Paranoid OpenVPN hardens OpenVPN profiles and provides additional optional provider-specific fixes (e.g. Private Internet Access).
When installed, Paranoid OpenVPN provides the paranoid_openvpn executable, which comes with built-in help. These are the common options:
$ pip install paranoid-openvpn
$ # usage: paranoid_openvpn [--min-tls {1.0,1.1,1.2,1.3}] [--pia] source dest
$ # Process a remote zip file of OpenVPN profiles and apply PIA fixes
$ paranoid_openvpn --pia https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip /path/to/output_dir
$ # Process one profile and allow TLS 1.2 (default is 1.3)
$ paranoid_openvpn --min-tls 1.2 /path/to/input/profile.ovpn /path/to/output/hardened.ovpn
source above can be a remote zip, a remote single profile, a local zip, a local single file, or a local directory.
Most OpenVPN users are aware of the cipher and hash settings, but that is usually the extent of the security options that people modify. OpenVPN, however, has two distinct channels that each have their own security settings: the control channel and the data channel. The cipher and hash settings apply only to the data channel, but OpenVPN exposes settings for the control channel as well. The control channel is used to exchange the keys that are then used to encrypt your traffic in the data channel.
Paranoid OpenVPN tries to match the security of the data channel to the control channel. In broad terms, OpenVPN has options for <128-bit, 128-bit, 192-bit, and 256-bit ciphers for the data channel. Paranoid OpenVPN will configure the control channel to match these protection levels, with an absolute minimum of 128-bits.
Where cryptographic judgement calls needed to be made, these rules were followed:
Most VPN providers work fine with "normal" OpenVPN profiles but some providers benefit from a few tweaks.
PIA's provided OpenVPN profiles seemingly only support AES-128-CBC and AES-256-CBC as the cipher option. However, with a little coaxing, PIA will connect using AES-256-GCM and AES-128-GCM. Use the --pia flag to allow your client to connect with these AEAD ciphers.
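The following is an added example, not paranoid-openvpn's own code, showing the two ideas above in working form: it parses a client profile, reads the data-channel cipher directive, and re-emits the control-channel directives (tls-version-min, tls-cipher for TLS 1.2 and below, tls-ciphersuites for TLS 1.3) at a matching strength with a 128-bit floor, and with a pia flag it swaps CBC ciphers for their GCM counterparts. The directive names are real OpenVPN options; the strength table, the suite mapping and the CBC-to-GCM swap are assumptions made for illustration, and the sample profile is constructed.

```python
"""Harden an OpenVPN client profile so the control channel (TLS) matches the
data channel's cipher strength.  Added example, not paranoid-openvpn's own code.
The strength table and suite mapping below are assumptions for illustration."""
import re

# Constructed sample profile, modelled on a typical provider profile.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1197
cipher aes-256-cbc
auth sha256
tls-version-min 1.0
verb 1
"""

# Approximate key strength in bits for ciphers whose name carries no number
# (assumed values; DES and 3DES fall in the "<128-bit" class).
_STRENGTH_OVERRIDES = {
    "CHACHA20-POLY1305": 256,
    "BF-CBC": 128,
    "DES-CBC": 56,
    "DES-EDE3-CBC": 112,
}

# Control-channel directives this script owns and rewrites.
_MANAGED = ("tls-version-min", "tls-cipher", "tls-ciphersuites")


def data_channel_bits(cipher_name):
    """Return the key strength in bits of a data-channel cipher name such as 'AES-128-GCM'."""
    name = cipher_name.upper()
    if name in _STRENGTH_OVERRIDES:
        return _STRENGTH_OVERRIDES[name]
    m = re.search(r"-(\d{3})-", name)  # AES-128-CBC, CAMELLIA-256-CBC, ...
    return int(m.group(1)) if m else 128


def control_channel_suites(bits):
    """Return (tls-cipher suite for TLS<=1.2, tls-ciphersuites entry for TLS 1.3)
    matching the data-channel strength.  Anything at or below 128 bits gets the
    128-bit floor; TLS has no 192-bit AES suite, so 192 rounds up to 256."""
    if bits <= 128:
        return ("TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256", "TLS_AES_128_GCM_SHA256")
    return ("TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384", "TLS_AES_256_GCM_SHA384")


def harden_profile(text, min_tls="1.3", pia=False):
    """Rewrite a profile: drop any existing managed control-channel lines and
    append fresh ones sized to the profile's 'cipher' directive."""
    out = []
    cipher = "AES-256-GCM"  # assumed default when the profile has no 'cipher' line
    for line in text.splitlines():
        stripped = line.strip()
        key, _, value = stripped.partition(" ")
        if key in _MANAGED:
            continue  # re-emitted below at the computed strength
        if key == "cipher":
            cipher = value.strip()
            # PIA-style coaxing (assumption): same key size, AEAD mode instead of CBC.
            if pia and cipher.upper().endswith("-CBC"):
                cipher = cipher.upper()[:-4] + "-GCM"
                line = f"cipher {cipher}"
        out.append(line)
    tls12_suite, tls13_suite = control_channel_suites(data_channel_bits(cipher))
    out.append(f"tls-version-min {min_tls}")
    out.append(f"tls-cipher {tls12_suite}")
    out.append(f"tls-ciphersuites {tls13_suite}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(harden_profile(SAMPLE_PROFILE, min_tls="1.2", pia=True))
```

Run it on a profile that sets cipher aes-128-cbc and the output pins the control channel to the 128-bit suites; with a 256-bit data cipher it pins AES-256-GCM suites, and with tls-version-min left at 1.3 only the tls-ciphersuites line is consulted by the client.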
If you use this project and feel it's worth a donation, check out GitHub Sponsors or Buy Me a Coffee.
A lot of inspiration for this project was taken from https://blog.securityevaluators.com/hardening-openvpn-in-2020-1672c3c4135a.
Hardening script for OpenVPN client profiles