OpenVPN Server Best Practices

  • Hi all,

    I'm relatively new to OpenVPN still and wanted to ask those with more experience setting up VPN Servers on pfSense a few questions about configuration and security best practices:

    1. pfSense OpenVPN Wizard: Is it generally ok to use the OpenVPN wizard to set up a server, or do people prefer to set things up manually?
    2. I did notice that the wizard does not setup a virtual interface for the OpenVPN server by default. Is there any particular reason for that? In general I would think having a (virtual) interface for OpenVPN would be good for more fine grained control (e.g. setting up firewall rules, etc.)
    3. If setting up a virtual interface for the OpenVPN server, can the OpenVPN section in firewall rules be left completely empty?
    4. Connection Port: Does it make more sense today (from a security standpoint) to use a different port for UDP connection vs. the standard port 1194?
    5. What level of encryption and digest algorithms is recommended for OpenVPN these days? AES-256-GCM or AES-256-CBC, together with SHA256 or SHA512?

    Thanks in advance for your advice and insight, I really appreciate it.


  • LAYER 8 Netgate

    @tman222 said in OpenVPN Server Best Practices:

    Hi all,

    I'm relatively new to OpenVPN still and wanted to ask those with more experience setting up VPN Servers on pfSense a few questions about configuration and security best practices:

    1. pfSense OpenVPN Wizard: Is it generally ok to use the OpenVPN wizard to set up a server, or do people prefer to set things up manually?

    I prefer manually but if you don't know your way around all of the elements yet (like CAs, certs, etc) the Wizard works. Nothing wrong with using it, certainly.

    2. I did notice that the wizard does not setup a virtual interface for the OpenVPN server by default. Is there any particular reason for that? In general I would think having a (virtual) interface for OpenVPN would be good for more fine grained control (e.g. setting up firewall rules, etc.)

    Because it is an advanced configuration. If you know you need an assigned interface, you can just make one.

    3. If setting up a virtual interface for the OpenVPN server, can the OpenVPN section in firewall rules be left completely empty?

    Yes. I generally remove all of the rules from the OpenVPN tab when I use assigned interfaces. There are specific reasons for this - mostly because traffic will match OpenVPN rules first and if it does so, that traffic will not have reply-to bestowed upon it.

    4. Connection Port: Does it make more sense today (from a security standpoint) to use a different port for UDP connection vs. the standard port 1194?

    I run mine on 1194. I see no reason to change that.

    5. What level of encryption and digest algorithms is recommended for OpenVPN these days? AES-256-GCM or AES-256-CBC, together with SHA256 or SHA512?

    I personally think AES-128 and SHA-256 are plenty good enough but if you don't take a performance hit for AES-256 then why not. If both sides support it, just set AES-256/192/128-GCM in the NCP ciphers and enable them, which will not use a hash at all as it is an authenticated cipher. You can't use AES-GCM without NCP so I just set AES-128-CBC and SHA256 in the server.
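One way to verify that an exported OpenVPN server config actually matches the cipher advice above (AEAD ciphers in the NCP list, a CBC fallback only with an HMAC of SHA256 or better). This is an added example, not code from the thread or from pfSense; the directive names are real OpenVPN ones (`ncp-ciphers` in 2.4, `data-ciphers` in 2.5+, `cipher`, `auth`, `ncp-disable`), and the two sample configs are constructed for illustration.

```python
# Added example: lint an OpenVPN server config for the cipher setup
# recommended in the reply above. Not pfSense or OpenVPN project code.
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
STRONG_HMACS = {"SHA256", "SHA384", "SHA512"}

def parse_config(text):
    """Map each directive to its (last) value; '#'/';' comments are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint_ciphers(text):
    """Return a list of findings; an empty list means the config follows the advice."""
    conf = parse_config(text)
    findings = []
    # NCP list: pfSense 2.4.x wrote ncp-ciphers, newer releases write data-ciphers
    ncp = conf.get("data-ciphers") or conf.get("ncp-ciphers")
    if "ncp-disable" in conf or ncp is None:
        findings.append("NCP not enabled: only the static 'cipher' is used, no AEAD negotiation")
    else:
        non_aead = [c for c in ncp.upper().split(":") if c not in AEAD_CIPHERS]
        if non_aead:
            findings.append("non-AEAD ciphers in NCP list: " + ", ".join(non_aead))
    # Fallback data cipher for clients that cannot negotiate (the 'cipher' line)
    fallback = conf.get("cipher", "").upper()
    if fallback and fallback not in AEAD_CIPHERS and not fallback.startswith("AES-"):
        findings.append("weak fallback cipher: " + fallback)
    if fallback.endswith("-CBC") and conf.get("auth", "").upper() not in STRONG_HMACS:
        findings.append("CBC fallback needs auth SHA256 or stronger, got: "
                        + (conf.get("auth") or "<none>"))
    return findings

# Constructed sample configs (not from any real deployment)
GOOD_CONFIG = """
port 1194
proto udp
dev tun
data-ciphers AES-256-GCM:AES-192-GCM:AES-128-GCM
cipher AES-128-CBC   # fallback for non-NCP clients
auth SHA256
"""
LEGACY_CONFIG = """
port 1194
proto udp
ncp-disable
cipher BF-CBC
auth SHA1
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("legacy", LEGACY_CONFIG)):
        print(name, lint_ciphers(cfg) or "OK")
```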


  • LAYER 8 Rebel Alliance



  • Thanks @Derelict and @Rico, I really appreciate the advice. And will definitely check out those videos - I had totally forgotten to check on the YouTube channel as well.

    I have one quick follow up question (and this is more opinion based): What are everyone's preferences for Dynamic DNS providers (to use with OpenVPN)? Are there some DNS services that folks prefer more than others?

    Thanks again.


  • LAYER 8 Rebel Alliance

    I use and like freedns.afraid.org very much.
    Free, no Ad stuff, good support when you need it.

    -Rico

