SaferVPN uses ECDSA, an elliptic-curve digital signature algorithm, to authenticate the server during the TLS handshake. ECDSA itself encrypts nothing; the tunnel payload is protected by the data-channel cipher (AES) configured below. This document provides a minimal configuration guide focusing on ECDSA setup and DNS protection within a SaferVPN context. The goal is to establish a secure and private connection.
Basic configuration involves setting up the SaferVPN client with ECDSA enabled and configuring DNS settings. Here's a sample configuration snippet:
# SaferVPN Configuration (OpenVPN client profile; directives are written "name value", not "name = value")
client
dev tun
# proto selects the transport (udp or tcp); there is no "protocol" directive in OpenVPN
proto udp
remote safervpn.example.com 1194
# OpenVPN 2.4+ normally negotiates AES-256-GCM; cipher/auth below are the fallback for older peers
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# reject a peer that presents a client certificate instead of a server certificate
remote-cert-tls server
The TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 suite does not use ECDSA at all: ECDHE (ephemeral elliptic-curve Diffie-Hellman) handles the key exchange, and RSA signatures authenticate the server. ECDSA is the signature algorithm used only when the server certificate carries an EC key, which requires the matching suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384. Which one you configure must match the key type of the certificate SaferVPN issues; restricting tls-cipher to a suite the server's certificate cannot satisfy makes the handshake fail. Note that tls-cipher governs TLS 1.2 and below; OpenVPN 2.5 and later negotiate TLS 1.3 where possible, which is controlled by tls-ciphersuites (for example TLS_AES_256_GCM_SHA384), and TLS 1.3 suite names no longer encode the signature algorithm.
# DNS Configuration (Prevent Leaks)
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
The update-resolv-conf script (shipped with the Debian/Ubuntu openvpn package) reads the dhcp-option DNS values pushed by the SaferVPN server and writes them into /etc/resolv.conf through resolvconf on connect, restoring the previous resolvers on disconnect. It prevents leaks only when the server actually pushes DNS servers and the host uses resolvconf; on systemd-resolved hosts it does not take effect and queries can still reach the LAN resolver, so use a systemd-resolved aware hook such as update-systemd-resolved there instead.
Proper routing is crucial for directing traffic through the SaferVPN tunnel. Ensure all traffic, including DNS queries, is routed through the VPN interface. The server normally pushes redirect-gateway def1 for this; it does not replace the default route but overrides it with two more-specific routes (0.0.0.0/1 and 128.0.0.0/1) via the tunnel, so the original default route via your LAN gateway remains visible in the table.
Verify that Internet-bound traffic leaves via the VPN interface when connected: ip route get 1.1.1.1 should report dev tun0 (or whatever your tunnel interface is named).
Use ip route to inspect the full routing table and confirm the two /1 routes point at the tunnel.
Confirm DNS queries are resolved by SaferVPN's DNS servers: the SERVER line in the output of dig example.com (or resolvectl status on systemd-resolved hosts) should show the pushed resolver, not your LAN router.
To force all DNS traffic through the VPN, you can use iptables rules (use with caution; they need root and last only until flushed or rebooted):
# Example iptables rules (adjust interface names). Locally generated packets traverse the nat OUTPUT chain,
# not PREROUTING, and "-i" is not valid there; match on the outgoing interface ("! -o", not the obsolete "-o !").
iptables -t nat -A OUTPUT ! -o tun0 -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A OUTPUT ! -o tun0 -p tcp --dport 53 -j REDIRECT --to-ports 53
These rules redirect every locally generated DNS packet (UDP and TCP to port 53) that would leave on any interface other than tun0 (the VPN interface) to port 53 on the local machine. That only sends the query through the VPN if a local resolver (for example dnsmasq or unbound) listens on 127.0.0.1:53 and forwards to an upstream reachable solely over the tunnel, such as the pushed SaferVPN resolver; if nothing listens there, the query fails rather than leaks, which is the safer outcome. For a plain fail-closed guard without a local resolver, use the same match in the filter table with a DROP target (iptables -A OUTPUT ! -o tun0 -p udp --dport 53 -j DROP, and likewise for TCP), preceded by a rule accepting traffic on lo. These are IPv4 rules only; add the ip6tables equivalents or disable IPv6 if the tunnel does not carry it, otherwise AAAA lookups and IPv6 queries bypass the guard.
Verify the setup using these tests:
DNS Leak Test: Use online DNS leak test tools to confirm your real IP address and DNS servers are not exposed.
IP Address Check: Ensure your public IP address matches the SaferVPN server's IP.
Encryption Verification: openssl s_client cannot talk to an OpenVPN server, because OpenVPN wraps the TLS handshake inside its own control-channel packets rather than running TLS directly on the socket. Instead, run the client with verb 3 or higher and read the "Control Channel:" line it logs after connecting; it names the negotiated TLS version and cipher suite and, on OpenVPN 2.5 and later, the peer certificate key type and signature algorithm (ECDHE-ECDSA in the suite name, or an ecdsa-with-SHA* signature, confirms ECDSA authentication). You can also inspect the CA or server certificate bundled with the profile using openssl x509 -noout -text -in ca.crt and check the Public Key Algorithm field.
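The three checks above (egress interface, resolvers in use, and the signature algorithm the control channel negotiated) can be scripted so they run after every connect. The script below is an added example and is not SaferVPN's own tooling; it parses constructed samples of ip route get output, resolv.conf and an OpenVPN log line so that it runs offline, and the interface name tun0 and resolver 10.8.0.1 are assumptions to replace with your own values.

```shell
#!/bin/sh
# Post-connect leak checks for an OpenVPN-based SaferVPN client.
# Added example, not SaferVPN's own tooling. Every input below is a constructed
# sample so the script runs offline; on a live host feed it the real output of
# `ip route get 1.1.1.1`, `cat /etc/resolv.conf` and the client log (verb 3+).
# Interface name tun0 and resolver 10.8.0.1 are assumptions.

# Print the interface the kernel picked, given `ip route get` output.
# With redirect-gateway def1 the original default route stays in the table
# (OpenVPN overrides it with 0.0.0.0/1 and 128.0.0.0/1), so asking the kernel
# how it routes a real address is more reliable than grepping for "default".
egress_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 when every "nameserver" in the resolv.conf text ($1) appears in the
# space-separated allow-list ($2), i.e. only VPN-pushed resolvers are in use.
resolvers_only_from() {
    _allowed=" $2 "
    for _ns in $(printf '%s\n' "$1" | awk '$1 == "nameserver" {print $2}'); do
        case "$_allowed" in
            *" $_ns "*) ;;      # pushed by the VPN: fine
            *) return 1 ;;      # any other resolver would receive queries
        esac
    done
    return 0
}

# Print the "signature:" value from the latest "Control Channel:" log line.
# OpenVPN does not speak raw TLS on its socket (TLS records are wrapped in its
# control-channel framing), so openssl s_client cannot probe the server; the
# client log is where the negotiated suite and signature algorithm appear.
control_channel_sig() {
    printf '%s\n' "$1" | grep 'Control Channel:' | tail -n 1 \
        | sed -n 's/.*signature: \([^ ,]*\).*/\1/p'
}

# Return 0 when the logged handshake authenticated the server with ECDSA.
uses_ecdsa() {
    case "$(control_channel_sig "$1")" in
        *ecdsa*|*ECDSA*) return 0 ;;
        *) return 1 ;;
    esac
}

# --- Constructed samples (not captured from a real session) ---
ROUTE_GET_OK='1.1.1.1 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 1000
    cache'
ROUTE_GET_LEAK='1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 1000
    cache'
VPN_DNS='10.8.0.1'
RESOLV_OK='# Generated by resolvconf
nameserver 10.8.0.1'
RESOLV_LEAK='nameserver 10.8.0.1
nameserver 192.168.1.1'
# Log wording follows OpenVPN 2.5; older releases print less detail.
LOG_ECDSA='Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, peer certificate: 256 bit EC, curve secp256r1, signature: ecdsa-with-SHA256'
LOG_RSA='Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256'

# One line per check; the report never aborts the shell so all checks run.
report() {
    if [ "$(egress_dev "$1")" = tun0 ]; then echo "route:     OK (tun0)"
    else echo "route:     LEAK (via $(egress_dev "$1"))"; fi
    if resolvers_only_from "$2" "$VPN_DNS"; then echo "resolvers: OK"
    else echo "resolvers: LEAK (non-VPN nameserver present)"; fi
    if uses_ecdsa "$3"; then echo "tls auth:  ECDSA ($(control_channel_sig "$3"))"
    else echo "tls auth:  not ECDSA ($(control_channel_sig "$3"))"; fi
}

echo "== healthy session =="; report "$ROUTE_GET_OK" "$RESOLV_OK" "$LOG_ECDSA"
echo "== leaking session =="; report "$ROUTE_GET_LEAK" "$RESOLV_LEAK" "$LOG_RSA"
```

On a real host, replace the sample variables with `ip route get 1.1.1.1`, `cat /etc/resolv.conf` and `journalctl -u openvpn@client` (or wherever your client logs), and run the script from an OpenVPN up hook or a cron job so a silently dropped tunnel is noticed.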
Adjust configurations based on your specific SaferVPN client and server settings.
Regularly update your SaferVPN client software.
Monitor logs for any errors or unexpected behavior related to ECDSA or DNS.
Always back up your configuration files before making changes.
Consider firewall rules that drop all outbound traffic except to the SaferVPN endpoint and through the VPN interface (a kill switch), so that a dropped tunnel does not silently expose traffic over the LAN interface.