websites and it was fast. But I don't know some things about the server and OpenVPN and would like to ask you:
I set up my server by reading Getting Started and then I installed fail2ban. After that I read and installed OpenVPN from the "Secure Communications with OpenVPN on Debian 6 (Squeeze)" article (I did everything in that article).
Is it necessary to install a firewall for a more secure VPS? What can I do for more security? Or is it not needed?
I think I connect to my VPS via the UDP protocol. How can I change it to TCP?
How can I know if my traffic is really encrypted or not?
Is OpenVPN logging by default? If yes, how can I delete the logs?
If there are more things to do, could you please tell me how to do them?
Thanks
3 Replies
OpenVPN traffic is encrypted by default.
@Guspaz:
Performance with TCP is enormously worse, and is no more or less secure.
Performance over TCP is dependent on the quality of the link. The problem here is TCP congestion handling. If your underlying link works perfectly then you'll get good performance. However, if the link starts to lose packets then we get a cascading problem: the TCP tunnel will retransmit and back off until the packet arrives. The TCP traffic over the VPN will see delays and will also potentially retransmit and back off… so we've got delays on top of delays and performance falls through the floor.
Using UDP as your transport gets around some of these problems; UDP is designed to fail. However!!! OpenVPN itself will retransmit! So the TCP traffic over the VPN will still see delays and back off. But the algorithm is different…
(TCP has a slightly greater overhead, but it's minimally impactful).
If you're on a link with (say) 5% packet loss then UDP may be better. Otherwise it's a toss-up.
My suggestion: test both and see what gives best results.
(Also note that some home NAT routers won't handle UDP tunnels too well…)
From an OpenVPN perspective the underlying transport (UDP or TCP) doesn't impact security; it's the same SSL-encrypted traffic either way.
Also, I learned the answers to some of the questions I had asked.
-OpenVPN doesn't log by default (at least I couldn't find anything except /var/log/messages).
-I also confirmed that my connection is encrypted via the logs of my ADSL modem. When I browse sites without the VPN I can see what I have done in my modem logs, but after connecting to the VPN the logs are empty.
Edit:
I configured my firewall to only allow connections from my ISP's IP block.
Finally, after 3 days of research, I have an OpenVPN server up and running with a firewall.
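For the transport question discussed above and the firewall the original poster ends up with, here is an added example that is not from this thread or any of its replies: a POSIX shell function that emits an iptables-restore ruleset accepting OpenVPN (and SSH) only from one source block, dropping all other inbound traffic, and NATing tunnel clients out through the public interface. The ISP block 203.0.113.0/24, the interface names eth0/tun0 and port 1194 are placeholders. The transport given to the function must match the server.conf `proto` line (udp, or tcp-server on the server with tcp-client on the clients); as the reply above says, the firewall rule changes but the security of the tunnel does not.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a single-user OpenVPN server.
# Example code for this thread, not from the linked Linode article.
# The CIDR, port and interface names below are placeholders.

# openvpn_rules <isp-cidr> <udp|tcp> <port> [wan-if] [tun-if]
openvpn_rules() {
    cidr=$1; proto=$2; port=$3; wan=${4:-eth0}; tun=${5:-tun0}

    # Reject malformed input before it is ever handed to iptables-restore.
    echo "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || {
        echo "bad CIDR: $cidr" >&2; return 1; }
    case "$proto" in
        udp|tcp) ;;
        *) echo "bad proto: $proto (use udp or tcp)" >&2; return 1 ;;
    esac

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections the server itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# management: SSH only from the same ISP block (fail2ban still applies)
-A INPUT -p tcp -s $cidr --dport 22 -j ACCEPT
# OpenVPN: the transport here must match the 'proto' line in server.conf
-A INPUT -p $proto -s $cidr --dport $port -j ACCEPT
# packets arriving through the tunnel may reach the server or be forwarded
-A INPUT -i $tun -j ACCEPT
-A FORWARD -i $tun -o $wan -j ACCEPT
-A FORWARD -i $wan -o $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# VPN clients leave the server with its public address
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset for review; apply with
#   openvpn_rules 203.0.113.0/24 udp 1194 eth0 tun0 | sudo iptables-restore
openvpn_rules 203.0.113.0/24 udp 1194
```

Review the printed rules before piping them into iptables-restore, and keep the hosting provider's out-of-band console available: restricting SSH to the ISP block locks you out of SSH the day the ISP hands you an address outside that block, and nothing in the ruleset itself will tell you so.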