Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Help Verify My Setup

    OpenVPN
    1
    1
    58
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Y
      yaminb last edited by yaminb

      Hi all,

      I've got my OpenVPN setup right now. Could someone give it a quick once over to make sure it's all secure or any improvements that can be made

      Setup

      WAN ADDR-ISP Router (192.168.0.1/24)---- (192.168.0.10)Pfsense (192.168.1.1/24)------(192.168.1.X via DHCP Synology NAS)

      *added port-forwarding on ISP router (1194->Pfsense 1194)
      *used freemyip.com for dynamic DNS and set that up in Pfsense

      • I used the OpenVPN wizard to get up and running. Using Cert + pw. VPN network is 10.0.8.0/24
      • All 4096 keys, AES-256-GCM
      • Just using local users
      • I used the OpenVPN client export package to export a .ovpn package to my android smart phone using OpenVPN Connect
      • I had some issues with my phone internet, so I added "mssfix 1250;tun-mtu 1300;" into the custom commands as I found that on several threads. That seems to have resolved everything
      • I changed the firewall rule so VPN traffic can only hit the NAS (IPV4 * * * 192.168.1.X * *)
      • I confirmed this on my phone by trying to ping other LAN address, which failed correctly
      • NAS has outgoing non-LAN traffic going out another VPN, So I had to add a static route for the VPN traffic (Destination 10.0.8.0/24 Gateway 192.168.1.1 Interface LAN)

      Things I've pondered to make it more secure/robust

      • Change the vpn port from the default 1194
      • restrict VPN traffic to only be allowed on specific NAS port. I didn't see an easy way to do this with the OpenVPN firewall rules
      • freemyip was free and easy to get setup. Anyone see any issues with it?
      • adding notifications when a OpenVPN client connects (I don't have any notifications setup at all, so there's work here)
      • all the firewall rules are based on IP. The IP of my NAS could change as it's DHCP and that would kill connectivity. What's the simplest way to work this? I could give my NAS a static IP I suppose. Anyway to ensure the DHCP server gives a certain hostname an IP or have the firewall rules based on hostname?

      Thanks,

      1 Reply Last reply Reply Quote 0
      • First post
        Last post