S 5.148 Secure connection of an external network with OpenVPN

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

If data is transmitted using leased lines or public networks that are not under the control of the organisation, then the data needs to be adequately protected. If not protected, then it will be possible to listen in on or manipulate the transmitted data. Under certain circumstances, it will even be possible for an attacker to pretend to be an authorised communication partner or to manipulate the VPN endpoints. OpenVPN is a free software package released under the GNU GPL (General Public License) that enables virtual private networks (VPNs) to be established using encrypted TLS/SSL connections. In general, OpenVPN is suitable for establishing site-to-site VPNs, end-to-end VPNs, and remote access VPNs.

OpenVPN uses the OpenSSL program libraries for encryption and uses either UDP or TCP as the transport protocol. Using TLS/SSL as a tunnel protocol does not allow protection of the information in the IP headers of the data packets, in contrast to IPSec. One advantage of TLS/SSL when compared to IPSec, though, is that it does not have an abundance of configuration parameters that need to be specified at both ends of the connection.

Secure use of OpenVPN

Since OpenVPN is based on TLS/SSL, the recommendations provided in S 5.66 Use of SSL must be taken into account. For the secure use of OpenVPN, it is necessary to secure and harden the underlying operating system accordingly (for example by installing only those program packages absolutely needed). The cryptographic keys for the operation of OpenVPN must be generated, administered, and exchanged securely by the communication partners. Furthermore, secure authentication procedures and encryption procedures with sufficient key lengths must be used. More detailed information on the selection of cryptographic procedures and authentication procedures can be found in safeguard S 2.164 Selection of a suitable cryptographic procedure.

Certificate-based authentication is the most secure procedure for logging in to a system. In this case, the VPN components (e.g. the servers and clients) have private and public keys. When certificates are used, it is necessary to check the status of the certificate using a PKI during the authentication procedure. It must be guaranteed in this case that the OpenVPN server only allows connections whose certificates have been signed by a certificate authority known to the OpenVPN server. To increase security, consideration should be given to storing the certificates of the VPN users on a smart card or using some other secure token.
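
A minimal audit of an OpenVPN server configuration against the certificate requirements above, as an added example that is not part of the original safeguard. The sample configurations, file paths and finding names are constructed; a `tls-verify` script is assumed to perform the certificate status check when `crl-verify` is absent.

```python
# Constructed sample server configurations (not taken from the safeguard).
WEAK_CONF = """
port 1194
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
verify-client-cert none   # client certificate not requested
"""
HARDENED_CONF = """
port 1194
proto udp
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
verify-client-cert require
crl-verify /etc/openvpn/crl.pem   ; reject revoked certificates
"""

def parse_directives(text):
    """Map each directive to its argument lists (simplified: no quoting, no inline <ca> blocks)."""
    directives = {}
    for line in text.splitlines():
        args = []
        for token in line.split():
            if token[0] in "#;":  # rest of the line is a comment
                break
            args.append(token)
        if args:
            directives.setdefault(args[0], []).append(args[1:])
    return directives

def audit_cert_auth(text):
    """Return finding IDs where the config falls short of the certificate requirements."""
    d = parse_directives(text)
    findings = []
    if "ca" not in d:
        findings.append("NO_TRUSTED_CA")  # nothing to verify client certificates against
    modes = [args[0] for args in d.get("verify-client-cert", []) if args]
    if "client-cert-not-required" in d or any(m in ("none", "optional") for m in modes):
        findings.append("CLIENT_CERT_NOT_ENFORCED")
    if "crl-verify" not in d and "tls-verify" not in d:  # assumption: tls-verify script checks status
        findings.append("NO_STATUS_CHECK")  # revoked certificates would still be accepted
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_cert_auth(conf) or "ok")
```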

It is especially important to ensure that only the required services on the outer network interface of the VPN server can be accessed from the untrustworthy network. Connections should only be allowed to the necessary systems and services, and no services other than those needed may be enabled on a VPN server.

To adequately protect the VPN servers from being attacked, they need to be integrated into the security infrastructure according to S 4.224 Integration of VPN components into a security gateway.

Functional test of the VPN

As described in safeguard S 4.319 Secure installation of VPN devices, every VPN must be checked accordingly for correct operation (first and foremost the security mechanisms) before it is used in live operations. This should be checked in a separate test environment, because otherwise it is impossible to guarantee that no data will be sent unprotected from the production environment over the internet. The OpenVPN documentation can be a valuable aid in the event that the VPN does not function as desired.

Review questions: