Netgate Discussion Forum
    Generic questions on locking down Open VPN

    Scheduled Pinned Locked Moved OpenVPN
    3 Posts 2 Posters 910 Views
    mervincm wrote:

      I would like to take a few reasonable steps to make sure that I have Open VPN secured while retaining the functionality I require.

      I installed, configured and used pfBlocker to drop all connections from other countries, since I do not travel internationally.  I have also added a few lists I found in the pfBlocker thread.  Since I want it to work from a few ISPs, and from work, this seems to be about all I can do from a client IP perspective.
      Q) Any other reasonable steps that I missed?

      I configured the OpenVPN server IPv4 Local Network/s to only include the internal networks that I want to be reachable from a VPN client.

      I am now wondering what I can or should do about locking down ports.
      Most of what I have found via searching assumes Linux and iptables.

      Does pfSense allow me to lock this down via the GUI?  If so, I am not sure where to start; maybe under Firewall / NAT port forward and NAT rules using the OpenVPN interface?

      I realize it will be a bit of work to do so, but I hope to identify the required ports, leave them enabled and default drop remainder.

      If I do so, what about random ports?  Apparently MS AD uses identified ports and random ones.  If I want to use MS AD, how do I have pfSense pass these?  I had a conversation with a colleague (that I admittedly only partially understood), but he explained that on a Cisco it can be configured to watch the conversation with the client, and as long as it was initiated on known open ports, these random ports can be dynamically opened for that conversation.  Does this make sense for OpenVPN on pfSense?

      johnpoz (LAYER 8 Global Moderator) wrote:

        I think you're overthinking it.  The only persons that would have access to the VPN would be trusted people.  Do you lock them down with what ports they can access when they are local?  Then why should you take extra steps when coming in via a trusted connection like VPN?

        To access the VPN they need the cert and can be set up to have to auth with username and password as well, etc.  Highly unlikely someone from outside would just brute force said access.  If a user's machine or control of their cert is compromised, then revoke that cert, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        mervincm wrote:

          That may be the case.  VPN is a door inside my network, so I wanted to make sure that if it was compromised, as little as possible would be available.

          Thanks for the sanity check.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.