How to install OpenVPN-NL instead of vanilla OpenVPN (and why you might want to)

Posted by / Sep 10, 2014 / Categories: VPN / Tags: , ,

This little document describes how to quickly setup an OpenVPN-NL client server combo. OpenVPN-NL is a derivative of the famous OpenVPN software. It basically is a slightly modified version that conforms to the security standards laid down by the Netherlands authorities in this area. Dutch government agencies are allowed to use OpenVPN-NL for certain classes of communication because the code has been reviewed by experts and certain less secure features and default setting have been disabled. The OpenSSL library has been replaced with the smaller PolarSSL which due to its smaller size and setup is easier to audit.

More in depth information can be obtained from the website

https://openvpn.fox-it.com/background.html

Why would you want to use it instead of the regular OpenVPN software? This naturally is a choice and a matter of trust. It could be that your employer demands this (i.e. you work for The Netherlands government). Alternately it could be you simply like the fact that it has been closely scrutinised by some professionals.

If you are a little paranoid that a commercial company sanctioned by the Dutch government has modified the OpenVPN code and are afraid of backdoors and such, then by all means refrain from using this or alternately have a close look at the open sourced OpenVPN-NL code and assure yourself it is fit for the secure use cases you have in mind.

So, if you decide you’d like to try OpenVPN-NL the rest of this document is for you. It consist of three step listed below which are describes in more details further on in this document.

1) First you need to prepare your system to download the openvpn-nl software.

2) Subsequently you run a script which installs and configures the software for you. This script is not originally by me. I just modified the OpenVPN install script by @Nyr7 to work with OpenVPN-NL. This entailed replacing OpenVPN path references (almost all) and changing what and how it is downloaded.

3) Finally when configuring the client you need to take into account that the default security cipher and authentication settings for OpenVPN don’t exist in OpenVPN-NL. Hence you need to explicitly select the proper ones for OpenVPN-NL (instead of leaving them default).


 

Step 1) Preparation of you system :

This consists of adapting your Debian source.list files, adding the FoxIT GPG key, and installing the apt-transport-https package.

echo "deb https://openvpn.fox-it.com/repos/deb wheezy main" > /etc/apt/sources.list.d/foxit.list

wget https://openvpn.fox-it.com/repos/fox-crypto-gpg.asc
apt-key add fox-crypto-gpg.asc

apt-get update
apt-get install apt-transport-https

Step 2) Run the openvpn-NL_install.sh script

wget https://www.bhost.net/help-scripts/openvpn-NL_install.sh

chmod +x openvpn-NL_install.sh
./openvpn-NL_install.sh

Answer the questions according to your choices and preferences. Transfer the resulting file to your client for configuration later on.

This script automates creation of certificates and uses some boring default values for country, common name and organisational unit. Changing these is not critical and beyond the scope of this document.

Step 3) Configure the client

Unpack the client configuration file somewhere. In you VPN client configuration tool of choice:

  • Import the client and server certificates and key.
  • Select LZO data compression.
  • Select AES-256-CBC as cipher to use.
  • Select SHA-256 as HMAC authentication.

(the default OpenVPN settings are not compatible with the OpenVPN-NL edition)

Appendix:

You may also want to install and configure a firewall to go together with OpenVPN-NL (or any VPN for that matter). I have used shorewall for ages and am very happy with it but switched to arno-iptables-firewall because it is a bit easier to setup.

After installation and going through the setup ‘wizard’ (dpkg-reconfigure -plow arno-iptables-firewall)

You should be able to find

/etc/arno-iptables-firewall/conf.d/00debconf.conf

Containing something like listed below:

  EXT_IF="eth0"
  EXT_IF_DHCP_IP=0
  OPEN_TCP="22 80 1194"
  OPEN_UDP="1194"
  INT_IF="tun+"
  NAT=1
  INTERNAL_NET="10.8.0.0/24"
  NAT_INTERNAL_NET="10.8.0.0/24"
  OPEN_ICMP=0

To counter brute force attacks one could additionally setup the ssh-brute-force-protection plugin. This puts a rate limit on SSH port access. Just make ENABLE=1 in the appropriate conf file.

Finally installing and running the denyhosts package offers an additional protection mechanism. It blacklists suspicious incoming IPs by automatically adding them to the the /etc/hosts.deny file after repeated failed login attempts.

About the author
Customer contributed article by Jan Rhebergen / @JayBeRayBearGun