OpenVPN Security

lmipbtr
OpenVpn Newbie
Posts: 12
Joined: Mon Dec 05, 2022 9:47 am

OpenVPN Security

Post by lmipbtr » Sun Jan 29, 2023 9:18 pm

I have just got my first OpenVPN server and 2 clients working. The server is hosted on an old Windows 10 laptop in my home network. I tried to get a Raspberry Pi but was unable to source one, delivery delay of up to 1 year expected.

I built two different clients on my own laptop and tested them both by connecting the laptop to my mobile hotspot and then connecting to the server. All seems to be working, including routing of specific URLs over the VPN while the rest of my traffic is routed normally.

My problem is that I am worried about exposing my home network to the big bad internet. I have used port forwarding to allow the VPN traffic through the router and on to the server host. I think this means my port is open, right? I tested it using Nmap and it says it is Open/Filtered which I think means that it is not 100% sure if it is open or not? If it is open, then isn't it true that my entire network is vulnerable?

I tried isolating the server host by connecting it to the Guest WiFi but when I tried to port forward to the address of the server host, the router rejected it as an invalid address. Presumably this was because it was in a different subnet than that defined in the router.

Is my reasoning correct? Is my network vulnerable due to the port forwarding? If so, is the only way around this to buy a router with OpenVPN capability to act as the server?

lmipbtr
OpenVpn Newbie
Posts: 12
Joined: Mon Dec 05, 2022 9:47 am

[SOLVED] OpenVPN Security

Post by lmipbtr » Tue Feb 28, 2023 7:40 am

I understand the use of the TLS-Auth option (ta.key):

"With the tls-auth option enabled, OpenVPN will use a second level of authentication by creating an HMAC key for use in the TLS handshake process. This feature does incorporate some administrative overhead as all connecting machines must have this extra pre-shared secret, but it provides a high level of protection against attacks like the buffer overflows we found last year in OpenSSL. With tls-auth enabled, an attacker scanning the Internet for SSL enabled devices will not even be able to initiate a TLS handshake without the proper HMAC signature."
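A simplified model of the check the quoted paragraph describes, as an added example that is not part of this thread or of OpenVPN's own code: the receiver verifies a pre-shared-key HMAC on every control-channel packet before any TLS processing and silently drops anything that fails, which is also why a UDP port scan cannot tell such a port from a filtered one. The key value, the framing (HMAC-SHA1 over packet id plus payload) and the packet contents are constructed for illustration and are not OpenVPN's real wire format.

```python
import hashlib
import hmac
import os
import struct

# Constructed pre-shared key standing in for the contents of ta.key (illustration only).
TA_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def wrap_control_packet(key: bytes, packet_id: int, payload: bytes) -> bytes:
    """Sender side: prepend an HMAC-SHA1 tag computed over packet_id || payload."""
    header = struct.pack(">I", packet_id)
    tag = hmac.new(key, header + payload, hashlib.sha1).digest()
    return tag + header + payload


class TlsAuthReceiver:
    """Receiver side: verify the tag first, then reject replayed packet ids."""

    TAG_LEN = hashlib.sha1().digest_size  # 20 bytes

    def __init__(self, key: bytes):
        self.key = key
        self.seen_ids = set()

    def accept(self, packet: bytes):
        """Return the payload if the packet is authentic and fresh, else None (dropped)."""
        if len(packet) < self.TAG_LEN + 4:
            return None  # too short to carry a tag and a packet id
        tag, rest = packet[: self.TAG_LEN], packet[self.TAG_LEN :]
        expected = hmac.new(self.key, rest, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong or missing pre-shared key: no TLS handshake is ever started
        (packet_id,) = struct.unpack(">I", rest[:4])
        if packet_id in self.seen_ids:
            return None  # replay of an earlier, correctly authenticated packet
        self.seen_ids.add(packet_id)
        return rest[4:]


def demo():
    """Legitimate client, replayed packet, raw scanner probe and wrong-key client."""
    rx = TlsAuthReceiver(TA_KEY)
    client_hello = b"\x16\x03\x01\x00\x2c" + b"A" * 44  # constructed stand-in for a ClientHello
    accepted = rx.accept(wrap_control_packet(TA_KEY, 1, client_hello))
    replayed = rx.accept(wrap_control_packet(TA_KEY, 1, client_hello))
    scanner = rx.accept(client_hello)  # bare probe with no tag at all
    wrong_key = rx.accept(wrap_control_packet(os.urandom(32), 2, client_hello))
    return accepted == client_hello, replayed is None, scanner is None, wrong_key is None
```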
