{"id":17258179,"url":"https://github.com/caligatio/paranoid-openvpn","last_synced_at":"2025-10-23T21:02:35.662Z","repository":{"id":57450757,"uuid":"350319770","full_name":"Caligatio/paranoid-openvpn","owner":"Caligatio","description":"Hardening script for OpenVPN client profiles","archived":false,"fork":false,"pushed_at":"2021-03-30T20:01:38.000Z","size":130,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-02T08:42:56.111Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Caligatio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":"Caligatio","custom":"https://www.buymeacoffee.com/caligatio"}},"created_at":"2021-03-22T11:35:35.000Z","updated_at":"2022-03-10T13:12:28.000Z","dependencies_parsed_at":"2022-09-26T17:31:33.751Z","dependency_job_id":null,"html_url":"https://github.com/Caligatio/paranoid-openvpn","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Caligatio%2Fparanoid-openvpn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Caligatio%2Fparanoid-openvpn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Caligatio%2Fparanoid-openvpn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Caligatio%2Fparanoid-openvpn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Caligatio","download_url":"https://code
load.github.com/Caligatio/paranoid-openvpn/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245622894,"owners_count":20645677,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-15T07:19:43.481Z","updated_at":"2025-10-23T21:02:35.614Z","avatar_url":"https://github.com/Caligatio.png","language":"Python","funding_links":["https://github.com/sponsors/Caligatio","https://www.buymeacoffee.com/caligatio"],"categories":[],"sub_categories":[],"readme":"# Paranoid OpenVPN\n\nParanoid OpenVPN hardens OpenVPN profiles and provides additional optional\nprovider-specific fixes (e.g. Private Internet Access).\n\n## Usage\n\nWhen installed, Paranoid OpenVPN provides the `paranoid_openvpn` executable\nwhich comes with built-in help.  These are the common options:\n\n```console\n$ pip install paranoid-openvpn\n$ # usage: paranoid_openvpn [--min-tls {1.0,1.1,1.2,1.3}] [--pia] source dest\n$ # Process a remote zip file of OpenVPN profiles and apply PIA fixes\n$ paranoid_openvpn --pia https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip /path/to/output_dir\n$ # Process one profile and allow TLS 1.2 (default is 1.3)\n$ paranoid_openvpn --min-tls 1.2 /path/to/input/profile.ovpn /path/to/output/hardened.ovpn\n```\n\n`source` above can be a remote zip, remote single profile, local zip, local\nsingle file, or local directory.\n\n## Hardening OpenVPN\n\nMost OpenVPN users are aware of the `cipher` and `hash` settings but that is\nusually the extent of security options that people modify. 
OpenVPN, however,\nhas two distinct channels that each have their own security settings: the\ncontrol channel and the data channel. The `cipher` and `hash` settings apply only to the\ndata channel, but OpenVPN exposes settings for the control channel as well.\nThe control channel is used to exchange the keys that are then used to encrypt\nyour traffic in the data channel, so a weak control channel undermines a strong\ndata channel.\n\nParanoid OpenVPN configures the control channel so that its security matches\nthat of the data channel. In broad terms, OpenVPN has options for \u003c128-bit, 128-bit, 192-bit,\nand 256-bit ciphers for the data channel. Paranoid OpenVPN will configure the\ncontrol channel to match these protection levels, with an absolute minimum of\n128 bits.\n\n## Cryptographic Reasoning\n\nWhere cryptographic judgement calls needed to be made, these rules were followed:\n\n  * [AEAD ciphers][aead] are always preferred over non-AEAD ciphers\n  * At the 256-bit security level, AES-GCM was preferred over CHACHA20-POLY1305\n    (for no particular reason).\n  * The 192-bit security level is rounded up to 256-bit as there are no 192-bit\n    TLS ciphers.\n  * At the 128-bit security level, CHACHA20-POLY1305 was the preferred fallback\n    for AES-128-GCM instead of AES-128-CBC because it is an AEAD cipher.\n    AES-128-CBC is then the fallback for CHACHA20-POLY1305.\n\n[aead]: https://en.wikipedia.org/wiki/Authenticated_encryption\n\n## Provider-specific Fixes\n\nMost VPN providers work fine with \"normal\" OpenVPN profiles but some providers\nbenefit from a few tweaks.\n\n### Private Internet Access (PIA)\n\nPIA's provided OpenVPN profiles seemingly only support AES-128-CBC and\nAES-256-CBC as the `cipher` option. However, with a little coaxing, PIA will\nconnect using AES-256-GCM and AES-128-GCM. 
Use the `--pia` flag to allow\nyour client to connect with these AEAD ciphers.\n\n## Donations\n\nIf you use this project and feel it's worth a donation, check out\n[GitHub Sponsors][ghs] or [Buy Me a Coffee][bmac].\n\n[ghs]: https://github.com/sponsors/Caligatio\n[bmac]: https://www.buymeacoffee.com/caligatio\n\n## Credit\n\nA lot of inspiration for this project was taken from https://blog.securityevaluators.com/hardening-openvpn-in-2020-1672c3c4135a.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcaligatio%2Fparanoid-openvpn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcaligatio%2Fparanoid-openvpn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcaligatio%2Fparanoid-openvpn/lists"}
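The README's "Hardening OpenVPN" and "Cryptographic Reasoning" sections describe the idea (read the data-channel `cipher`, derive a security level, then pin the control channel to the same level) without showing the resulting profile. The following is an added illustration written for this page; it is not Paranoid OpenVPN's own code and does not reproduce its exact cipher tables. It assumes the README's rules (AEAD first, 192-bit rounded up to 256, CHACHA20 as the 128-bit fallback, 128 bits as the floor) and uses real OpenVPN directives: `tls-version-min`, `tls-ciphersuites` (TLS 1.3 suites) and `tls-cipher` (TLS 1.2 suites in OpenVPN's IANA-style spelling). Adding `remote-cert-tls server` is this example's own extra hardening step, not something the README lists. The sample profile and its certificate placeholder are constructed for the example.

```python
"""Pin OpenVPN control-channel settings to the data-channel security level.

Added example for this page; not the paranoid-openvpn project's own code.
"""
import re

# Data-channel ciphers grouped by the security level they provide (assumed
# table). 192-bit AES is rounded up to 256 because TLS has no 192-bit suites.
DATA_CIPHER_LEVEL = {
    "AES-256-GCM": 256, "AES-256-CBC": 256, "CHACHA20-POLY1305": 256,
    "AES-192-GCM": 256, "AES-192-CBC": 256,
    "AES-128-GCM": 128, "AES-128-CBC": 128,
}

# Control-channel suites per level. TLS 1.3 suites are set via
# `tls-ciphersuites`; TLS 1.2 suites via `tls-cipher`. At 256 bits only
# AES-GCM is offered; at 128 bits AES-128-GCM first, CHACHA20 as fallback.
TLS13_SUITES = {
    256: "TLS_AES_256_GCM_SHA384",
    128: "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256",
}
TLS12_SUITES = {
    256: "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:"
         "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
    128: "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:"
         "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
}

# Directives this script owns: existing copies are dropped and re-emitted so
# a profile that already says `tls-version-min 1.0` cannot keep it.
OWNED = ("tls-version-min", "tls-cipher", "tls-ciphersuites", "remote-cert-tls")


def data_channel_level(profile: str) -> int:
    """Return 128 or 256 based on the profile's `cipher` line.

    Anything below 128 bits (BF-CBC, DES, ...) or unknown is rejected rather
    than silently mapped to the floor.
    """
    for line in profile.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "cipher":
            name = parts[1].upper()
            if name not in DATA_CIPHER_LEVEL:
                raise ValueError(f"data-channel cipher {name} is below 128-bit or unknown")
            return DATA_CIPHER_LEVEL[name]
    raise ValueError("profile has no `cipher` directive")


def harden_profile(profile: str, min_tls: str = "1.3") -> str:
    """Rewrite an .ovpn profile so the control channel matches the data channel.

    Inline <ca>/<cert>/<key>/<tls-crypt> blocks and every directive not in
    OWNED pass through unchanged; the control-channel settings are appended.
    """
    if min_tls not in ("1.2", "1.3"):
        raise ValueError("min_tls must be 1.2 or 1.3")
    level = data_channel_level(profile)
    kept, in_block = [], False
    for line in profile.splitlines():
        stripped = line.strip()
        # Track inline PEM blocks so their contents are never interpreted.
        if re.fullmatch(r"<[a-z-]+>", stripped):
            in_block = True
        elif re.fullmatch(r"</[a-z-]+>", stripped):
            in_block = False
        if not in_block and stripped.split(" ", 1)[0] in OWNED:
            continue  # stale control-channel setting; replaced below
        kept.append(line)
    added = [
        f"tls-version-min {min_tls}",
        # Require the server's certificate to carry the TLS server EKU, so a
        # stolen client certificate cannot impersonate the server (assumption:
        # the provider's CA issues server certs with that EKU, as most do).
        "remote-cert-tls server",
        f"tls-ciphersuites {TLS13_SUITES[level]}",
    ]
    if min_tls == "1.2":
        added.append(f"tls-cipher {TLS12_SUITES[level]}")
    return "\n".join(kept + added) + "\n"


# Constructed sample profile (hostname and certificate body are placeholders).
SAMPLE_PROFILE = """client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-GCM
auth SHA256
tls-version-min 1.0
<ca>
-----BEGIN CERTIFICATE-----
MIIB-constructed-placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    print(harden_profile(SAMPLE_PROFILE))
```

Two caveats a practitioner should keep in mind: the script only reads the `cipher` line, but OpenVPN 2.4+ can negotiate a different data-channel cipher (NCP), so pin the negotiable set with `data-ciphers` on 2.5+ if the derived level must actually hold; and `tls-cipher` is ignored for TLS 1.3, which is why the TLS 1.2 list is only emitted when 1.2 is allowed.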