@Internal-Initial-835 - eviltoast
  • 0 Posts
  • 3 Comments
Joined 1 year ago
Cake day: October 17th, 2023

  • A “top” audit company pushing their own agenda.

    OpenVPN is simple and easy to deploy on any major operating system. pfSense or similar is easy to set up and run in a VM. That does all the hard work for you and creates a profile. Then you essentially copy or download that profile to the client machine and you’re done. It’s all done via GUI or web interface, so it is easier for a lot of people. My sister managed it. She wouldn’t have been able to handle command line stuff.

    Like I said before though, why not use a VPN and also harden your SSH? I can’t see a downside to that.

    It’s just my opinion and experience from working with both. You’re welcome to disagree and do your own thing though, of course :)


  • Generally speaking, a VPN is easier to set up securely out of the box for most people, especially with limited knowledge. You can choose a random port and then have access to any server on your network. Scanners won’t usually test all ports unless they find something that’s tempting.

    Normally just the normal ports will be poked, including 22. SSH can be secured well, but not without jumping through a few hoops. It’s easier IMHO to accidentally allow access through an incorrect SSH setup than a VPN.

    When you think a VPN has been developed with this exact purpose in mind, it’s fair to assume the protection will be better out of the box. If you have a VPN then a hacker needs to get through the VPN and then also the SSH, so there’s not really any disadvantage to using a VPN and then also hardening SSH if you want to.

    It’s about making things difficult. Nobody is going to spend days or weeks battering a VPN if they don’t think there’s anything useful behind it. A VPN also shows somewhat that you’ve given things consideration and are not an easy target.

    Don’t get me wrong. If somebody is determined enough and has the resources then they will find a way, but given the choice between an easy target and one that’s ever so slightly more difficult, they will almost always go for the easiest.


  • In a word, no. That’s not a port you want others sniffing around. Some ISPs actively block that port for security. IMHO a VPN is the best way. That way you get full access to your network as if you’re using a wired direct connection. You “can” use port 22 and you can make it pretty secure, but I just wouldn’t feel safe directly exposing it when there are other ways. Imagine the access somebody could get if you do something slightly wrong or you miss a patch for a new vulnerability. Yep, it’s unlikely, but why risk it. Put it behind something on a non-standard port rather than a port that every sniffer will poke at :)