🔒 Network Security
7 menit baca
VPN Security Audit Checklist
A systematic checklist for auditing your VPN deployment's security posture.
Protocol and Encryption
Start your VPN audit by verifying the protocol and encryption settings:
- Protocol: WireGuard or OpenVPN recommended. Avoid PPTP (broken) and L2TP without IPsec
- Cipher: AES-256-GCM or ChaCha20-Poly1305. Avoid DES, 3DES, Blowfish
- Key exchange: Curve25519 (WireGuard) or DHE/ECDHE with 2048+ bit keys
- Hash: SHA-256 or better. Avoid MD5, SHA-1
Authentication
Verify how users and devices authenticate to the VPN:
- Multi-factor authentication (MFA) should be required, not optional
- Certificate-based authentication is stronger than username/password
- API keys and tokens should rotate on a defined schedule
- Service accounts should have minimal permissions
Leak Testing
A VPN that leaks traffic defeats its purpose. Test for:
- DNS leaks — DNS queries should route through the VPN tunnel, not your ISP
- IPv6 leaks — If the VPN only tunnels IPv4, IPv6 traffic may bypass it
- WebRTC leaks — Browser WebRTC can reveal your real IP even through a VPN
- Kill switch — Verify that internet access stops completely when the VPN drops
Logging and Privacy
Review what your VPN logs:
| Log Type | Acceptable? | Risk |
|---|---|---|
| Connection timestamps | Depends on use case | Minimal |
| Bandwidth usage | Acceptable for billing | Low |
| DNS queries | No | High — reveals browsing |
| Traffic content | Never | Critical |
| Source IP addresses | Depends on threat model | Medium |
Network Configuration
Verify split tunneling policies, ensure the VPN server is properly hardened, and confirm that the VPN concentrator receives regular security updates.