opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

VPN Hardening (ciphers/encryption & config parameters) #7519

Open ETES-Stuttgart opened 2 weeks ago

ETES-Stuttgart commented 2 weeks ago

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Is your feature request related to a problem? Please describe.

Well, not a problem as such right now, but it might become one, I guess.

  1. When creating a CA for our SSL VPN (and also server- and client-certificates), we would like to explicitly not use RSA any more to be on the future-proof side. Also we know about the potential issues with the (unnamed) Elliptic Curves prime256v1 and secp521r1 and built-in backdoors (I know there's no proof for that, anyway we'd like to evade using those). Why can't I use ed25519 for the CA and certificates? I guess the openssl under the hood of the OPNsense does support the generation with something like `openssl genpkey -algorithm ed25519 -out ... -aes256 ...`.

  2. After creating the VPN connection (using the new OpenVPN Instances) we had a look at the generated *.ovpn-config via the CLI. Is there any chance to alter specific parameters, add some et al.? We'd like to have settings like this:

    ca ca.crt
    cert server.crt
    key server.key
    dh none
    ecdh-curve #optional
    tls-crypt ta.key
    tls-version-min 1.3
    tls-ciphersuites TLS_AES_256_GCM_SHA384
    tls-groups X25519
    auth SHA512
    cipher AES-256-GCM

  3. Within the OpenVPN-config as is, I could not identify which encryption algorithm is used exactly? Do I understand this correctly, that it's auto-negotiated and always uses the best encryption both sides (server & client) support? Is there a list about the order the algorithms are ranked? Is there a required minimum?

Describe the solution you like

I tried generating the CA, server- and user-certificates on a CLI using ed25519. Afterwards I imported the certificates in our OPNsense and used them for my SSL VPN. It works, but it is cumbersome.

Describe alternatives you considered

Of course we could settle on more doubtful settings and reconsider them every now and then, and regenerate every certificate with stronger settings when available... Beyond that we will be doing the reconsidering anyway, we'd really appreciate to be able to use stronger settings we feel more safe/comfortable with from the very beginning.

Additional context

Since the technologies under the hood (OpenVPN and OpenSSL) do support our prerequisites, it should be more a GUI-thing as far as I can judge. If it is "too much" for the GUI, we'd appreciate something like an "advanced" tab where you can see the actual OpenVPN config and alter it as you please.

--

Thank you in advance & best regards
Patrick
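
A check for the directives listed in item 2 of the request, as an added example (not part of the original post and not OPNsense code): it parses an OpenVPN config and reports every deviation from those values. The sample config is constructed, and the `data-ciphers` check assumes OpenVPN 2.5 or later, where that directive lists the negotiable data-channel ciphers.

```python
import re

# Targets are the values requested in the issue above, not OPNsense defaults.
EXACT = {"dh": "none", "tls-ciphersuites": "TLS_AES_256_GCM_SHA384",
         "tls-groups": "X25519", "auth": "SHA512", "cipher": "AES-256-GCM"}
PRESENT = ("ca", "cert", "key", "tls-crypt")

# Constructed sample of a config that drifted from those targets.
SAMPLE = """\
<ca>
(constructed placeholder, not a real certificate)
</ca>
cert server.crt
key server.key
dh none
tls-auth ta.key 0   # not tls-crypt
tls-version-min 1.2
auth SHA256
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
"""

def parse_ovpn(text):
    """Map directive -> argument list. An inline <tag>...</tag> block counts as set.
    '#' or ';' at the start of a token begins a comment; quoting is not handled."""
    opts, block = {}, None
    for line in map(str.strip, text.splitlines()):
        if block:  # skip key material until the closing tag
            block = None if line == f"</{block}>" else block
        elif m := re.fullmatch(r"<([\w-]+)>", line):
            block = m.group(1)
            opts[block] = ["[inline]"]
        elif words := re.split(r"(?:^|\s)[#;]", line, maxsplit=1)[0].split():
            opts[words[0].lstrip("-")] = words[1:]
    return opts

def audit(text):
    """Return sorted deviations from the targets; an empty list means none."""
    opts = parse_ovpn(text)
    out = [f"{n}: missing" for n in PRESENT if not opts.get(n)]
    got = {n: " ".join(opts.get(n, [])) or "<unset>" for n in EXACT}
    out += [f"{n}: {got[n]} (want {w})" for n, w in EXACT.items() if got[n].upper() != w.upper()]
    ver = (opts.get("tls-version-min") or ["<unset>"])[0]
    m = re.fullmatch(r"(\d+)\.(\d+)", ver)
    if not m or tuple(map(int, m.groups())) < (1, 3):
        out.append(f"tls-version-min: {ver} (want >= 1.3)")
    extra = sorted(set(":".join(opts.get("data-ciphers", [])).split(":")) - {"", EXACT["cipher"]})
    out += ["data-ciphers: also allows " + ", ".join(extra)] if extra else []
    return sorted(out)
```

Calling `audit(SAMPLE)` returns six deviations; a config carrying exactly the directives from the list above returns an empty list.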

AdSchellevis commented 2 weeks ago

Questions to add specific options for OpenVPN are best opened in separate tickets (unless a set is needed for a single feature).

For 24.7 a revamp for the trust section is scheduled. Certificate generation is handled via PHP’s `openssl_pkey_new()`. I haven’t checked which other algorithms it supports, but to avoid complexity we should try to use standard PHP functions where possible.