Documentation

Server 3.x

Security#

This document contains some information about the security of the software, more specifically: the configuration choices that were made.

Web Server#

By default Apache is used.

Debian / Ubuntu#

We use a template to update the TLS options.

Fedora / EL#

TBD. Look into “Crypto Policies” on Fedora/EL.

We use a template to update the TLS options.

OpenVPN#

The basic OpenVPN server (and client) cryptography configuration:

The server supports two data ciphers allowing the client to choose one of those. If the server supports hardware accelerated AES, AES-256-GCM is preferred, otherwise CHACHA20-POLY1305.

There’s no need to configure specific TLS ciphers, as all ciphers defined in the TLSv1.3 specification are secure to use.

WireGuard#

There are no configuration toggles regarding security properties, except preshared keys which is currently NOT used.

Sessions#

We use fkooman/secookie, a library to implement secure PHP sessions (and cookies).

OAuth#

We use fkooman/oauth2-server, a library to implement a secure OAuth 2.1 server.

It uses public key signatures to sign/verify the issues OAuth tokens.

CA#

The CA of the VPN service is “online” as it needs to generate valid keys/certificates on the fly. The vpn-ca software is used as CA.

Only EdDSA keys are supported.

SSH#

By default we do NOT modify the SSH configuration itself, however we do configure the firewall to allow SSH access from everywhere, including VPN clients.

You SHOULD change/update this! Look here.