Hi everyone. I am a software guy attempting to put a little more thought into my home network, as I am now running some servers that are public to the world at home. I've been using LEDE/OpenWRT for years now, but have only done very basic configuration beyond OOTB setup - Port Forwards, DynamicDNS, Static DHCP Leases etc.
As part of this hardening of my network, I want to run an OpenVPN server on my router so:
- I don't have to expose SSH or RDP on my servers to the world.
- When I am on untrusted networks (like public wifi) I can tunnel my laptop/phone traffic through my home internet connection.
I have tried and failed to achieve this goal a few times, but recently I saw a new tutorial show up in the user guide, and with this one I was finally able to get things working! But of course, things didn't work initially, so I had to make a few changes from what is in the scripts in the tutorial. And being a networking rookie, I have no idea if I've compromised my security in some way. So I was hoping some of you wizards could help explain to me some of the things I did, if they were a bad thing to do, and if so, how to do it better.
So with that said, here are the changes I made beyond what was in the tutorial:
First, in my OpenVPN configuration (/etc/config/openvpn) I had to add the line list push 'route 192.168.1.0 255.255.255.0' so that when my client connects, it could reach all of the devices on my LAN. Before adding this line, I could start the OpenVPN connection successfully, but was unable to SSH/RDP into any of my boxes on my LAN. After adding this line, I could SSH/RDP in from my OpenVPN client, using the IP addresses of the servers. But the hostnames of the servers would not resolve.
Second, I went into the DHCP/DNS settings in LuCI and unchecked the Local Service Only checkbox on the General Settings tab. This got hostname resolution working!
The first change I made, I think that just sets up a route from the subnet my OpenVPN server operates on to my LAN's subnet. I think this is required, and isn't a terrible thing to do security-wise. But the second I am unsure about. Since I am no longer restricting DNS queries to my LAN's subnet, am I opening up a security hole?
I can upload all of my full configurations if it would help add context to these changes. I want to learn the why behind what I did.