It’s not the big boys you have to worry about. It’s the script kiddies. You aren’t specifically a target. But your IP:PORT is a target. There’s a website called Shodan that you can just search and see what IP addresses have what ports open. And often the service down to the version number can be identified. So someone can say “give me all the IP addresses running OpenVPN” and your IP will be in the list. You are now a target.
Your best bets are to only use certificate-based authentication or a combo of certificate- and password-based authentication. That will thwart 99% of all attacks. They can brute-force attack your system using passwords all day, but if they don’t have your certificate they can’t get in.
There are lots of guides for setting up OpenVPN as securely as reasonable.
Next a good choice is Fail2Ban. This monitors log files for a certain number of failed authentication attempts and temporarily bans all connections from those IP addresses for a certain amount of time (you can configure it for permanent bans if desired).
The rest is firewall configuration and host-based protection. If at all possible, configure your firewall with a whitelist of IP addresses that are permitted to connect to the OpenVPN port. That goes a very long way for reducing the attack surface, but it can also be difficult, as you often can’t know them all ahead of time.
I personally recommend installing something like Tripwire to monitor your file system for unexpected changes. That can alert you to an attack. But you have to understand what files to monitor and how to tell the difference between an attack or apt running an update or something like that.
You have to audit the OpenVPN logs. You especially need to monitor for successful logins and errors. That’s going to be your first hint that there is something fishy going on.
A network-based intrusion detection server like Snort can be useful as well. But it takes a lot of work to fine-tune out the false alarms.
I don’t think a reverse proxy is relevant to this discussion. You can set up OpenVPN through a reverse proxy and in some circumstances it can provide some benefit, but it’s hella hard to get working right and for most home users provides little to no benefit.
And before someone else brings it up, this really isn’t an OH topic and you will find much better support and advice on other forums.
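Worked example added to this thread (not the poster’s configuration): the OpenVPN server options that implement the certificate-only, or certificate-plus-password, setup recommended above, with the weak password-only variant shown commented out for contrast. Every file path and the password-check script name are placeholders you would replace with your own PKI layout.

```conf
# /etc/openvpn/server.conf (added example; paths are placeholders)

# --- Weak: password only. Anyone who guesses a password gets a tunnel. ---
# verify-client-cert none
# auth-user-pass-verify /etc/openvpn/check-password.sh via-env
# script-security 2

# --- Hardened: every client must present a certificate signed by your CA ---
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
# 'require' is the default; stated explicitly so a later edit cannot silently drop it
verify-client-cert require
# only accept certificates issued with the client key usage, so a leaked server cert cannot log in
remote-cert-tls client
# tls-crypt: packets that do not carry the shared key are dropped before the TLS
# handshake even starts, so Shodan-style scanners see nothing and brute forcers burn no CPU
tls-crypt /etc/openvpn/pki/tc.key
tls-version-min 1.2
# certificate revocation list: revoke one lost laptop without reissuing the whole CA
crl-verify /etc/openvpn/pki/crl.pem

# --- Optional second factor: certificate AND password (the "combo" mentioned above) ---
# auth-user-pass-verify /etc/openvpn/check-password.sh via-env
# script-security 2

# log at verb 3 to a fixed file so fail2ban and your own audits have something to read
verb 3
log-append /var/log/openvpn/server.log
```

The clients then need the matching `tls-crypt` key and their own signed certificate and key in their `.ovpn` profile, plus `auth-user-pass` only if the combo lines are enabled on the server.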
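Worked example added to this thread (not the poster’s rules) for the whitelist firewall idea above, written for nftables on a Linux OpenVPN host. The table name, set name and the example addresses are my own choices; the point is that only listed sources reach the OpenVPN port, and everything else is logged and dropped so you can still see what is probing you.

```shell
#!/bin/sh
# Generate an nftables ruleset that admits only allow-listed sources to the OpenVPN port.
# Usage: gen_vpn_allowlist <port> <udp|tcp> <addr-or-cidr>...   (e.g. ... | nft -f -)

gen_vpn_allowlist() {
    port="$1"
    proto="$2"
    shift 2
    # Join the remaining arguments into nft set syntax: "a, b, c"
    allowed=$(printf '%s, ' "$@")
    allowed="${allowed%, }"
    cat <<EOF
table inet vpn_guard {
    set allowed_vpn_peers {
        type ipv4_addr
        flags interval
        elements = { $allowed }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        $proto dport $port ip saddr @allowed_vpn_peers accept
        $proto dport $port log prefix "openvpn-denied: " drop
    }
}
EOF
}

# Constructed example: two office/home addresses allowed, everyone else logged and dropped.
gen_vpn_allowlist 1194 udp 203.0.113.10 198.51.100.0/24
```

The dropped-packet log line is what tells you, as the thread says, that your IP:port is already on someone’s list, and it is also the evidence you need when a roaming user cannot connect because their current address is not in the set.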
Same as above: the port must be exposed, so the most secure way is to have a certificate-based VPN.
If you don’t know how to do it and you are running on a Raspberry Pi, I can suggest using PiVPN: http://www.pivpn.io/
It will automatically install an OpenVPN server with certificates and add easy commands to manage users.
I don’t think it’s fair to say that a well-configured reverse proxy is less secure than a well-configured VPN service. A reverse proxy is absolutely able to be configured just as securely. But, overall, a VPN is more flexible.
Be aware, I largely listed those services more as something to scare you. None of them except for fail2ban actually does anything. All they can achieve is to give you information. You have to have the knowledge and experience necessary to interpret that information. Snort and Tripwire don’t do anything for you if you don’t actively monitor them and understand what they’re telling you.
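The earlier advice to audit the OpenVPN log for successful logins and errors, and this post’s point that the tools only hand you information you have to interpret, come down to the same job. As an added example (not the poster’s script), here is a POSIX shell audit over constructed log lines in OpenVPN’s default `verb 3` format: it lists who actually got a session and which source addresses repeatedly failed the TLS handshake, which is the same count fail2ban’s openvpn jail bans on. The sample lines and the threshold are my own; point `OPENVPN_LOG` at a real file to run it against your server.

```shell
#!/bin/sh
# Audit an OpenVPN server log: who connected, and which sources keep failing.
# Reads $OPENVPN_LOG if set, otherwise the constructed sample below.

# Constructed sample in OpenVPN verb 3 format; not a real capture.
SAMPLE_LOG='Mon Jan  1 10:00:01 2024 203.0.113.5:51234 TLS Error: TLS handshake failed
Mon Jan  1 10:00:05 2024 203.0.113.5:51240 TLS Error: TLS handshake failed
Mon Jan  1 10:00:09 2024 203.0.113.5:51251 VERIFY ERROR: depth=0, error=unable to get local issuer certificate
Mon Jan  1 10:01:00 2024 198.51.100.7:40001 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40001
Mon Jan  1 10:02:13 2024 203.0.113.5:51270 TLS Error: TLS handshake failed
Mon Jan  1 10:03:00 2024 192.0.2.9:33000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan  1 10:04:00 2024 198.51.100.7:40002 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40002'

log_source() {
    if [ -n "${OPENVPN_LOG:-}" ]; then
        cat "$OPENVPN_LOG"
    else
        printf '%s\n' "$SAMPLE_LOG"
    fi
}

# One line per established session: "<common name> <source ip:port>".
# Fields 1-5 are the timestamp, 6 is the peer, 7 is the certificate CN in brackets.
successful_logins() {
    log_source | awk '/Peer Connection Initiated/ {
        cn = $7; gsub(/[][]/, "", cn); print cn, $6 }'
}

# Failed TLS handshakes and certificate verification errors, counted per source IP.
failures_by_ip() {
    log_source | awk '/TLS Error|VERIFY ERROR/ {
        split($6, a, ":"); count[a[1]]++ }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Sources at or above the threshold (default 3): the ones a fail2ban jail would ban.
ban_candidates() {
    threshold="${1:-3}"
    failures_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

report() {
    echo "== Successful sessions (CN source) =="
    successful_logins
    echo "== Failures per source =="
    failures_by_ip
    echo "== Ban candidates (>= ${1:-3} failures) =="
    ban_candidates "${1:-3}"
}

report "$@"
```

On the sample, the interesting output is not the ban list (203.0.113.5 is obvious) but the successful-session list: a CN you do not recognise, or a known CN from an address that user never uses, is the "something fishy" the earlier post warns about, and no tool will flag it for you. If your server logs to the journal without the timestamp prefix, shift the `$6`/`$7` field numbers accordingly.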
Caveats understood, Ritch, thank you as always. I have much to learn with all this open-system networking stuff; it’s a whole new world when compared to my comfort zone of assembler-code-based, safety-critical, real-time embedded transputer systems.