mad_ady
Regular Contributor
Hello all,
I've set up an OpenVPN server on my AsusWRT router running RMerlin's firmware and I'm pretty happy with it - thanks for the effort.
However, there are two things that I'm not sure about:
1. I have enabled OpenVPN over TCP (using port 445) so that it is accessible from behind restrictive firewalls that do layer 7 inspection. However, I wonder if I've killed performance, because I'm tunnelling TCP over TCP (http://sites.inka.de/bigred/devel/tcp-tcp.html) and I expect problems when the traffic encounters congestion. I haven't done any performance tests (lack of time), but does openvpn's tun implementation over TCP notify the upper layers of packet loss, or not?
I will consider going over UDP, but can anyone suggest a UDP port that is likely open on most firewalls and where encrypted traffic can pass inspection? I doubt going over port 53 would work...
2. Up to this point I had used ssh tunnels to get into my network and I protected the ssh server with a port-knocker. I would send the correct 3 packet sequence and the port-knocker would open the (non-standard) port from my current IP. It's security by obscurity, I know, but it protects you from all the scanners from China (no offense!). Should I employ a similar technique for OpenVPN? Can a client connect without the ovpn file? I am using long random passwords, but I'd like the service to be as low-profile as possible.
So, my question is - if I leave it as is, how can an attacker know it's talking to an OpenVPN instead of a HTTPS server (scanning for banners with nmap shows nothing)?
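The three-packet knock sequence described in point 2, written out as an added example (this is not code from the post, nor from any knock daemon the poster actually runs): a minimal per-source-IP sequence matcher that grants the knocking address time-limited access to the real service port. The knock ports (7000, 8000, 9000), the 10 s completion window, the 30 s grant lifetime, the service port 2222 and the connection records standing in for firewall log entries are all constructed assumptions.

```python
"""Minimal port-knock sequence matcher (added example, not from the forum post).

A client must hit three closed ports in the right order within a short
window; only then is its source IP admitted to the real service port, and
only for a limited time. Any knock on the wrong port resets progress, so a
scanner sweeping ports in numeric order passes through the knock ports but
never completes the sequence.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed knock ports, not the poster's
KNOCK_WINDOW = 10.0                  # seconds allowed to finish the whole sequence
GRANT_DURATION = 30.0                # seconds the service port stays open to that IP
SERVICE_PORT = 2222                  # assumed non-standard service port


@dataclass
class KnockState:
    progress: int = 0        # knocks matched so far for this source IP
    first_seen: float = 0.0  # timestamp of the first knock in the current attempt


@dataclass
class KnockDaemon:
    sequence: Tuple[int, ...] = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW
    grant_for: float = GRANT_DURATION
    _state: Dict[str, KnockState] = field(default_factory=dict)
    _grants: Dict[str, float] = field(default_factory=dict)  # ip -> grant expiry

    def observe(self, ts: float, src_ip: str, dst_port: int) -> bool:
        """Feed one connection attempt; return True if it completed the sequence."""
        st = self._state.setdefault(src_ip, KnockState())
        # A half-finished sequence that took too long starts over.
        if st.progress and ts - st.first_seen > self.window:
            st.progress = 0
        if dst_port == self.sequence[st.progress]:
            if st.progress == 0:
                st.first_seen = ts
            st.progress += 1
            if st.progress == len(self.sequence):
                self._grants[src_ip] = ts + self.grant_for
                st.progress = 0
                return True
            return False
        # Wrong port: reset, unless this knock is itself a fresh first knock.
        st.progress = 1 if dst_port == self.sequence[0] else 0
        if st.progress:
            st.first_seen = ts
        return False

    def is_open_for(self, src_ip: str, ts: float) -> bool:
        """Is the service port currently open to this IP? Expired grants are dropped."""
        expiry = self._grants.get(src_ip)
        if expiry is None or ts > expiry:
            self._grants.pop(src_ip, None)
            return False
        return True


# Constructed (timestamp, src_ip, dst_port) records standing in for firewall logs.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5", 7000),   # legitimate client: knock 1
    (1.0, "203.0.113.5", 8000),   # knock 2
    (2.0, "203.0.113.5", 9000),   # knock 3 -> grant until t=32
    (3.0, "203.0.113.5", 2222),   # connects to the service while the grant is live
    (40.0, "203.0.113.5", 2222),  # too late: grant expired
    (0.5, "198.51.100.9", 7000),  # sequential scanner reaches knock port 1 ...
    (0.6, "198.51.100.9", 7001),  # ... but the next port resets progress
    (0.7, "198.51.100.9", 8000),
    (0.8, "198.51.100.9", 9000),
    (0.9, "198.51.100.9", 2222),  # never admitted
    (20.0, "192.0.2.77", 7000),   # slow knocker: 11 s between first and last knock
    (25.0, "192.0.2.77", 8000),
    (31.0, "192.0.2.77", 9000),   # outside the window -> sequence discarded
    (32.0, "192.0.2.77", 2222),   # not admitted
]


def run(events, service_port: int = SERVICE_PORT) -> List[Tuple[float, str, bool]]:
    """Replay events in time order; record whether each service-port attempt was admitted."""
    daemon = KnockDaemon()
    decisions = []
    for ts, ip, port in sorted(events):
        if port == service_port:
            decisions.append((ts, ip, daemon.is_open_for(ip, ts)))
        daemon.observe(ts, ip, port)
    return decisions


if __name__ == "__main__":
    for ts, ip, admitted in run(SAMPLE_EVENTS):
        print(f"t={ts:5.1f} {ip:14s} -> {'admitted' if admitted else 'dropped'}")
```

Two details matter for the "scanners from China" case the poster mentions: the reset on any wrong port is what defeats an ordered sweep, and the completion window is what defeats a slow sweep that happens to touch the three ports over minutes. The knock itself is still plaintext on the wire, which is why the poster's own description of it as security by obscurity is the right framing; the long random credentials on the OpenVPN server, not the knock, remain the actual access control.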