Quote:
Originally Posted by lazydog
Your OpenVPN has a port that it listens on and needs to be open to the public in order to connect to it. So anyone can find that port and begin their attacks.
"Nope! Bzzzt! Sorry!!" This assumption, intuitively appealing though it might be, is not correct.

By design, and by a default that you should not override, OpenVPN communicates using the UDP protocol, a "datagram-oriented" protocol that is the "IP" lower-half of the more well-known "TCP/IP."
Operating at the IP level, OpenVPN is able to support secure TCP/IP (as well as UDP) communications on behalf of its clients. But, by operating at this level, it avoids exposing itself.
At this level of "the stack," there is no concept of an "open port" (really, an "open socket") in the TCP/IP sense, because, at this level, there is no concept of a "conversation."
At this level, "UDP," there are only datagrams. When you send a datagram, you have no certainty that it will be received at all, let alone of the order in which several of them will arrive. (Whereas both of these things are specifically guaranteed by TCP/IP, which is built on top of IP.)
Thus, at the UDP level where OpenVPN customarily operates, there is no "open port socket" to detect. All that you can do is to send a UDP packet, addressed to some IP-address and to some port-number at that address, and "hope that you hear something soon." If you do, it will not be "a reply," in the TCP/IP sense of the word: it will simply be a datagram that (maybe) shows up somewhere you are expecting. (And the two of you must somehow agree as to just what sort of thing that might be ... knowing in advance that, even if the other party does hear you, his reply to you might not arrive. C'est la guerre.)
Therefore, if you instead "receive no response at all," then any(!) one of three things might have gone wrong, and, unlike TCP/IP, you cannot distinguish which one it is:
- "Your datagram didn't make it to its destination." (The UDP protocol has no obligation to make sure that it did.)
- "It made it, but there was no one listening."
- "It made it, and someone was listening, but they decided not to answer you."
- (Irrelevant in this case ...) They tried to reply, but their response never arrived.

Especially(!), you cannot distinguish between alternatives #2 and #3.
If you use the tls-auth feature of OpenVPN, the server will not answer; it will simply "drop the packet" unless in that initial packet the client shows evidence of being in possession of a digital certificate that is also known to the server. Only if it does so will the server respond and begin the initial handshaking.
- Thus, the server will never reveal(!) itself(!!) unless there is already an extremely-high probability that the supplicant is going to turn out to be authorized.
- And ... most critically ... unless(!) the server does elect to reveal itself, you have no way (other than third-party traffic analysis that "hello, yes we are listening to you ... your tax dollars at work" might do ...) to know that it exists(!) (This is in complete and utter contradiction to the socket-oriented world of TCP/IP.)
- - -
So, go ahead. "Put OpenVPN on your front line, properly secured by both types of certificates." Use OpenVPN in precisely the capacity that it was made for: to be "a secure router between two subnets." Prevent your services from listening to any "outside" address: have them listen only to the OpenVPN tunnel. (Use firewalls to keep 'em honest.)

Watch your "unauthorized access attempts" count drop down to zero, and stay there ... forever. Your authorized users will pass swiftly and surely through a secret door that no one else can even detect. (And, should anyone be so crass as to steal a laptop, or otherwise steal a key, you can revoke their(!) key in a matter of seconds ... thus forever denying access to them while affecting no one else.)
- - -
You have no need for "port knocking," because your server no longer exposes any ports to the public. If you are authorized to enter the tunnel, the ports can simply be there, without "knocking." To the outside world, there are no open ports.

The "attack-robots" that have been so vexing you until now will ... cease entirely(!). They have no choice but to pass you by, because, so far as they can perceive, your public TCP/IP address is now featureless. (And, even if they're clever enough to know that "there might be an OpenVPN server out there somewhere," they are unable to detect it.)

Case Closed.
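As an added illustration (my own demo code, not the poster's and not OpenVPN's real wire format): a small UDP listener on localhost that, like the tls-auth gate described in the post, answers only datagrams carrying a valid HMAC tag under a pre-shared key and silently drops everything else. The key, the tag layout (32-byte HMAC-SHA256 tag followed by the body) and the reply text are constructed for the demo; a prober without the key gets nothing back, and nothing in the exchange tells it whether its datagram was rejected or simply never answered.

```python
import hashlib
import hmac
import socket
import threading

# Constructed stand-in for a pre-shared tls-auth style key (not a real ta.key).
PSK = b"constructed-demo-key"


def tag(body: bytes, key: bytes = PSK) -> bytes:
    # 32-byte HMAC-SHA256 tag that must precede the body of every accepted datagram
    return hmac.new(key, body, hashlib.sha256).digest()


def serve(sock: socket.socket, key: bytes, stop: threading.Event) -> None:
    """Answer only datagrams whose tag verifies; drop everything else silently."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(4096)
        except socket.timeout:
            continue
        mac, body = data[:32], data[32:]
        if hmac.compare_digest(mac, tag(body, key)):
            sock.sendto(b"ACK:" + body, peer)  # only now does the server reveal itself
        # otherwise: no reply at all, so the sender learns nothing


def probe(port: int, datagram: bytes, timeout: float = 0.5):
    """Send one datagram to 127.0.0.1:port and return the reply, or None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.settimeout(timeout)
        c.sendto(datagram, ("127.0.0.1", port))
        try:
            return c.recvfrom(4096)[0]
        except socket.timeout:
            return None


def demo() -> dict:
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    port = srv.getsockname()[1]
    stop = threading.Event()
    worker = threading.Thread(target=serve, args=(srv, PSK, stop), daemon=True)
    worker.start()
    results = {
        "no_key": probe(port, b"hello"),                                   # no tag at all
        "wrong_key": probe(port, tag(b"hello", b"wrong-key") + b"hello"),  # bad tag
        "right_key": probe(port, tag(b"hello") + b"hello"),                # valid tag
    }
    stop.set()
    worker.join()
    srv.close()
    return results
```

Calling demo() returns None for both the untagged and the wrongly tagged probes and b"ACK:hello" only for the correctly tagged one.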