
Tuesday, May 25, 2021

Configuring OpenVPN with Ed25519 certificates and TLS 1.3

Creating certificates with Elliptic Curves: 

Requirements: OpenSSL 1.1.x, OpenVPN 2.5.x, EasyRSA 3.0.x

Initializing PKI environment

# easyrsa init-pki

Creating the Certificate Authority (CA)

# easyrsa --use-algo=ed --curve=ed25519 build-ca

Creating Certificate Request

# easyrsa --use-algo=ed --curve=ed25519 --req-c=BG --req-city=Gabrovo --req-org=Horizon9 --req-email=geroy@horizon9.org --dn-mode=org gen-req horizon9

Signing the certificate request with the CA

# easyrsa sign-req server horizon9

Creating OpenVPN server keys

# easyrsa build-server-full horizon9 nopass

Creating OpenVPN client keys

# easyrsa build-client-full client1 nopass

 

OpenVPN config file:

local 10.1.1.1 # put your IP address here
port 1194
proto tcp
dev tun
ca /path/to/ca.crt
cert /path/to/horizon9.crt
key /path/to/horizon9.key
server 10.1.11.0 255.255.255.0 # your OpenVPN network IP addresses
push "route 10.1.12.0 255.255.255.0" # your local network here
push "dhcp-option DNS 10.1.12.1"
keepalive 5 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 4

#data channel cipher
cipher AES-128-GCM

#don't negotiate ciphers, we know what we want
ncp-disable

# TLS 1.3 encryption settings
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# TLS 1.2 encryption settings
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

#disable static Diffie-Hellman parameters since we're using ECDHE
dh none

# use this curve
ecdh-curve secp384r1

#this tells OpenVPN which side of the TLS handshake it is
tls-server

#tls-client # uncomment this on the client side
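
The consistency the comments in this config rely on (AEAD-only ciphers, and only ECDHE suites once "dh none" is set) can be checked mechanically. The following is an added example, not part of the original post or of OpenVPN; the function names and the weak sample config are constructed for illustration.

```python
import shlex

# Crypto-related directives copied from the server config above.
PAGE_CONFIG = """\
cipher AES-128-GCM
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
dh none
"""

# Constructed weak variant (not from the post): CBC data cipher, one DHE/CBC suite.
WEAK_CONFIG = """\
cipher BF-CBC  # legacy data channel cipher
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
dh none
"""

AEAD_TAGS = ("GCM", "CHACHA20-POLY1305", "CHACHA20_POLY1305")

def parse(text):
    """Map directive -> argument list ('#' and ';' start comments; last one wins)."""
    conf = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith(";"):
            continue
        words = shlex.split(raw, comments=True)
        if words:
            conf[words[0]] = words[1:]
    return conf

def suites(conf, key):
    """Split the colon-separated list of a directive; [] if the directive is absent."""
    return [s for arg in conf.get(key, [])[:1] for s in arg.split(":") if s]

def audit(text):
    """Return findings; an empty list means the crypto directives are consistent."""
    conf, findings = parse(text), []
    names = suites(conf, "cipher") + suites(conf, "tls-ciphersuites") + suites(conf, "tls-cipher")
    for name in names:
        if not any(tag in name for tag in AEAD_TAGS):
            findings.append("not AEAD: " + name)
    if conf.get("dh") == ["none"]:
        # Without DH parameters only ECDHE key exchange is available.
        for name in suites(conf, "tls-cipher"):
            if "-ECDHE-" not in name:
                findings.append("dh none but not ECDHE: " + name)
    return findings

if __name__ == "__main__":
    print(audit(PAGE_CONFIG), audit(WEAK_CONFIG))
```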

Tuesday, February 13, 2018

How to filter 99.99% of ssh brute force attacks

Recently I've decided to experiment with ssh ciphers / key exchange algorithms to raise the security of my servers. This is the /etc/ssh/sshd_config I've got:

HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org

If you don't have an Ed25519 host key, generate it:

# ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""

You need to use a recent version of ssh / PuTTY to be able to log in to this server.
It seems that allowing only this cipher/Kex filters out all brute force scanners, probably because they do not support it. I only see messages like these:

Feb 13 14:41:39 horizon9 sshd[22849]: SSH: Server;Ltype: Version;Remote: xxx.x.xx.xxx-53810;Protocol: 2.0;Client: libssh2_1.7.0
Feb 13 14:41:39 horizon9 sshd[22849]: fatal: ssh_dispatch_run_fatal: no matching cipher found [preauth]
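
To see which clients are being turned away, the two message types above can be correlated by sshd PID. This is an added example, not part of the original post; the sample log is constructed in the format of the lines above (documentation-range addresses, made-up PIDs), and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the format of the two log lines quoted in the post.
# Addresses are documentation ranges; PIDs and the extra clients are made up.
SAMPLE_LOG = """\
Feb 13 14:41:39 horizon9 sshd[22849]: SSH: Server;Ltype: Version;Remote: 192.0.2.10-53810;Protocol: 2.0;Client: libssh2_1.7.0
Feb 13 14:41:39 horizon9 sshd[22849]: fatal: ssh_dispatch_run_fatal: no matching cipher found [preauth]
Feb 13 14:42:02 horizon9 sshd[22851]: SSH: Server;Ltype: Version;Remote: 198.51.100.7-40112;Protocol: 2.0;Client: OpenSSH_7.6
Feb 13 14:42:03 horizon9 sshd[22851]: Accepted publickey for admin from 198.51.100.7 port 40112 ssh2
Feb 13 14:43:10 horizon9 sshd[22860]: SSH: Server;Ltype: Version;Remote: 203.0.113.5-33100;Protocol: 2.0;Client: libssh2_1.7.0
Feb 13 14:43:10 horizon9 sshd[22860]: fatal: ssh_dispatch_run_fatal: no matching key exchange method found [preauth]
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BANNER = re.compile(r"Remote: (?P<ip>[^;]+)-\d+;Protocol: [^;]+;Client: (?P<client>\S+)")
NO_MATCH = re.compile(r"fatal: .*no matching (?P<what>.+?) found.*\[preauth\]")

def negotiation_rejects(log_text):
    """Return (source_ip, client_banner, unmatched_algorithm) per rejected connection."""
    banners = {}   # sshd child PID -> (ip, client) taken from its Version line
    rejects = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        b = BANNER.search(msg)
        if b:
            banners[pid] = (b.group("ip"), b.group("client"))
            continue
        f = NO_MATCH.search(msg)
        if f:
            ip, client = banners.pop(pid, ("unknown", "unknown"))
            rejects.append((ip, client, f.group("what")))
    return rejects

def summarize(rejects):
    """Count rejected connections per client banner and per source address."""
    return Counter(c for _, c, _ in rejects), Counter(ip for ip, _, _ in rejects)

if __name__ == "__main__":
    by_client, by_ip = summarize(negotiation_rejects(SAMPLE_LOG))
    print(by_client.most_common())
    print(by_ip.most_common())
```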

For more information about these ciphers/algorithms, read here:

https://cr.yp.to/ecdh.html#curve25519-paper
https://en.wikipedia.org/wiki/Salsa20
https://en.wikipedia.org/wiki/Poly1305


Tuesday, March 31, 2015

Compiling and using PyNaCl on Windows 7

A step-by-step guide to compiling the PyNaCl Python package on win32.

Requirements:
Python 2.7.x for Windows - download it from here.
libsodium-1.0.2-msvc - download precompiled binaries from here.
Microsoft Visual C++ Compiler for Python 2.7 - you can download MS C++ compiler for Python from here.

This guide is based on https://github.com/pyca/pynacl/issues/100 and is a focused reiteration of it.

Python for Windows is compiled with MSVC, and because of that it is not possible to compile extensions with MinGW/MSYS. The main problem is with CFFI (Common Foreign Function Interface): even if you succeed in compiling, the lib will most probably not work (it will hang when you try to use its functions).

1. Download and install Python for Windows

2. Download and install Microsoft Visual C++ Compiler for Python 2.7 

3. Install python setuptools (needed for MSVC++ Python) with pip:
C:\>pip install setuptools

4. Download libsodium latest release with -msvc at the end. Unzip it in C:\work\libsodium-1.0.2-msvc

5. Go to C:\work\libsodium-1.0.2-msvc\Win32\Release\v120\dynamic and rename libsodium.lib to sodium.lib. On 64bit Windows use this dir: C:\work\libsodium-1.0.2-msvc\x64\Release\v120\dynamic

6. Download PyNaCl source and unzip it to C:\work\PyNaCl-0.3.0

7. Start the MSVC++ Python shell: Start -> All Programs -> Microsoft Visual C++ Compiler Package for Python 2.7 -> Visual C++ 2008 32-bit Command Prompt

8. Set these 3 variables in cmd prompt:
set INCLUDE=%INCLUDE%C:\work\libsodium-1.0.2-msvc\include
set LIB=%LIB%C:\work\libsodium-1.0.2-msvc\Win32\Release\v120\dynamic
set SODIUM_INSTALL=system


On 64bit Windows change:
set LIB=%LIB%C:\work\libsodium-1.0.2-msvc\Win32\Release\v120\dynamic
to:
set LIB=%LIB%C:\work\libsodium-1.0.2-msvc\x64\Release\v120\dynamic

9. Probably you will need these two files when compiling:
Download and copy them to: C:\work\libsodium-1.0.2-msvc\include

10. Start the building process:
C:\>cd C:\work\PyNaCl-0.3.0
C:\work\PyNaCl-0.3.0>python setup.py build

11. If everything is ok, then install it:
C:\work\PyNaCl-0.3.0>python setup.py install

12. Finally, copy the original libsodium.dll in PyNaCl install dir:
C:\>copy C:\work\libsodium-1.0.2-msvc\Win32\Release\v120\dynamic\libsodium.dll C:\Python27\Lib\site-packages\PyNaCl-0.3.0-py2.7-win32.egg\nacl\_lib

Here is a test program (from doc examples https://pynacl.readthedocs.org/en/latest/public/) slightly modified:

import nacl.utils
from nacl.public import PrivateKey, Box

# Generate a key pair for each party
skbob = PrivateKey.generate()
pkbob = skbob.public_key
skalice = PrivateKey.generate()
pkalice = skalice.public_key

# Bob encrypts with his private key and Alice's public key
bob_box = Box(skbob, pkalice)
message = b"Kill all humans"
# The nonce must never be reused with the same pair of keys
nonce = nacl.utils.random(Box.NONCE_SIZE)

encrypted = bob_box.encrypt(message, nonce)
print "Encrypted Message:", encrypted

# Alice decrypts with her private key and Bob's public key
alice_box = Box(skalice, pkbob)

plaintext = alice_box.decrypt(encrypted)
print "Plaintext Message:", plaintext

If it works, you should see something like:
C:\work>python nacltest.py
Encrypted Message: ₧╫fαIé├l(α▀W¬½♥↔≈‼╟  üRδD≈é☻'^∞v√oòΣls╣8,ƒ   ↓ü↓╓+ô╓è╣=§╣
Plaintext Message: Kill all humans
C:\work>