Netgate Discussion Forum

    OpenVPN Server Best Practices

tman222:

      Hi all,

      I'm relatively new to OpenVPN still and wanted to ask those with more experience setting up VPN Servers on pfSense a few questions about configuration and security best practices:

1. pfSense OpenVPN Wizard: Is it generally OK to use the OpenVPN wizard to set up a server, or do people prefer to set things up manually?
2. I did notice that the wizard does not set up a virtual interface for the OpenVPN server by default. Is there any particular reason for that? In general I would think having a (virtual) interface for OpenVPN would be good for more fine-grained control (e.g. setting up firewall rules, etc.).
3. If setting up a virtual interface for the OpenVPN server, can the OpenVPN section in the firewall rules be left completely empty?
4. Connection Port: Does it make more sense today (from a security standpoint) to use a different port for the UDP connection vs. the standard port 1194?
5. What level of encryption and digest algorithms is recommended for OpenVPN these days? AES-256-GCM or AES-256-CBC, together with SHA256 or SHA512?

      Thanks in advance for your advice and insight, I really appreciate it.

Derelict (LAYER 8, Netgate):

        @tman222 said in OpenVPN Server Best Practices:

        Hi all,

        I'm relatively new to OpenVPN still and wanted to ask those with more experience setting up VPN Servers on pfSense a few questions about configuration and security best practices:

1. pfSense OpenVPN Wizard: Is it generally OK to use the OpenVPN wizard to set up a server, or do people prefer to set things up manually?

I prefer manually, but if you don't know your way around all of the elements yet (like CAs, certs, etc.) the Wizard works. Nothing wrong with using it, certainly.

2. I did notice that the wizard does not set up a virtual interface for the OpenVPN server by default. Is there any particular reason for that? In general I would think having a (virtual) interface for OpenVPN would be good for more fine-grained control (e.g. setting up firewall rules, etc.).

Because it is an advanced configuration. If you know you need an assigned interface, you can just make one.

3. If setting up a virtual interface for the OpenVPN server, can the OpenVPN section in the firewall rules be left completely empty?

Yes. I generally remove all of the rules from the OpenVPN tab when I use assigned interfaces. There are specific reasons for this, mostly because traffic will match OpenVPN rules first, and if it does so, that traffic will not have reply-to bestowed upon it.

4. Connection Port: Does it make more sense today (from a security standpoint) to use a different port for the UDP connection vs. the standard port 1194?

I run mine on 1194. I see no reason to change that.

5. What level of encryption and digest algorithms is recommended for OpenVPN these days? AES-256-GCM or AES-256-CBC, together with SHA256 or SHA512?

I personally think AES-128 and SHA-256 are plenty good enough, but if you don't take a performance hit for AES-256 then why not. If both sides support it, just set AES-256/192/128-GCM in the NCP ciphers and enable them. Those will not use a hash at all, as GCM is an authenticated cipher. You can't use AES-GCM without NCP, so I just set AES-128-CBC and SHA256 in the server.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

Rico (LAYER 8, Rebel Alliance):
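An added audit helper, written for this thread and not taken from pfSense or OpenVPN, that reads an OpenVPN server config and checks the data-channel settings against the advice above: only AES-GCM in the NCP list, and an AES fallback cipher with a SHA-2 digest for clients that cannot negotiate. The two config texts are constructed samples; ncp-ciphers, data-ciphers and ncp-disable are real OpenVPN directives, and the check accepts either spelling of the cipher list.

```python
# Constructed sample server config (not pfSense output) matching the thread's
# advice: AES-GCM negotiated via NCP, AES-128-CBC + SHA256 as the fallback.
GOOD_CONFIG = """\
cipher AES-128-CBC
auth SHA256
ncp-ciphers AES-256-GCM:AES-192-GCM:AES-128-GCM
"""

# Constructed legacy-style config for contrast: NCP disabled, weak fallback.
LEGACY_CONFIG = """\
ncp-disable
cipher BF-CBC
auth SHA1
"""

AEAD = {"AES-256-GCM", "AES-192-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
STRONG_DIGESTS = {"SHA256", "SHA384", "SHA512"}

def parse_openvpn(text):
    """Map each directive to its argument list (last occurrence wins)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        if line:
            parts = line.split()
            opts[parts[0].lower()] = parts[1:]
    return opts

def audit_ciphers(text):
    """Return findings about the data-channel cipher settings; [] means clean."""
    opts = parse_openvpn(text)
    findings = []
    # pfSense 2.4 writes ncp-ciphers; OpenVPN 2.5+ names the same list data-ciphers.
    ncp = opts.get("data-ciphers") or opts.get("ncp-ciphers")
    if "ncp-disable" in opts or not ncp:
        findings.append("NCP off or empty: clients cannot negotiate AES-GCM")
    else:
        weak = [c for c in ncp[0].upper().split(":") if c not in AEAD]
        if weak:
            findings.append("non-AEAD cipher in NCP list: " + ", ".join(weak))
    # 'cipher' + 'auth' only serve clients that cannot negotiate; a GCM data channel needs no HMAC.
    cipher = (opts.get("cipher") or [""])[0].upper()
    if not cipher.startswith("AES-"):
        findings.append("fallback cipher is not AES: " + (cipher or "<unset>"))
    if cipher not in AEAD:
        digest = (opts.get("auth") or [""])[0].upper()
        if digest not in STRONG_DIGESTS:
            findings.append("fallback digest is weak or unset: " + (digest or "<unset>"))
    return findings
```

Call audit_ciphers() on the text of a server config to get the list of findings; an empty list means the config matches the advice in the thread.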

Your focus is Remote Access?
I definitely recommend watching the hangouts by @jimp, as they are very clear and meaty. ☺
          https://www.netgate.com/resources/videos/remote-access-vpns-on-pfsense.html
          https://www.netgate.com/resources/videos/remote-access-vpns-on-pfsense-part-2.html
          https://www.netgate.com/resources/videos/advanced-openvpn-on-pfsense-24.html

          -Rico

tman222:

Thanks @Derelict and @Rico, I really appreciate the advice, and I will definitely check out those videos. I had totally forgotten to check the YouTube channel as well.

            I have one quick follow up question (and this is more opinion based): What are everyone's preferences for Dynamic DNS providers (to use with OpenVPN)? Are there some DNS services that folks prefer more than others?

            Thanks again.

Rico (LAYER 8, Rebel Alliance):

              I use and like freedns.afraid.org very much.
Free, no ad stuff, good support when you need it.

              -Rico
