Help setting up this VPN!

Starting over sounds like the right approach at this time!

OpenVPN works with Windows, but you were trying to set up OpenVPN on the Windows computer, thinking that is how you would connect to it; it needs to be done in the router.

You do not need to do anything with the Windows BI computer and OpenVPN.

Here are the general steps with OpenVPN on a router that supports it:

You will need to set up DDNS, as your WAN IP address is subject to change at any time by your ISP (although most do not change often), or you can skip DDNS and pay for a static IP address if your ISP offers that.

OpenVPN is simple, but we make it way more difficult than it needs to be lol.

I was there too once with OpenVPN...tried to do all this research to find directions and got to the point I said screw it and just enabled it and kind of followed what it was asking and it worked.

Just go to OpenVPN and enable it and see what it says - it asks you to create a user/PW, DDNS name, encryption method, and create a certificate. Then email that certificate to yourself (or connect your device to a computer and copy it over) and save the certificate on your mobile device. Then install the OpenVPN app, select the certificate, and then connect whenever you are away from home, and you are on your home network.

It really is simpler than our minds make it out to be.

While this is for an Asus, the concept is the same:
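The setup above boils down to one client profile (.ovpn) that carries the DDNS name, the port, and the certificate material the router exported. The script below is an added example, not code from this thread or from the OpenVPN project: it assembles such a profile and then audits it for the settings that matter when the server sits on a home router (a CA block, `remote-cert-tls server` so another client's cert cannot pose as the server, `tls-crypt`/`tls-auth`, a hostname rather than a bare WAN IP, and no weak HMAC or cipher). The hostname `myhouse.example-ddns.net`, the port, the function names and the PEM blobs are all placeholders; substitute the files the router actually exported.

```python
"""Build and audit an OpenVPN client profile for a router-hosted server.

Added example; this is not code from the thread or from the OpenVPN project.
Assumptions: the router exported a CA certificate, a client certificate and
key, and a tls-crypt key; the DDNS name and the PEM blobs below are
constructed placeholders to be replaced with the real exports.
"""
import re

# Constructed placeholder PEM material (not real keys).
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...ca-placeholder...\n-----END CERTIFICATE-----"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...client-placeholder...\n-----END CERTIFICATE-----"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE...key-placeholder...\n-----END PRIVATE KEY-----"
TLS_CRYPT_PEM = "-----BEGIN OpenVPN Static key V1-----\n0000...placeholder...\n-----END OpenVPN Static key V1-----"

WEAK_AUTH = {"md5", "sha1", "none"}
WEAK_CIPHERS = {"bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "none"}
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def inline_block(name, pem):
    """Embed PEM material as a <name>...</name> block so one .ovpn file carries it all."""
    return f"<{name}>\n{pem.strip()}\n</{name}>"


def build_profile(hostname, port=1194, proto="udp", server_name=None,
                  ca_pem=CA_PEM, cert_pem=CERT_PEM, key_pem=KEY_PEM,
                  tls_crypt_pem=TLS_CRYPT_PEM):
    """Return a single-file client profile pointing at the DDNS hostname."""
    lines = [
        "client", "dev tun", f"proto {proto}", f"remote {hostname} {port}",
        "resolv-retry infinite",   # keep retrying while the DDNS record catches up
        "nobind", "persist-key", "persist-tun",
        "remote-cert-tls server",  # peer cert must carry the server-role key usage
        "auth SHA256",
        "data-ciphers AES-256-GCM:AES-128-GCM",
        "verb 3",
    ]
    if server_name:
        # Pin the expected CN of the server certificate on top of the CA check.
        lines.append(f"verify-x509-name '{server_name}' name")
    lines += [inline_block("ca", ca_pem), inline_block("cert", cert_pem),
              inline_block("key", key_pem), inline_block("tls-crypt", tls_crypt_pem)]
    return "\n".join(lines) + "\n"


def parse_profile(text):
    """Map directive -> list of argument strings; also return the inline block names."""
    directives, blocks, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if current:                      # inside <ca>...</ca> etc.: skip PEM lines
            if line == f"</{current}>":
                current = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
            blocks.add(current)
            continue
        key, _, args = line.partition(" ")
        directives.setdefault(key, []).append(args.strip())
    return directives, blocks


def audit_profile(text):
    """Return a list of findings; an empty list means every check passed."""
    d, blocks = parse_profile(text)
    findings = []
    if "client" not in d:
        findings.append("missing 'client'")
    if "server" not in d.get("remote-cert-tls", []):
        findings.append("missing 'remote-cert-tls server': any cert signed by the CA, "
                        "including another client's, would be accepted as the server")
    if "ca" not in blocks and "ca" not in d:
        findings.append("no CA certificate: the server cert cannot be verified")
    if not ({"tls-crypt", "tls-auth"} & (blocks | set(d))):
        findings.append("no tls-crypt/tls-auth: the server will start a TLS handshake "
                        "with any source instead of dropping unauthenticated packets")
    for remote in d.get("remote", []):
        host = remote.split()[0] if remote else ""
        if IPV4_RE.fullmatch(host):
            findings.append(f"remote {host} is a bare IP; use the DDNS name so a WAN IP change does not strand the client")
    for a in d.get("auth", []):
        if a.lower() in WEAK_AUTH:
            findings.append(f"weak HMAC 'auth {a}'")
    for c in d.get("cipher", []) + d.get("data-ciphers", []):
        for name in c.split(":"):
            if name.lower() in WEAK_CIPHERS:
                findings.append(f"weak cipher '{name}'")
    return findings


if __name__ == "__main__":
    profile = build_profile("myhouse.example-ddns.net", server_name="myhouse.example-ddns.net")
    print(profile)
    print("findings:", audit_profile(profile) or "none")
```

Running the audit against the profile the router generated (rather than the one this script builds) is the useful part: a profile that carries only `<ca>` and a username/password, with no `remote-cert-tls server` and no `tls-crypt`, will work but shows up with two findings.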

 
Got it! Thank you all, your patience and knowledge is appreciated. I ended up doing as said, started over fresh. I think two things happened. One was I was thinking that any computer that I wanted to connect to while I was out and about had to have VPN installed on it and running. Secondly, I was using the Windows OpenVPN certs on my iPhone... One last question for you guys: does this mean if I want to, say, start the Roomba vacuum while at work I need to connect to the VPN? Assuming I would, but I am able to connect off of WiFi. Is it because of the app I'm using?

Thanks again guys, This forum has been very helpful and encouraging.
 
Glad you got it worked out!

Once you VPN to your home network, it is like you are at home sitting on your couch, so anything you can do at home you can now do when away.

Plus with OpenVPN, you can connect to free wifi and have a secure connection. Comes in handy in places where cell service is bad.
 
...One last question for you guys: does this mean if I want to, say, start the Roomba vacuum while at work I need to connect to the VPN? Assuming I would, but I am able to connect off of WiFi. Is it because of the app I'm using?

Depends on the app. If it's something that's intended to work only locally on your network then, yes, you'd need to connect to the VPN first. If it's something that works remotely from wherever tunneling back into your network using a P2P-like connection through the company's servers then no VPN connection needed. I'd guess that the Roomba probably is the latter but don't know for sure. Or it could work either/both ways depending on what and how you set things up.
 
I'd argue for (and do) use another port. VPNs are very secure but there are exploits at times most of which, like most good hacks, just bypass the authorization/encryption. Also, most home routers tend not to get updated often so vulnerabilities can be out there for a relatively long time. Makes things a little harder to target on a mass basis at least. Not something that most probably need to worry all that much but just as a matter of good practice I generally try to avoid defaults for anything that may be exposed in some way.

Recent Openvpn Security Vulnerabilities
OpenVPN 3 Core Library version 3.6 and 3.6.1

CVE-2021-3547 7.4 - High - July 12, 2021

OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in the verify-x509-name option in a client configuration.

OpenVPN 2.5.1 and earlier versions

CVE-2020-15078 7.5 - High - April 26, 2021

OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

If a hacker is sophisticated enough to use these exploits, they are sophisticated enough to test all ports and not just the standard VPN port. Using a non-standard port is as secure as conspicuously lining up six fake key rocks next to each other on your porch and putting your spare key in the one farthest from the door instead of the closest one.

Obviously it is personal preference in which port you want to use. But do not fool yourself into thinking that using a non-standard port is any more secure than a default port.

Edit - It's not wrong to try to add more ways to block intruders to your network. But most of the ways are easily circumvented, and using a non-standard port isn't a valid method of blocking someone; it's just playing a shell game that can be won in a matter of seconds. You can use geo-location or other methods to add blocking layers to your network, but just understand that nothing is foolproof. For example, geo-location blocking can be circumvented by a hacker using a VPN service to make it appear they are in your country, etc, etc, etc.

In the end, the best defense is having a firewall/router that is routinely updated to patch any known exploits. The most "at risk" networks are those that have outdated firmware running on their firewall/routers. Unfortunately, the average person never updates the firmware on their home firewall/router and, worse yet, most manufacturers of consumer-grade routers rarely release firmware updates in the first place.
 
If a hacker is sophisticated enough to use these exploits, they are sophisticated enough to test all ports and not just the standard VPN port. Using a non-standard port is as secure as conspicuously lining up six fake key rocks next to each other on your porch and putting your spare key in the one farthest from the door instead of the closest one.

Obviously it is personal preference in which port you want to use. But do not fool yourself into thinking that using a non-standard port is any more secure than a default port.

Sure. Never said that it was any more secure per se or a defense against a determined intruder. It simply helps to avoid being caught in the automated mass-blast searches that target zero-day and other exploits known to be running on default ports for targeted services. That's all that it does. But that's also what most more commonly face as intrusion attempts/ransomware/worms/etc.
 
Umm, that's exactly what you were implying in your post.

I don't know how you think "hacking" like this works. It's not a team of hackers huddled over their computers manually scanning machines all over the world with a limited amount of time and resources. This is all done by bots and while they might have a group of bots scanning default ports, they sure as hell have another set of bots doing full scans. If you feel more comfortable changing from default ports, that's great! But don't tell people it is more "secure" because it is not.

Nope, I said nothing about it making anything more secure and did not imply any added security through obscurity. You jumped to using "secure" and talking about "blocking" things on your own. If you want to dispute that, then quote my post and point to where I said anything about it being any more secure. Specifically what I said was that it makes things a little harder to target on a mass basis.

I know very well how it works. Anyone who looks at their edge logs understands that virtually every port gets tested these days. But probing of that sort is a different thing vs wide-scale attacks against specific targeted services running on default ports. A recent case being the QNAP ransomware targeting an exposed default port 5000. Many other examples.
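Both sides of this exchange are claims about what a router's edge log shows: that every port gets probed, and that mass campaigns concentrate on one default port. The script below is an added example, not code from the thread, that makes those two patterns visible in a log. The log lines are constructed in the iptables LOG (kernel syslog) format using documentation-range addresses; the non-default OpenVPN port 41194, the sweep threshold and the function names are assumptions for the illustration.

```python
"""Summarise inbound probes from a router's firewall log.

Added example, not from the thread. The log lines below are constructed in
the iptables LOG (kernel syslog) format with documentation-range addresses
and a made-up non-default OpenVPN port 41194, to show what the WAN side sees.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Jul 12 03:14:01 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=244 ID=1 PROTO=TCP SPT=44112 DPT=22 SYN
Jul 12 03:14:01 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=244 ID=2 PROTO=TCP SPT=44113 DPT=23 SYN
Jul 12 03:14:02 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=244 ID=3 PROTO=TCP SPT=44114 DPT=80 SYN
Jul 12 03:14:02 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=244 ID=4 PROTO=TCP SPT=44115 DPT=443 SYN
Jul 12 03:14:03 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=28 TTL=244 ID=5 PROTO=UDP SPT=44116 DPT=1194 LEN=8
Jul 12 03:14:03 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=244 ID=6 PROTO=TCP SPT=44117 DPT=5000 SYN
Jul 12 03:14:04 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=244 ID=7 PROTO=TCP SPT=44118 DPT=8080 SYN
Jul 12 03:14:04 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=28 TTL=244 ID=8 PROTO=UDP SPT=44119 DPT=41194 LEN=8
Jul 12 03:20:11 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.33 DST=203.0.113.10 LEN=40 TTL=51 ID=9 PROTO=TCP SPT=51000 DPT=5000 SYN
Jul 12 03:20:12 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.34 DST=203.0.113.10 LEN=40 TTL=51 ID=10 PROTO=TCP SPT=51001 DPT=5000 SYN
Jul 12 03:20:13 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.35 DST=203.0.113.10 LEN=40 TTL=51 ID=11 PROTO=TCP SPT=51002 DPT=5000 SYN
Jul 12 03:41:50 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.10 LEN=28 TTL=112 ID=12 PROTO=UDP SPT=60123 DPT=1194 LEN=8
Jul 12 03:41:55 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.10 LEN=28 TTL=112 ID=13 PROTO=UDP SPT=60124 DPT=1194 LEN=8
"""

PROBE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>TCP|UDP) SPT=\d+ DPT=(?P<dpt>\d+)")


def parse_probes(log_text):
    """Return (src, proto, dpt) for every line that looks like an iptables LOG entry."""
    probes = []
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            probes.append((m.group("src"), m.group("proto"), int(m.group("dpt"))))
    return probes


def summarise(probes, watch_ports=(1194, 41194), sweep_threshold=5):
    """Split sources into port sweepers and single-port campaigns, and list who hit the watched ports."""
    by_port = Counter(dpt for _, _, dpt in probes)
    ports_by_src = defaultdict(set)
    for src, _, dpt in probes:
        ports_by_src[src].add(dpt)
    # A sweeper touches many ports from one address: the "every port gets tested" pattern.
    sweepers = sorted(s for s, ports in ports_by_src.items() if len(ports) >= sweep_threshold)
    # Many distinct sources each hitting exactly one port is the mass-exploit pattern
    # against a default service port.
    single_port = Counter(next(iter(ports)) for ports in ports_by_src.values() if len(ports) == 1)
    watched = {p: sorted({src for src, _, dpt in probes if dpt == p}) for p in watch_ports}
    return {
        "total": len(probes),
        "distinct_ports": len(by_port),
        "sweepers": sweepers,
        "single_port_campaigns": {port: n for port, n in single_port.items() if n >= 2},
        "watched": watched,
    }


if __name__ == "__main__":
    report = summarise(parse_probes(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed sample the sweeper reaches both the default port 1194 and the non-default 41194 within seconds, while the three sources hitting only port 5000 are the single-port pattern; on a real router the same script can be pointed at the kernel log to see which of the two dominates.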
 
Nope, I said nothing about it making anything more secure and did not imply any added security through obscurity. You jumped to using "secure" and talking about "blocking" things on your own. If you want to dispute that, then quote my post and point to where I said anything about it being any more secure. Specifically what I said was that it makes things a little harder to target on a mass basis.

You are talking out of both sides of your mouth. You say you didn't say anything about making your network more secure and then admit you said you are trying to make your network harder to be targeted. That is by definition an effort to make your network more secure. It is an attempt at security through obscurity. Only an unreasonable person can't see this and I shouldn't have to "prove" my point any further than that. But you asked for a quote, so here it is - the exact same quote I used the first time.....

I'd argue for (and do) use another port. VPNs are very secure but there are exploits at times most of which, like most good hacks, just bypass the authorization/encryption. Also, most home routers tend not to get updated often so vulnerabilities can be out there for a relatively long time. Makes things a little harder to target on a mass basis at least.

You start by saying you would argue for a non-standard port. You then lay out your argument by talking about how VPNs do have exploits from time to time and how you think using a non-standard port "makes things a little harder to target on a mass basis at least". Again, if you can't see that trying to make your network "a little harder a target on a mass basis" is the same thing as trying to make your network "a little more secure", then I don't know what to say. There is no point in trying to reason with someone who can't be reasonable.

If we can agree on this point, then we can move on to the merit of using a non-standard port...... I actually like the phrase you used in the last post, "security through obscurity." This is EXACTLY what you are trying to do by using non-standard (i.e. "obscure") ports which is why I'm so confused why you said you didn't imply it. It's actually not a bad concept if the internet provided obscurity. However, my argument is that with all the automated bots probing ports on the internet, there is no obscurity and therefore there is no "security through obscurity." Without obscurity, using a non-standard port doesn't make a network harder to target and worse yet, it can provide a false sense of security to those employing the technique.

What you are trying to "hang your hat" on is the concept that attacks using a known exploit are very focused and therefore the internet does provide some obscurity. You mentioned the recent case of the QNAP ransomware targeting an exposed default port 5000 as an example. My counter is this: sure, a hacker is going to set up a bot that scans just for default ports, but for every bot that is scanning for QNAP default ports there is a bot scanning for non-default QNAP ports too. It's just a matter of time before your non-default port is found as well. Not only that, but due to the scale and seeming randomness of port scanning, there is no guarantee that my standard port will be found before your non-default port either. In other words, using a non-standard port doesn't put you "at the end of the line" for potential hacks.

I'll say it again, all you are doing by using a non-default port is giving yourself a false sense of security.
 