Safety in OpenVPN

Invizion

Dabbler
Joined
Dec 30, 2021
Messages
11
Hello there,

Hope you are doing well. So I have my OpenVPN configured and ready to rock (it works as intended). My next plan is to improve security after connecting to VPN.

What I have:
  • Forwarded port 1194 in the router;
  • FW Rules:
Code:
ipfw -q -f flush
ipfw -q nat 1 config if re0
ipfw -q add nat 1 all from 10.20.0.0/24 to any out via re0
ipfw -q add nat 1 all from any to any in via re0


  • Additional Params:
Code:
push "redirect-gateway def1"
push "remote-gateway MY ADDRESS"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn


So, with this configuration, I can access everything inside my network, from anywhere in the world.
Since OpenVPN relies only on certificates, without authentication or another method to log in, I would like to know what you did to improve safety with your VPN.

So, my questions are:
  1. Did anyone successfully restrict access only to specific NAS IP and JAILS you want to access? If so, how? I have other devices connected to the network that I don't want to give access to while connected to the VPN;
  2. Is it possible to restrict access to a range of IPs from a designated country only?
  3. Any other way to add another layer of authentication to OpenVPN besides certificate?

Thanks for your input!
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Did anyone successfully restrict access only to specific NAS IP and JAILS you want to access?
I sure did...

If so, how?

TrueNAS is not meant to be a VPN concentrator or a network infrastructure appliance. It is a storage appliance. For that reason, I use pfSense as a network infrastructure appliance and my OpenVPN service is provided by pfSense. That way, pfSense can apply any firewalling rule I wish on the OpenVPN interface just as easily as it does on any other.

Is it possible to restrict access to a range of IPs from a designated country only?

Again, using pfSense, it is easy. You use pfBlockerNG for that. Not installed by default but easy to add and configure.

Any other way to add another layer of authentication to OpenVPN besides certificate?

Yep. OpenVPN can have a shared secret used to authenticate each and every packet as being from a managed client. Without the HMAC produced with that secret, the packet is rejected even before being decrypted. This mechanism is powerful enough to protect the OpenVPN server even against exploits in OpenVPN itself, the packet being discarded before being processed whenever that HMAC is missing. In previous releases, that HMAC was for authentication only, but if all your OpenVPN clients are recent, you can use it to also encrypt the command channel.
 

Invizion

Dabbler
Joined
Dec 30, 2021
Messages
11
TrueNAS is not meant to be a VPN concentrator or a network infrastructure appliance. It is a storage appliance. For that reason, I use pfSense as a network infrastructure appliance and my OpenVPN service is provided by pfSense. That way, pfSense can apply any firewalling rule I wish on the OpenVPN interface just as easily as it does on any other.

I understand your point and agree with you, but I would love to keep it simple and safe (as much as I can, of course). I just have my NAS hardware with TrueNAS. The only solution would be to create a VM with pfSense and OpenVPN. I don't have enough firewall knowledge to create such systems, I believe. Sincerely, I don't know pfSense; I have never handled it. Would this be the only way to do it?

Yep. OpenVPN can have a shared secret used to authenticate each and every packet as being from a managed client. Without the HMAC produced with that secret, the packet is rejected even before being decrypted. This mechanism is powerful enough to protect the OpenVPN server even against exploits in OpenVPN itself, the packet being discarded before being processed whenever that HMAC is missing. In previous releases, that HMAC was for authentication only, but if all your OpenVPN clients are recent, you can use it to also encrypt the command channel.

Can you point me in some direction on where to check/start?

Thank you!
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Sincerely, I don't know pfSense; I have never handled it. Would this be the only way to do it?

pfSense is not the only VPN solution. But the principle of having a separate system for firewalling / VPN and for storage would be the best way. If your OpenVPN server is a Linux system, you can use iptables to add such firewalling rules on OpenVPN's interface.

The only solution would be to create a VM with pfSense and OpenVPN.

A VM inside TrueNAS itself would not be ideal and would not be easy. The hypervisor in TrueNAS is meant to virtualize operating systems. To virtualize a firewall, you need to virtualize the networking around it. For that, you need a different hypervisor, one like ESXi.

Can you point me in some direction on where to check/start?

This page would be a good start. I was referring to the TLS Key (TLS-Auth or TLS-Crypt, depending on the way you use it) they describe there.
 

Invizion

Dabbler
Joined
Dec 30, 2021
Messages
11
Thank you! I will get my hands on the documentation, read it and try to make something :)

Again, thanks for your help.
Any other suggestions from other members are appreciated. :)
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
Turn on tls-auth.

Make sure you're using a solid cipher.

Do not store the ca.key on the server...
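As an added example (not from the thread or any of its posters), here is a FreeBSD sh script that prints the ipfw rules for the firewalling-on-the-VPN-interface approach Heracles describes, restricting the 10.20.0.0/24 clients to the NAS and selected jails while keeping the poster's NAT rules, together with the tls-crypt and cipher directives suggested above. The interface name tun0, the LAN subnet, the NAS and jail addresses, the key path and an ipfw default rule of "accept" are assumptions.

```shell
#!/bin/sh
# Constructed example for this thread (not the poster's script). It prints:
#  (a) ipfw rules so OpenVPN clients on 10.20.0.0/24 reach only the NAS and
#      chosen jails, never the rest of the LAN, while NAT to the internet
#      (the poster's re0 rules) keeps working;
#  (b) server.conf directives for tls-crypt and a modern cipher.
# Assumed placeholders: OpenVPN interface tun0, LAN 192.168.1.0/24, NAS at
# 192.168.1.10, jails at .11/.12, key path, and an ipfw default rule of
# "accept" (as in the poster's ruleset, which never allows anything explicitly).
VPN_NET="10.20.0.0/24"
VPN_IF="tun0"
WAN_IF="re0"
LAN_NET="192.168.1.0/24"
ALLOWED_HOSTS="192.168.1.10 192.168.1.11 192.168.1.12"
# Rule numbers are explicit so ordering (NAT, host allows, LAN-wide deny)
# does not depend on ipfw's automatic numbering. First match wins.
ipfw_rules() {
    n=100
    echo "ipfw -q -f flush"
    echo "ipfw -q nat 1 config if $WAN_IF"
    echo "ipfw -q add $n nat 1 all from $VPN_NET to any out via $WAN_IF"
    n=$((n + 100))
    echo "ipfw -q add $n nat 1 all from any to any in via $WAN_IF"
    n=$((n + 100))
    for host in $ALLOWED_HOSTS; do
        echo "ipfw -q add $n allow ip from $VPN_NET to $host in via $VPN_IF"
        n=$((n + 100))
    done
    # Anything else on the LAN is dropped at the tunnel; internet-bound
    # packets match no rule here and fall through to the default accept.
    echo "ipfw -q add $n deny ip from $VPN_NET to $LAN_NET in via $VPN_IF"
}
# Directives to append to the OpenVPN server config. Generate the key once
# with "openvpn --genkey tls-crypt /path/ta.key" (2.5+ syntax) and ship the
# same file to every client, which adds "tls-crypt ta.key" to its config.
openvpn_hardening() {
    cat <<'EOF'
tls-crypt /usr/local/etc/openvpn/ta.key
auth SHA256
data-ciphers AES-256-GCM:AES-128-GCM
tls-version-min 1.2
remote-cert-tls client
EOF
}
# Dry run: review the output, then pipe the ipfw section into sh as root.
ipfw_rules
echo "# --- append to server.conf ---"
openvpn_hardening
```

Clients without the matching ta.key are rejected at the HMAC check before the TLS handshake is even parsed, which is the packet-level protection Heracles refers to.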
 