    Netgate Discussion Forum
    Help Verify My Setup

    OpenVPN
yaminb (last edited by yaminb)

      Hi all,

I've got my OpenVPN set up right now. Could someone give it a quick once-over to make sure it's all secure, or suggest any improvements that can be made?

      Setup

WAN ADDR - ISP Router (192.168.0.1/24) ---- (192.168.0.10) pfSense (192.168.1.1/24) ------ (192.168.1.X via DHCP) Synology NAS

• Added port forwarding on the ISP router (1194 -> pfSense 1194)
• Used freemyip.com for dynamic DNS and set that up in pfSense

• I used the OpenVPN wizard to get up and running. Using cert + password. The VPN network is 10.0.8.0/24.
• All 4096-bit keys, AES-256-GCM
• Just using local users
• I used the OpenVPN Client Export package to export a .ovpn package to my Android smartphone, using OpenVPN Connect
• I had some issues with my phone's internet, so I added "mssfix 1250;tun-mtu 1300;" to the custom options, as I found that on several threads. That seems to have resolved everything.
• I changed the firewall rule so VPN traffic can only hit the NAS (IPv4 * * * 192.168.1.X * *)
• I confirmed this on my phone by trying to ping other LAN addresses, which failed as expected
• The NAS has outgoing non-LAN traffic going out another VPN, so I had to add a static route for the VPN traffic (Destination 10.0.8.0/24, Gateway 192.168.1.1, Interface LAN)

      Things I've pondered to make it more secure/robust

• Change the VPN port from the default 1194
• Restrict VPN traffic to only specific NAS ports. I didn't see an easy way to do this with the OpenVPN firewall rules.
• freemyip was free and easy to set up. Does anyone see any issues with it?
• Adding notifications when an OpenVPN client connects (I don't have any notifications set up at all, so there's work to do here)
• All the firewall rules are based on IP. The IP of my NAS could change, as it's on DHCP, and that would kill connectivity. What's the simplest way to work around this? I could give my NAS a static IP, I suppose. Is there any way to ensure the DHCP server gives a certain hostname an IP, or to have the firewall rules based on hostname?

      Thanks,

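The post above asks how to get a notification when an OpenVPN client connects, and notes that its firewall rules are tied to IP addresses. The following is an added example, not code from the original post and not part of pfSense or OpenVPN: an OpenVPN `client-connect` hook that logs every new session (so an alert can be hung off the syslog line) and pins known clients to fixed tunnel addresses, so a firewall rule on the OpenVPN tab can match one client instead of whatever address the pool handed out. Everything it assumes is an assumption, not something the post states: that the server's custom options contain `script-security 2` and `client-connect /usr/local/bin/ovpn-connect.sh`, that the server uses `topology subnet` (so `ifconfig-push` takes an address and a netmask), that the tunnel network is the post's 10.0.8.0/24, and that the client names `phone` and `laptop` and the log path are placeholders. The environment variables used (`common_name`, `username`, `trusted_ip`, `trusted_port`, `ifconfig_pool_remote_ip`) and the temporary file passed as `$1` are OpenVPN's documented `client-connect` interface.

```shell
#!/bin/sh
# Added example (not from the original post, pfSense or OpenVPN): an OpenVPN
# client-connect hook for pfSense that logs every new session and pins known
# clients to fixed tunnel addresses.
#
# Assumptions (none are stated in the post):
#   - server custom options contain:
#       script-security 2
#       client-connect /usr/local/bin/ovpn-connect.sh
#     and this file is executable (chmod 0755).
#   - the server uses "topology subnet", so ifconfig-push takes addr + netmask.
#   - OpenVPN sets common_name, username, trusted_ip, trusted_port and
#     ifconfig_pool_remote_ip in the environment and passes as $1 the temporary
#     file from which it reads client-specific directives.
#   - LOGFILE and the client names below are placeholders.

LOGFILE="${OVPN_CONNECT_LOG:-/var/log/openvpn-connect.log}"
VPN_NETMASK=255.255.255.0          # netmask of the post's 10.0.8.0/24

# One syslog-friendly line built from the variables OpenVPN exports.
format_connect_message() {
    cn="${common_name:-unknown}"
    src="${trusted_ip:-?}:${trusted_port:-?}"
    vip="${ifconfig_pool_remote_ip:-unassigned}"
    if [ -n "${username:-}" ] && [ "$username" != "$cn" ]; then
        who="$cn (user $username)"
    else
        who="$cn"
    fi
    printf 'openvpn connect: %s from %s assigned %s\n' "$who" "$src" "$vip"
}

# Constructed map of certificate common names to fixed tunnel addresses.
# Prints the address; returns 1 for a client that keeps its pool address.
fixed_tunnel_address() {
    case "$1" in
        phone)  printf '10.0.8.10\n' ;;
        laptop) printf '10.0.8.11\n' ;;
        *)      return 1 ;;
    esac
}

# Append the per-client directive to the file OpenVPN hands us ($2).
# Returns 0 if a directive was written, 1 if the client has no fixed address.
write_client_config() {
    addr=$(fixed_tunnel_address "$1") || return 1
    printf 'ifconfig-push %s %s\n' "$addr" "$VPN_NETMASK" >> "$2"
}

main() {
    msg=$(format_connect_message)
    logger -t openvpn-connect "$msg"       # syslog line for alerting
    printf '%s\n' "$msg" >> "$LOGFILE"     # local audit trail
    if [ -n "${1:-}" ]; then
        write_client_config "${common_name:-}" "$1" || true
    fi
    exit 0   # non-zero here would make OpenVPN refuse the session
}

# OpenVPN always sets common_name; when it is absent the functions are being
# sourced for testing and the log must not be touched.
if [ -n "${common_name:-}" ]; then
    main "$@"
fi
```

With the phone pinned to 10.0.8.10, the firewall rule on the OpenVPN tab can be narrowed from "any source to the NAS" to "source 10.0.8.10, destination 192.168.1.X, TCP, the NAS service ports", which is the per-port restriction the post was looking for. Pick pinned addresses that the server's address pool will not hand to another client at the same time, and watch the OpenVPN status page for collisions. pfSense's own Client Specific Overrides write the same `ifconfig-push` directive through the GUI, which is the simpler route if the logging half is not needed.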

      © 2021 Rubicon Communications, LLC | Privacy Policy