Securing OpenVPN

Discussion in 'Tomato Firmware' started by gawd0wns, Apr 13, 2009.

  1. gawd0wns

    gawd0wns Network Guru Member

    I want to enable replay-persist in openvpn though I don't know where I should put the file. Any suggestions?

    I also want to enable chroot... Would it be a good idea to chroot /dev/null? I don't use client-ccd-config, so I don't need to maintain any files in the chroot directory.

  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    It depends on how long you want it to be persisted. If you place it in /etc/openvpn/server1 it will be deleted every time the server is manually stopped. If you place it anywhere else, it will be deleted on the next reboot. If you place it in JFFS or CIFS then it will not be deleted. I would think any of those three would be sufficient.
    It will probably need to access the replay-persist file, so keep that in mind.

    I would suggest putting the replay-persist file and chrooting to /etc/openvpn/server1. Though, I've never used either option...

  3. gawd0wns

    gawd0wns Network Guru Member

    Thanks for the info. I enabled jffs2 and created a new folder with the replay file, and also set it as my chroot dir. I personally prefer not setting my chroot dir to the server1 folder, since the server private key is stored there.
    I also set the server to run as "nobody", and it seems to be working fine. I guess it should be ok as long as I can write to the replay file, so I'll chmod 666 the replay file.
    The only reason I'm taking these precautions is that I will be backing up to my NAS from many remote sites, so the vpn server port (udp) will be open to all addresses.
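The setup discussed in this thread (a JFFS-backed chroot directory, a replay-persist file, and the server dropping to "nobody"), as an added shell example that is not from the thread or from the Tomato project. The paths /jffs/openvpn and /jffs/openvpn/replay.db, the user and group name "nobody", and the config file name are assumptions; adjust them for your router. The check function is the part a practitioner would want: the replay file has to stay writable by the unprivileged user after OpenVPN drops privileges, and giving it to that user with mode 600 achieves that without making it world-writable.

```shell
#!/bin/sh
# Added example: prepare a chroot directory and replay-persist file for an
# OpenVPN server that runs as an unprivileged user, then check the result.
# Paths, user/group "nobody" and file names are assumptions, not from the thread.

# Create the chroot directory and an empty replay-persist file owned by the
# service user. Mode 600 keeps the file writable by that user only.
prepare_chroot() {
    dir="$1"; user="$2"
    mkdir -p "$dir" || return 1
    chmod 755 "$dir" || return 1
    : > "$dir/replay.db" || return 1
    # chown needs root; on a router the script runs as root, so this succeeds there
    chown "$user" "$dir/replay.db" 2>/dev/null || true
    chmod 600 "$dir/replay.db" || return 1
}

# Return 0 if the replay file exists and is neither group- nor world-writable
# (a chmod 666 file fails this check).
check_replay_file() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f") || return 1
    tail=${mode#"${mode%??}"}        # last two octal digits: group, other
    case "$tail" in
        [2367]?|?[2367]) return 1 ;; # write bit set for group or other
    esac
    return 0
}

# Write the hardening directives discussed in the thread into a config file.
# Everything referenced after "chroot" takes effect (e.g. a client-config-dir)
# must be given relative to the chroot; key and cert paths are read beforehand.
write_config() {
    cat > "$1" <<'EOF'
# assumed paths; the real certificate/key directives are omitted here
user nobody
group nobody
chroot /jffs/openvpn
replay-persist /jffs/openvpn/replay.db
persist-key
persist-tun
EOF
}

# Return 0 if the config contains the three directives this thread relies on.
check_config() {
    grep -q '^user ' "$1" && grep -q '^chroot ' "$1" && grep -q '^replay-persist ' "$1"
}

# Example usage (as root on the router):
#   prepare_chroot /jffs/openvpn nobody
#   write_config /jffs/openvpn/server.conf
#   check_replay_file /jffs/openvpn/replay.db && check_config /jffs/openvpn/server.conf
```

Because OpenVPN keeps updating the replay-persist file while running as the dropped-privilege user, owning the file by that user and restricting its mode is the tighter alternative to making it world-writable; the check above flags the latter so it is caught before the port is exposed.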