Introduction / New to OpenVPN



  • Hi

    New guy here, nice to meet you.

    I recently set up a very basic OpenVPN configuration for my home LAN. The idea being, I want to be able to safely RDP into one of my computers and access my DVR away from home using the exported client on a laptop.

    A lot of the guides online make it seem like a simple process but it has taken me a long time to get anywhere. I would love to open a discussion about what I have done so far and see what more experienced users have to say about it.

    I am going wifi router/modem (bridge mode) > pfSense box > switch > pcs/wifi router

    I initially wanted to go pfsense > wifi router > pcs but I had issues communicating from the OpenVPN subnet to the wifi router subnet.

    I imagine this is because of either the firewall, or because I would need to set up routing between the wifi gateway and the pfsense box.

    Something I don't know how to do.

    After getting rid of the double NAT and using pfsense as the gateway it seems to be working.

    So far I really like pfSense and am excited to experiment more and learn about its capabilities.

    One thing I am concerned about is the rule OpenVPN makes in the firewall.

    Is that a security concern? If I use TCP 443 are there ways people could exploit that to gain access to my openvpn subnet? Or is the pfsense authentication strong enough to keep people out?

    Also if I go to Status > System Logs every one of my logs comes up with "No Logs to Display" is that normal?

    I am experimenting with darkstat but would love to know how to tell if people are trying to break into my network and strategies for shutting them down. Any threads to search for would be great. I have only just started making my way around these forums so any must reads would be greatly appreciated.

    Any interesting stories/revelations about OpenVPN? I've heard some people use this in commercial settings. Is it really that good?

    What about ISPs do they get upset for using this type of thing?



  • I am going wifi router/modem (bridge mode) > pfSense box > switch > pcs/wifi router

    This is the preferred "best practice" for many home setups (it's what I use).

    One thing I am concerned about is the rule OpenVPN makes in the firewall.

    Is that a security concern? If I use TCP 443 are there ways people could exploit that to gain access to my openvpn subnet? Or is the pfsense authentication strong enough to keep people out?

    Holes in the firewall allowing traffic into your network are always a basic concern. One of the big features (IMHO) of OpenVPN is removing all the other holes you may have needed for port-forwarded game units, DVRs, streaming servers, etc., etc. OpenVPN lets you consolidate everything to one port that tunnels all the traffic you need.

    That also means the single open port becomes subject to all the external hack attempts. In my mind OpenVPN is probably one of the best success stories for open source development and network safety. It's been around long enough to have proven itself and is accepted as a very robust and secure method of securing your network. It's currently used in many Corporate setups as a secure means of communications, making it more than robust enough for home use.

    Port 443 is no more or less exploit "dangerous" than any other you might use. A bigger question may be whether or not you take a performance hit due to TCP vs UDP and/or port 443 being "assumed" to be HTTPS by some applications.

    Personally I run multiple OpenVPN servers on my home pfSense, my preferred port is 1201/UDP but I have a 443/TCP available.
    I intentionally changed my main access port off of 1194 to dodge some of the places that try and limit VPN access because they "know" about 1194 and 443 is available for the really "cranky" WiFi spots.

    Welcome to pfSense, you've already found one of the best tools for learning and supporting pfSense - this Forum  ;)


  • Banned

    …heard somebody saying he uses port 22222 / UDP for the OpenVPN server

    Is this an advantage (sec by obscur) or a safety risk?

    Kind regards

    chemlud



  • I would say there's no more or less of a security risk by using a different OpenVPN server port than the default 1194.
    Perhaps there's a small amount of "security by obscurity", but not much.

    As far as an outsider being able to attempt some compromise of your OpenVPN setup, the port required is pretty trivial.
    The real security comes from the handshake required to authenticate a shared key/certificate/what-have-you.

    As long as you're not stepping on a port used by something else, it really doesn't matter what you choose.
    For me (as I've said) I use non-standard ports in general to avoid some public WiFi spots that notice me trying to use the "standard" 1194 and block the traffic when I try to connect back home.

    Just my $.02


  • LAYER 8 Global Moderator

    "Also if I go to Status > System Logs every one of my logs comes up with "No Logs to Display" is that normal?"

    No, that is not normal. What pfsense did you set up, nanobsd? Did you turn off logging? You for sure should see your normal system log where pfsense boots up, etc. And for sure you should see stuff in your firewall log, and yeah if connecting via openvpn, stuff in there.

    As to openvpn, there are many companies that use it as their production vpn solution.

    As to running on port 443 and worried about security. As already stated, they would have to have a cert. So unless you have set it up as only password, it's pretty freaking secure. I run an instance on 443 because pretty sure that is always going to be open no matter where you're at, also tcp allows you to bounce off a proxy if need be. For example here at work only the proxy has internet access, so it's very easy to bounce my vpn through the proxy to my home network.

    I also have it running on 1194, when somewhere that is open, udp is a bit faster, better performance, etc. Not all that much but if open why not use it.

    As to ISP getting upset?? What should they freaking care for? You pay them for connectivity, what you do with that connectivity is no concern of theirs. Now if you were trying to DDOS something and pegging your pipe 24/7/365 they might have some issues with that. But to be honest you're paying for a pipe, how you use that pipe shouldn't be part of the conversation to be honest.

    Changing the port or security through obscurity is NOT security. It can lower your log noise a bit if that is a concern… But since you don't have any logs to view anyway, guess not an issue for you ;)
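    The two replies above make the same point: the port is trivia, the protection is the certificate handshake, and a server set up as "only password" is the weak case. The added script below (not from pfSense, OpenVPN or any poster here) audits a plain OpenVPN server config for exactly those settings; the two configs are constructed samples, the directive names are standard OpenVPN ones, and it assumes an OpenVPN 2.4+ server where `verify-client-cert` defaults to `require`.

```python
"""Audit an OpenVPN server config for the weak settings discussed in this thread."""
from typing import Dict, List

# Constructed sample: password-only server, no control-channel key (weak).
PASSWORD_ONLY_CFG = """\
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth-user-pass-verify /etc/openvpn/check.sh via-file  # hypothetical path
verify-client-cert none
"""

# Constructed sample: client certificates required plus tls-crypt (hardened).
CERT_CFG = """\
port 1201
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
remote-cert-tls client
verify-client-cert require
"""


def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with."""
    directives: Dict[str, List[List[str]]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip trailing '#' comments
        if not line or line.startswith(";"):  # ';' also starts a comment
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit(text: str) -> List[str]:
    """Return findings; an empty list means neither weak setting was found."""
    d = parse_config(text)
    findings: List[str] = []
    # Password-only: cert check disabled the old way or via verify-client-cert.
    vcc = (d.get("verify-client-cert") or [["require"]])[-1]
    if "client-cert-not-required" in d or vcc[:1] != ["require"]:
        findings.append("client certificate not required: password alone grants access")
    # Without a tls-auth/tls-crypt key any host reaching the port gets a TLS handshake.
    if not any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("no tls-auth/tls-crypt key: control channel accepts unauthenticated packets")
    return findings


if __name__ == "__main__":
    for label, cfg in (("password-only", PASSWORD_ONLY_CFG), ("cert-based", CERT_CFG)):
        print(label, audit(cfg) or ["ok"])
```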



  • I was experiencing similar log issues where the web UI showed "No logs to display" for OpenVPN.

    I was able to fix this by going to the Settings tab on the logs screen and clicking "Reset log files".

