• about
• apt
• arduino
• autoconf
• awk
• aws
• bind
• c++
• cassandra
• chef
• chromium
• common-lisp
• cron
• curl
• daemontools
• diff
• docker
• dtrace
• emacs
• exiftool
• forth
• git
• glibc
• haproxy
• hipchat
• ld
• lisp
• llvm
• logrotate
• lsof
• man
• mdadm
• memcached
• minicom
• mod security
• mtr
• mutt
• mysql
• nasm
• ncdu
• netstat
• nginx
• nmap
• nss
• offlineimap
• openldap
• operations checklist
• oracle ilom
• osslsigncode
• pacman
• patch
• phusion passenger
• pkgin
• pkitool
• procedural content generation
• procfs
• qemu
• qmake
• rabbitmq
• radare2
• rinetd
• rpm
• rsync
• ruby
• rust
• scheme
• sed
• ssh
• strace
• stunnel
• sudo
• sysbench
• tangle
• tar
• tcpdump
• telnet
• tmux
• transport layer security
• vim
• wget
• windows
• yum
• zfs
• american fuzzy lop
• android
• apache http server
• apache spark
• apk alpine
• arp
• ascii art
• bash
• binary coded decimal
• binary hacks
• binary visualization
• blackberry
• books
• c
• cisco
• cobol
• concepts
• console fun
• core war
• couchdb
• cvs
• databases
• data structures
• debugging
• demoscene tricks
• dns
• email
• epub files
• firefox
• flynns taxonomy
• fortran
• gcc
• gdb
• github
• gnome
• gnu screen
• go
• gocd
• google
• gpg
• graphviz
• grub
• hardware
• heroku
• http
• imagemagick
• ios (apple)
• java
• journal
• kafka
• kotlin
• kubernetes
• latex
• linux
• lldb
• lua
• lvm
• macos
• makefile
• mesos
• meta
• microsoft - excel
• ml
• mongodb
• multimedia
• Mutt
• nagios
• networking
• nfs
• node.js
• objective-c
• odbc
• openbsd
• openpgp
• openssl
• openvpn
• operating systems
• orientdb
• people
• perl
• phones
• php
• postfix
• postgresql
• pretotyping
• processors
• prolog
• python
• reconnoiter
• red hat
• refactorings
• restructuredtext
• riak
• samba
• scapy
• sdl
• security
• smalltalk
• smartos
• solaris
• sphinx
• spinnaker
• sql
• sqlite
• supercomputers
• svn
• swift
• systrace
• tcl
• tcp wrappers
• telcos
• tensorflow
• terraform
• to do
• tvos (apple)
• unix
• vagrant
• vault
• veles
• virtualbox
• virtual reality
• vnc
• watchos
• weberp
• Web Programming
• web programming
• web services
• wise installer
• xml
• x windows
• zookeeper

OpenVPN

Setting up an OpenVPN server

::

# Set up a cert. authority
cd /etc/openvpn/easy-rsa/
# Edit the vars file
. ./vars
./clean-all
./build-ca
# Create server certs
./build-key-server server
# Create client certs
./build-key client1
# Build Diffie Hellman parameters
./build-dh

Hardening

• Explicitly set the server `cipher`, `tls-cipher` and `auth`
• Use at least 2048-bit keys
• Use `tls-auth` to mitigate DDoS
• Keep CA PKI secure. If the CA key is compromised, you'll need to reissue
• Generate private keys on the target system
• Use strong key passphrases
• Avoid sharing keys across targets
• Generate a CRL at the creation of a VPN
• Use Diffie-Hellman parameters of 2048-bit+
• Set the `script-security` level to what is appropriate
• If you've got servers+clients greater than OpenVPN 2.3.2, set `tls-version-min` to 1.2

CLI misc

::

# See list of supported ciphers
openvpn --show-ciphers
# See list of supported HMACs
openvpn --show-digests
# See list of supported TLS cipher-suites
openvpn --show-tls

Using a static key

::

# generate static key
openvpn --genkey --secret static.key

In configuration files:

::

secret static.key
# or
<tls-auth>
Key contents
</tls-auth>