Securing OpenVPN

Status
Not open for further replies.

djdwosk97

Patron
Joined
Jun 12, 2015
Messages
382
I'm running OpenVPN on my router because I had some trouble getting OpenVPN running on my NAS, but I'm trying to learn more about OpenVPN. I was told that the OpenVPN client is very vulnerable and needs to have extra configuration settings set, but why?

What settings does my router have that make it vulnerable and what settings would need to be added to secure it?

[attached image: jwd9Cni.png]

scrappy

Patron
Joined
Mar 16, 2017
Messages
347
I am not sure what makes an OpenVPN client "very vulnerable", but I suppose OpenVPN is only as secure as the end user wishes it to be. Just be sure to create a strong Diffie-Hellman key (4096-bit is preferable). You should also create an HMAC key file, which drops unsolicited TLS packets at the server. You can google "OpenVPN hardening" and find all sorts of info on ways to make OpenVPN extra secure.

This is my OpenVPN server config from my FreeBSD server:
Code:
# Bind only to this address/port
local 192.168.3.160
port 1199
proto udp
dev tun
# Reject any peer whose certificate lacks the TLS client EKU, so a server
# certificate cannot be reused to pose as a client
remote-cert-tls client
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key
# DH parameters; 4096-bit as recommended above (openssl dhparam -out dh.pem 4096)
dh /usr/local/etc/openvpn/keys/dh.pem
# HMAC every control-channel packet with a static key; packets that fail the
# check are dropped before they reach TLS. Direction 0 here pairs with
# key-direction 1 in the client config.
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
# Data-channel HMAC
auth SHA512
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.30.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option PROXY_HTTP 192.168.3.1 3128"
push "dhcp-option DNS 192.168.3.1"
;push "dhcp-option DNS 8.8.8.8"
;push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 120 3600
#engine aesni
# Data-channel cipher; OpenVPN 2.4+ peers negotiate AES-256-GCM instead when both support it
cipher AES-256-CBC
# Compression is deprecated upstream and leaks plaintext length (VORACLE); drop it unless needed
comp-lzo
max-clients 5
# Drop root after startup; persist-key/persist-tun let restarts work unprivileged
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
;mute 20


Here is an example of my OpenVPN unified file iOS client config:
Code:
client
dev tun
proto udp
remote example.duckdns.org
port 1199
resolv-retry infinite
nobind
# Only meaningful for a daemon-style client; the iOS app ignores user/group
user nobody
group nobody
persist-key
persist-tun
# Refuse to connect unless the peer's certificate carries the TLS server EKU,
# so a stolen client certificate cannot impersonate the server
remote-cert-tls server
# Direction for the inline tls-auth key below; 1 pairs with the server's 0
key-direction 1
auth SHA512
cipher AES-256-CBC
comp-lzo
verb 3
;mute 20

<ca>
put ca here
</ca>
<cert>
put cert here
</cert>
<key>
put key here
</key>
<tls-auth>
put tls static key here
</tls-auth>


I think you can get a general idea how to setup your OpenVPN config by looking at these settings. They may not be perfect, but I spent a fair amount of time searching various sources online to find good security practices for my OpenVPN server.
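Added example, not code from the post above or from OpenVPN itself: a small Python linter for the hardening points scrappy lists (tls-auth/tls-crypt HMAC on the control channel, remote-cert-tls, the auth and cipher choices, compression, privilege drop), plus a cross-check that the server's tls-auth direction (0) matches the client's key-direction (1), since a mismatch makes the server silently drop every client packet. The three embedded configs are constructed: two are trimmed from the posted server and client files, the third is the same server hardened. Paths, the tc.key and dh4096.pem names are assumptions, and the VORACLE note and version-specific directives (tls-crypt and ncp-ciphers from 2.4, data-ciphers from 2.5) describe upstream OpenVPN behaviour, not anything stated in the thread.

```python
"""Added example, not code from the thread: lint OpenVPN configs for the hardening points
raised above and cross-check the tls-auth key direction between a server and a client config.
The sample configs are constructed from the posted ones; paths and key names are illustrative."""
import re
from typing import Dict, List, Optional

WEAK_CIPHERS = {"NONE", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}  # 64-bit blocks or none
STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}

SERVER_CONF = """\
remote-cert-tls client
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
auth SHA512
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
"""

CLIENT_CONF = """\
remote-cert-tls server
key-direction 1
auth SHA512
cipher AES-256-CBC
comp-lzo
<tls-auth>
(constructed placeholder, not a real static key)
</tls-auth>
"""

# Same server, hardened: tls-crypt also encrypts the control channel (key from 'openvpn --genkey
# secret tc.key', 2.5 syntax), AEAD ciphers are negotiated via data-ciphers (ncp-ciphers on 2.4),
# the DH file comes from 'openssl dhparam -out dh4096.pem 4096', and compression is gone.
HARDENED_SERVER_CONF = """\
remote-cert-tls client
dh /usr/local/etc/openvpn/keys/dh4096.pem
tls-crypt /usr/local/etc/openvpn/keys/tc.key
tls-version-min 1.2
auth SHA256
data-ciphers AES-256-GCM:AES-128-GCM
user nobody
group nobody
"""

def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Directive -> argument lists. '#'/';' lines are comments; <tag> blocks are recorded as 'tag'."""
    conf: Dict[str, List[List[str]]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:  # inside <tag>...</tag>: skip the body, leave on the closing tag
            in_block = not re.fullmatch(r"</[\w-]+>", line)
        elif re.fullmatch(r"<[\w-]+>", line):
            in_block = True
            conf.setdefault(line[1:-1], []).append(["<inline>"])
        else:
            parts = line.split()
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def key_direction(conf: Dict[str, List[List[str]]]) -> Optional[str]:
    """tls-auth key direction: second tls-auth argument, else key-direction, else None (bidirectional)."""
    args = conf.get("tls-auth", [[]])[0]
    if len(args) >= 2:
        return args[1]
    kd = conf.get("key-direction")
    return kd[0][0] if kd else None

def tls_auth_pair_ok(server_text: str, client_text: str) -> bool:
    """Directions must be 0/1, 1/0 or both unset; otherwise the server's HMAC check drops every client packet."""
    pair = (key_direction(parse_config(server_text)), key_direction(parse_config(client_text)))
    return pair in {("0", "1"), ("1", "0"), (None, None)}

def audit(text: str, role: str) -> List[str]:
    """Hardening findings for a 'server' or 'client' config; an empty list means clean."""
    conf = parse_config(text)
    findings: List[str] = []
    if not any(k in conf for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("no tls-auth/tls-crypt: unsolicited packets reach the TLS handshake code")
    want = "client" if role == "server" else "server"  # EKU expected in the peer's certificate
    rct = conf.get("remote-cert-tls", [[]])[0]
    if rct != [want]:
        findings.append(f"remote-cert-tls {want} missing (found: {' '.join(rct) or 'none'})")
    auth = conf.get("auth", [["SHA1"]])[0][0].upper()  # SHA1 is OpenVPN's default when unset
    if auth not in STRONG_AUTH:
        findings.append(f"auth {auth}: use SHA256 or stronger")
    if "data-ciphers" not in conf and "ncp-ciphers" not in conf:
        cipher = conf.get("cipher", [["BF-CBC"]])[0][0].upper()  # BF-CBC was the pre-2.4 default
        if cipher in WEAK_CIPHERS:
            findings.append(f"cipher {cipher}: 64-bit block or no encryption; use AES-256-GCM")
        elif cipher.endswith("-CBC"):
            findings.append(f"cipher {cipher}: acceptable, but AES-GCM (AEAD) is preferred on 2.4+")
    if any(a != ["no"] for a in conf.get("comp-lzo", [])) or any(
            a[:1] not in ([], ["stub"], ["stub-v2"]) for a in conf.get("compress", [])):
        findings.append("compression enabled: leaks plaintext by length (VORACLE) and is deprecated")
    if role == "server":
        if not ("user" in conf and "group" in conf):
            findings.append("daemon keeps root after start: add 'user nobody' and 'group nobody'")
        if "tls-version-min" not in conf:
            findings.append("tls-version-min absent: add 'tls-version-min 1.2' to refuse TLS 1.0/1.1")
    return findings
```

audit(SERVER_CONF, "server") on the trimmed posted server config returns three findings (CBC cipher, comp-lzo, no tls-version-min) and audit(CLIENT_CONF, "client") two; the hardened config returns none. tls_auth_pair_ok(SERVER_CONF, CLIENT_CONF) is True because direction 0 on the server meets key-direction 1 on the client, while pairing the server config with itself (0/0) is False, which is the misconfiguration behind a tunnel that never comes up despite valid certificates.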

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I was told that the OpenVPN client is very vulnerable and needs to have extra configuration settings set, but why?
Doesn't this seem like a question that would be better directed to the person who told you that?

And, IMO, on the router is where your VPN service really ought to be run anyway.