IPFYI
🔒 Network Security 7 Min. Lesezeit

VPN Security Audit Checklist

A systematic checklist for auditing your VPN deployment's security posture.

Protocol and Encryption

Start your VPN audit by verifying the protocol and encryption settings:

  • Protocol: WireGuard or OpenVPN recommended. Avoid PPTP (broken) and L2TP without IPsec
  • Cipher: AES-256-GCM or ChaCha20-Poly1305. Avoid DES, 3DES, Blowfish
  • Key exchange: Curve25519 (WireGuard) or DHE/ECDHE with 2048+ bit keys
  • Hash: SHA-256 or better. Avoid MD5, SHA-1

Authentication

Verify how users and devices authenticate to the VPN:

  • Multi-factor authentication (MFA) should be required, not optional
  • Certificate-based authentication is stronger than username/password
  • API keys and tokens should rotate on a defined schedule
  • Service accounts should have minimal permissions

Leak Testing

A VPN that leaks traffic defeats its purpose. Test for:

  • DNS leaks — DNS queries should route through the VPN tunnel, not your ISP
  • IPv6 leaks — If the VPN only tunnels IPv4, IPv6 traffic may bypass it
  • WebRTC leaks — Browser WebRTC can reveal your real IP even through a VPN
  • Kill switch — Verify that internet access stops completely when the VPN drops

Logging and Privacy

Review what your VPN logs:

Log Type Acceptable? Risk
Connection timestamps Depends on use case Minimal
Bandwidth usage Acceptable for billing Low
DNS queries No High — reveals browsing
Traffic content Never Critical
Source IP addresses Depends on threat model Medium

Network Configuration

Verify split tunneling policies, ensure the VPN server is properly hardened, and confirm that the VPN concentrator receives regular security updates.

Siehe auch

SSL/TLS Certificate Glossar DDoS Glossar DNS Spoofing Glossar Encryption Glossar Firewall Glossar HTTPS Glossar Intrusion Detection System (IDS) Glossar Man-in-the-Middle Attack Glossar SSL vs TLS Vergleichen SFTP vs FTPS Vergleichen SSH vs Telnet Vergleichen IDS vs IPS Vergleichen