Hardening OpenVPN with TLS authentication. One of the important things with OpenVPN is to make sure you're wrapping the entire transport in another layer when you want it really solid and secure, and that layer is the TLS key. So we're going to go over here to OpenVPN and look at the two servers I have set up. First, we'll look at the one that has TLS authentication and encryption. This is the one that uses the full TLS key that we create. As it says right here, a TLS key enhances the security of an OpenVPN connection by requiring both parties to have a common key before they can form a TLS handshake. This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections. And this is an important aspect: it has no effect on the tunnel data itself. It doesn't add overhead, it doesn't slow it down, and we'll show that in a demo. But it adds a layer of protection in two ways. One, in the authentication-and-encryption mode it encrypts the control channel as well. So even though the encryption on OpenVPN is already solid, you are stopping people from knocking at the door, because if they don't knock first with the TLS key, the connection is immediately dropped.

Before we dive into our content, let's take a second to talk about one of the sponsors of the channel, ITProTV. They have an entire deep dive where they walk you through, in excellent detail, everything about setting up an OpenVPN server in Linux. And we have an offer code for you if you're signing up for ITProTV: it's IT training you'll actually want to watch. If you try ITProTV free of charge for seven days and then choose a premium or standard monthly membership, you get 30% off with our offer code. Links to this are below.
So if you're scrolling down there, you can check out some of the other affiliates, including ITProTV, or just click the like button while you're down there; it does help the YouTube algorithm. All right, now let's dive into the content.

So I have this set up, and I have a packet capture. We're going to walk through the actual packets getting captured when we do this. With the TLS key, and I believe this was added in OpenVPN 2.4 and up, any modern OpenVPN client and server, and this is the latest version of pfSense running on an SG-5100 that we have here, is going to support this configuration. Now, when you create the VPN, it just has a checkbox to generate the TLS key and it self-generates. You can generate your own separately if you want, but it will generate this. I'll walk through it real quick to give you an idea. When you're adding a server, it automatically generates the key here, or if you have one you've already established, you can paste it in. So: use a TLS key, then automatically generate a TLS key. Now, you do have to go back into the server settings to fix this, because once it's created, it will by default use the key for authentication only. I recommend going a step further, and here's why. The first option is authentication only, but we'll use it for everything: TLS authentication and encryption. That means the entire control channel of the tunnel is 100% wrapped in this pre-shared TLS key, and without that TLS key it starts dropping connections. This can actually help you with things like denial of service; it helps mitigate them a bit because it is dropping packets that don't carry a valid signature from this key as part of the handshake. So no TLS key, you don't even get any further. The other thing is that when you choose TLS authentication and encryption, it's also going to encrypt the certificate exchange. So right here, where it says server certificate: LTS server, yes, in use.
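The packet-dropping behaviour described above, as an added example in Python that is not code from the video, pfSense or OpenVPN. It follows OpenVPN's real static key text format, opcode/key-id byte, key-direction split and HMAC-SHA1 (the default --auth digest that tls-auth uses), but the exact position of the tag and replay counter inside the packet is a simplification of this model and should be read as an assumption, not a byte-compatible implementation. It models the "TLS Authentication" mode only; the "TLS Authentication and Encryption" mode (tls-crypt) additionally encrypts everything after the opcode and session id with keys taken from the same static key file, which this example does not reproduce. The static key is generated with os.urandom at run time rather than taken from the video.

```python
import hashlib
import hmac
import os
import struct

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"
HARD_RESET_CLIENT_V2 = 7   # opcode of the first packet a client sends
HEAD = 1 + 8               # opcode/key-id byte + 8-byte session id
TAG = 20                   # HMAC-SHA1 tag, tls-auth's default --auth digest
REPLAY = 8                 # packet id (4) + timestamp (4)


def generate_static_key() -> str:
    """2048-bit key in the text format `openvpn --genkey` writes (32 hex lines
    of 16 bytes). Constructed here with os.urandom for the example."""
    raw = os.urandom(256)
    return "\n".join([HEADER] + [raw[i:i + 16].hex() for i in range(0, 256, 16)] + [FOOTER])


def parse_static_key(text: str) -> bytes:
    """Extract the 256 key bytes from an inline <tls-auth> block or key file."""
    body = text.split(HEADER, 1)[1].split(FOOTER, 1)[0]
    raw = bytes.fromhex("".join(body.split()))
    if len(raw) != 256:
        raise ValueError("static key must decode to 256 bytes")
    return raw


def hmac_keys(raw: bytes, key_direction: int) -> tuple:
    """OpenVPN splits the key into two {cipher[64], hmac[64]} halves.
    key-direction 0 (server) signs with half 0 and verifies with half 1;
    key-direction 1 (client) is the reverse. Returns (sign_key, verify_key),
    each the first 20 bytes of an hmac slot, which is the SHA1 key length."""
    slots = [raw[64:128], raw[192:256]]            # the two hmac slots
    out, inn = (0, 1) if key_direction == 0 else (1, 0)
    return slots[out][:TAG], slots[inn][:TAG]


def control_packet(opcode: int, session_id: bytes, packet_id: int, payload: bytes) -> bytes:
    """Unsigned control packet: opcode<<3|key_id, session id, message id, TLS bytes."""
    return bytes([opcode << 3]) + session_id + struct.pack(">I", packet_id) + payload


def tls_auth_wrap(packet: bytes, sign_key: bytes, packet_id: int, timestamp: int) -> bytes:
    """Sign: HMAC-SHA1 over the replay counter plus the packet; tag and counter
    are placed after opcode and session id (simplified layout, see lead-in)."""
    replay = struct.pack(">II", packet_id, timestamp)
    tag = hmac.new(sign_key, replay + packet, hashlib.sha1).digest()
    return packet[:HEAD] + tag + replay + packet[HEAD:]


def tls_auth_verify(wire: bytes, verify_key: bytes, seen: set):
    """Return the unsigned packet, or None when it must be dropped: too short,
    bad tag (no key, wrong key, tampered) or a replayed packet id. A dropped
    packet gets no reply at all, which is the point of the gate."""
    if len(wire) < HEAD + TAG + REPLAY:
        return None
    tag = wire[HEAD:HEAD + TAG]
    replay = wire[HEAD + TAG:HEAD + TAG + REPLAY]
    rest = wire[HEAD + TAG + REPLAY:]
    expected = hmac.new(verify_key, replay + wire[:HEAD] + rest, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    packet_id = struct.unpack(">II", replay)[0]
    if packet_id in seen:
        return None
    seen.add(packet_id)
    return wire[:HEAD] + rest


def server_accepts(wire: bytes, verify_key, seen: set) -> bool:
    """Would the server answer this first packet and start a TLS handshake?
    verify_key=None models the no-TLS-key server: it talks to anyone."""
    packet = wire if verify_key is None else tls_auth_verify(wire, verify_key, seen)
    return packet is not None and len(packet) > 0 and packet[0] >> 3 == HARD_RESET_CLIENT_V2


def demo() -> dict:
    """The video's comparison: an unsigned hello reaches the open server but
    not the tls-auth server; a wrong key and a replay are dropped; a signed
    hello is accepted. Also reports the per-packet cost of the signature."""
    key_text = generate_static_key()
    raw = parse_static_key(key_text)
    _, server_verify = hmac_keys(raw, key_direction=0)
    client_sign, _ = hmac_keys(raw, key_direction=1)
    hello = control_packet(HARD_RESET_CLIENT_V2, os.urandom(8), 0, b"")
    signed = tls_auth_wrap(hello, client_sign, packet_id=1, timestamp=1700000000)
    wrong = tls_auth_wrap(hello, os.urandom(TAG), packet_id=1, timestamp=1700000000)
    seen = set()
    return {
        "open_server_answers_unsigned": server_accepts(hello, None, set()),
        "auth_server_answers_unsigned": server_accepts(hello, server_verify, seen),
        "auth_server_answers_wrong_key": server_accepts(wrong, server_verify, seen),
        "auth_server_answers_signed": server_accepts(signed, server_verify, seen),
        "auth_server_answers_replay": server_accepts(signed, server_verify, seen),
        "bytes_added_per_packet": len(signed) - len(hello),
    }
```

Running demo() returns a dictionary showing that the open server answers any client hard-reset packet, while the tls-auth server silently drops the unsigned packet, a packet signed with a different key and a replayed packet, and answers only the properly signed one. The signature costs 28 bytes per control packet and nothing on the data channel, which is consistent with the "no overhead" result in the speed test later on: the pre-shared key only protects the control channel.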
Let's go over to the Certificate Manager here; we're going to show you what's in this certificate. We have a self-signed certificate. Notice I put the location as our office here in Southgate. And don't worry, for those wondering if I'm exposing anything: this is just a demo server, internal to our lab, so I'm not worried about people seeing the private key for this. But I did set this up with our address, and it says Southgate in here, and that's important because when we do the packet capture I'm going to show you how we can extract the names on the certificate. So the certificate name is LTS and the location is Southgate. This is the VPN with the TLS key on it. Then we go over here to Client Export, and I've downloaded each of these: one for no TLS and one with TLS. In the no-TLS one, the settings are exactly the same; you can see the ciphers, and everything in here is the same. The only thing we're changing is that we're not going to use a TLS key.

So let's go over to our packet capture. Now, each of these VPNs is on a different port, which makes it easier to do the packet capture, so just so you're on the same page with me: this one is on port 10443, and we're going to capture this one first. We go over to Packet Capture, which is a built-in feature of pfSense, enter port 10443, and start the capture. It's not seeing anything yet, because we're not connected, but we started the capture, so when we start sending data to 10443 it'll pick it up. Here are our two OpenVPN configs: SG5100 no TLS and SG5100 TLS. We're doing it from the command line, so we run sudo openvpn with the SG5100 no-TLS config. LTS is the username; put in the password. Initialization sequence complete. We've connected, we've done the handshake. I'm not going to go any further. I have the speed test set up down here and I'll show you at the end that there's no speed loss between the two, but we did the handshake, and that's all we really needed.
We just want to capture that small number of packets. Stop, download the capture, and here we go. So here is Wireshark; open up that pcap file and we'll walk through it. Message type: Client Hello. Why, hello there, client! Look at this: Southgate, right there in the words. So we captured the LTS 5100, hence the name of the certificate. Now, you're not capturing the private key, but you have more visibility. So if someone were watching this connection, they're going to learn the certificate of the server you're connecting to; they have more information there. And of course we can bang away at this particular port, because if you talk to it, it doesn't ask for a TLS key. It'll start offering you a certificate, seeing if you have a matching one, et cetera, and start trying to negotiate a connection. So you're starting to engage with a server that is exposed to the public. You can see it walk through here, going back and forth; it says it again. It's the back-and-forth key exchange. And then we see it negotiate the cipher and encrypt everything, so once we get to the actual data going across, all right, we're encrypted and we're doing it properly.

So let's go back over here and make sure we kill the VPN. Back to the front page, kill this connection. It drops; no problem. Port 1044 is the other one. We'll start the capture on 1044. This is the one with full TLS. We're going to start a new capture. Back over here, SG5100, and we're going to use the one with full TLS authentication and encryption. Same username, same password; we're just changing how we're connecting. And we connected over port 1044. Initialization sequence complete. So we did the handshakes and negotiation, et cetera, but this is the one where everything was wrapped in TLS. We cancel it. Back over to our packet capture: stop the capture, download the capture, back into Wireshark.
So, OpenVPN message type: Control Hard Reset Client, Control Hard Reset Server, ACK, data, data, data. Please note all the data is fully wrapped in SSL right here. Wireshark recognizes it as OpenVPN because it recognizes a couple of ACKs in there that are part of the OpenVPN handshake, but that's it: 100% encrypted. Let's see here. Nope, all the way down, nothing. Now, granted, one thing you're probably wondering: there were 52 packets captured for this one, and how many packets in the other one? 51. One more packet, so it wasn't much more data. But a huge amount of information was gained from the unprotected one. If I'm an attacker and I'm looking, I can see these exchanges, I can see the certificates, so I know something more about who owns the server, because if they signed it with their name and put Lawrence Systems on there, in Southgate, you have pieces of information. When you use the full TLS authentication and encryption, nothing. Just all SSL, SSL.

All right, so what's the next step? Well, let's talk about overhead. Is there some disadvantage to using it? The first one is that you have to have a client that supports it. Most modern clients do; you can use this from your phone to your computers, or, like right here, I'm using Linux. As long as you have a modern client it's fine, but there is, of course, a challenge if you don't have a modern client. From here, let's do the speed test. Actually, let's make sure we've cancelled and dropped the connection; OpenVPN stays alive for a few minutes after you do this, so you want to make sure that it's... all right, there we go, dropped the connection. So there are no errors. Let's do the one with no TLS. And just so you know, we'll try to ping this address: there's the iperf address we're going to test against. Just so you know, I haven't hit connect up there, and 51.14, I have no access to it. Press enter. As it says, once initialized it'll be ready to go. Initialization sequence complete.
Now we can ping it. Now we can speed test it. Whoops, there we go. So what kind of speed are we getting? This is with no TLS. We're seeing... what do we got here? About 300 with this setting. So I'm about 309. This is with no TLS, but of course it comes with the risk of sending the handshake out in the clear. So go back over here, drop the connection. Full TLS authentication and encryption, LTS, initialization sequence complete. We're just going to up-arrow again. Now we're doing the same thing, but over a connection fully wrapped in TLS. And we're seeing the same speeds again: we got about 309 here, and we're in the 300s here. Looks like it went just a little bit faster, which is odd, 318. There's some variation; it takes longer tests to get a more accurate result, because with benchmarks there are always little variations. But I think you get the concept: we did not see any speed overhead. TLS authentication is efficient, modern systems handle it very well, so you're seeing that there's not any disadvantage to using it other than loss of connectivity for old clients.

There's one more thing I will mention. If you are troubleshooting OpenVPN, turn it off, because when you wrap everything in there, it is more difficult to troubleshoot. So for testing purposes, for example when you're trying to figure out why it doesn't work, if it doesn't work out of the box, I recommend trying it without the TLS key first. If you followed one of my tutorials or went in depth with it and everything is working fine out of the box, great. But you will find the negotiations are harder to decipher when there's a problem, because if it gave an error that there's a problem with a cipher, would you know if it's the TLS cipher or the other one? It can be a little bit harder to troubleshoot. There's an article over on the OpenVPN community wiki that talks about that: OpenVPN 2.4 and newer limits the default TLS cipher list more than earlier versions did.
This makes it prudent to harden your configuration using tls-cipher, which we discussed. Also be aware that it is very easy to create hard-to-debug connection failures when using tls-cipher incorrectly. So if you play with it, there can be problems. That said, further limiting the number of ciphers does reduce the attack surface. What they're talking about here are the ciphers used on the TLS control channel, the channel that tls-auth protects. And tls-auth uses a pre-shared static key that must be generated in advance and shared among all peers. The feature adds extra protection to the TLS channel by requiring that incoming packets have a valid signature generated by the key. If this key is ever changed, it must be changed on all peers at the same time; there's no support for rollover.

One of the things I will point out, and let's close all these windows and look at it real quick (oh, people always ask how I split the windows: tmux, in case you're wondering): vim SG5100, actually we'll go with the TLS one. It has both the cert and the TLS key in here. So this is the one with full TLS. You can see that it's in here, and there's that static key that gets generated. It's going to be the same on both sides, just so you know it's there. So if you do have to change anything, and you're doing an inline config with everything in one file, it's easy: you would change it here. The nice thing about pfSense is that when you use the client export, it downloads the key with it, so I didn't have to do anything there. But please note, if you did the full install, like on a Windows computer, when you download the client package it's going to split out the certs and the key into separate files. So if you do change the key, make sure you know where to change it, or you could just uninstall and reinstall so it doesn't find two. Just an FYI on that.
So that hopefully helps people understand why it's important to use a TLS auth key. One last thing I'll add, because this does come up: what about obfuscating the VPN from DPI? You can kind of do that, but there are limitations. The TLS implementation almost looks like, but is not quite the same as, what a standard website would use. So if you were to do two things: go over here to OpenVPN, and you can convert this; we'll do it real quick right here. If we switched this from UDP to TCP, for example, and set this up as a TCP connection with TLS auth, then depending on the type of firewall being used by the people doing the blocking, it may allow you to use OpenVPN on a network with DPI that tries to block it, because if you use TLS authentication and moved it not to port 1044 here but to 443, it might get by. And I say might, and the reason why is that even if you did this and it makes the traffic look more like normal TLS traffic, you may run into the problem, as I understand it, that certain blocking mechanisms check the site you're going to to see if there's actually a website there. So even though you've done all the right things in terms of masking the data and encrypting it to make it look like standard website traffic that shouldn't be blocked, because blocking 443 would pretty much block internet access, if it's a more advanced firewall system that tries to see if there's even a valid website there, it's going to fail and then block your connection. This question just comes up a lot; I get a lot of people messaging me about this because they're trying to use OpenVPN to get back to another service, and wherever they're at, whatever network they're on blocks access to OpenVPN. This might get you by it, but it's still no guarantee.
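The Wireshark comparison earlier (the no-TLS-key capture showing the certificate subject in the clear, the wrapped capture showing only opcode, session id and opaque bytes) and the DPI question just above, as one added example in Python that is not code from the video, Wireshark or OpenVPN. The opcode table, the 8-byte session id and the 2-byte length prefix OpenVPN uses over TCP are OpenVPN's real framing; the sample packets are constructed inline, the "Certificate message" is a printable stand-in rather than real DER, and the tls-crypt sample's tag and ciphertext are placeholder bytes rather than real HMAC-SHA256/AES-256-CTR output. The TCP classifier is a heuristic written for this example, not a description of any particular DPI product.

```python
import struct

OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",   # tls-crypt-v2 client reset
}
SID_SIZE = 8


def decode_header(packet: bytes) -> dict:
    """First byte is opcode<<3 | key_id, then an 8-byte session id. Neither
    tls-auth nor tls-crypt hides these, which is why Wireshark still labels
    the packets as OpenVPN in the wrapped capture."""
    return {"opcode": OPCODES.get(packet[0] >> 3, "unknown"),
            "key_id": packet[0] & 7,
            "session_id": packet[1:1 + SID_SIZE].hex()}


def tls_record_visible(data: bytes) -> bool:
    """True when a plaintext TLS handshake record header (content type 0x16,
    version 3.x) occurs anywhere in the bytes after the OpenVPN header."""
    return any(data[i] == 0x16 and data[i + 1] == 0x03 and data[i + 2] in (1, 2, 3)
               for i in range(len(data) - 2))


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Rough `strings`: runs of printable ASCII at least min_len long."""
    found, run = [], bytearray()
    for b in data + b"\x00":
        if 0x20 <= b < 0x7f:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


def inspect_udp_payload(packet: bytes) -> dict:
    """What an on-path observer learns from one control channel packet."""
    body = packet[1 + SID_SIZE:]
    info = decode_header(packet)
    info["tls_handshake_visible"] = tls_record_visible(body)
    info["strings"] = printable_strings(body)
    return info


def classify_tcp_client_first_segment(data: bytes) -> str:
    """DPI heuristic for a TCP/443 session. A browser's ClientHello starts
    0x16 0x03 0x01. OpenVPN over TCP prefixes every packet with a 2-byte
    big-endian length, and the next byte is the opcode/key-id byte (0x38 for
    a V2 client reset, 0x50 for tls-crypt-v2). tls-auth and tls-crypt do not
    change that framing, so this check still flags the tunnel."""
    if len(data) < 3:
        return "unknown"
    if data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    (length,) = struct.unpack(">H", data[:2])
    if data[2] >> 3 in (7, 10) and length == len(data) - 2:
        return "openvpn-control"
    return "unknown"


# Constructed samples. The session id is arbitrary; the plaintext sample
# carries a printable stand-in for the Certificate message (handshake type
# 0x0b) with the subject the video found in the capture, not real DER.
SID = bytes.fromhex("0102030405060708")
CERT_STANDIN = b"\x0b\x00\x00" + b"CN=LTS,L=Southgate,O=Lawrence Systems" + b"\x00"
TLS_RECORD = b"\x16\x03\x03" + struct.pack(">H", len(CERT_STANDIN)) + CERT_STANDIN
PLAINTEXT_CONTROL = bytes([7 << 3]) + SID + struct.pack(">I", 0) + TLS_RECORD
# tls-crypt layout: opcode, session id, packet id, timestamp, 32-byte tag,
# ciphertext. Deterministic placeholder bytes stand in for tag + ciphertext.
PLACEHOLDER = bytes((37 * i + 11) % 251 for i in range(96))
TLSCRYPT_CONTROL = bytes([7 << 3]) + SID + struct.pack(">II", 1, 1700000000) + PLACEHOLDER
BROWSER_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
OPENVPN_TCP = struct.pack(">H", len(TLSCRYPT_CONTROL)) + TLSCRYPT_CONTROL
```

inspect_udp_payload(PLAINTEXT_CONTROL) reports a visible TLS handshake record and the string CN=LTS,L=Southgate,O=Lawrence Systems; inspect_udp_payload(TLSCRYPT_CONTROL) reports the same opcode and session id but no handshake and no strings, which is what the two captures looked like. classify_tcp_client_first_segment(OPENVPN_TCP) still returns "openvpn-control" even though the payload is wrapped, because tls-crypt leaves the length prefix and opcode byte in place; that framing difference is one reason moving to TCP/443 only "might" get past a DPI box.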
It's a step further, but it depends on the level of sophistication of the deep packet inspection system used by the network you're on. So I just want to throw that in there as a little side note for those wondering.

All right, if you want to know more about the different ciphers, I have another video that I'll link to, which I just did, on the speed of the GCM versus CBC ciphers. And this SG-5100 was thankfully provided by the folks over at pfSense; it's what I'm testing on, and I have links to a review of it as well. If you have questions or comments, head over to the forums and let's carry on the discussion about this. Thank you. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.