Hello,

I've successfully deployed OpenVPN for a small business, supporting Linux, Mac OS X, and Windows clients. It's working great! Lots of little technical hurdles to get through to get there (mostly because of my unfamiliarity with Mac OS X).

So now I've been looking at the other options in OpenVPN, and wondering what the recommended configuration would be.

Right now I have one beefy workstation set up as a server inside the LAN. It's a Red Hat 9 box. The firewall forwards a range of UDP ports to this server. I have set up 4 bridged tap devices and 6 tun devices. I'm using the sample init.d script to bring up all the configurations in /etc/openvpn, slightly modified to bring up the tap devices and bridge first.

I expect no more than two or three remote VPN connections up at any one time. How much overhead do the waiting, unused openvpn daemons use, compared to changing to the xinetd configuration? Does it really matter at this low level of use? Which would you say is more scalable?

It seems to me that the xinetd configuration might be a little more reliable, since a process that somehow dies would automatically start up at the next connection. Has anyone had OpenVPN daemons die?

On Sat, 2003-12-13 at 11:58, James Yonan wrote:
> (2) OpenVPN has several options including --user, --group, and --chroot to
> lock down the OpenVPN process into an unprivileged state, so that if some
> vulnerability led to a code insertion exploit, the exploit would be contained
> and unable to elevate its privilege to root.

I have not enabled the user, group, or chroot options. I have set up the daemons with --ping-restart 60 --ping-timer-rem. Will the daemons restart correctly when run under a non-privileged user account?

Thanks for some great software!

Cheers,
-- 
John Locke
Open Source solutions for small business problems
http://freelock.com