Security Settings - georgi-dev215/openvpn-web-manager GitHub Wiki
Security Settings
Comprehensive security configuration and hardening guidelines for OpenVPN Web Manager.
Overview
Security is paramount in VPN infrastructure. This guide covers:
- Authentication and authorization
- Encryption and cryptographic settings
- Network security configurations
- Access control and monitoring
- Security best practices and compliance
Authentication & Authorization
Admin Authentication
Basic Authentication
# Default configuration
# Do not leave a real password in this file: load it from the environment or a
# secrets file at startup and store only a salted hash wherever the application
# persists it. 'secure_password_here' is a placeholder to replace at install time.
BASIC_AUTH = {
    'enabled': True,
    'username': 'admin',
    'password': 'secure_password_here',
    'session_timeout': 3600,  # 1 hour
    'max_login_attempts': 5,
    'lockout_duration': 900  # 15 minutes
}
Multi-Factor Authentication (MFA)
# TOTP (Time-based One-Time Password)
MFA_CONFIG = {
'enabled': True,
'provider': 'totp',
'issuer': 'OpenVPN Manager',
'qr_code_generation': True,
'backup_codes': True,
'enforce_for_admin': True
}
External Authentication
import os
# LDAP Integration
# Use LDAPS (or StartTLS) so the bind password and user credentials never cross
# the network in clear; plain ldap://host:389 belongs in lab setups only.
LDAP_CONFIG = {
    'enabled': False,
    'server': 'ldaps://your-domain.com:636',
    'base_dn': 'DC=yourdomain,DC=com',
    'bind_dn': 'CN=service-account,OU=Users,DC=yourdomain,DC=com',
    'bind_password': os.environ.get('LDAP_BIND_PASSWORD'),  # keep the secret out of the config file
    'user_filter': '(sAMAccountName={username})',
    # DN of the group whose members may administer the manager
    'group_filter': 'CN=VPN-Admins,OU=Groups,DC=yourdomain,DC=com'
}
# OAuth 2.0 / OpenID Connect
OAUTH_CONFIG = {
    'enabled': False,
    'provider': 'google',  # google, microsoft, github
    'client_id': 'your_client_id',
    'client_secret': os.environ.get('OAUTH_CLIENT_SECRET'),  # never commit the real value
    # must be HTTPS and match the URI registered with the provider exactly
    'redirect_uri': 'https://your-domain.com/auth/callback',
    'scope': ['openid', 'email', 'profile']
}
Role-Based Access Control (RBAC)
User Roles
Roles:
  super_admin:
    permissions: ['*']
    description: Full system access
  admin:
    permissions:
      - 'clients.*'
      - 'servers.read'
      - 'config.read'
      - 'monitoring.*'
    description: Standard administrator
  operator:
    permissions:
      - 'clients.read'
      - 'clients.create'
      - 'monitoring.read'
    description: Day-to-day operations
  viewer:
    permissions:
      - 'dashboard.read'
      - 'clients.read'
      - 'monitoring.read'
    description: Read-only access
Permission Management
# Role assignment
USER_ROLES = {
'admin': 'super_admin',
'operator1': 'admin',
'support1': 'operator',
'auditor1': 'viewer'
}
# Dynamic permissions
# ROLES holds the Roles table above as a dict; USER_ROLES maps users to role names.
# Unknown users or roles fall through to deny, so a missing entry can never grant access.
def check_permission(user, action, resource):
    user_role = USER_ROLES.get(user)
    if user_role is None or user_role not in ROLES:
        return False
    permissions = ROLES[user_role]['permissions']
    return (
        '*' in permissions or
        f'{resource}.*' in permissions or
        f'{resource}.{action}' in permissions
    )
Encryption & Cryptography
TLS/SSL Configuration
Web Interface SSL
# SSL Configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
# HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=63072000" always;
# Certificate configuration
ssl_certificate /etc/ssl/certs/openvpn-manager.crt;
ssl_certificate_key /etc/ssl/private/openvpn-manager.key;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
Certificate Management
# Generate strong DH parameters (only needed if a DHE suite is enabled; the
# ECDHE-only cipher list above never uses them, so this step is optional)
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
# Create self-signed certificate (development)
# Browsers validate the subjectAltName, not the CN, so include it (-addext needs OpenSSL 1.1.1+)
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
  -keyout /etc/ssl/private/openvpn-manager.key \
  -out /etc/ssl/certs/openvpn-manager.crt \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=your-domain.com" \
  -addext "subjectAltName=DNS:your-domain.com"
chmod 600 /etc/ssl/private/openvpn-manager.key
# Let's Encrypt certificate (production)
certbot --nginx -d your-domain.com
OpenVPN Cryptographic Settings
Encryption Configuration
# Strong cipher configuration (OpenVPN 2.5+)
# Data channel: AEAD ciphers only. data-ciphers drives negotiation with 2.5+
# clients; the single cipher line is the legacy fallback for older ones.
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
# auth selects the HMAC for the tls-auth key and for non-AEAD data ciphers;
# an AEAD cipher such as AES-256-GCM authenticates the data channel itself.
auth SHA512
tls-version-min 1.2
# tls-cipher restricts TLS 1.2 suites; TLS 1.3 suites are set separately.
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
tls-ciphersuites TLS_AES_256_GCM_SHA384
# Key sizes are not OpenVPN directives: choose them when generating the PKI
# (Easy-RSA: EASYRSA_KEY_SIZE=4096) and the DH parameters (openssl dhparam 4096),
# then reference the generated files here.
dh dh.pem
# Additional security: tls-crypt encrypts and authenticates the control channel
# and supersedes tls-auth; the two are mutually exclusive, so configure only one.
tls-crypt tls-crypt.key
# tls-auth ta.key 0    # legacy alternative (HMAC only, no control-channel encryption)
# Reject revoked client certificates (see Certificate Compromise below)
crl-verify crl.pem
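An added check, not code from the project: a small auditor that parses an OpenVPN server config and flags the conflicts and weak settings discussed above (tls-auth together with tls-crypt, a TLS floor below 1.2, non-AEAD data ciphers, a weak auth HMAC, compression, and a missing crl-verify). Both sample configs are constructed for this example, and parse_config / audit_openvpn_config are names chosen here.

```python
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "AES-192-GCM", "CHACHA20-POLY1305"}
WEAK_HMACS = {"MD5", "SHA1", "NONE"}

# Constructed sample: a server config carrying the weaknesses the audit looks for.
WEAK_CONFIG = """\
port 1194
proto udp
dev tun
cipher AES-256-CBC
auth SHA1
tls-version-min 1.0
tls-auth ta.key 0
tls-crypt tls-crypt.key
comp-lzo
"""

# Constructed sample: the same server with the settings from this page applied.
HARDENED_CONFIG = """\
port 1194
proto udp
dev tun
data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-crypt tls-crypt.key
crl-verify crl.pem
"""


def parse_config(text):
    """Map each directive to the list of its argument strings (repeated directives keep every occurrence)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN accepts both as comment markers
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives


def audit_openvpn_config(text):
    """Return a list of findings; an empty list means nothing weak or conflicting was found."""
    cfg = parse_config(text)
    findings = []

    # Control channel: tls-crypt and tls-auth cannot both be active
    if "tls-auth" in cfg and "tls-crypt" in cfg:
        findings.append("tls-auth and tls-crypt are mutually exclusive; keep tls-crypt only")
    elif not any(k in cfg for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("control channel has no tls-crypt/tls-auth key")

    # TLS floor (OpenVPN's own default allows 1.0)
    version = cfg.get("tls-version-min", ["1.0"])[-1].split()[0]
    if float(version) < 1.2:
        findings.append(f"tls-version-min {version}: set 1.2 or higher")

    # Data channel: with data-ciphers every negotiable cipher must be AEAD; without
    # it the legacy cipher directive decides (pre-2.5 servers default to BF-CBC)
    if "data-ciphers" in cfg:
        offered = cfg["data-ciphers"][-1].split(":")
    else:
        offered = [cfg.get("cipher", ["BF-CBC"])[-1]]
    for c in offered:
        if c.upper() not in AEAD_CIPHERS:
            findings.append(f"non-AEAD data cipher {c}: use AES-256-GCM/AES-128-GCM")

    # HMAC used by tls-auth and by any non-AEAD cipher (default is SHA1)
    if cfg.get("auth", ["SHA1"])[-1].upper() in WEAK_HMACS:
        findings.append("auth uses a weak HMAC: use SHA256 or SHA512")

    # Compression leaks plaintext structure (VORACLE); OpenVPN 2.5+ deprecates it
    if "comp-lzo" in cfg or "compress" in cfg:
        findings.append("compression enabled: remove comp-lzo/compress")

    # Revocation only works when the server actually checks the CRL
    if "crl-verify" not in cfg:
        findings.append("crl-verify missing: revoked client certificates would still be accepted")

    return findings
```

Run it against every server's config after a change and before restarting OpenVPN; a non-empty result is a blocking finding, not a warning.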
Certificate Authority (CA) Security
# Secure CA configuration
export EASYRSA_KEY_SIZE=4096
export EASYRSA_DIGEST="sha512"
export EASYRSA_CA_EXPIRE=3650
export EASYRSA_CERT_EXPIRE=365
# Offline CA root key storage
# Store root CA private key offline
# Use intermediate CA for daily operations
Data Protection
Database Security
import os
# Database encryption: the key comes from the environment so it is never
# written into the config file or committed alongside it
DATABASE_CONFIG = {
    'encryption': True,
    'encryption_key': os.environ.get('DB_ENCRYPTION_KEY'),
    'backup_encryption': True,
    'sensitive_data_hashing': True
}
# Sensitive data handling
SENSITIVE_FIELDS = [
'passwords',
'private_keys',
'ssh_credentials',
'api_tokens'
]
Backup Security
# Encrypted backups
# --s2k-count is the passphrase-stretching iteration count; 65536 is far below
# gpg's own calibrated default, so use the maximum (65011712) or omit the flag.
gpg --cipher-algo AES256 --compress-algo 1 --s2k-mode 3 \
    --s2k-digest-algo SHA512 --s2k-count 65011712 \
    --symmetric --output backup.gpg backup.tar
# Backup verification (decrypts and lists the archive members without extracting them)
gpg --decrypt backup.gpg | tar -tf - > /dev/null && echo "backup OK"
Network Security
Firewall Configuration
IPTables Rules
#!/bin/bash
# OpenVPN Manager Firewall Rules
# Run from a console or out-of-band session: the rules are flushed before the
# allow rules are re-added, so a remote SSH session can drop in between.
set -e
ADMIN_IP_RANGE="${ADMIN_IP_RANGE:?set ADMIN_IP_RANGE, e.g. 203.0.113.0/24}"
# Clear existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections (conntrack is the current form of the old state match)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH access (restrict to admin IPs)
iptables -A INPUT -p tcp --dport 22 -s "$ADMIN_IP_RANGE" -j ACCEPT
# Web interface (HTTPS only)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# OpenVPN port
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# Management interface (localhost only): the loopback rule above already covers
# this when the interface binds to 127.0.0.1; this rule documents the intent.
iptables -A INPUT -p tcp --dport 8822 -s 127.0.0.1 -j ACCEPT
# Log dropped packets, rate-limited so a flood cannot fill the disk
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "DROPPED: "
iptables -A INPUT -j DROP
# Caveat: with FORWARD set to DROP, traffic that VPN clients route through this
# host is blocked until you add the FORWARD (tun0 <-> eth0) and NAT rules your
# deployment needs; a host that only serves the web interface needs none.
UFW Configuration
# Simple firewall setup with UFW
ufw default deny incoming
ufw default allow outgoing
# Allow SSH from specific IPs only
ufw allow from ADMIN_IP to any port 22 proto tcp
# Allow HTTPS
ufw allow 443/tcp
# Allow OpenVPN
ufw allow 1194/udp
# Log denied packets (ufw rate-limits its own logging) and enable the firewall
ufw logging low
ufw enable
Network Segmentation
VLAN Configuration
# Management VLAN (VLAN 100)
ip link add link eth0 name eth0.100 type vlan id 100
ip addr add 192.168.100.1/24 dev eth0.100
ip link set dev eth0.100 up
# VPN Client VLAN (VLAN 200)
ip link add link eth0 name eth0.200 type vlan id 200
ip addr add 10.8.0.1/24 dev eth0.200
ip link set dev eth0.200 up
Network Policies
NETWORK_POLICIES = {
'management_network': {
'cidr': '192.168.100.0/24',
'access_level': 'admin_only',
'allowed_protocols': ['https', 'ssh']
},
'vpn_network': {
'cidr': '10.8.0.0/24',
'access_level': 'client_access',
'allowed_protocols': ['openvpn']
},
'isolation': {
'client_to_client': False,
'client_to_management': False,
'management_to_internet': True
}
}
Access Control & Monitoring
IP-Based Access Control
Admin Access Restrictions
# Administrative access whitelist
ADMIN_IP_WHITELIST = [
'192.168.1.0/24', # Office network
'10.0.0.0/8', # Internal networks
'203.0.113.50/32' # Admin home IP
]
# Geographic restrictions
GEO_RESTRICTIONS = {
'enabled': True,
'allowed_countries': ['US', 'CA', 'GB', 'DE'],
'blocked_countries': ['CN', 'RU', 'KP'],
'action': 'block' # block, log, notify
}
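Enforcing ADMIN_IP_WHITELIST correctly behind the nginx front end configured above, as an added example that is not code from the project: the allowlist must be evaluated against the real client address, and X-Forwarded-For is only trustworthy when the TCP peer is one of your own proxies; a direct connection can carry any header it likes. TRUSTED_PROXIES (nginx on localhost) is an assumption of this example, and client_ip / is_admin_source are names chosen here.

```python
import ipaddress
from typing import Optional

ADMIN_IP_WHITELIST = [
    '192.168.1.0/24',   # Office network
    '10.0.0.0/8',       # Internal networks
    '203.0.113.50/32'   # Admin home IP
]
# Constructed assumption: the reverse proxy that terminates TLS in front of the
# web interface (nginx on the same host). Only these peers may set X-Forwarded-For.
TRUSTED_PROXIES = ['127.0.0.1/32']

ADMIN_NETS = [ipaddress.ip_network(c) for c in ADMIN_IP_WHITELIST]
PROXY_NETS = [ipaddress.ip_network(c) for c in TRUSTED_PROXIES]


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> Optional[str]:
    """Resolve the address the allowlist is evaluated against.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy; a
    direct connection carrying the header is an impersonation attempt and the
    header is ignored. The chain is read right to left, skipping our own proxies:
    the first untrusted hop is the client the proxy actually talked to, anything
    further left was supplied by that client. Returns None when the client
    cannot be established, so callers fail closed.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not in_any(peer, PROXY_NETS):
        return str(peer)
    if not x_forwarded_for:
        return None   # proxy forwarded nothing usable
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None   # malformed chain: fail closed
        if not in_any(addr, PROXY_NETS):
            return str(addr)
    return None


def is_admin_source(remote_addr: str, x_forwarded_for: Optional[str] = None) -> bool:
    """True only when the resolved client address falls inside ADMIN_IP_WHITELIST."""
    ip = client_ip(remote_addr, x_forwarded_for)
    return ip is not None and in_any(ipaddress.ip_address(ip), ADMIN_NETS)
```

The same rule applies to GEO_RESTRICTIONS and to the failed-login blocking below: every control keyed on a source address has to use the resolved client address, or an attacker behind the proxy either bypasses it or gets the proxy's own address blocked.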
Client Access Control
# Time-based access control
TIME_BASED_ACCESS = {
'business_hours': {
'days': ['monday', 'tuesday', 'wednesday', 'thursday', 'friday'],
'hours': '09:00-17:00',
'timezone': 'UTC'
},
'weekend_access': {
'enabled': False,
'emergency_override': True
}
}
# Device-based restrictions
DEVICE_RESTRICTIONS = {
'max_concurrent_sessions': 3,
'device_fingerprinting': True,
'unknown_device_action': 'notify_admin'
}
Security Monitoring
Intrusion Detection
# Failed login monitoring
SECURITY_MONITORING = {
'failed_logins': {
'threshold': 5,
'time_window': 300, # 5 minutes
'action': ['block_ip', 'notify_admin']
},
'unusual_activity': {
'multiple_locations': True,
'off_hours_access': True,
'privilege_escalation': True
}
}
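The failed-login rule from SECURITY_MONITORING (5 failures within 300 seconds from one source) run over sample log lines, as an added example rather than the project's own monitor. The manager's real security.log line format is not shown on this page, so the sample lines and the "<timestamp> <EVENT> user=<u> ip=<a>" layout are constructed here; FailedLoginDetector and scan are names chosen for the example. The second source in the sample fails five times but never five times inside one window, which is exactly the case a naive total count would get wrong.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Optional

THRESHOLD = 5          # failures ...
WINDOW_SECONDS = 300   # ... within this many seconds trigger a block

# Constructed sample of security.log lines (format assumed for this example)
SAMPLE_LOG = """\
2024-05-01T10:00:00Z FAILED_LOGIN user=admin ip=198.51.100.7
2024-05-01T10:00:05Z FAILED_LOGIN user=admin ip=198.51.100.7
2024-05-01T10:00:20Z LOGIN_OK user=operator1 ip=192.168.1.20
2024-05-01T10:01:00Z FAILED_LOGIN user=root ip=198.51.100.7
2024-05-01T10:01:30Z FAILED_LOGIN user=admin ip=203.0.113.9
2024-05-01T10:02:00Z FAILED_LOGIN user=admin ip=198.51.100.7
2024-05-01T10:03:30Z FAILED_LOGIN user=admin ip=203.0.113.9
2024-05-01T10:04:00Z FAILED_LOGIN user=test ip=198.51.100.7
2024-05-01T10:05:30Z FAILED_LOGIN user=admin ip=203.0.113.9
2024-05-01T10:07:30Z FAILED_LOGIN user=admin ip=203.0.113.9
2024-05-01T10:09:30Z FAILED_LOGIN user=admin ip=203.0.113.9
""".splitlines()


def parse_line(line: str):
    """Return (epoch_seconds, event, user, ip), or None for lines that do not match the format."""
    try:
        ts, event, user_kv, ip_kv = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return int(stamp.timestamp()), event, user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]
    except (ValueError, IndexError):
        return None


class FailedLoginDetector:
    """Sliding-window failure counter per source IP."""

    def __init__(self, threshold: int = THRESHOLD, window: int = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = []                    # IPs already handed to block_ip, in order

    def feed(self, line: str) -> Optional[str]:
        """Consume one log line; return the IP if this line pushed it over the threshold."""
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "FAILED_LOGIN":
            return None
        ts, _, _, ip = parsed
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked.append(ip)
            return ip
        return None


def scan(lines):
    """Run the detector over a sequence of lines; return the IPs to block, in detection order."""
    det = FailedLoginDetector()
    return [ip for ip in (det.feed(line) for line in lines) if ip]
```

Each returned IP is what the 'block_ip' and 'notify_admin' actions would receive; feed it the resolved client address, not the proxy's, when the manager runs behind nginx.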
Log Analysis
# Security log monitoring
tail -f /var/log/openvpn-manager/security.log | \
grep -E "(FAILED_LOGIN|UNAUTHORIZED|SUSPICIOUS)"
# Automated threat detection
./security-monitor.py --rules /etc/security-rules.yaml \
--log-file /var/log/openvpn-manager/access.log \
--action email,syslog
Audit & Compliance
Audit Logging
AUDIT_CONFIG = {
'enabled': True,
'log_level': 'INFO',
'events': [
'admin_login',
'client_creation',
'client_revocation',
'config_changes',
'certificate_operations',
'cluster_operations'
],
'retention_days': 365,
'export_format': 'json'
}
Compliance Reports
# Generate compliance report
def generate_compliance_report(start_date, end_date):
    report = {
        'audit_events': get_audit_events(start_date, end_date),
        'security_incidents': get_security_incidents(start_date, end_date),
        'access_reviews': get_access_reviews(start_date, end_date),
        'certificate_status': get_certificate_status(),
        'policy_compliance': check_policy_compliance()
    }
    return report
Security Best Practices
Administrative Security
Strong Authentication
- Use long passwords or passphrases (minimum 12 characters; length counts for more than character-class rules, and reject candidates found in breached-password lists)
- Enable multi-factor authentication for every admin account
- Rotate passwords on any sign of compromise; if policy also mandates a fixed cycle (90 days is common), keep it, but NIST SP 800-63B no longer recommends rotation on a schedule alone
- Account lockout after failed attempts (max_login_attempts and lockout_duration in BASIC_AUTH above)
- Session timeout configuration (session_timeout in BASIC_AUTH above)
Secure Administration
# Secure admin practices
- Use dedicated admin workstations
- VPN-only administrative access
- Principle of least privilege
- Regular access reviews
- Segregation of duties
Certificate Management
Certificate Security
# Certificate best practices
- 4096-bit RSA keys minimum (or ECDSA P-256/P-384 via Easy-RSA's EASYRSA_ALGO=ec, which gives comparable strength with much faster TLS handshakes)
- Annual certificate rotation (EASYRSA_CERT_EXPIRE=365 above enforces the deadline)
- Offline root CA storage
- Hardware Security Module (HSM) for production
- Certificate transparency logging applies only to the public web-interface certificate (Let's Encrypt submits it automatically, and watching CT logs for your-domain.com reveals unexpectedly issued certificates); the private VPN CA's certificates are never CT-logged, so track them through the audit log's certificate_operations events instead
Key Management
KEY_MANAGEMENT = {
'storage': 'encrypted',
'backup': 'multiple_locations',
'access_control': 'role_based',
'rotation_schedule': 'annual',
'escrow': 'enabled'
}
Operational Security
System Hardening
# System hardening checklist
- Disable unnecessary services
- Apply security updates regularly
- Configure fail2ban
- Enable SELinux/AppArmor
- Remove default accounts
- Configure log rotation
- Implement file integrity monitoring
Monitoring & Alerting
SECURITY_ALERTS = {
'email_notifications': True,
'syslog_integration': True,
'webhook_alerts': True,
'escalation_rules': {
'critical': '5_minutes',
'high': '15_minutes',
'medium': '1_hour'
}
}
Incident Response
Security Incident Procedures
Incident Classification
Severity Levels:
  P1_Critical:
    - System compromise
    - Data breach
    - Service unavailability
    Response Time: Immediate
  P2_High:
    - Security policy violation
    - Unauthorized access attempt
    - Certificate compromise
    Response Time: 1 hour
  P3_Medium:
    - Suspicious activity
    - Configuration drift
    - Failed security controls
    Response Time: 4 hours
Response Procedures
1. Detection & Analysis
   - Identify incident scope
   - Preserve evidence
   - Initial impact assessment
2. Containment
   - Isolate affected systems
   - Prevent further damage
   - Maintain service availability
3. Eradication & Recovery
   - Remove threat
   - Restore systems
   - Implement additional controls
4. Post-Incident Analysis
   - Root cause analysis
   - Lessons learned
   - Process improvements
Emergency Procedures
Security Breach Response
#!/bin/bash
# Emergency security response script
# Run from a console/out-of-band session: the firewall block below cuts every
# network session, so the responder's own address is kept reachable.
set -e
ADMIN_IP="${ADMIN_IP:?set ADMIN_IP to the responder's address}"
EVIDENCE="/secure/backup/incident-$(date -u +%Y%m%dT%H%M%SZ)"; mkdir -p "$EVIDENCE"
# Capture volatile state first; it is gone once connections are cut
ss -tunap > "$EVIDENCE/sockets.txt"; ps auxww > "$EVIDENCE/processes.txt"
# Immediate actions
systemctl stop openvpn-webmanager
iptables -I INPUT 1 -s "$ADMIN_IP" -j ACCEPT   # responder path stays open
iptables -I INPUT 2 -j DROP   # block all other traffic (-I, not -A: an appended DROP lands after the ACCEPT rules and blocks nothing)
# Preserve logs with their timestamps and record hashes for the evidence chain
cp -a /var/log/openvpn-manager "$EVIDENCE/logs"
find "$EVIDENCE/logs" -type f -exec sha256sum {} + > "$EVIDENCE/SHA256SUMS"
# Notify security team
./notify-security-team.sh "SECURITY BREACH DETECTED"
# Generate incident report
./generate-incident-report.sh --severity critical
Certificate Compromise
#!/bin/bash
# Certificate compromise response
set -e
: "${COMPROMISED_CLIENT:?set COMPROMISED_CLIENT to the client's certificate name}"
# Revoke compromised certificates
./revoke-certificate.sh --client "${COMPROMISED_CLIENT}"
# Update CRL and distribute it to every server. OpenVPN only enforces it when the
# server config contains "crl-verify <crl file>"; the updated file is picked up
# for new connections without a restart.
./update-crl.sh --distribute
# Force client reconnection so every live session is re-authenticated against the new CRL
./force-reconnect.sh --all-clients
# Generate new certificates if needed (when the CA or a shared key, not just one
# client certificate, is suspected, every client certificate must be reissued)
./regenerate-certificates.sh --batch-mode