Lockdown OpenVPN on OpenHabian

I appreciate that the docs do not go into the subject topic: https://www.openhab.org/docs/installation/security.html#vpn-connection

However, can one of the gurus suggest what to install to lock down my OpenVPN, because I am exposing a port on the WAN side of my router.

I will google how to set up the security, so if you could recommend a set of packages/tools that I need to install.

Granted, if someone wants to get in they will, but I guess the big boys are after companies and not a sad old Brit with nothing exciting or money-making material on his LAN.

Use a reverse proxy so the client is directed to the correct server.

You mean the official documentation is good for something?? :wink:

2 Likes

Yes, I didn’t add a link b/c OP had the same link and reverse proxy is just below cloud service (2 down from VPN). :wink:

1 Like

Sorry, I have them blocked.

2 Likes

It’s not the big boys you have to worry about. It’s the script kiddies. You aren’t specifically a target. But your IP:PORT is a target. There’s a website called Shodan that you can just search and see what IP addresses have what ports open. And often the service down to the version number can be identified. So someone can say “give me all the IP addresses running OpenVPN” and your IP will be in the list. You are now a target.

Your best bets are to only use certificate based authentication or a combo of certificate and password based authentication. That will thwart 99% of all attacks. They can brute force attack your system using passwords all day but if they don’t have your certificate they can’t get in.

There are lots of guides for setting up OpenVPN as securely as reasonable.

Next a good choice is Fail2Ban. This monitors log files for a certain number of failed authentication attempts and temporarily bans all connections from those IP addresses for a certain amount of time (you can configure it for permanent bans if desired).

The rest is firewall configuration and host based protection. If at all possible, configure your firewall with a whitelist of IP addresses that are permitted to connect to the OpenVPN port. That goes a very long way for reducing the attack surface, but that can also be difficult as you often can’t know them all ahead of time.

I personally recommend installing something like Tripwire to monitor your file system for unexpected changes. That can alert you to an attack. But you have to understand what files to monitor and how to tell the difference between an attack or apt running an update or something like that.

You have to audit the OpenVPN logs. You especially need to monitor for successful logins and errors. That’s going to be your first hint that there is something fishy going on.

A network based intrusion detection server like Snort can be useful as well. But it takes a lot of work to fine tune out the false alarms.

I don’t think a reverse proxy is relevant to this discussion. You can set up OpenVPN through a reverse proxy and in some circumstances it can provide some benefit, but it’s hella hard to get working right and for most home users provides little to no benefit.

And before someone else brings it up, this really isn’t an OH topic and you will find much better support and advice on other forums.

3 Likes
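The Fail2Ban and log-audit advice above boils down to two checks over the OpenVPN server log: count TLS/authentication failures per source IP inside a time window (what a Fail2Ban jail's `maxretry`/`findtime` does before it bans), and flag successful "Peer Connection Initiated" lines that look fishy. The script below is an added illustration of that logic, not Fail2Ban's code and not anything from the thread; the log lines are constructed samples in OpenVPN's default log format, and the allow-list of expected client IPs per certificate CN is a made-up assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenVPN's default log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
Mon Jan  1 10:00:01 2024 203.0.113.5:51234 TLS Error: TLS handshake failed
Mon Jan  1 10:00:05 2024 203.0.113.5:51235 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jan  1 10:00:09 2024 203.0.113.5:51236 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=unknown
Mon Jan  1 10:00:12 2024 203.0.113.5:51237 TLS Error: TLS handshake failed
Mon Jan  1 10:00:30 2024 198.51.100.7:41000 TLS: Initial packet from [AF_INET]198.51.100.7:41000, sid=c0ffee00 d15ea5e0
Mon Jan  1 10:00:31 2024 198.51.100.7:41000 [client1] Peer Connection Initiated with [AF_INET]198.51.100.7:41000
Mon Jan  1 10:05:00 2024 192.0.2.9:60000 TLS Error: TLS handshake failed
Mon Jan  1 11:30:00 2024 192.0.2.9:60001 TLS Error: TLS handshake failed
Mon Jan  1 11:30:01 2024 192.0.2.9:60001 [client2] Peer Connection Initiated with [AF_INET]192.0.2.9:60001
"""

# Assumed allow-list: which source IPs each client certificate (CN) is expected to connect from.
KNOWN_CLIENTS = {"client1": {"198.51.100.7"}, "client2": {"192.0.2.9"}}

TIMESTAMP = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (?P<ip>[\d.]+):\d+ (?P<msg>.*)$"
)
# Message prefixes OpenVPN writes when a peer fails the control-channel handshake,
# certificate verification, tls-auth/tls-crypt check, or username/password check.
FAILURE_MARKERS = ("TLS Error:", "VERIFY ERROR:", "TLS Auth Error:", "tls-crypt unwrap error")
SUCCESS_RE = re.compile(r"^\[(?P<cn>[^\]]+)\] Peer Connection Initiated")


def parse(line):
    """Split one log line into (timestamp, source IP, message); None for lines without a peer address."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TIMESTAMP), m["ip"], m["msg"]


def find_ban_candidates(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: total_failures} for every IP with >= maxretry failures inside one findtime window.

    This mirrors how a Fail2Ban jail decides to ban; Fail2Ban itself would then add the firewall rule.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        if msg.startswith(FAILURE_MARKERS):
            failures[ip].append(ts)
    banned = {}
    for ip, times in failures.items():
        times.sort()
        # Slide a window of maxretry events; any window that fits inside findtime triggers a ban.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned[ip] = len(times)
                break
    return banned


def audit_sessions(log_text, known_clients):
    """Return (timestamp, cn, ip, reason) for successful logins worth a second look."""
    findings = []
    failed_ips = set()
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        if msg.startswith(FAILURE_MARKERS):
            failed_ips.add(ip)
            continue
        m = SUCCESS_RE.match(msg)
        if not m:
            continue
        cn = m["cn"]
        if ip not in known_clients.get(cn, set()):
            findings.append((ts, cn, ip, "login from an IP not on the allow-list for this certificate"))
        if ip in failed_ips:
            findings.append((ts, cn, ip, "successful login after earlier failures from the same IP"))
    return findings


if __name__ == "__main__":
    for ip, count in find_ban_candidates(SAMPLE_LOG).items():
        print(f"would ban {ip}: {count} failures")
    for ts, cn, ip, reason in audit_sessions(SAMPLE_LOG, KNOWN_CLIENTS):
        print(f"{ts:%H:%M:%S} {cn} from {ip}: {reason}")
```

On the sample data only 203.0.113.5 trips the ban threshold (four failures in eleven seconds); 192.0.2.9 fails twice over an hour and is not banned, but its later successful login as `client2` is reported because the same address had failed handshakes earlier, which is exactly the "successful logins and errors" pattern worth eyeballing. Point the same two functions at `/var/log/openvpn.log` (or `journalctl -u openvpn@server`) with your own CN-to-IP map to use it for real.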

Same as above, the port must be exposed, so the most secure way is to have a certificate-based VPN.
If you don’t know how to do it and you are running on a Raspberry Pi, I can suggest using PiVPN:
http://www.pivpn.io/
It will automatically install an OpenVPN server with certificates and add easy commands to manage users.

1 Like
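For anyone checking what "certificate-based" actually means in the server configuration, here is an added `server.conf` fragment (constructed for this thread, not PiVPN's generated file, and the `/etc/openvpn/pki/` paths are assumed). The commented-out lines are the weak, password-only shape; the active lines require a client certificate from your own CA, drop unauthenticated packets before the TLS handshake with `tls-crypt`, and honour a revocation list so a lost phone's certificate can be cut off. `tls-crypt` and `verify-client-cert` need OpenVPN 2.4 or newer.

```conf
# --- weak: anyone who reaches the port may attempt a username/password login ---
# verify-client-cert none
# auth-user-pass-verify /etc/openvpn/check-pass.sh via-env

# --- hardened: certificate required, control channel wrapped, revocation honoured ---
ca   /etc/openvpn/pki/ca.crt        # your private CA; never a public one
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   none                           # use ECDH instead of a static DH group
tls-crypt /etc/openvpn/pki/ta.key   # pre-shared key: probes without it are discarded silently
verify-client-cert require          # no certificate, no handshake
remote-cert-tls client              # reject a stolen server cert being replayed as a client
crl-verify /etc/openvpn/pki/crl.pem # revoked clients stay out even with a valid signature
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256

# Optional "certificate AND password" combo from the post above: keep the lines
# above and add a verifier script or PAM plugin, e.g.
# auth-user-pass-verify /etc/openvpn/check-pass.sh via-env
```

Because `tls-crypt` makes the server answer only to packets carrying the shared key, a scanner that finds the open UDP port gets no handshake at all, which also keeps the failure noise in the log down to peers that actually hold your `ta.key`.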

Thanks guys.
Really well documented advice.
Indeed, my VPN is from a PiVPN install, so that’s heartwarming.
A VPN is supposed to be, intrinsically, the most secure way, certainly over a reverse proxy.

I did raise another thread on the forums about 2FA on OpenVPN, but from the comments above it would appear that PiVPN does the certificate stuff quite well.

I will certainly adopt Ritch’s advice on supplemental services that I should set up to monitor and adjust other access services.

“script kiddies” … very funny.
Cheers

arf arf arf :roll_eyes::grin::grin::wink:

I don’t think it’s fair to say that a well-configured reverse proxy is less secure than a well-configured VPN service. A reverse proxy is absolutely able to be configured just as securely. But, overall, a VPN is more flexible.

Be aware, I largely listed those services more as something to scare you. None of them except for fail2ban actually does anything. All they can achieve is to give you information. You have to have the knowledge and experience necessary to interpret that information. Snort and Tripwire don’t do anything for you if you don’t actively monitor them and understand what they’re telling you.

Caveats understood Ritch, thank you as always. I have much to learn with all this open-systems networking stuff; it’s a whole new world when compared to my comfort zone of assembler-code-based, safety-critical, real-time embedded transputer systems.

:+1: