Got OpenVPN server running. Looking for an "audit" of my configuration

Hi everyone. I am a software guy attempting to put a little more thought into my home network, as I am now running some servers that are public to the world at home. I've been using LEDE/OpenWRT for years now, but have only done very basic configuration beyond OOTB setup - Port Forwards, DynamicDNS, Static DHCP Leases etc.

As part of this hardening of my network, I want to run an OpenVPN server on my router so:

  • I don't have to expose SSH or RDP on my servers to the world.
  • When I am on untrusted networks (like public wifi) I can tunnel my laptop/phone traffic through my home internet connection.

I have tried and failed to achieve this goal a few times, but recently I saw that a new tutorial had shown up in the user guide, and with this one I was finally able to get things working! But of course, things didn't work initially, so I had to make a few changes from what is in the scripts in the tutorial. And being a networking rookie, I have no idea if I've compromised my security in some way. So I was hoping some of you wizards could help explain to me some of the things I did, whether they were a bad thing to do, and if so, how to do it better.

So with that said, here are the changes I made beyond what was in the tutorial:

First, in my OpenVPN configuration (/etc/config/openvpn) I had to add the line list push 'route 192.168.1.0 255.255.255.0' so that when my client connects, it could reach all of the devices on my lan. Before adding this line, I could start the OpenVPN connection successfully, but was unable to SSH/RDP into any of my boxes on my lan. After adding this line, I could SSH/RDP in from my OpenVPN client, using the IP addresses of the servers. But the hostnames of the servers would not resolve.

Second, I went into the DHCP/DNS settings in LuCI and unchecked the Local Service Only checkbox on the General Settings tab. This got hostname resolution working!

The first change I made, I think, just sets up a route from the subnet my OpenVPN server operates on to my LAN's subnet. I think this is required, and isn't a terrible thing to do security-wise. But the second I am unsure about. Since I am no longer restricting DNS queries to my LAN's subnet, am I opening up a security hole?

I can upload all of my full configurations if it would help add context to these changes. I want to learn the why behind what I did.

No to your question, and you may find the OpenVPN man page helpful.


Cool. That makes me feel better. Why is DNS restricted to your LAN subnet by default? What is it protecting against?

There's no reason to disable local service only, as it should be configured to "Limit DNS service to subnets interfaces on which we are serving DNS."

  • IIRC, this prevents local hostname lookup from being forwarded onto WAN side DNS servers (google, opendns, comodo, etc.).
    • For example, it's generally easier to access devices on a LAN via their localhostname.localdomain
      • Local domain is set via the router, and for OpenWrt, is set in /etc/config/dhcp
        • On clients, the localdomain should be echoed as the workgroup name
      • Local hostname for the router is set in /etc/config/system

I meant to mention it before, but if you had to disable local service only to get local hostname resolution working, either your VPN config is missing options and/or your clients and router are not configured correctly to route local DNS names correctly.

Also, if you're not looking to route your LAN traffic through the VPN when you're behind the router, remove the two push directives for gateway redirect. I'm not sure why a lot of OpenWrt writers insist on making that a part of their default config write up, as most users have no use for gateway redirect, and, when utilized, will massively throttle internet traffic.

  • Because OpenWrt uses fw3 for the firewall, this simplifies things for the user... all that needs to be added for VPN clients to access the internet are pushing WAN DNS server addresses in the VPN server config and adding a forwarding rule in the firewall config for VPN --> WAN

  • /etc/config/openvpn
        # Pushed Routes #
        #------------------------------------------------
        list    push    'dhcp-option    DNS 208.67.222.123'
        list    push    'dhcp-option    DNS 208.67.220.123'
        list    push    'dhcp-option    NTP 129.6.15.30'

  • /etc/config/firewall
        # OpenVPN #
        #---------------------------------------------------
        config forwarding
            option  dest    'wan'
            option  src     'vpn'

@JW0914 - Thanks for the details. They are super helpful.

So first, an update - I finally got to sit down and take another look at this. I rechecked the checkbox in LuCI to re-enable local service only, and strangely enough things are still working. Nothing else changed, so I don't know what caused local DNS resolution to not work originally. But it seems to be working now.

Also, if you’re not looking to route your LAN traffic through the VPN when you’re behind the router, remove the two push directives for gateway redirect. I’m not sure why a lot of OpenWrt writers insist on making that a part of their default config write up, as most users have no use for gateway redirect, and, when utilized, will massively throttle internet traffic.

I'm a bit confused by this statement. If I'm behind the router, I am at home on my LAN and I won't be using the VPN. I will be using the VPN outside of my LAN to connect to my LAN, and as such I do wish to tunnel all the traffic of my device connected to the VPN through my home internet connection. One of my use cases will be connecting to my VPN on my Android device when I am on unsecured public wifi, so my device's traffic will be encrypted on the unsecured public network.

So how exactly will all my LAN traffic be routed through the VPN when I'm behind the router?

On clients, the localdomain should be echoed as the workgroup name

My local domain is still set to the LEDE default, lan. Does this mean I should be going to all of my Windows clients/samba servers and setting them to the workgroup "lan"? I assume we're talking about NetBIOS here.

See Redirect Gateway (OpenVPN HowTo)

  • Redirect Gateway causes all client traffic, including web traffic, to be routed through the VPN.
    • Because of fw3, OpenWrt does not require this, so if you want VPN clients to have internet access, simply add the following to /etc/config/firewall
          config forwarding
              option  dest    'wan'
              option  src     'vpn'

This is required for NetBIOS, but even with NetBIOS disabled, in order for networking issues (such as accessing a PC by its hostname.localdomain [say windows.lan], network shares, etc.) to not occur, the workgroup name should be set to the localdomain of the router.

  • If you already have the same workgroup name assigned to your PCs, and it's not the default "workgroup", you could change the router's localdomain to that.
    • For example, I have over 20 different devices and 3 IPMI interfaces on my LAN, so I personally prefer something simple and short (I use "WRT" as my localdomain)
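Since the thread is essentially asking for a config audit, here is an added script that ties the settings discussed above together. It is not OpenWrt code and not any poster's configuration: it parses UCI-style fragments of /etc/config/openvpn, /etc/config/firewall and /etc/config/dhcp and reports the points raised in the posts (whether the LAN route is pushed, whether redirect-gateway is pushed, which DNS servers are pushed, whether a vpn->wan forwarding exists, and whether dnsmasq's localservice option, the "Local Service Only" checkbox in LuCI, is on). The sample fragments are constructed; the section name 'myvpn', the zone name 'vpn' and the 10.8.0.0/24 tunnel subnet are assumptions, while the 192.168.1.0/24 LAN and the DNS addresses come from the thread.

```python
"""Added config audit for the OpenVPN / firewall / dnsmasq settings in this thread.

Not OpenWrt code and not any poster's config: the fragments below are
constructed samples; the 'myvpn' section, the 'vpn' zone and the
10.8.0.0/24 tunnel subnet are assumptions.
"""
import shlex

# Constructed sample of /etc/config/openvpn (assumed section name 'myvpn').
OPENVPN_CONF = """
config openvpn 'myvpn'
    option enabled '1'
    option dev 'tun0'
    option server '10.8.0.0 255.255.255.0'
    # Pushed Routes #
    list push 'route 192.168.1.0 255.255.255.0'
    list push 'redirect-gateway def1'
    list push 'dhcp-option DNS 208.67.222.123'
    list push 'dhcp-option DNS 208.67.220.123'
"""

# Constructed sample of /etc/config/firewall (assumed zone name 'vpn').
FIREWALL_CONF = """
config zone
    option name 'vpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option device 'tun0'

# OpenVPN #
config forwarding
    option dest 'wan'
    option src 'vpn'
"""

# Constructed sample of /etc/config/dhcp with 'Local Service Only' unchecked.
DHCP_CONF = """
config dnsmasq
    option domain 'lan'
    option localservice '0'
"""


def parse_uci(text):
    """Parse UCI text into (section_type, section_name, {key: [values]}) tuples.

    'option' and 'list' are both stored as value lists; '#' comments outside
    quotes are dropped by shlex, and quoted values may contain spaces.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts or parts[0] == 'package':
            continue
        if parts[0] == 'config' and len(parts) >= 2:
            current = (parts[1], parts[2] if len(parts) > 2 else None, {})
            sections.append(current)
        elif parts[0] in ('option', 'list') and len(parts) >= 3:
            if current is None:
                raise ValueError('option/list before any config line: %r' % raw)
            current[2].setdefault(parts[1], []).append(parts[2])
        else:
            raise ValueError('unrecognised UCI line: %r' % raw)
    return sections


def audit(openvpn_text, firewall_text, dhcp_text,
          lan_route='192.168.1.0 255.255.255.0', vpn_zone='vpn'):
    """Answer the thread's questions about a set of UCI fragments."""
    pushes = [' '.join(v.split())
              for stype, _, opts in parse_uci(openvpn_text) if stype == 'openvpn'
              for v in opts.get('push', [])]
    forwards = {(opts.get('src', [''])[0], opts.get('dest', [''])[0])
                for stype, _, opts in parse_uci(firewall_text) if stype == 'forwarding'}
    dnsmasq = [opts for stype, _, opts in parse_uci(dhcp_text) if stype == 'dnsmasq']
    # A missing localservice is treated as enabled (assumed OpenWrt default '1').
    localservice = dnsmasq[0].get('localservice', ['1'])[0] if dnsmasq else '1'
    return {
        'lan_route_pushed': ('route ' + lan_route) in pushes,
        'redirect_gateway_pushed': any(p.split()[0] == 'redirect-gateway' for p in pushes),
        'pushed_dns': [p.split()[2] for p in pushes if p.startswith('dhcp-option DNS ')],
        'vpn_to_wan_forwarding': (vpn_zone, 'wan') in forwards,
        'vpn_to_lan_forwarding': (vpn_zone, 'lan') in forwards,
        'dnsmasq_local_service_only': localservice == '1',
    }


def report(findings):
    """Turn the findings into the one-line explanations the thread asks for."""
    return [
        'LAN route pushed: clients can reach the LAN by IP address' if findings['lan_route_pushed']
        else 'No LAN route pushed: clients only reach the tunnel subnet',
        'redirect-gateway pushed: ALL client traffic exits via the home connection'
        if findings['redirect_gateway_pushed']
        else 'No redirect-gateway: only LAN-bound traffic enters the tunnel',
        'Pushed DNS servers: %s' % (', '.join(findings['pushed_dns']) or 'none'),
        'vpn->wan forwarding present: clients reach the internet through the router'
        if findings['vpn_to_wan_forwarding']
        else 'No vpn->wan forwarding: clients get no internet via the tunnel',
        'dnsmasq localservice on: queries answered only from local subnets (the tun subnet is one)'
        if findings['dnsmasq_local_service_only']
        else 'dnsmasq localservice OFF: queries accepted from any source address, '
             'so only the firewall input policy keeps WAN hosts from using this resolver',
    ]


if __name__ == '__main__':
    for line in report(audit(OPENVPN_CONF, FIREWALL_CONF, DHCP_CONF)):
        print(line)
```

Run it against the embedded samples, or swap in the text of your own three files. The localservice line is the answer to the original question: per the dnsmasq man page, `--local-service` accepts queries only from hosts on a subnet for which the server has an interface, and the tun subnet is such an interface, which is why resolution works with the checkbox re-enabled; turning it off widens who the resolver will answer and leaves the firewall as the only thing stopping outside hosts from querying it.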