Netgate Discussion Forum

    Making the OpenVPN Server port invisible unless using cert + doubleNAT impact

    5 Posts 2 Posters 566 Views
      McDing

      Hi there :)

      I am in the process of setting up an OpenVPN server on my pfSense box to give me remote access to my network. My pfSense box is however doubleNATed as it is sitting behind my ISP's modem/router which cannot be put into bridge mode. I quickly tested port forwarding from the ISP router to pfSense and that works fine.

      I am quite wary of any misstep in my config and risking exposing my network, so if possible, I'd like to keep any ports not just closed but 'invisible' to any external scans.

      I was told I can use OpenVPN with password and cert (most secure login option) as well as a pfSense rule (or set of rules) that would essentially drop all external connections to the OpenVPN server port unless they come with my cert, therefore making my OpenVPN server invisible to anyone but me.

      1/ First of all, is that achievable and how would I need to configure these rules?

      2/ Again assuming this works, how would that setup be impacted by the doubleNAT situation? Even though any queries would be forwarded from the ISP router to pfSense, would that somehow still make the ports visible?

      Many thanks for any insights! :)

        johnpoz LAYER 8 Global Moderator

        @McDing said in Making the OpenVPN Server port invisible unless using cert + doubleNAT impact:

        therefore making my OpenVPN server invisible to anyone but me.

        No, that is not how it works... With tls-auth enabled.. UDP that doesn't match the signature would be dropped.. And if using TCP it would be dropped sooner..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          McDing

          @johnpoz thanks for the quick reply!

          A further clarification to your answer if I may, but does that mean that the OpenVPN server port appears as (1) non-existing, (2) closed or (3) open to a potential attacker?

          Is it just that it would show as (3) open but connections would be dropped due to the signature mismatch? Or does the port appear as (1) non-existing?

          Thanks

            johnpoz LAYER 8 Global Moderator

            UDP is very hard to scan anyway - there would have to be an answer for it to show as open.. So if UDP doesn't match with the use of auth, then there would be no answer..

            But with TCP there would be syn,ack back - and yes it would show as open..

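The two answers above (unsigned UDP is silently dropped by tls-auth, while TCP still completes the handshake before the application sees anything) can be reproduced locally. The following is an added example, not code from the thread or from OpenVPN/pfSense: it models the tls-auth gate with a plain HMAC-SHA256 prefix over a toy payload (a simplified stand-in, not OpenVPN's real packet framing or its default digest), runs a UDP and a TCP listener on 127.0.0.1, and then probes each the way an unauthenticated client would. The key `TA_KEY` and the `HELLO` payload are constructed for the demo.

```python
"""Model of how a tls-auth style HMAC gate changes what an unauthenticated
peer observes on UDP versus TCP (added example, not OpenVPN's own code)."""
import hashlib
import hmac
import socket
import threading

# Constructed pre-shared key standing in for the OpenVPN tls-auth static key (ta.key).
TA_KEY = b"constructed-demo-key-not-a-real-ta-key"
HMAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign(payload: bytes, key: bytes = TA_KEY) -> bytes:
    """Prefix the payload with an HMAC, as tls-auth does for control packets."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def verify(packet: bytes, key: bytes = TA_KEY):
    """Return the payload if the HMAC prefix is valid, otherwise None."""
    if len(packet) < HMAC_LEN:
        return None
    tag, payload = packet[:HMAC_LEN], packet[HMAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def _udp_server(sock: socket.socket) -> None:
    """UDP: a datagram that fails the HMAC check is dropped with no reply at all."""
    while True:
        data, peer = sock.recvfrom(4096)
        if verify(data) is None:
            continue  # silent drop; the sender never learns a listener exists
        sock.sendto(sign(b"HELLO-REPLY"), peer)


def _tcp_server(sock: socket.socket) -> None:
    """TCP: the kernel finishes the 3-way handshake before accept() returns,
    so the port is observably open even though the application then drops
    anything that fails the HMAC check."""
    while True:
        conn, _ = sock.accept()
        try:
            data = conn.recv(4096)
            if verify(data) is not None:
                conn.sendall(sign(b"HELLO-REPLY"))
        except OSError:
            pass
        finally:
            conn.close()


def start_servers():
    """Bind both listeners on ephemeral localhost ports and return (udp_port, tcp_port)."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(5)
    threading.Thread(target=_udp_server, args=(udp,), daemon=True).start()
    threading.Thread(target=_tcp_server, args=(tcp,), daemon=True).start()
    return udp.getsockname()[1], tcp.getsockname()[1]


def probe_udp(port: int, signed: bool, timeout: float = 0.5) -> bool:
    """Send one datagram; True if any reply arrives before the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    payload = b"HELLO"  # constructed probe payload
    try:
        s.sendto(sign(payload) if signed else payload, ("127.0.0.1", port))
        s.recvfrom(4096)
        return True
    except socket.timeout:
        return False
    finally:
        s.close()


def probe_tcp(port: int, timeout: float = 0.5) -> bool:
    """True if the TCP handshake completes, regardless of any HMAC."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(("127.0.0.1", port))
        return True
    except OSError:
        return False
    finally:
        s.close()


def demo() -> dict:
    """Run the three observations discussed in the thread and return them."""
    udp_port, tcp_port = start_servers()
    return {
        "udp_unsigned_answered": probe_udp(udp_port, signed=False),  # False: looks like nothing is there
        "udp_signed_answered": probe_udp(udp_port, signed=True),     # True: holder of the key gets through
        "tcp_handshake_completed": probe_tcp(tcp_port),              # True: port shows as open
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the unsigned UDP probe times out with no reply, exactly the "no answer" johnpoz describes, so a scanner cannot distinguish the port from one with no listener; the signed probe is answered; and the TCP connect succeeds before any HMAC is checked, which is why a TCP OpenVPN port shows as open even though the session is then dropped. For the pfSense setup in the question this argues for keeping the server on UDP with the TLS key enabled (the pfSense tls-crypt option behaves the same way for this purpose, additionally encrypting the control channel); the ISP router's port forward does not change any of this, since it only relays the datagrams and the reply, or the lack of one, still comes from pfSense.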

              McDing

              Great! Many thanks for clarifying that :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.