Help Verify My Setup
-
Hi all,
I've got my OpenVPN setup right now. Could someone give it a quick once over to make sure it's all secure or any improvements that can be made
Setup
WAN ADDR-ISP Router (192.168.0.1/24)---- (192.168.0.10)Pfsense (192.168.1.1/24)------(192.168.1.X via DHCP Synology NAS)
*added port-forwarding on ISP router (1194->Pfsense 1194)
*used freemyip.com for dynamic DNS and set that up in Pfsense- I used the OpenVPN wizard to get up and running. Using Cert + pw. VPN network is 10.0.8.0/24
- All 4096 keys, AES-256-GCM
- Just using local users
- I used the OpenVPN client export package to export a .ovpn package to my android smart phone using OpenVPN Connect
- I had some issues with my phone internet, so I added "mssfix 1250;tun-mtu 1300;" into the custom commands as I found that on several threads. That seems to have resolved everything
- I changed the firewall rule so VPN traffic can only hit the NAS (IPV4 * * * 192.168.1.X * *)
- I confirmed this on my phone by trying to ping other LAN address, which failed correctly
- NAS has outgoing non-LAN traffic going out another VPN, So I had to add a static route for the VPN traffic (Destination 10.0.8.0/24 Gateway 192.168.1.1 Interface LAN)
Things I've pondered to make it more secure/robust
- Change the vpn port from the default 1194
- restrict VPN traffic to only be allowed on specific NAS port. I didn't see an easy way to do this with the OpenVPN firewall rules
- freemyip was free and easy to get setup. Anyone see any issues with it?
- adding notifications when a OpenVPN client connects (I don't have any notifications setup at all, so there's work here)
- all the firewall rules are based on IP. The IP of my NAS could change as it's DHCP and that would kill connectivity. What's the simplest way to work this? I could give my NAS a static IP I suppose. Anyway to ensure the DHCP server gives a certain hostname an IP or have the firewall rules based on hostname?
Thanks,