Security vulnerability?



  • I would value opinions from more experienced pfSense users about my setup and whether there are vulnerabilities that I need to tighten up.

    I am using pfSense on a home network. I use OpenVPN to access my network from outside, using certificate + username/password authentication for OpenVPN. The username/password is authenticated against the pfSense local database only. The VPN user account (which is only me) for OpenVPN is not the pfSense admin and does not have admin privileges on the firewall, but it can access the LAN when connected via OpenVPN. However, once connected via OpenVPN, the user (again, only me) can access the pfSense web UI and log in using admin credentials (different from the credentials used for OpenVPN). Also, anyone on the LAN (locally, which includes users other than me) can access the web UI, but only I have the admin credentials (which use a 40+ character random string as a password).

    I am wondering:

    • How possible is it for an outside attacker to gain access to my LAN via OpenVPN? I am thinking they would need to obtain both the user cert and the password (which is a long random string, not easily guessable) for the user. Is this enough security? Or do I need to add second-factor authentication to the OpenVPN access to make outside use even harder for unauthorized users?
    • Within my LAN itself, am I leaving admin access to the firewall too vulnerable by using only a username and password (albeit a very long/complex password that would not be feasible to brute force in any reasonable amount of time)? Should I switch to RADIUS-based authentication for the admin account, and enable two-factor authentication to further secure admin access within my LAN?

    Opinions/thoughts/comments re: best practices would be appreciated.

    Thanks in advance.



  • only I have the admin credentials (which uses a 40+ character random string as a password)

    You gain no practical additional security after 20 characters. 20 chars drawn from all 96 commonly typeable keyboard chars is the point at which you reach 128 bits of strength. It is no longer the weakest link in this Universe.



  • Makes sense. Aside from this though, I am interested in the vulnerability/threat surface in general. Any comments on that?


  • Rebel Alliance Developer Netgate

    From the outside over OpenVPN, someone would have to obtain your personal certificate, VPN settings, username, and password. It is highly unlikely they'd get all of them (bar something like a keylogger + data grabber on a laptop/mobile device).

    From the inside, pfSense will reject brute force logins. If a person fails 15 times in 5 minutes, they get locked out for an hour. If you are worried about internal access, lock down the GUI to only allow access from a management workstation on specific static IP addresses. Or even better, make a dedicated management network and disallow access to the GUI from users on LAN entirely.
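    The lockout policy described above (15 failed logins within 5 minutes locks the source out for an hour), modelled as a sliding-window tracker run over sample log lines. This is an added example, not pfSense's own code; the log line format and the sample lines are constructed for it.

    ```python
    # Added example: sliding-window login lockout, not pfSense's implementation.
    # Models the policy in the answer above: 15 failures in 5 minutes from one
    # source -> that source is locked out for 1 hour. Log format is constructed.
    from collections import defaultdict, deque
    from datetime import datetime, timedelta

    WINDOW = timedelta(minutes=5)
    THRESHOLD = 15
    LOCKOUT = timedelta(hours=1)

    class LockoutTracker:
        def __init__(self, window=WINDOW, threshold=THRESHOLD, lockout=LOCKOUT):
            self.window, self.threshold, self.lockout = window, threshold, lockout
            self.failures = defaultdict(deque)   # source -> timestamps of recent failures
            self.locked_until = {}               # source -> datetime the lockout expires

        def is_locked(self, source, now):
            until = self.locked_until.get(source)
            return until is not None and now < until

        def record_failure(self, source, now):
            """Register one failed login; return True if it triggers a new lockout."""
            if self.is_locked(source, now):
                return False  # already locked out; further attempts are just rejected
            q = self.failures[source]
            q.append(now)
            while q and now - q[0] > self.window:   # drop failures older than the window
                q.popleft()
            if len(q) >= self.threshold:
                self.locked_until[source] = now + self.lockout
                q.clear()
                return True
            return False

    def parse_line(line):
        """Constructed format: '<ISO timestamp> auth failure user=<name> from=<ip>'."""
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        return datetime.fromisoformat(ts), fields["from"]

    def scan(lines, tracker=None):
        """Feed log lines through the tracker; return (source, time) for each lockout."""
        tracker = tracker or LockoutTracker()
        events = []
        for line in lines:
            now, src = parse_line(line)
            if tracker.record_failure(src, now):
                events.append((src, now))
        return events

    # Constructed sample: 15 failures in under 3 minutes from one address, 2 from another.
    _base = datetime(2024, 1, 1, 12, 0, 0)
    SAMPLE_LINES = [f"{(_base + timedelta(seconds=12 * i)).isoformat()} auth failure user=admin from=192.168.1.50" for i in range(15)]
    SAMPLE_LINES += [f"{(_base + timedelta(seconds=30 * i)).isoformat()} auth failure user=admin from=192.168.1.77" for i in range(2)]
    ```

    Running `scan(SAMPLE_LINES)` reports a single lockout for 192.168.1.50; the second address never reaches the threshold.
    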



  • Thanks for that. Your answer provides a lot of reassurance that my vulnerability is pretty limited. I had no idea that the web UI locked out brute-force login attempts; good to know.



  • Guys, apologies for the lack of info. It's just that I lost focus in trying to figure out the issue, since this was a rush project, but luckily in the middle of my overtime research I found the solution. Apologies for the initial post; I know that in asking for assistance I should've provided more details. OK, here's what happened.

    I set up pfSense for the first time, following an article on setting it up. I was successful and set up internal and external IPs.

    What happened was, in the middle of the setup, I discovered that the only thing that reached the internet was the pfSense server, as I found using diagnostics. So this shortened my troubleshooting by focusing on the "firewall rules".

    Later I discovered that when I created the rule, it was set to TCP instead of "any"; I had set it that way for the moment since I was doing troubleshooting. After that, everything went online.
