Disabling all logs in OpenVPN dedicated server+client?

Hiya,

I’m looking for practical techniques to completely disable the logs on a remote dedicated Linux server (Red Hat/CentOS) and in OpenVPN on that server. This includes disabling the logs of:

  1. Actual server OS, RedHat 7/8, CentOS 7/8?
  2. Disabling the logs that are created by OpenVPN as a daemon when running as a service?
  3. Disabling client-side logs that are written on the client machine, and logs that are created on the server side at the request of the client app (whatever app you use or developed yourself)?

Any practical solution for this?

Tnx and best of luck

Hi there

put into your server and client openvpn configs the following parameters:

    verb 0
    log /dev/null
    status /dev/null

first one sets log verbosity level to only fatal errors
next two send logs in the very middle of nowhere
that’s all

thanks

3 Likes
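An added example, not part of the original posts or of OpenVPN itself: a small Python check that parses a config and reports where the effective `verb`, `log`/`log-append` and `status` values differ from the three lines in the answer above. The sample config and the function names are constructed for illustration, and the check assumes the last occurrence of a directive is the one that takes effect.

```python
"""Added example: compare an OpenVPN config with verb 0 / log /dev/null / status /dev/null."""

# Constructed sample config (not from the thread); note the commented-out ';log' line.
SAMPLE_CONFIG = """\
port 1194
proto udp
verb 3
log-append /var/log/openvpn.log   # inline comment
status /run/openvpn/status.log 10
;log /dev/null
"""


def effective_settings(text):
    """Return the last value seen for verb, log (or log-append) and status."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        for mark in "#;":  # '#' and ';' both start a comment in OpenVPN configs
            line = line.split(mark, 1)[0]
        tokens = line.split()
        if not tokens:
            continue
        name = tokens[0].lstrip("-")  # tolerate '--verb' style spelling
        if name == "log-append":  # log and log-append both set the log file
            name = "log"
        if name in ("verb", "log", "status"):
            # Assumption: a later occurrence replaces an earlier one.
            settings[name] = tokens[1] if len(tokens) > 1 else None
    return settings


def audit(text):
    """List every setting that differs from the three lines in the answer."""
    s = effective_settings(text)
    findings = []
    if s.get("verb", "1") != "0":  # OpenVPN's default verbosity is 1
        findings.append(f"verb is {s.get('verb', '1 (default)')}, expected 0")
    for key in ("log", "status"):
        if s.get(key) != "/dev/null":
            findings.append(f"{key} -> {s.get(key, 'not set')}, expected /dev/null")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The check only reads the config file it is given; options passed on the service command line are outside what it sees.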

Hiya @dmitry_t

Thanks. 1) But according to the OpenVPN3 class library, the client profile .ovpn will log some information despite setting this to ‘verb 0’, even on the client side, and this is after setting everything you mentioned in the server configuration file. I’m a bit confused then? By client app I mean openvpn-connect. Also I’m not sure whether it logs a bit locally or sends the logs to the server?

Do you have any info about any of the matters below, by any chance, please?
2- Is there any way to protect RAM+SSD information from the remote server admin or a datacenter technician? As the LUKS/LUKS2 encryption key may be accessible to whoever has physical access to the remote server? And when the server is running, the admin/technician can copy RAM+SSD information from the remote server. Is there any way to prevent this by any kind of real-time obfuscation technique? So that I am the only person who can see what data is inside the remote server?
3- What country has the highest privacy for data/email stored in that country, is outside the 14 eyes, and does not exchange data with the 14 eyes for financial/business cases?
4- Is SELinux required for an OpenVPN server's security, or is it just an extra process, so that we can turn it off? While we have blocked all ports including SSH, and only DNSsec+OpenVPN (customized port) is left open?
5- What's the best way to back up this OpenVPN server in a single file? .tar/.tar.gz? And if I turn the server off, shall I back up from a mounted live Linux ISO, or just exclude some folders that have mounted info, given that taking the backup on the running and encrypted/LUKS server can be a low-quality option?
6- Is there any way to buy an ISP-looking IP instead of a datacenter IP for the server?

Tnx and best of luck :blush:

Hi @Blonde
sorry for the delay, was busy

  1. yes it does store some info in the logs with verb 0 parameter, but only about fatal errors. Also as I stated before there are another 2 params to set

    log /dev/null
    status /dev/null

which effectively prohibit logs at all.
As you are so concerned with the matter I would recommend to dive into the source code of openvpn and find anything related to the logging.

  2. and 3. are a bit naive questions - only option you do have is to keep own equipment on own territory. Any other approaches differ only in the cost of hacking.

  4. no it is not required

  5. look to the containerization techs like docker

  6. not sure I follow - what the difference between ISP IP and DC IP ?

thanks

2 Likes

Thanks. An ISP’s IP is registered under an ISP; it belongs to them. A DC IP is an IP belonging to that DC. Actually sometimes the DC IP is blacklisted for many possible reasons, thus if it were possible to get an IP in the ISP’s IP range, it would be better than a DC IP. But I couldn’t get one for myself yet, and I’m not sure, if I research and buy an IP with a better range, whether I can connect it to my VPS or not?

Tnx and best of luck

Thanks. Regarding this statement, I’m setting up a DNScrypt server and a private email server, if I use one or two local PC/Server/laptop or use any virtualization technologies locally to run both projects in one PC/Laptop/Server, all communication will pass through my local authority gateway, that can be one of these 14 eyes countries.

In the case of a private email server, all my emails will pass through the local authority gateways, and as not all the email senders know how to use the highest grade of PGP encryption, their communication will be exposed to the local authority gateway. But I have the equipment encrypted in my house, and the risk of a network admin or datacenter technician accessing my files will be eliminated at the cost that inbound communication toward me will not be encrypted in case the email sender never uses PGP with the highest grade of encryption. But my outbound emails will be encrypted, as I use a private VPS server that has proper encryption on to send my outbound emails. The only way to keep inbound emails that are not encrypted by PGP outside of the local authority gateway, to my knowledge, is to keep the VPS/server outside of the threat model, in this case outside the 14 eyes. And this will enable the network admin or datacenter technician to access my encrypted files, e.g. LUKS, while the server is running.
Thus none of these is my favorite, nor am I able to select one over another?
How shall I address these?

Also if I run a local server to download all emails from remote private mail server instantly, can this totally prevent the network admin or datacenter technician’s attack to my emails? or even if I run a local server to download all emails, still datacenter technician or network admin can attack me by keeping a copy of all incoming emails or outgoing emails or both? As emails enter and exit the private mail server unencrypted, thus this is a possible threat/attack?

Regarding DNScrypt, if I run it locally on a local laptop/PC/server, then as only my communication from and to the DNScrypt server is encrypted, the outbound queries of the DNS server of DNScrypt are inside the 14 eyes, thus this could be like using a non-encrypted DNS server. The only way to eliminate this threat in this model is to keep the DNScrypt server outside of the 14 eyes. But I’m not sure how to keep logs disabled for this server? As I believe, unlike the private mail server, the DNScrypt server can be outside the 14 eyes on a VPS/server and this will not expose me to network admin access or datacenter technician attacks, as if there are no logs, there is no threat?

Tnx and best of luck

using dnssec is really good! and everyone should use it!
don't forget to add extra security on the vpn server, so that no one can just log in and tcpdump all traffic. also your isp/datacenter can see your incoming and outgoing connections

1 Like

A nice thing to think about when picking a vpn company is

The dysfunctional myth is the idea that you can buy privacy through the denial of fear that will allow you to be happy* . Think of all vpn companies.

we wrote about the fear here
https://donottax.me/robin-hood-2020/

You will always have the attack that someone could freeze the RAM and reverse engineer the memory and get all the in-memory data

1 Like