We covered OpenVPN security by configuring strong encryption cyphers, setting secure hashing for authentication and implementing Perfect Forward Secrecy. On the other end, we configured basic security settings for routers such as logging, firewall and traffic rules, port forwarding, SSH and changing default credentials. This was part of TryHackMe security engineer track, network device hardening.
Get COMPTIA Security+ Exam Notes
VPN Security (OpenVPN Server)
I started by looking at VPN security, specifically the server-side configurations for OpenVPN. I learned that the main configuration file is usually located at /etc/openvpn/server/server.conf. To harden the VPN, I focused on a few key directives:
cipher: I saw that using a strong encryption algorithm like AES-256-CBC is recommended.auth: For authentication, a robust hashing algorithm like SHA is advised.tls-crypt: This is really important because it enables Perfect Forward Secrecy (PFS). This means that if someone manages to compromise one session key, they won’t be able to decrypt all your past and future communications, which is a huge security win!
I also noted other crucial settings like the port, local IP address, protocol, and server certificate. To generate a key for tls-crypt, I saw this command:
sudo openvpn --genkey --secret /root/test.key
Router Security (OpenWrt)
Next, I moved on to router security, using an OpenWrt router as the example.
General Settings
I learned that it’s vital to ensure the correct time, hostname, and time zone settings are in place. This helps with accurate logging if any security incidents occur. Also, enabling logging is a must. If local storage is limited, forwarding logs to a central logging server (like using syslog) is a smart move.
Administration/System Access
This section was all about securing access to the router itself. I understood the importance of:
- Changing default credentials (username and password) immediately.
- Managing the router over a secure channel like HTTPS or, even better, SSH.
- Configuring the SSH port and interface.
- Using SSH keys for more secure authentication. I saw how to generate an SSH key pair and add the public key to the router using these commands:
ssh-keygenls -lacd .sshcat id_rsa.pub
Software/Packages & Startup Scripts
I was reminded to regularly review and update installed packages. Also, it’s crucial to audit startup scripts to make sure no malicious scripts have been added for persistence by an attacker.
Firewall
The firewall is essential for controlling traffic. I learned that for typical local networks without public-facing servers, it’s best to disable incoming traffic from the internet (WAN to LAN). LAN to WAN traffic is usually allowed for internet access. If you’re hosting a public server, you’d need to allow specific WAN to LAN traffic.
Port Forwarding
I understood that port forwarding should only be configured if you have a public server that needs to be accessed from the internet. An example showed forwarding traffic from WAN port 9001 to a LAN device on port 9002.
Traffic Rules
This is where you define detailed rules for traffic flow, specifying protocols and ports. I saw an example of how to allow ICMP (ping) traffic from the WAN to a device on the LAN. This is useful for things like game servers that need ping functionality. I also learned that this is a stateful firewall, meaning it tracks the state of connections.
Firmware
Finally, I was reminded to always keep the router’s firmware up to date. Some routers allow direct updates, while others require you to manually upload the firmware file downloaded from the vendor’s website.
TryHackMe Questions & Answers (Quick Review)
The video then briefly went over answering the questions in the TryHackMe room, reinforcing the concepts I just learned:
- VPN Task: I saw the command
cat /etc/openvpn/server/server.confto view the VPN server config and found flags for cipher and auth, noting the default VPN server port is 1194. - Router Task: I learned the default SSH port for OpenWrt is 22, and found details about general settings related to timing, logging buffer size (64), and startup script priority. I also identified the rule name “allow ping” for ICMP traffic from WAN and “thmaport” for port forwarding (9001 to 9002). Lastly, I found the version number of the
apkpackage (2.12.2-1) under the “Software” section.
Room Answers
A threat vector that includes disruption of critical devices and services to make them unavailable to genuine users is called?
Update the config file to use auth SHA512. What is the flag value linked with the auth directive?
As per the config file, what is the port number for the OpenVPN server?
What is the default SSH port configured for OpenWrt in the attached VM?
Go through the General Settings option under the System tab in the attached VM. The administrator has left a special message in the Notes section. What is the flag value?
What is the default system log buffer size value for the OpenWrt router in the attached VM?
What is the start priority for the script uhttpd?
What is the name of the rule that forwards data coming from WAN port 9001 to LAN port 9002?
What is the version number for the available apk package?
Video Walkthrough
