Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Generic questions on locking down Open VPN

    OpenVPN
    2
    3
    574
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mervincm last edited by

      I would like to take a few reasonable steps to make sure that I have Open VPN secured while retaining the functionality I require.

      I installed , configured and used PFblocker to drop all connections from other countries, since I do not travel internationally.  I have also added a few lists I found in the PFblocker thread.  Since I want it to work from a few ISPs, and from work, this seems to be about all all I do from a client IP perspective.
      Q) any other reasonable steps that I missed?

      I configured the OpenVPN server IPv4 Local Network/s to only include the internal networks that I want to be reachable from a VPN client.

      I am now wondering what I can or should do about locking down ports.
      most of what I have found via searching assumes linux and iptables.

      Does PFsense allow me to lock this down via GUI?  If so I am not sure where to start, maybe under firewall/NAT port forward and NAT rules using the Open VPN interface?

      I realize it will be a bit of work to do so, but I hope to identify the required ports, leave them enabled and default drop remainder.

      If I do so, what about random ports.  Apparently MS AD uses identified ports and random ones.  If I want to use MS AD, how do I have fpSense pass these.  I had a conversation with a college (that I admittedly only partially understood) but he explained that on a cisco, it can be configured to watch the conversation with the client, and as long as it was initiated on known open ports, that these randomn ports can be dynamically opened for that conversation.  Does this make sense for OpenVPN on pfSense?

      1 Reply Last reply Reply Quote 0
      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        I think your over thinking it.. The only persons that would have access to the vpn would be trusted people.  Do you lock them down with what ports they can access when they are local?  Then why should you take extra steps when coming in via a trusted connection like vpn?

        To access the vpn they need both the cert and can be setup to have to auth with username and password as well, etc.  Highly unlikely someone from outside would just brute force said access.  If users machine or control of their cert is compromised - then revoke that cert, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        Please don't Chat/PM me for help, unless mod related
        Read https://www.netgate.com/docs/pfsense/book/
        SG-2440 2.4.5p1 | 4x SG-3100 2.4.4p3 | SG-4860 21.05

        1 Reply Last reply Reply Quote 0
        • M
          mervincm last edited by

          That may be the case.  VPN is a door inside my network, so I wanted to make sure that if it was compromised, as little as possible would be available.

          Thanks for the sanity check.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post

          Products

          • Platform Overview
          • TNSR
          • pfSense
          • Appliances

          Services

          • Training
          • Professional Services

          Support

          • Subscription Plans
          • Contact Support
          • Product Lifecycle
          • Documentation

          News

          • Media Coverage
          • Press
          • Events

          Resources

          • Blog
          • FAQ
          • Find a Partner
          • Resource Library
          • Security Information

          Company

          • About Us
          • Careers
          • Partners
          • Contact Us
          • Legal
          Our Mission

          We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

          Subscribe to our Newsletter

          Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

          © 2021 Rubicon Communications, LLC | Privacy Policy