For "a", one could limit it to the current openvpn version in the script
and print a warning about the script being out of date and possibly
dangerous if the openvpn version is higher?
On 08/16/2017 03:10 AM, open...@keemail.me wrote:
Thank you for the feedback!
a)
You're absolutely right, once the tool is not maintained anymore, it
could give a false sense of security and therefore do more harm than
good. I'll do my best to keep it up-to-date. I'm also going to open-source
it on github, therefore any user suggestions will be taken into
consideration.
It will not be an online tool for now, although I've considered the
option. I've planned to release the tool via github, for anyone to
download and use it anywhere they want - as some servers may not be
publicly accessible. Depending on the usage of the tool, an online
service would also make sense. However, with the online service, I
want the user data to be handled in a privacy-respecting manner,
so that will require some more work.
b)
Precisely. The tool cannot decide such situation-dependent options.
Many of which, I've implemented as an informative text, with an
explanation what the option does exactly (e.g. --client-to-client,
which may be a threat or may be very much intended). Other
cryptography based options (e.g. --cipher or --tls-cipher) may also be
deliberately configured in a less secure manner, to achieve a better
compatibility with older devices. The user will be informed about the
less secure options (with information about the compatibility
trade-off), but in the end the user has to decide what is right for
their specific setup.
Kind regards
16. Aug 2017 08:43 by a...@unstable.cc:
Hello,
On 16/08/17 14:21, open...@keemail.me wrote:
Hello,
I've developed a Python script to grade OpenVPN server
configurations with regard to security.
The tool mainly focuses on: auth, cipher, tls-cipher, prng,
tls-auth, tls-version-min/max, no-replay, no-iv, key-method,
ncp-ciphers, ncp-disable, tls-crypt and key-direction.
The result is a grade between F and A+ and suggestions on how
to enhance the security of the OpenVPN setup.
I've tested it with various OpenVPN server configurations I
found online, but I would like to gather some feedback from
the community and update the tool accordingly, before
releasing it.
This tool is intended for server operators, but I'm about to
complete a second tool, intended for OpenVPN users.
The goal is to help operators to enhance the security of their
OpenVPN servers and to help users determine the security of
the server they're using.
If you're interested in testing the tool and would like to
provide some valuable feedback, or have any other questions
about the project, please contact me.
I am no expert here, but my personal opinion is that such a tool
can be a bit dangerous. Here are some thoughts that just came to my mind:
a) you have to be sure you keep it up to date, because a good option X
today might become a bad option tomorrow (i.e. due to a bug being
found). Is the tool an online tool? Otherwise this means that people
having different versions might get different results (due to the
previous point). Not to mention when the tool won't be maintained
anymore (like what happens today with thousands of outdated openvpn
resources online)
b) certain options can be good or bad depending on the situation/setup
and I doubt the tool can take that into account, although I guess you
can lean towards a "safer" or "stricter" ranking approach...
Anyway, this is just my opinion :) I might be wrong here, therefore
don't be torn down by my statements.
For sure it's nice to see effort being put in improving the average
server configuration out there.
Cheers,
Thank you and kind regards.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
--
Antonio Quartulli
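To make the two points of the thread concrete, here is an added example (not the poster's script, which was never published in this thread) of what such a grader could look like: it parses a server.conf, scores the options the announcement lists (cipher, auth, tls-version-min, tls-auth/tls-crypt, no-iv, no-replay, ncp-disable), reports situational options such as --client-to-client as information only (point b), and implements the version cap suggested at the top of the thread (point a) by warning when the running OpenVPN is newer than the version the ruleset was reviewed against. The point weights, the letter bands, the SCRIPT_KNOWS_OPENVPN value and both sample configs are this example's own assumptions, not OpenVPN project guidance.

```python
"""Toy OpenVPN server-config grader (added example, not the tool from the thread).

Weights, grade bands and SCRIPT_KNOWS_OPENVPN are assumptions made for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Newest OpenVPN release this ruleset was reviewed against (assumed value).
SCRIPT_KNOWS_OPENVPN = (2, 4)

# Options that are neither good nor bad in themselves: report, never score.
SITUATIONAL = {
    "client-to-client": "clients can reach each other through the server; "
                        "intended in some deployments, unwanted lateral reach in others",
    "duplicate-cn": "one certificate may be connected several times; "
                    "weakens per-client accountability",
}

# Ciphers with a 64-bit block (SWEET32-class risk on long-lived tunnels).
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def version_warning(running: Tuple[int, int]) -> Optional[str]:
    """Point a) from the thread: do not sound authoritative about a newer OpenVPN."""
    if running > SCRIPT_KNOWS_OPENVPN:
        return ("WARNING: ruleset written for OpenVPN %d.%d but %d.%d is running; "
                "the grade may be out of date and must not be trusted on its own"
                % (SCRIPT_KNOWS_OPENVPN + running))
    return None


def parse_config(text: str) -> Dict[str, List[str]]:
    """Map each 'option arg...' line to its args; skip blank and '#'/';' comment lines.
    Inline <tls-auth>...</tls-auth> style blocks are recorded by name with no args."""
    opts: Dict[str, List[str]] = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag:
            block = None if tag.group(1) else tag.group(2)
            if block:
                opts[block] = []
            continue
        if block:
            continue  # key material inside an inline block is not an option
        parts = line.split()
        opts[parts[0].lstrip("-")] = parts[1:]   # config files may use a leading "--"
    return opts


def grade(opts: Dict[str, List[str]]) -> Tuple[str, int, List[str]]:
    score, findings = 0, []
    cipher = opts.get("cipher", ["BF-CBC"])[0].upper()   # BF-CBC is the 2.4 default when unset
    if cipher.startswith("AES-") and cipher.endswith("-GCM"):
        score += 30
    elif cipher.startswith("AES-"):
        score += 20
        findings.append("cipher %s: acceptable, AES-GCM preferred" % cipher)
    elif cipher in SMALL_BLOCK_CIPHERS:
        findings.append("cipher %s has a 64-bit block; switch to AES-256-GCM" % cipher)
    else:
        findings.append("cipher %s: not in this example's allow-list, review manually" % cipher)
    auth = opts.get("auth", ["SHA1"])[0].upper()          # SHA1 is the default when unset
    if auth in ("SHA256", "SHA384", "SHA512"):
        score += 15
    elif auth == "SHA1":
        score += 8
        findings.append("auth SHA1: prefer SHA256")
    else:
        findings.append("auth %s is weak; use SHA256" % auth)
    tmin = opts.get("tls-version-min", ["1.0"])[0]        # 1.0 is the default when unset
    if tmin in ("1.2", "1.3"):
        score += 15
    else:
        findings.append("tls-version-min %s: set 1.2 so old TLS cannot be negotiated" % tmin)
    if "tls-crypt" in opts:
        score += 20
    elif "tls-auth" in opts:
        score += 15
        findings.append("tls-auth: fine; tls-crypt additionally encrypts the control channel")
    else:
        findings.append("no tls-auth/tls-crypt: control-channel packets carry no extra HMAC")
    for flag, why in (("no-iv", "disables per-packet IVs"),
                      ("no-replay", "disables replay protection"),
                      ("ncp-disable", "stops clients negotiating a better cipher")):
        if flag in opts:
            score -= 10
            findings.append("%s: %s, remove it" % (flag, why))
    for opt, note in SITUATIONAL.items():            # point b): informative only
        if opt in opts:
            findings.append("INFO %s: %s" % (opt, note))
    score = max(0, score)
    for letter, floor in (("A+", 80), ("A", 70), ("B", 60), ("C", 45), ("D", 30)):
        if score >= floor:
            return letter, score, findings
    return "F", score, findings


def grade_text(text: str) -> Tuple[str, int, List[str]]:
    return grade(parse_config(text))


# Constructed sample configs (not taken from any real server).
STRONG_CONF = """# constructed hardened server.conf
port 1194
proto udp
dev tun
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233
-----END OpenVPN Static key V1-----
</tls-crypt>
client-to-client
"""
WEAK_CONF = """# constructed aging server.conf
port 1194
proto udp
dev tun
cipher BF-CBC
auth SHA1
no-iv
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
deadbeef
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 0
"""

if __name__ == "__main__":
    print(version_warning((2, 5)))          # assumed newer-than-ruleset version
    for name, conf in (("strong", STRONG_CONF), ("weak", WEAK_CONF)):
        letter, score, notes = grade_text(conf)
        print("%s: %s (%d)" % (name, letter, score))
        for n in notes:
            print("  -", n)
```

The strong sample gets the top band with only the --client-to-client note, while the weak sample drops to F because the 64-bit block cipher, SHA1 and --no-iv each cost it points; the situational options never move the score, which is the trade-off discussed under point b).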