OpenVpn help

[macster2075]

@elorimer you're saying to NOT have OpenVpn run on default port 1194?

 

[macster2075]

now Im getting paranoid haha

 

[Tech9]

So if it works fine without DMZ, something is doing the port forwarding for you and you don't know what.

UPnP on the modem/router?

@elorimer you're saying to NOT have OpenVpn run on default port 1194?

Yes, better run it on a non-standard port. Keep in mind this forum has 500 posts limitation per thread.

 

[macster2075]

oh wow.. didn't know that.. Well I got almost 400 more to go lol. - and yes, this router as Upnp enabled by default. - so I can choose any port at all? can I make up my own set of numbers and if so, how long can they be?

but, back to the previous question I had.. whatever port I choose, if let's say DMZ is required... by forwarding that specific port in the ISP modem, whichever port may be...wouldn't that be better than opening all ports?

 

[Tech9]

DMZ is not required, open port is. How you are going to do it - your choice. Your router is designed to be Internet facing device. DMZ or modem in bridge mode is the same thing for security. Most folks will advice disabling UPnP. In theory, malicious software can open ports through UPnP without you knowing. Non-standart port is preferable for dumb scanners. More advanced ones will know your open ports in few hours.

 

[macster2075]

hmm... Based on what I'm reading on the UpnP description, it needs to be enabled if you want to remotely control smart bulbs and whatnot.
So then based on what you said about DMZ is the same as putting the modem in bridge mode.. does that mean that regular standalone modems like cable modems, they all have all ports open and the only firewall is the router if there is one connected to it?

 

[Tech9]

Modems only don't have firewalls. They are bridges, the router gets the external IP from ISP DHCP. I don't have any "smart" bulbs. I can't help you with this technology.

 

[macster2075]

Modems only don't have firewalls. They are bridges, the router gets the external IP from ISP DHCP. I don't have any "smart" bulbs. I can't help you with this technology.

Oh no no.. I was just saying I think the UpnP may be used for that purpose.. I have smart bulbs and fans, power outlets... all work great.. makes us very lazy by controlling everything with our smartphones instead of just walking to the device and turning it off

 

[elorimer]

can I make up my own set of numbers and if so, how long can they be?

Below 1024 is assigned by IANA and you can't use. 1024 up to 65535 is available unless something else is using it, in which case the VPN server won't start.

I run Openvpn on a non-standard port, and I get about 20 connection attempts a day from unauthorized parties who have somehow not been blocked by Skynet which blocks thousands. In a different location I get between 2 and 10 invalid connection attempts a day. So I think whatever one does to harden the setup is worthwhile.

So yes, non-standard port, but also certificates + user/password +encrypting the control channel. And looking at the log every morning. Plus no DMZ and knowing exactly what ports are open (exactly 2). And more.

 

[elorimer]

I have smart bulbs and fans, power outlets... all work great.. makes us very lazy by controlling everything with our smartphones instead of just walking to the device and turning it off

Set up a guest network for those IoT things so they don't have access to your LAN, period.

 

[dosborne]

I just wanted to add to this long as convoluted thread, with various opinions on setup, more detailed justification for not running any DMZ and UPNP.

While in some cases is it easier and more convenient to enable these options, **I** do not, nor would I recommend it for the following reasons.

DMZ is basically automatic forwarding of any and all inbound ports to your secondary router. By NOT doing that, you introduce a second (or actually first) firewall which must be penetrated before getting "inside" your home network. You essentially have a "lock" on a screen door that you are not using by not enabling it thereby allowing people to knock on your inner door directly. If DMZ is disabled, and therefore the primary router is running defenses, then both your routers will have to be hacked before accessing any real system. Overkill? Maybe, but you already have the equipment so you should consider using it. There may be a small hit on performance running 2 firewalls, but most people would accept this for the added security....unless you are a serious gamer. By opening only the ports that YOU choose to forward to your second router you are limiting the risk of an exploit or vulnerability and you are in control. Having a slightly more secure network could mean the difference of a hacker (or bot) moving on to next slightly less secure network.

Similarly, UPNP is a lazy way to allow outbound traffic to open ports that you are not explicitly in control of. In rare cases, usually due to poorly written code, you may not have an option, but any decent software should allow you to pick ports putting you in control.

Along these lines, running dual routers, and dual NAT, can give you a whole range of options. For example, it your less-secure IOT devices on your ISPs router directly. If they are hacked or compromised, then only your other IOT devices are vulnerable. Put your VOIP phone in this same intermediary zone for performance reasons so your phone quality isn't affected when you run a big file copy job across your internal network (or whatever).

Your secondary router can be your extra private and secure network where your computers and secure devices reside.

For me, the big advantage of doing it this way was to isolate my internal secure network from my ISP. I could easily switch providers and replace their modem/router with virtually no changes required to my inner network.

Opinions obviously vary, and security gains may be minimal, performance differences are likely minimal, etc but the point is you have options and only you can decide what is worth the learning curve.

 

[macster2075]

Thanks.. I have lots to learn and yes I understand this internet security is a big animal and everyone's brain is their own world.
What about TrendMicro protection thing that comes with these Asus routers... some say enable it, some are skeptical... I've had it enabled since I got these Asus routers, but to be honest.. the only thing I know is that it's supposed to protect from attacks...but how well they do or what's going on behind the scene... I have no idea.

So TrendMicro is another of sort a firewall besides the router's firewall?

 

[Tech9]

And looking at the log every morning.

Really? You have issues.

 

[macster2075]

I know this post has been very long.. just last question on this...if an attacker can just go in once they find an open port.. what's the point of having a username and password on the vpn?

 

[Tech9]

if an attacker can just go in once they find an open port

Relax. They can't just go in.

 

[chongnt]

I know this post has been very long.. just last question on this...if an attacker can just go in once they find an open port.. what's the point of having a username and password on the vpn?

Here is my old logs, this happen when I use standard port 1194. During that time I keep getting this errors from different source IP, whether they are just do port scanning or trying to break in. Following the forum advice, I have change to other ports and don't see such logs anymore. By the way, I don't see the logs every morning.

Dec 6 05:45:21 openvpn[2588]: 185.200.118.83:38289 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 6 05:45:21 openvpn[2588]: 185.200.118.83:38289 TLS Error: TLS handshake failed
Dec 6 07:28:48 openvpn[2588]: 167.248.133.22:53448 TLS: Initial packet from [AF_INET]167.248.133.22:53448, sid=4d658221 07fcfd52
Dec 6 07:29:04 openvpn[2588]: 167.248.133.39:50915 TLS: Initial packet from [AF_INET]167.248.133.39:50915, sid=00136074 dae9ce00
Dec 6 07:29:48 openvpn[2588]: 167.248.133.22:53448 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 6 07:29:48 openvpn[2588]: 167.248.133.22:53448 TLS Error: TLS handshake failed
Dec 6 07:30:04 openvpn[2588]: 167.248.133.39:50915 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 6 07:30:04 openvpn[2588]: 167.248.133.39:50915 TLS Error: TLS handshake failed
Dec 6 11:17:37 openvpn[2588]: 146.88.240.4:53722 TLS: Initial packet from [AF_INET]146.88.240.4:53722, sid=12121212 12121212
Dec 6 11:18:37 openvpn[2588]: 146.88.240.4:53722 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 6 11:18:37 openvpn[2588]: 146.88.240.4:53722 TLS Error: TLS handshake failed

 

[elorimer]

By the way, I don't see the logs every morning.

I dust it and straighten its antennas every morning too. Make sure its power is nice and clean.