In my previous article, I laid out a framework for building a modern, hardened OpenVPN server/client configuration. At the end, I noted there were some additional hardening steps that would be nice to take for extra security. In particular:

1. Using an additional static TLS key in the initial TLS handshake to prevent denial-of-service attacks.
2. Storing keys in hardware cryptographic devices to prevent exfiltration.
3. Using multi-factor authentication with time-based one time passwords (TOTP, AKA Google Authenticator)
4. Closing the small security hole created because OpenVPN doesn't by default check that client certificates match client usernames.
5. Instructing OpenVPN to apply additional exploit mitigation…

Since everyone is working from home for the foreseeable future, corporate IT departments are scrambling to bolster existing VPN solutions or deploy new ones as fast as possible. One of the most popular VPN solutions is OpenVPN, either used directly, or through appliances like the commercial OpenVPN Access Server or third-party VPN gateway products. Some third-party products are not quite upfront about being OpenVPN wrappers, so if you use an SSL VPN Gateway appliance, make sure to double-check the documentation to see if this guide applies to you. If it does, we’ll help you clean up your VPN configuration mess!

Why Hardening OpenVPN is Necessary

…

Windows 10 ships with two awesome features for users and developers who still work in Linux land. The first is the Windows Subsystem for Linux, which implements a subset of the Linux Kernel’s system calls to allow you to run native Linux userland utilities such as bash and friends, and ssh. It also includes a native windows build of OpenSSH, which means you don't even need to use WSL to SSH into your other machines! Unfortunately, neither option has any ssh-agent running by default, so if you have passphrase protected keys (which you should), then you'll need to enter the…

I’ve started experimenting with exposing some of my home lab services to the world without needing a VPN. Instead, I use Caddy (which is an excellent web server, and much easier to work with than Nginx) as a reverse proxy with TLS client certificates for authentication. Caddy’s built-in Let’s Encrypt functionality provides the server certificate, and my internal PKI provides the client certificates. I still want to have 2-factor authentication, though — a certificate is merely “something you have”, and I want to require “something you know,” too. Since all my PCs are recent enough to feature a TPM, I…

Two-Factor Authentication (2FA, also known as Multi-Factor Authentication, or MFA) is all the rage these days, and for good reason. Accounts secured by 2FA are much, much harder to compromise than accounts using only a single factor — so much more so that you can — sometimes — get away with an easier to type and remember (and therefore weaker) password when using it. The most common ways of implementing the second factor are SMS and TOTP (Time-Based One Time Password). When SMS is used, the site sends you a short numerical code via SMS after you enter your password…

The security of a 2FA-protected account is much greater than the security of an account protected by only one factor — in theory. In practice, there is more nuance to it than that. For 2FA, you are trusting the server to enforce the 2FA and not be compromised by hackers or compelled by law enforcement to allow them access to your data; meanwhile a service can be configured to use your password in a way that protects even against hackers or law enforcement. Understanding this nuance requires a deeper understanding of how 2FA works and how it does (or doesn’t!)…

Bloomberg published an article claiming that the US Government uncovered a hardware backdoor planted by the Chinese People’s Liberation Army in server motherboards produced by Supermicro, the world’s largest manufacturer of computer motherboards. The boards then made their way into the datacenters of US tech companies, including Apple, Amazon Web Services, and Facbeook. …

Tenable Security disclosed a proof-of-concept of a critical vulnerability in the Mikrotik RouterOS software, which powers their popular low-cost routers and wireless networking products. The vulnerability leverages a path traversal issue into full unauthenticated remote code execution; vulnerable routers can have their credential database stolen and a backdoor installed with just network access. The bug was originally disclosed as a medium-severity path traversal bug in August of 2018 and was subsequently fixed, but further research allowed Tenable to upgrade it to full remote code execution.

What is affected?

The bug affects all MikroTik-branded routers and wireless equipment running RouterOS versions below 6.42.7 or…