I’m looking to expand and further secure my home server, and I’ve been poking around at the FUTO self hosting guide, and as a result I’m looking to host OpenVPN then connect to my services through that.

However, is it safe to have the machine running OpenVPN connected to my router, with my router operating normally, but forwarding the port to the OpenVPN server?

Then once I’m into that, I’d connect to what I’d like. Unless I’m misunderstanding, this would offer me sufficient security, correct?

I do have a backup RPi that I might end up turning into a router as the FUTO guide suggests, but I’d rather not mess with my network where possible, plus I’d need to buy a switch.

  • anamethatisnt@sopuli.xyz
    2 months ago

    I have no idea what the FUTO guide is, but I would make sure to set up the OpenVPN server so that you connect with user+password+client certificate.
    That and being able to set it up to use 443/tcp are the primary benefits of OpenVPN compared to WireGuard in my mind.

      • anamethatisnt@sopuli.xyz
        2 months ago

        If you’re in a situation where you can replace your router with a pfSense or OPNsense as per that guide, I would definitely go for it. I’ve set up some pfSense devices with OpenVPN servers and it’s been one of the smoother installs imo, and they make the self-signed client certificate part really easy to get right.

    • just_another_person@lemmy.world
      2 months ago

      No idea what you mean with the port assignment. You can run either on whatever port you want. Most residential ISPs block incoming on 80/443 anyway.

      • anamethatisnt@sopuli.xyz
        2 months ago

        I must be lucky with my ISPs then, no trouble using 443/tcp for me.
        To my knowledge WireGuard runs over UDP.
        edit: And the reason to use 443/tcp is because it’s a port that will be open as outgoing from wherever your client tries to call home.

        • Hominine@lemmy.world
          2 months ago

          This, I used to run an ovpn server to call home from restricted networks that didn’t allow for WireGuard ports. I’ve since moved on to NetBird, which runs WireGuard under the hood and automatically syncs to a relay server when needed.
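
The setup suggested in the replies above (user + password + client certificate, listening on 443/tcp behind a single router port forward), sketched as an added example that is not from any poster in this thread. The hostname, file names, VPN subnet and the PAM plugin path are assumptions; the plugin path in particular differs between distributions.

```conf
# ---- server.conf (on the machine the router forwards 443/tcp to) ----
port 443
proto tcp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0        # assumed VPN subnet, must not overlap the LAN

ca   ca.crt                          # your own CA, used to sign server and client certs
cert server.crt
key  server.key
dh   none                            # ECDH key exchange only (OpenVPN 2.4+)

# Factor 1: a client certificate signed by the CA above is mandatory.
verify-client-cert require
remote-cert-tls client               # reject certs not issued for client use

# Factor 2: username/password checked against PAM on the server.
# Plugin path is an assumption; locate it with your package manager.
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login

# Pre-shared key wrapping the TLS handshake, so unauthenticated
# probes of the forwarded port get no TLS response.
tls-crypt tls-crypt.key
tls-version-min 1.2

# ---- client.ovpn (on the laptop or phone calling home) ----
client
dev tun
proto tcp
remote vpn.example.net 443           # placeholder for your public IP or DDNS name
ca   ca.crt
cert client1.crt                     # per-device cert, revocable individually
key  client1.key
auth-user-pass                       # prompt for the username and password
remote-cert-tls server               # refuse servers presenting a client cert
tls-crypt tls-crypt.key
```

With this layout the only port forwarded on the router is 443/tcp to the OpenVPN host, and a connection needs the tls-crypt key, a valid client certificate and a working password before it reaches anything on the LAN.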