Netgate Discussion Forum

    HELP! Something's trying to connect to my openvpn server >.<

    OpenVPN
    19 Posts 9 Posters 10.3k Views
      kpa

      If you open listening ports to the internet you can always expect to catch some "noise" from random probes that people keep trying, some of them more determined than others. If it becomes a problem you can add rate limit options to the firewall rule that allows the traffic in to limit the number of connections that can be attempted over a period of time or the number of simultaneous connection attempts.

        pfBasic

        If you use a password and a solid key I wouldn't worry about it. No script kiddies are going to bypass both.

          Rawr44

          @kpa:

          If you open listening ports to the internet you can always expect to catch some "noise" from random probes that people keep trying, some of them more determined than others. If it becomes a problem you can add rate limit options to the firewall rule that allows the traffic in to limit the number of connections that can be attempted over a period of time or the number of simultaneous connection attempts.

          Alright, how do I do this? Also thanks all for the help! :D

            pfBasic

            In the advanced settings of your firewall rules. Max source connection rate & rates.

              biggsy

              @pfBasic:

              In the advanced settings of your firewall rules. Max source connection rate & rates.

              pfBasic, does that work for you? I tried that to stop/slow brute force hits to a web server. No luck at all.

                pfBasic

                I've never used that feature, I was just pointing him in the direction of the settings for it.

                I use a strong password in addition to strong keys for all of my VPN connections, so I've never paid any attention to unauthorized authentication attempts.

                My assumption is that the setting works (in most scenarios).

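As an added example that is not part of this thread and not pfSense's own code, the following Python script models what the rate-limit option kpa and pfBasic refer to actually does: it counts new connections per source address over a sliding time window and, once a source exceeds the limit, moves it into a block table so its later packets are dropped (on pfSense this is pf's max-src-conn-rate with overload into the virusprot table). It also tallies the "TLS: Initial packet" lines an OpenVPN server logs for every handshake probe, which is the quickest way to see who is knocking and how hard. The thresholds, addresses and log lines are constructed for illustration. Two practical caveats: the pfSense rule editor offers the connection-rate options only for TCP rules, so with OpenVPN on UDP the per-source state limit (Max. src. states) is the one that applies, and enabling OpenVPN's tls-auth/tls-crypt (the TLS Authentication option in pfSense) discards probes that lack the shared HMAC key before any handshake starts.

```python
"""Sliding-window limit on new OpenVPN connection attempts per source address.

Added example (not from the forum thread). It mimics the shape of a pf
"overload" rule: more than MAX_CONN new connections from one source within
WINDOW_SECONDS puts that source into a block table, after which its further
packets are dropped. Thresholds, addresses and log lines are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

MAX_CONN = 3          # hypothetical threshold: allow 3 new connections ...
WINDOW_SECONDS = 60   # ... per 60 seconds per source address

# OpenVPN server log line for the first packet of a TLS handshake. Every
# unauthenticated probe produces one of these even if it never gets further.
INITIAL_PKT = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*"
    r"TLS: Initial packet from \[AF_INET\](?P<src>\d+\.\d+\.\d+\.\d+):\d+"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample log: 203.0.113.5 hammers the port, 198.51.100.7 is a
# legitimate client, 203.0.113.9 retries slowly (once every two minutes).
SAMPLE_LOG = """\
Sat Aug 26 10:00:01 2017 203.0.113.5:51234 TLS: Initial packet from [AF_INET]203.0.113.5:51234, sid=00000001 00000001
Sat Aug 26 10:00:02 2017 203.0.113.5:51235 TLS: Initial packet from [AF_INET]203.0.113.5:51235, sid=00000002 00000002
Sat Aug 26 10:00:03 2017 203.0.113.5:51236 TLS: Initial packet from [AF_INET]203.0.113.5:51236, sid=00000003 00000003
Sat Aug 26 10:00:05 2017 203.0.113.5:51237 TLS: Initial packet from [AF_INET]203.0.113.5:51237, sid=00000004 00000004
Sat Aug 26 10:00:06 2017 203.0.113.5:51238 TLS: Initial packet from [AF_INET]203.0.113.5:51238, sid=00000005 00000005
Sat Aug 26 10:00:10 2017 198.51.100.7:40000 TLS: Initial packet from [AF_INET]198.51.100.7:40000, sid=0000000a 0000000a
Sat Aug 26 10:00:12 2017 198.51.100.7:40000 VERIFY OK: depth=0, CN=laptop
Sat Aug 26 10:01:00 2017 203.0.113.9:6000 TLS: Initial packet from [AF_INET]203.0.113.9:6000, sid=0000000b 0000000b
Sat Aug 26 10:03:00 2017 203.0.113.9:6001 TLS: Initial packet from [AF_INET]203.0.113.9:6001, sid=0000000c 0000000c
Sat Aug 26 10:05:00 2017 203.0.113.9:6002 TLS: Initial packet from [AF_INET]203.0.113.9:6002, sid=0000000d 0000000d
Sat Aug 26 10:07:00 2017 203.0.113.9:6003 TLS: Initial packet from [AF_INET]203.0.113.9:6003, sid=0000000e 0000000e
"""


def parse_attempts(lines):
    """Yield (timestamp, source_ip) for every initial handshake packet."""
    for line in lines:
        m = INITIAL_PKT.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), TS_FORMAT), m.group("src")


def probe_summary(lines):
    """Count initial handshake packets per source: who is knocking, how often."""
    return dict(Counter(src for _, src in parse_attempts(lines)))


def rate_limit(attempts, max_conn=MAX_CONN, window=WINDOW_SECONDS):
    """Apply the per-source rate limit to a stream of (timestamp, source) pairs.

    Returns (blocked, allowed): blocked maps each offending source to the time
    it entered the block table; allowed lists the attempts that would have
    reached OpenVPN.
    """
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    blocked = {}
    allowed = []
    for ts, src in attempts:
        if src in blocked:
            continue              # in the block table: dropped, no state created
        q = recent[src]
        while q and (ts - q[0]).total_seconds() >= window:
            q.popleft()           # forget attempts that fell out of the window
        q.append(ts)
        if len(q) > max_conn:
            blocked[src] = ts     # rate exceeded: overload into the block table
        else:
            allowed.append((ts, src))
    return blocked, allowed


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, n in sorted(probe_summary(lines).items(), key=lambda kv: -kv[1]):
        print(f"{src:15} {n} initial packets")
    blocked, allowed = rate_limit(parse_attempts(lines))
    print("blocked:", blocked)             # only 203.0.113.5, at 10:00:05
    print("allowed attempts:", len(allowed))
```

Run against a real server log (for example `grep 'Initial packet' /var/log/openvpn.log`) the summary alone answers the original question of who is connecting; the slow retrier shows why a window matters, since 203.0.113.9 makes four attempts but never more than one inside any 60-second span and is therefore never blocked.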
                  NasKar

                  Is a Key length of 2048 and Digest Algorithm SHA256 enough? I want to stream video over the VPN?

                  Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
                  2 CPUs: 1 package(s) x 2 core(s)
                  AES-NI CPU Crypto: No
                  2 Gigs Ram
                  SSD with ver 2.4.0
                  IBM Intel Pro PCI-E Quad Port 10/100/1000 Server Adapter 39Y6138 (K210320)

                    pfBasic

                    Yes, I use RSA-4096 keys because that authentication only takes place once and the whole process only takes a couple seconds anyways.

                    I use SHA-224 as that has an ongoing performance impact and AFAIK SHA-2xx has no known vulnerabilities so I just go with the smallest thing that gets me into SHA-2. That being said I think that the difference between 224 & 256 is totally negligible.

                    Finally I use AES-128 for my server because again, AFAIK it has no known vulnerabilities so anything above that is a waste and some of my clients (smartphones) are noticeably impacted by the AES-256 performance tax.
                    That being said I do use AES-256 for my client on pfSense just because it's an old i5 and doesn't break a sweat even when maxing my 150/15 line so why not.

                    In reality, if all you want to do is stream video (assume you are talking about pirated stuff?) then you can pick all of the lowest settings and disregard whatever vulnerabilities they may have. Your ISP is not going to attempt to decipher your encrypted traffic. Neither will any studio whose content you are pirating.

                    This really applies to most home users. If your VPN isn't used to transfer sensitive data for your job, or some sort of illicit activity that could get the attention of a government entity (read: not pirated media), then any level of encryption is almost certain to be more than enough. As long as all of your data is in CT, and you aren't on some government agency's list then it is extremely unlikely that anyone will ever attempt to decrypt your data even if it would be a trivial task due to using outdated and vulnerable ciphers.

                    Imagine the headlines if it was found out that Studio X or ISP Y was discovered deciphering someone's internet traffic for any reason?

                    In reality though, most people who take the time to implement pfSense and/or VPN's for their network aren't going to use a cipher with known vulnerabilities after going to all that effort even if they know it probably doesn't matter for their use case. So we all end up using significant overkill in our encryption levels even if it means a performance impact.

                    AFAIK, IPSEC would be much faster/less resource intensive than OpenVPN in many cases. But IDK for sure since I've never used it because I don't have a performance limitation with my existing connection & hardware combo. But if I ever went to gigabit internet, I'd very likely switch to IPSEC.

                      justblackcoffee

                      Just to toss in my two cents about changing the port, I would for sure. Understandably it's security through obscurity, but if someone is just scanning a block of addresses they are going to check for the most common ports people will leave default/open. If someone is scanning a block or poking for weakness for an application or protocol, default ports can get caught up in that. It brings unwanted attention to your systems. So if someone wasn't targeting you specifically, they would now know you're running a VPN server on the default configuration, so you start with weak passwords, sending packets to identify TCP or UDP flags, and go to work.

                      There is nothing wrong with changing the default port, it's a TCP/UDP connection that any port can handle. You either do it or don't do it, but do it because you're just trying to keep your privacy, not because you think you're doing something other than changing the path you drive to work every day. Also, if you have Snort or Bro or Suricata running you should be using the known_compromised_host list.

                        pfBasic

                        Yeah, often when someone suggests changing from the default port someone else usually retorts with a speech about security through obscurity being worthless…

                        Security through obscurity vs "true" security is an imperfect analogy to cover vs concealment. Concealment can't physically protect you but it serves a purpose. The most commonly cited purpose is to clean up your log files, and that is certainly a valid purpose.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.