Help Verify My Setup



  • Hi all,

    I've got my OpenVPN setup right now. Could someone give it a quick once over to make sure it's all secure or any improvements that can be made

    Setup

    WAN ADDR-ISP Router (192.168.0.1/24)---- (192.168.0.10)Pfsense (192.168.1.1/24)------(192.168.1.X via DHCP Synology NAS)

    *added port-forwarding on ISP router (1194->Pfsense 1194)
    *used freemyip.com for dynamic DNS and set that up in Pfsense

    • I used the OpenVPN wizard to get up and running. Using Cert + pw. VPN network is 10.0.8.0/24
    • All 4096 keys, AES-256-GCM
    • Just using local users
    • I used the OpenVPN client export package to export a .ovpn package to my android smart phone using OpenVPN Connect
    • I had some issues with my phone internet, so I added "mssfix 1250;tun-mtu 1300;" into the custom commands as I found that on several threads. That seems to have resolved everything
    • I changed the firewall rule so VPN traffic can only hit the NAS (IPV4 * * * 192.168.1.X * *)
    • I confirmed this on my phone by trying to ping other LAN address, which failed correctly
    • NAS has outgoing non-LAN traffic going out another VPN, So I had to add a static route for the VPN traffic (Destination 10.0.8.0/24 Gateway 192.168.1.1 Interface LAN)

    Things I've pondered to make it more secure/robust

    • Change the vpn port from the default 1194
    • restrict VPN traffic to only be allowed on specific NAS port. I didn't see an easy way to do this with the OpenVPN firewall rules
    • freemyip was free and easy to get setup. Anyone see any issues with it?
    • adding notifications when a OpenVPN client connects (I don't have any notifications setup at all, so there's work here)
    • all the firewall rules are based on IP. The IP of my NAS could change as it's DHCP and that would kill connectivity. What's the simplest way to work this? I could give my NAS a static IP I suppose. Anyway to ensure the DHCP server gives a certain hostname an IP or have the firewall rules based on hostname?

    Thanks,


Log in to reply