VPN Hardening: What It Is and How to Do It

Cybersecurity is inherently complex. It involves hardware and software, as well as the most complicated component — actual human beings. Sometimes, though, the simplest measures can make a significant difference. 

That’s the case with VPN (virtual private network) hardening.

Remote access VPN solutions were already popular with businesses of all sizes when COVID-19 hit. They make it easy for employees to securely access the company network to get the data and applications they need to do their jobs when they’re not in the office. COVID-related measures created a large population of remote employees working on home or public WiFi, and VPNs were key to maintaining productivity and business operations by enabling secure traffic sessions.

Beyond securely connecting users to a company’s internal network, and the resources that reside within that network, a VPN solution is key to maintaining the three underlying information security principles of confidentiality, integrity, and availability:

• Confidentiality: Access to sensitive data, and permission to modify it, is limited to authorized users (e.g., multi-factor authentication, digital certificates).
• Integrity: Both intentional and unintentional data modification is prevented to ensure data accuracy.
• Availability: Employees are authorized to access the resources they need, no matter where they are.

One thing to note: this article focuses on the OpenVPN tunneling protocol, not Internet Protocol Security (IPSec), Layer 2 Tunneling Protocol (L2TP), Point–to–Point Tunneling Protocol (PPTP), Secure Sockets Layer (SSL) and Transport Layer Security (TLS), or Secure Shell (SSH). 

The OpenVPN focus is due to the fact that when you look under the hood of a lot of VPNs, they've built their products on the OpenVPN open source code. It's the VPN protocol standard. But as we've seen with some recent vulnerabilities, these providers still need to be smart with their implementations. If they don't plan for security, they implement solutions with dangerous back doors. The same thing goes for how you set up your VPN for your business. While our business VPN products, OpenVPN Cloud and OpenVPN Access Server, provide strong security and encryption, the way you implement the solution in your environment can open you up to vulnerabilities. While we try to set things up securely by default, there may be factors in your environment that could introduce an issue. It's important to follow best practices. 

Thankfully, with the right tools, network administrators can deliver availability to remote workers, keep the company network strong, and stop bad actors attempting ransomware, DNS hijacking, or any number of other cyberattacks. 

What is VPN Hardening?

When employees work remotely — from home, a hotel, or any number of other locations — they send company information back and forth from their mobile devices. The convenience is great, but hackers and cybercriminals are eager to get their hands on that information. But if employees are tapping into the corporate network using a VPN connection, their internet activity is encrypted and hidden from cybercriminals, and their IP address can be concealed behind the IP address of the VPN server.

But simply having it there isn’t enough. A VPN, or any other network security measure, isn’t a set-it-and-forget-it proposition. VPNs need to be continually checked for updates and gaps, just like any other devices or programs that face the internet. And of course employees need to be reminded of the importance of using them. That’s what VPN hardening is: auditing the most basic elements of a company’s VPN to confirm they’re operating correctly and effectively. If an audit reveals vulnerabilities, defenses must be reinforced. Even better, make sure your VPN offers more than just encryption — the more security measures you have, the stronger your network will be. 

General Guidance on How to Harden VPN Devices

Hardening VPN devices is the first step in an overall hardening plan. To do this, administrators should:  

• Harden remote administration — Don’t use insecure protocols (e.g, Telnet, HTTP) to manage VPN devices; stick to SSH, HTTPS, or other encrypted protocols. Avoid using passwords alone for SSH; use SSH keys instead. For HTTPs logins, consider enabling MFA (multi-factor authentication).
• Implement authentication and authorization — Limit device management to authenticated users who are authorized to run only the appropriate, necessary commands.
• Restrict services and protocols — Restrict services and protocols running on a VPN device to the minimum needed to accept and terminate connections.
• Provide redundancy and fault tolerance — To harden against failure, implement a redundant, fault-tolerant configuration that continues to accept incoming VPN tunnels if a device fails.
• Limit access — When a VPN device needs access to resources you can choose to limit the access to just the needed resources — no need to give access to the whole network. 

Getting Specific: Hardening OpenVPN Access Server

OpenVPN Access Server users can take a variety of steps to harden their security. We have a more extensive guide here, but the overview of that is:

1. Update your OpenVPN Access Server to latest version.
2. Ensure the root user account is secured.
3. Secure the default administrative account.
4. Install a valid SSL web certificate on the web interface.
5. Harden the web server cipher suite string.

OpenVPN Open Source Community Resources for VPN Hardening

Finally, one of the best things about OpenVPN is its open source origins. That means OpenVPN products have an extraordinary amount of support information provided by a security community that’s continuously looking for security risks and ways to mitigate them. The OpenVPN Support Forum includes discussions for a number of projects and solutions, including Microsoft Windows, macOS, Android, iOS, and Linux, as well as OpenVPN Connect, our VPN client software.  

Good to Know: The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released this joint Cybersecurity Information Sheet in September. It outlines considerations for choosing a VPN and recommendations for deploying it securely. Download the report to learn more about hardening a VPN by reducing the VPN server’s attack surface by:

• Configuring strong cryptography and authentication.
• Running only necessary features.
• Protecting and monitoring access to and from the VPN.

Conclusion

Working remotely, either all or some of the time, is here to stay. The ability to work anywhere an internet connection is available provides benefits to both employees and employers, but it also requires paying extra attention to potential security issues. VPN hardening is a critical component of network security that guards a company’s resources and maintains necessary functionality for users.