Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Making the OpenVPN Server port invisible unless using cert + doubleNAT impact

    OpenVPN
    2
    5
    49
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      McDing last edited by

      Hi there :)

      I am in the process of setting up an OpenVPN server on my pfSense box to give me remote access to my network. My pfSense box is however doubleNATed as it is sitting behind my ISP's modem/router which cannot be put into bridge mode. I quickly tested port forwarding from the ISP router to pfSense and that works fine.

      I am quite wary of any misstep in my config and risking exposing my network, so if possible, I'd like to keep any ports not just closed but 'invisible' to any external scans.

      I was told I can use OpenVPN with password and cert (most secure login option) as well as a pfSense rule (or set of rules) that would essentially drop all external connections to the OpenVPN server port unless they come with my cert, therefore making my OpenVPN server invisible to anyone but me.

      1/ First of all, is that achievable and how would I need to configure these rules?

      2/ Again assuming this works, how would that setup be impacted by the doubleNAT situation? Even though any queries would be forwarded from the ISP router to pfSense, would that somehow still make the ports visible?

      Many thanks for any insights! :)

      1 Reply Last reply Reply Quote 0
      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        @McDing said in Making the OpenVPN Server port invisible unless using cert + doubleNAT impact:

        therefore making my OpenVPN server invisible to anyone but me.

        No that is not how it works... With tls-auth enabled.. udp that doesn't match signature would be dropped.. And if using tcp would be dropped sooner..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        Please don't Chat/PM me for help, unless mod related
        Read https://www.netgate.com/docs/pfsense/book/
        SG-2440 2.4.5p1 | 4x SG-3100 2.4.4p3 | SG-4860 21.05.1

        1 Reply Last reply Reply Quote 0
        • M
          McDing last edited by

          @johnpoz thanks for the quick reply!

          A further clarification to your answer if I may, but does that mean that the OpenVPN server port appears as (1) non-exisiting, (2) closed or (3) open to a potential attacker?

          Is it just that it would show as (3) open but connexions would be dropped due to the signature mismatch? Or does the port appear as (1) non-exisiting?

          Thanks

          1 Reply Last reply Reply Quote 0
          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by

            UDP is very hard to scan anyway - there would have to be an answer for it to show as open.. So if UDP doesn't match with the use of auth, then there would be no answer..

            But with TCP there would be syn,ack back - and yes it would show as open..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            Please don't Chat/PM me for help, unless mod related
            Read https://www.netgate.com/docs/pfsense/book/
            SG-2440 2.4.5p1 | 4x SG-3100 2.4.4p3 | SG-4860 21.05.1

            1 Reply Last reply Reply Quote 0
            • M
              McDing last edited by

              Great! Many thanks for clarifying that :)

              1 Reply Last reply Reply Quote 0
              • First post
                Last post

              Products

              • Platform Overview
              • TNSR
              • pfSense
              • Appliances

              Services

              • Training
              • Professional Services

              Support

              • Subscription Plans
              • Contact Support
              • Product Lifecycle
              • Documentation

              News

              • Media Coverage
              • Press
              • Events

              Resources

              • Blog
              • FAQ
              • Find a Partner
              • Resource Library
              • Security Information

              Company

              • About Us
              • Careers
              • Partners
              • Contact Us
              • Legal
              Our Mission

              We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

              Subscribe to our Newsletter

              Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

              © 2021 Rubicon Communications, LLC | Privacy Policy