Generic questions on locking down OpenVPN



  • I would like to take a few reasonable steps to make sure that I have OpenVPN secured while retaining the functionality I require.

    I installed, configured and used PFblocker to drop all connections from other countries, since I do not travel internationally.  I have also added a few lists I found in the PFblocker thread.  Since I want it to work from a few ISPs, and from work, this seems to be about all I do from a client IP perspective.
    Q) Any other reasonable steps that I missed?

    I configured the OpenVPN server IPv4 Local Network/s to only include the internal networks that I want to be reachable from a VPN client.

    I am now wondering what I can or should do about locking down ports.
    Most of what I have found via searching assumes Linux and iptables.

    Does pfSense allow me to lock this down via GUI?  If so I am not sure where to start, maybe under firewall/NAT port forward and NAT rules using the OpenVPN interface?

    I realize it will be a bit of work to do so, but I hope to identify the required ports, leave them enabled and default drop remainder.

    If I do so, what about random ports?  Apparently MS AD uses identified ports and random ones.  If I want to use MS AD, how do I have pfSense pass these?  I had a conversation with a colleague (that I admittedly only partially understood) but he explained that on a Cisco, it can be configured to watch the conversation with the client, and as long as it was initiated on known open ports, these random ports can be dynamically opened for that conversation.  Does this make sense for OpenVPN on pfSense?
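    As an added illustration of the port lock-down asked about in this post (it is not from any poster here, and it is not pfSense's own generated configuration): pfSense builds its ruleset from what is entered under Firewall > Rules on the OpenVPN tab, and the equivalent written in raw pf syntax looks like the block below. The interface name ovpns1, the tunnel subnet 10.8.0.0/24, the two internal host addresses and the AD dynamic RPC port range are assumptions made for the example.

```pf
# Constructed names for this example (not from the thread):
#   ovpns1        = the pfSense OpenVPN server interface
#   10.8.0.0/24   = the OpenVPN tunnel network handed to clients
#   192.168.10.5  = an Active Directory domain controller
#   192.168.10.20 = a file server that VPN users need
vpn_if     = "ovpns1"
vpn_net    = "10.8.0.0/24"
dc         = "192.168.10.5"
fileserver = "192.168.10.20"

# Permissive setting: what a single "pass any to any" rule on the OpenVPN tab amounts to.
# Every host on the tunnel can reach every port on every internal network.
# pass in quick on $vpn_if from $vpn_net to any keep state

# Locked-down version: drop everything arriving from the tunnel, then pass only what is needed.
# "log" makes the dropped attempts visible in the firewall log, which is where you find
# the ports you forgot to open.
block in log on $vpn_if all

# DNS, Kerberos and LDAP to the domain controller (these run over both TCP and UDP)
pass in quick on $vpn_if proto { tcp udp } from $vpn_net to $dc port { 53 88 389 } keep state

# RPC endpoint mapper, SMB, LDAPS and global catalog to the domain controller (TCP only)
pass in quick on $vpn_if proto tcp from $vpn_net to $dc port { 135 445 636 3268 } flags S/SA keep state

# The endpoint mapper on 135 tells the client which high port to connect to next.
# pf is stateful, so reply packets of an allowed connection are always let through,
# but it is not RPC-aware: it will not open that high port on its own, so the dynamic
# range (49152-65535 on Windows Server 2008 and later) is allowed explicitly, to the DC only.
pass in quick on $vpn_if proto tcp from $vpn_net to $dc port 49152:65535 flags S/SA keep state

# File shares on the file server, nothing else on that host
pass in quick on $vpn_if proto tcp from $vpn_net to $fileserver port 445 flags S/SA keep state
```

    In the GUI each `pass` line becomes one rule on the OpenVPN tab (interface OpenVPN, source the tunnel network, destination the single host, destination port or range as above), and the implicit default deny on every pfSense interface plays the part of the `block` line; do not hand-edit the pf configuration on a pfSense box, since the GUI regenerates it. The split between "known" and "dynamic" AD ports is the point of the question: the known ones are fixed rules, and the dynamic RPC range is simply a third fixed rule limited to the domain controller.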


  • LAYER 8 Global Moderator

    I think you're overthinking it.  The only persons that would have access to the VPN would be trusted people.  Do you lock them down with what ports they can access when they are local?  Then why should you take extra steps when coming in via a trusted connection like VPN?

    To access the VPN they need both the cert and can be set up to have to auth with username and password as well, etc.  Highly unlikely someone from outside would just brute force said access.  If a user's machine or control of their cert is compromised, then revoke that cert, etc.



  • That may be the case.  VPN is a door inside my network, so I wanted to make sure that if it was compromised, as little as possible would be available.

    Thanks for the sanity check.

