OPNsense Forum

English Forums => General Discussion => Topic started by: ressurex on July 25, 2018, 11:12:34 am

Title: VPN server on static IP - secure??
Post by: ressurex on July 25, 2018, 11:12:34 am
Currently running happily on my new box, purchased from Ali. -> description.

Well then:
One simple question before I dive into the world of VPN/networking, which is NOT my area of expertise. My ISP doesn't support dyndns, something with sharing an IP in a quadrant and one WAN, double NAT etc. etc. I won't get into this, but discuss the static fixed public IP VPN solution instead.

If I want to connect to my LAN from the outside world through a static public IP, running as a VPN server, what exactly do I need to do to not expose my LAN to the internet?
I only have one thing in mind when connecting to a private VPN server, and that is access to our Windows 7 NAS drives with Nextcloud etc. (Dropbox alternative).

Before I order a static IP from our ISP, fire it up, port forward the VPN server port on my Cisco cable modem to the OPNsense VPN server, etc.: is there ANY!! way such a solution can be a threat to my home LAN, exposing it to the internet, if I set some values wrong or something? I'm in a bit of a grey zone here in terms of knowledge.

I was advised NOT to do a VPN server bridge on an outside VPS like Digital Ocean, since the owner of the service could access my LAN this way. I'm not a VPN expert, as you can tell, but I get the basics.

Does a VPN server service running on my OPNsense in any way create a threat to my existing LAN if not configured in a stringent way, and does this forum have a specific guide for this setup?

I want to use my OPNsense for several things, small things like cutting LAN access for Android/iOS mobile units and vice versa for LAN-only units, geo blocking / ads / privacy / VPN and whatever else I find interesting. Overall just the feeling of regaining control of my own network at home, upping the standard security, so to speak. Coming from an Asus WRT Merlin build, OPNsense is an exciting new world. But what I don't want is to lower the security.
Title: Re: VPN server on static IP - secure??
Post by: bartjsmit on July 25, 2018, 03:41:06 pm
A VPN increases security by reducing your attack surface through moving services from public to private networks. The time that you have a public IP address has little bearing on that. You need a dynamic DNS record to reach the VPN server anyway, and there is no security in obscurity.

TL;DR: static IP for VPN is not more insecure

Bart...
Title: Re: VPN server on static IP - secure??
Post by: ressurex on July 25, 2018, 04:27:21 pm
Thanks for the reply.
Title: Re: VPN server on static IP - secure??
Post by: ressurex on July 25, 2018, 04:33:11 pm
A VPN increases security by reducing your attack surface through moving services from public to private networks. The time that you have a public IP address has little bearing on that. You need a dynamic DNS record to reach the VPN server anyway, and there is no security in obscurity.

TL;DR: static IP for VPN is not more insecure

Bart...

Thanks for the reply Bart. So even if my Cisco cable modem gets a fixed IP = the VPN server's IP, I still need to have some dynamic DNS setup in the OPNsense firewall?

Title: Re: VPN server on static IP - secure??
Post by: bartjsmit on July 25, 2018, 10:43:27 pm
If you have a fixed IP address, you can configure your clients with that; no need to use an FQDN.

What I meant was, even if you have a variable IP address you still have to have some constant to reliably connect to your VPN; i.e. a dynamic DNS service.
Title: Re: VPN server on static IP - secure??
Post by: ressurex on July 25, 2018, 11:06:55 pm
Yep, I agree.

thanks for the input though.

Title: Re: VPN server on static IP - secure??
Post by: chunky on July 30, 2018, 12:06:51 am
If you want to connect to your LAN from the public internet, there are minimal precautions to set up, like:
- change the default VPN port
- use UDP tun
- use certificates
- follow some VPN setup guides based on security
- limit VPN users to the services you need, don't open the firewall to all ports
- you can also, like me, block VPN access from other countries except yours
- use AES 256 cipher with 4096 bit
There are certainly other things I forgot, but keep in mind there is always a risk; all we can do is limit the penetration vectors.

General security measures:
As a rule of thumb, don't trust apps blindly. Block all your outbound traffic and use a proxy (Squid for example) with authentication for surfing the web, dedicated to the browser, not system-wide. That's why you should not use Chrome or Internet Explorer or Edge or any browser that doesn't have its own proxy settings. I use Firefox for this and won't change anytime soon (I know Chrome can also use a specific proxy via the launch parameters, but it's well hidden from regular users, plus it phones home to Google servers).

I've chosen an open firewall like OPNsense to have full control of the settings; unfortunately, there are some settings hidden from us which are available on a regular pf firewall, like for example the ability to control rules based on the user running a service. I'm thinking of moving back to a regular FreeBSD for my internet-facing firewall.
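The checklist in the post above (non-default port, UDP tun, certificates, AES-256, tls-auth) can be turned into a small audit of the OpenVPN server configuration. The script below is an added example written for this thread, not code from OPNsense, OpenVPN or the poster. It assumes plain OpenVPN server.conf syntax (OPNsense generates an equivalent file from its GUI) and uses only real OpenVPN directive names; the two embedded configurations are constructed samples, one weak and one hardened along the lines the post recommends.

```python
"""Audit an OpenVPN server configuration against the hardening checklist from the thread.

Added example (not OPNsense's or OpenVPN's own code).  Assumptions:
- plain OpenVPN server.conf syntax, one directive per line;
- directive names are real OpenVPN directives; WEAK_CONFIG and HARDENED_CONFIG are constructed samples.
"""
import shlex

DEFAULT_PORT = 1194
# 256-bit / AEAD ciphers accepted; anything else (BF-CBC, AES-128-CBC, ...) is flagged.
STRONG_CIPHERS = {"AES-256-GCM", "AES-256-CBC", "CHACHA20-POLY1305"}

# Constructed sample: roughly what a copy-pasted default server.conf looks like.
WEAK_CONFIG = """
port 1194                 # default port
proto tcp
dev tap                   # bridged: clients land on LAN layer 2
cipher BF-CBC
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
client-cert-not-required  # password-only clients
"""

# Constructed sample: the same server after applying the checklist.
HARDENED_CONFIG = """
port 51194                # non-default port
proto udp
dev tun                   # routed, so the firewall decides what clients reach
data-ciphers AES-256-GCM:CHACHA20-POLY1305
cipher AES-256-GCM
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
tls-crypt ta.key          # drops unauthenticated packets before the TLS handshake
verify-client-cert require
server 10.8.0.0 255.255.255.0
"""


def parse_openvpn(text):
    """Map directive -> argument list (last occurrence wins); '#' and ';' comments are dropped.
    Simplified parser: inline <ca>...</ca> style blocks are not handled."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        conf[parts[0]] = parts[1:]
    return conf


def audit(conf):
    """Return a list of (directive, problem) tuples; an empty list means the checklist is met."""
    findings = []
    if int(conf.get("port", [DEFAULT_PORT])[0]) == DEFAULT_PORT:
        findings.append(("port", "default 1194; move to a non-default port (cuts scanner noise, not a real control)"))
    if not conf.get("proto", ["udp"])[0].lower().startswith("udp"):
        findings.append(("proto", "TCP in use; prefer UDP"))
    if not conf.get("dev", ["tun"])[0].lower().startswith("tun"):
        findings.append(("dev", "tap bridges clients onto the LAN at layer 2; prefer routed tun"))
    ciphers = set()
    if "cipher" in conf:
        ciphers.add(conf["cipher"][0].upper())
    if "data-ciphers" in conf:
        ciphers.update(conf["data-ciphers"][0].upper().split(":"))
    if not ciphers or not ciphers <= STRONG_CIPHERS:
        weak = sorted(ciphers - STRONG_CIPHERS) or "none set"
        findings.append(("cipher", f"weak or unset data cipher ({weak}); use AES-256-GCM"))
    for d in ("ca", "cert", "key"):
        if d not in conf:
            findings.append((d, "missing; certificate-based authentication is not configured"))
    if "client-cert-not-required" in conf or conf.get("verify-client-cert", ["require"])[0] != "require":
        findings.append(("client-cert", "client certificates not required; every client must present one"))
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append(("tls-auth", "no tls-auth/tls-crypt key; unauthenticated packets reach the TLS handshake"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse then audit a config given as a string."""
    return audit(parse_openvpn(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for directive, problem in audit_text(cfg) or [("ok", "checklist satisfied")]:
            print(f"  {directive}: {problem}")
```

Two items from the list are deliberately outside the script: the "4096 bit" key size lives in the DH and certificate PEM files, not in the config, and "limit VPN users to the services you need" is enforced by the firewall rules on the OpenVPN interface, not by OpenVPN itself, so both have to be checked separately.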
Title: Re: VPN server on static IP - secure??
Post by: ressurex on August 03, 2018, 06:29:35 pm
Thanks!