Inbound OpenVPN Server IP address range filter

[pkcouch]

Hello,

I have RT-AX3000 w/Merlin 388.2_2. My use case is a single VPN for a child at college. At one time, I had an old Synology NAS (behind the router) that served as the OpenVPN server. I could restrict the port forwarding to only the IP address range of the college, for security purposes (better than opening it up to the entire world). The Synology NAS has gone away, and I'm configuring the OpenVPN server built into the router.

Question- Is there a way to restrict use of the VPN server to a specified IP address range (like my old Synology setup)? I setup the router's OpenVPN server to require a connection with a certificate and username/password combo. Given that, do I need the inbound IP address range filter, or is it a "don't care" (due to cert/username/password requirement)? Thanks in advance to all the experts here!

 

[ColinTaylor]

If you're using certificates for your VPN there's no need to have a firewall filter as well. Just use a non-common port (i.e. not 1194, 443, 8080, etc.) to reduce the "noise" in your syslog from port scanners.

 

[Martinski]

To further mitigate the impact of incoming "noise" from scanners or probes trying to figure out who's listening in the opened port, make sure to set the "TLS control channel security" option to either "Bi-directional Auth" or "Encrypt channel" (recommended).

This way, every TLS control channel packet is signed with an HMAC signature (and encrypted if using the recommended setting), even during the initial multi-packet handshake that happens before client authentication can be established. Any incoming packets that don't have the correct signature are dropped immediately.