Making the OpenVPN Server port invisible unless using cert + doubleNAT impact
-
Hi there :)
I am in the process of setting up an OpenVPN server on my pfSense box to give me remote access to my network. My pfSense box is however doubleNATed as it is sitting behind my ISP's modem/router which cannot be put into bridge mode. I quickly tested port forwarding from the ISP router to pfSense and that works fine.
I am quite wary of any misstep in my config and risking exposing my network, so if possible, I'd like to keep any ports not just closed but 'invisible' to any external scans.
I was told I can use OpenVPN with password and cert (most secure login option) as well as a pfSense rule (or set of rules) that would essentially drop all external connections to the OpenVPN server port unless they come with my cert, therefore making my OpenVPN server invisible to anyone but me.
1/ First of all, is that achievable and how would I need to configure these rules?
2/ Again assuming this works, how would that setup be impacted by the doubleNAT situation? Even though any queries would be forwarded from the ISP router to pfSense, would that somehow still make the ports visible?
Many thanks for any insights! :)
-
@McDing said in Making the OpenVPN Server port invisible unless using cert + doubleNAT impact:
therefore making my OpenVPN server invisible to anyone but me.
No that is not how it works... With tls-auth enabled.. UDP that doesn't match signature would be dropped.. And if using TCP would be dropped sooner..
-
@johnpoz thanks for the quick reply!
A further clarification to your answer if I may, but does that mean that the OpenVPN server port appears as (1) non-existing, (2) closed or (3) open to a potential attacker?
Is it just that it would show as (3) open but connections would be dropped due to the signature mismatch? Or does the port appear as (1) non-existing?
Thanks
-
UDP is very hard to scan anyway - there would have to be an answer for it to show as open.. So if UDP doesn't match with the use of auth, then there would be no answer..
But with TCP there would be SYN/ACK back - and yes it would show as open..
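The answer above hinges on one mechanism: with tls-auth the server checks an HMAC on every control packet before it does anything else, and a packet that fails the check is discarded with no reply, so a UDP probe gets silence while a TCP probe is already answered by the kernel's SYN/ACK before OpenVPN sees a byte. The following is an added illustration written for this thread, not OpenVPN code and not the pfSense configuration under discussion: it models the tls-auth HMAC check in simplified form (the real wire format also covers opcode, session ID and packet ID; the 20-byte key below is constructed, not a real `ta.key`), and shows why the two transports look different to a scanner.

```python
import hashlib
import hmac

# Constructed 20-byte static key standing in for the tls-auth key shared by
# client and server. This is NOT a real OpenVPN ta.key; it only makes the
# example runnable offline.
STATIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
TAG_LEN = hashlib.sha1().digest_size  # tls-auth defaults to HMAC-SHA1 (20 bytes)


def seal(payload: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Client side: prepend an HMAC-SHA1 tag over the payload.

    Simplified model of tls-auth: the real implementation also covers the
    opcode, session ID and replay-protection packet ID, but the idea is the
    same: every control packet carries a tag only key holders can produce.
    """
    tag = hmac.new(key, payload, hashlib.sha1).digest()
    return tag + payload


def udp_server_receive(datagram: bytes, key: bytes = STATIC_KEY):
    """Server side over UDP: verify the tag first, answer only on success.

    Returns the reply bytes when the HMAC verifies, or None when the
    datagram is dropped. A dropped datagram produces no packet at all on
    the wire, which is what makes the port look unanswered to a UDP probe.
    """
    if len(datagram) < TAG_LEN + 1:
        return None  # too short to carry a tag and a payload: drop silently
    tag, payload = datagram[:TAG_LEN], datagram[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # bad or missing tag: drop silently, no reply
    # Stand-in for the server's first handshake message.
    return b"P_CONTROL_HARD_RESET_SERVER_V2"


def udp_scanner_verdict(reply) -> str:
    """What a UDP port scanner can conclude from the (non-)reply.

    nmap reports an unanswered UDP port as "open|filtered": it cannot tell
    an open-but-silent service from a firewall that dropped the probe.
    """
    return "open" if reply is not None else "open|filtered"


def tcp_scanner_verdict() -> str:
    """What a TCP port scanner sees against the same OpenVPN server.

    With proto tcp the kernel completes the three-way handshake (SYN,
    SYN/ACK, ACK) before OpenVPN ever runs the tls-auth check, so the
    scanner has already received a SYN/ACK and records the port as open.
    The bogus control packet is still dropped afterwards, just later.
    """
    return "open"


def simulate() -> dict:
    """Run the three cases discussed in the thread and collect the verdicts."""
    genuine = seal(b"P_CONTROL_HARD_RESET_CLIENT_V2")
    # Constructed probe from someone without the key: right length, wrong tag.
    forged = b"\x00" * TAG_LEN + b"P_CONTROL_HARD_RESET_CLIENT_V2"
    return {
        "udp_genuine_client": udp_scanner_verdict(udp_server_receive(genuine)),
        "udp_unkeyed_probe": udp_scanner_verdict(udp_server_receive(forged)),
        "tcp_unkeyed_probe": tcp_scanner_verdict(),
    }


if __name__ == "__main__":
    for case, verdict in simulate().items():
        print(f"{case:22s} -> {verdict}")
```

Only the keyed client gets an answer over UDP; the unkeyed probe is dropped before any reply is generated, so the port never positively confirms itself, which is the "very hard to scan" behaviour described above. Note the model says nothing about the double NAT: a forwarded UDP datagram that fails the HMAC check is still dropped silently at the pfSense side, so the ISP router forwarding it does not by itself change the verdict.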
-
Great! Many thanks for clarifying that :)