Security Settings - georgi-dev215/openvpn-web-manager GitHub Wiki

Security Settings

Comprehensive security configuration and hardening guidelines for OpenVPN Web Manager.

Overview

Security is paramount in VPN infrastructure. This guide covers:

  • Authentication and authorization
  • Encryption and cryptographic settings
  • Network security configurations
  • Access control and monitoring
  • Security best practices and compliance

Authentication & Authorization

Admin Authentication

Basic Authentication

# Default configuration
# Keep the real password out of the config file (environment variable or
# secrets store) and change the shipped default before exposing the UI.
BASIC_AUTH = {
    'enabled': True,
    'username': 'admin',
    'password': 'secure_password_here',
    'session_timeout': 3600,  # 1 hour
    'max_login_attempts': 5,
    'lockout_duration': 900   # 15 minutes
}

Multi-Factor Authentication (MFA)

# TOTP (Time-based One-Time Password)
MFA_CONFIG = {
    'enabled': True,
    'provider': 'totp',
    'issuer': 'OpenVPN Manager',
    'qr_code_generation': True,
    'backup_codes': True,
    'enforce_for_admin': True
}

External Authentication

# LDAP Integration
# Prefer ldaps://host:636 (or StartTLS) so the bind password and user
# credentials are not sent in the clear over plain ldap://
LDAP_CONFIG = {
    'enabled': False,
    'server': 'ldap://your-domain.com:389',
    'base_dn': 'DC=yourdomain,DC=com',
    'bind_dn': 'CN=service-account,OU=Users,DC=yourdomain,DC=com',
    'bind_password': 'service_password',
    'user_filter': '(sAMAccountName={username})',
    'group_filter': 'CN=VPN-Admins,OU=Groups,DC=yourdomain,DC=com'
}

# OAuth 2.0 / OpenID Connect
OAUTH_CONFIG = {
    'enabled': False,
    'provider': 'google',  # google, microsoft, github
    'client_id': 'your_client_id',
    'client_secret': 'your_client_secret',
    'redirect_uri': 'https://your-domain.com/auth/callback',
    'scope': ['openid', 'email', 'profile']
}

Role-Based Access Control (RBAC)

User Roles

Roles:
  super_admin:
    permissions: ['*']
    description: Full system access
    
  admin:
    permissions:
      - 'clients.*'
      - 'servers.read'
      - 'config.read'
      - 'monitoring.*'
    description: Standard administrator
    
  operator:
    permissions:
      - 'clients.read'
      - 'clients.create'
      - 'monitoring.read'
    description: Day-to-day operations
    
  viewer:
    permissions:
      - 'dashboard.read'
      - 'clients.read'
      - 'monitoring.read'
    description: Read-only access

Permission Management

# Role assignment
USER_ROLES = {
    'admin': 'super_admin',
    'operator1': 'admin',
    'support1': 'operator',
    'auditor1': 'viewer'
}

# Permission sets, mirroring the roles table above
ROLES = {
    'super_admin': {'permissions': ['*']},
    'admin': {'permissions': ['clients.*', 'servers.read', 'config.read', 'monitoring.*']},
    'operator': {'permissions': ['clients.read', 'clients.create', 'monitoring.read']},
    'viewer': {'permissions': ['dashboard.read', 'clients.read', 'monitoring.read']},
}

def get_user_role(user):
    # Unknown users have no role (and therefore no permissions)
    return USER_ROLES.get(user)

# Dynamic permissions
def check_permission(user, action, resource):
    user_role = get_user_role(user)
    # Deny by default: an unknown role yields an empty permission list
    permissions = ROLES.get(user_role, {}).get('permissions', [])

    return (
        '*' in permissions or
        f'{resource}.*' in permissions or
        f'{resource}.{action}' in permissions
    )

Encryption & Cryptography

TLS/SSL Configuration

Web Interface SSL

# SSL Configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;

# HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=63072000" always;

# Certificate configuration
ssl_certificate /etc/ssl/certs/openvpn-manager.crt;
ssl_certificate_key /etc/ssl/private/openvpn-manager.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Certificate Management

# Generate strong DH parameters
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

# Create self-signed certificate (development)
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
    -keyout /etc/ssl/private/openvpn-manager.key \
    -out /etc/ssl/certs/openvpn-manager.crt \
    -subj "/C=US/ST=State/L=City/O=Organization/CN=your-domain.com"

# Let's Encrypt certificate (production)
certbot --nginx -d your-domain.com

OpenVPN Cryptographic Settings

Encryption Configuration

# Strong cipher configuration
# (OpenVPN 2.5+ negotiates the data-channel cipher via data-ciphers;
#  "cipher" stays as the fallback for older clients)
cipher AES-256-GCM
# With an AEAD data cipher, auth only covers the control channel / tls-crypt HMAC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

# Key sizes are not OpenVPN directives: the RSA size is fixed when the CA
# issues the certificate (EASYRSA_KEY_SIZE below) and the DH size when
# dhparam.pem is generated (openssl dhparam above). Options such as
# rsa-key-size/dh-key-size are rejected as unknown and OpenVPN will not start.

# Additional security: tls-auth and tls-crypt are mutually exclusive, use one.
# tls-crypt authenticates and encrypts the control channel, so prefer it.
tls-crypt tls-crypt.key
# tls-auth ta.key 0   (alternative: control-channel authentication only)

Certificate Authority (CA) Security

# Secure CA configuration
export EASYRSA_KEY_SIZE=4096
export EASYRSA_DIGEST="sha512"
export EASYRSA_CA_EXPIRE=3650
export EASYRSA_CERT_EXPIRE=365

# Offline CA root key storage
# Store root CA private key offline
# Use intermediate CA for daily operations

Data Protection

Database Security

# Database encryption
import os

DATABASE_CONFIG = {
    'encryption': True,
    'encryption_key': os.environ.get('DB_ENCRYPTION_KEY'),  # never a literal in the file
    'backup_encryption': True,
    'sensitive_data_hashing': True
}

# Sensitive data handling
SENSITIVE_FIELDS = [
    'passwords',
    'private_keys', 
    'ssh_credentials',
    'api_tokens'
]

Backup Security

# Encrypted backups
gpg --cipher-algo AES256 --compress-algo 1 --s2k-mode 3 \
    --s2k-digest-algo SHA512 --s2k-count 65536 \
    --symmetric --output backup.gpg backup.tar

# Backup verification
gpg --decrypt backup.gpg | tar -tf -

Network Security

Firewall Configuration

IPTables Rules

#!/bin/bash
# OpenVPN Manager Firewall Rules

# Clear existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH access (restrict to admin IPs)
iptables -A INPUT -p tcp --dport 22 -s ADMIN_IP_RANGE -j ACCEPT

# Web interface (HTTPS only)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# OpenVPN port
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

# Management interface (localhost only)
iptables -A INPUT -p tcp --dport 8822 -s 127.0.0.1 -j ACCEPT

# Log dropped packets
iptables -A INPUT -j LOG --log-prefix "DROPPED: "
iptables -A INPUT -j DROP

UFW Configuration

# Simple firewall setup with UFW
ufw default deny incoming
ufw default allow outgoing

# Allow SSH from specific IPs
ufw allow from ADMIN_IP to any port 22

# Allow HTTPS
ufw allow 443/tcp

# Allow OpenVPN
ufw allow 1194/udp

# Enable firewall
ufw enable

Network Segmentation

VLAN Configuration

# Management VLAN (VLAN 100)
ip link add link eth0 name eth0.100 type vlan id 100
ip addr add 192.168.100.1/24 dev eth0.100
ip link set dev eth0.100 up

# VPN Client VLAN (VLAN 200)  
ip link add link eth0 name eth0.200 type vlan id 200
ip addr add 10.8.0.1/24 dev eth0.200
ip link set dev eth0.200 up

Network Policies

NETWORK_POLICIES = {
    'management_network': {
        'cidr': '192.168.100.0/24',
        'access_level': 'admin_only',
        'allowed_protocols': ['https', 'ssh']
    },
    'vpn_network': {
        'cidr': '10.8.0.0/24', 
        'access_level': 'client_access',
        'allowed_protocols': ['openvpn']
    },
    'isolation': {
        'client_to_client': False,
        'client_to_management': False,
        'management_to_internet': True
    }
}

Access Control & Monitoring

IP-Based Access Control

Admin Access Restrictions

# Administrative access whitelist
ADMIN_IP_WHITELIST = [
    '192.168.1.0/24',    # Office network
    '10.0.0.0/8',        # Internal networks
    '203.0.113.50/32'    # Admin home IP
]

# Geographic restrictions
GEO_RESTRICTIONS = {
    'enabled': True,
    'allowed_countries': ['US', 'CA', 'GB', 'DE'],
    'blocked_countries': ['CN', 'RU', 'KP'],
    'action': 'block'  # block, log, notify
}

Client Access Control

# Time-based access control
TIME_BASED_ACCESS = {
    'business_hours': {
        'days': ['monday', 'tuesday', 'wednesday', 'thursday', 'friday'],
        'hours': '09:00-17:00',
        'timezone': 'UTC'
    },
    'weekend_access': {
        'enabled': False,
        'emergency_override': True
    }
}

# Device-based restrictions
DEVICE_RESTRICTIONS = {
    'max_concurrent_sessions': 3,
    'device_fingerprinting': True,
    'unknown_device_action': 'notify_admin'
}
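Added example (not part of the project's code): a deny-by-default check of a client address against ADMIN_IP_WHITELIST and of a timestamp against TIME_BASED_ACCESS, using the values from the settings above. Function names and the ISO-8601 string input form are assumptions.

```python
import ipaddress
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Values copied from the settings above
ADMIN_IP_WHITELIST = ['192.168.1.0/24', '10.0.0.0/8', '203.0.113.50/32']
TIME_BASED_ACCESS = {
    'business_hours': {'days': ['monday', 'tuesday', 'wednesday', 'thursday', 'friday'],
                       'hours': '09:00-17:00', 'timezone': 'UTC'},
    'weekend_access': {'enabled': False, 'emergency_override': True}
}
DAY_NAMES = ['monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday', 'sunday']

# Parse once at startup. strict=True rejects '192.168.1.5/24' (host bits set),
# so a typo fails loudly instead of silently widening the allowed range.
_ALLOWED_NETS = [ipaddress.ip_network(c, strict=True) for c in ADMIN_IP_WHITELIST]

def is_admin_ip_allowed(client_ip):
    """True if client_ip is inside a whitelisted network.

    client_ip must be the peer address the server saw (or the value set by a
    trusted reverse proxy), never an unvalidated X-Forwarded-For header.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False        # malformed input is denied, not ignored
    return any(addr in net for net in _ALLOWED_NETS)

def _minutes(hhmm):
    h, m = (int(x) for x in hhmm.split(':'))
    return h * 60 + m

def is_within_business_hours(when, policy=TIME_BASED_ACCESS):
    """True if `when` (aware datetime, or ISO-8601 string with UTC offset)
    falls inside the policy window; weekends follow weekend_access.enabled."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        raise ValueError('time-based policy needs a timezone-aware timestamp')
    bh = policy['business_hours']
    tz = timezone.utc if bh['timezone'].upper() == 'UTC' else ZoneInfo(bh['timezone'])
    local = when.astimezone(tz)
    if DAY_NAMES[local.weekday()] not in bh['days']:
        return policy['weekend_access']['enabled']
    start, end = (_minutes(p) for p in bh['hours'].split('-'))
    now = local.hour * 60 + local.minute
    return start <= now < end    # end is exclusive: 17:00 is already outside
```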

Security Monitoring

Intrusion Detection

# Failed login monitoring
SECURITY_MONITORING = {
    'failed_logins': {
        'threshold': 5,
        'time_window': 300,  # 5 minutes
        'action': ['block_ip', 'notify_admin']
    },
    'unusual_activity': {
        'multiple_locations': True,
        'off_hours_access': True,
        'privilege_escalation': True
    }
}

Log Analysis

# Security log monitoring
tail -f /var/log/openvpn-manager/security.log | \
grep -E "(FAILED_LOGIN|UNAUTHORIZED|SUSPICIOUS)"

# Automated threat detection
./security-monitor.py --rules /etc/security-rules.yaml \
    --log-file /var/log/openvpn-manager/access.log \
    --action email,syslog
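Added example (not the project's security-monitor.py): the failed_logins rule from SECURITY_MONITORING above applied to security.log lines like the ones the grep above filters for, with the sliding window and the reset-after-firing behaviour a practitioner would expect. The log line format and the sample lines are constructed assumptions; adapt LINE_RE to the real format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGINS_RULE = {'threshold': 5, 'time_window': 300,   # from SECURITY_MONITORING
                      'action': ['block_ip', 'notify_admin']}

# Constructed sample of security.log in an ASSUMED format:
#   <ISO-8601 UTC timestamp> <EVENT> key=value ...
SAMPLE_LOG = """\
2024-03-06T10:00:00Z FAILED_LOGIN user=admin ip=203.0.113.9
2024-03-06T10:00:30Z FAILED_LOGIN user=admin ip=203.0.113.9
2024-03-06T10:01:00Z FAILED_LOGIN user=root ip=203.0.113.9
2024-03-06T10:01:20Z LOGIN_OK user=operator1 ip=192.168.1.20
2024-03-06T10:02:00Z FAILED_LOGIN user=admin ip=203.0.113.9
2024-03-06T10:03:00Z FAILED_LOGIN user=admin ip=198.51.100.7
2024-03-06T10:03:10Z FAILED_LOGIN user=admin ip=198.51.100.7
2024-03-06T10:03:20Z FAILED_LOGIN user=admin ip=198.51.100.7
2024-03-06T10:03:30Z FAILED_LOGIN user=admin ip=198.51.100.7
2024-03-06T10:04:59Z FAILED_LOGIN user=admin ip=203.0.113.9
2024-03-06T10:08:01Z FAILED_LOGIN user=admin ip=198.51.100.7
"""
LINE_RE = re.compile(r'^(\S+)\s+(FAILED_LOGIN|UNAUTHORIZED|SUSPICIOUS)\b.*?\bip=(\S+)')

def parse_line(line):
    """(timestamp, event, ip) for a security event line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace('Z', '+00:00'))
    return ts, m.group(2), m.group(3)

def detect_bruteforce(log_text, rule=FAILED_LOGINS_RULE):
    """Return [(ip, iso_timestamp, actions)] each time a source IP reaches
    `threshold` FAILED_LOGIN events within `time_window` seconds."""
    recent = defaultdict(deque)          # ip -> failure timestamps still in window
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != 'FAILED_LOGIN':
            continue
        ts, _, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > rule['time_window']:
            q.popleft()                  # expire failures older than the window
        if len(q) >= rule['threshold']:
            alerts.append((ip, ts.isoformat(), list(rule['action'])))
            q.clear()                    # report once per `threshold` failures
    return alerts
```

In the sample, 203.0.113.9 reaches five failures 299 s apart and fires, while 198.51.100.7 spreads its fifth failure 301 s after the first and stays below the threshold.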

Audit & Compliance

Audit Logging

AUDIT_CONFIG = {
    'enabled': True,
    'log_level': 'INFO',
    'events': [
        'admin_login',
        'client_creation',
        'client_revocation', 
        'config_changes',
        'certificate_operations',
        'cluster_operations'
    ],
    'retention_days': 365,
    'export_format': 'json'
}

Compliance Reports

# Generate compliance report
def generate_compliance_report(start_date, end_date):
    report = {
        'audit_events': get_audit_events(start_date, end_date),
        'security_incidents': get_security_incidents(start_date, end_date),
        'access_reviews': get_access_reviews(start_date, end_date),
        'certificate_status': get_certificate_status(),
        'policy_compliance': check_policy_compliance()
    }
    return report

Security Best Practices

Administrative Security

Strong Authentication

  • Use complex passwords (minimum 12 characters)
  • Enable multi-factor authentication
  • Regular password rotation (90 days)
  • Account lockout after failed attempts
  • Session timeout configuration

Secure Administration

# Secure admin practices
- Use dedicated admin workstations
- VPN-only administrative access
- Principle of least privilege
- Regular access reviews
- Segregation of duties

Certificate Management

Certificate Security

# Certificate best practices
- 4096-bit RSA keys minimum
- Annual certificate rotation
- Offline root CA storage
- Hardware Security Module (HSM) for production
- Certificate transparency logging

Key Management

KEY_MANAGEMENT = {
    'storage': 'encrypted',
    'backup': 'multiple_locations',
    'access_control': 'role_based',
    'rotation_schedule': 'annual',
    'escrow': 'enabled'
}

Operational Security

System Hardening

# System hardening checklist
- Disable unnecessary services
- Apply security updates regularly
- Configure fail2ban
- Enable SELinux/AppArmor
- Remove default accounts
- Configure log rotation
- Implement file integrity monitoring

Monitoring & Alerting

SECURITY_ALERTS = {
    'email_notifications': True,
    'syslog_integration': True,
    'webhook_alerts': True,
    'escalation_rules': {
        'critical': '5_minutes',
        'high': '15_minutes',
        'medium': '1_hour'
    }
}

Incident Response

Security Incident Procedures

Incident Classification

Severity Levels:
  P1_Critical:
    - System compromise
    - Data breach
    - Service unavailability
    Response Time: Immediate
    
  P2_High:
    - Security policy violation  
    - Unauthorized access attempt
    - Certificate compromise
    Response Time: 1 hour
    
  P3_Medium:
    - Suspicious activity
    - Configuration drift
    - Failed security controls
    Response Time: 4 hours

Response Procedures

  1. Detection & Analysis
     • Identify incident scope
     • Preserve evidence
     • Initial impact assessment
  2. Containment
     • Isolate affected systems
     • Prevent further damage
     • Maintain service availability
  3. Eradication & Recovery
     • Remove threat
     • Restore systems
     • Implement additional controls
  4. Post-Incident Analysis
     • Root cause analysis
     • Lessons learned
     • Process improvements

Emergency Procedures

Security Breach Response

#!/bin/bash
# Emergency security response script
# Run from the console or an out-of-band channel: the DROP rule below also
# cuts inbound SSH, including the session running this script.

# Immediate actions
systemctl stop openvpn-webmanager
# Insert at position 1: an appended (-A) DROP would sit behind the existing
# ACCEPT rules and block nothing.
iptables -I INPUT 1 -j DROP  # Block all traffic
mkdir -p /secure/backup
cp -a /var/log/openvpn-manager/* /secure/backup/  # Preserve logs with timestamps and ownership intact

# Notify security team
./notify-security-team.sh "SECURITY BREACH DETECTED"

# Generate incident report
./generate-incident-report.sh --severity critical

Certificate Compromise

#!/bin/bash
# Certificate compromise response
set -euo pipefail

# Abort with a clear message instead of revoking nothing when the variable is unset
: "${COMPROMISED_CLIENT:?set COMPROMISED_CLIENT to the compromised client name}"

# Revoke compromised certificates
./revoke-certificate.sh --client "${COMPROMISED_CLIENT}"

# Update CRL
./update-crl.sh --distribute

# Force client reconnection
./force-reconnect.sh --all-clients

# Generate new certificates if needed
./regenerate-certificates.sh --batch-mode
