I got into setting up OpenVPN for my business needs and looked into ways I could make it more secure. Granted, there's no IPSec setup going on (thankfully for my needs), but OpenVPN still allows a lot of options: PAM, certificate, user/password pair, etc. Even more so when you consider OpenVPN's authentication system is plugin-based, so you can in theory have unlimited options for this.
What I ended up doing is setting up two OpenVPN servers, one a little less strict than the other. One runs on the standard port (1194) while the other runs on 1195. The standard-port install is what I like to call the "security dungeon". The current setup consists of:
- Server certificate
- User certificate and key
- System username
- System password
- Google Authenticator
So, in a way I have 5-factor authentication for an OpenVPN setup. The user needs the first 4 to even be considered, and the authenticator token is prepended to the password when you type it in. However, the one that runs on port 1195 requires only the first 2.
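
To make the "token prepended to the password" step concrete, here is an added example (not the configuration or code from this setup) of a verifier that splits the combined field and checks both parts. It assumes a 6-digit Google Authenticator code and a hypothetical `check_password` callback; a script like this could be wired in through OpenVPN's `auth-user-pass-verify` directive instead of PAM.

```python
import base64, hashlib, hmac, struct, time

DIGITS, STEP = 6, 30  # Google Authenticator defaults: 6-digit code, 30 s step

def totp(secret_b32, at):
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing `at`."""
    key = base64.b32decode(secret_b32.upper())  # secret must be padded base32
    mac = hmac.new(key, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def split_credential(field):
    """Split '<6-digit token><password>' as typed into the password prompt."""
    token, password = field[:DIGITS], field[DIGITS:]
    if len(token) != DIGITS or not (token.isascii() and token.isdigit()):
        return None
    if not password:
        return None  # a bare token must never authenticate on its own
    return token, password

def verify(field, secret_b32, check_password, now=None, window=1):
    """True only if the token is current (+/- window steps) AND the password is right."""
    parts = split_credential(field)
    if parts is None:
        return False
    token, password = parts
    now = time.time() if now is None else now
    token_ok = False
    for drift in range(-window, window + 1):  # tolerate small clock skew
        token_ok |= hmac.compare_digest(token, totp(secret_b32, now + drift * STEP))
    # Always run the password check too, so a failure does not reveal
    # which of the two factors was wrong.
    password_ok = bool(check_password(password))
    return token_ok and password_ok

if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key
    typed = totp(secret, time.time()) + "hunter2"  # constructed sample password
    print(verify(typed, secret, lambda p: hmac.compare_digest(p, "hunter2")))
```

A real deployment would also need to reject a code that has already been used within its validity window, which this example does not track.
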
Why did I set these up this way? Well, the standard port instance has sort of become a dev config install. It's easy enough to work on and edit, but it's mostly intended for testing purposes. The 1195 instance was spawned off to allow my mobile phone to connect to it (using the authenticator on it is just too much hassle). So for those times where I'm connecting my phone to a local McDonald's WiFi I have nothing to worry about.
Is there really a point to having this much in-depth security, though? Who is going to really sit there and try to hijack my OpenVPN that really isn't connected to anything within my business' network? It's just sitting there looking pretty and running in an LXC container.