Security/Networking Advice: Self-Hosted OpenVPN Server

taylor-williamc · June 9, 2023, 12:21am

I’m looking into hosting my own OpenVPN server (mainly for educational purposes, but I do envision wanting to connect to my VPN from outside my home).

This Digital Ocean guide suggests setting up a separate, standalone machine as the certificate authority (CA), which is also recommended in the OpenVPN hardening suggestions.

While I’m sure the completely separate, completely offline machine is the most secure, I’m wondering whether running the CA in one LXC container and the OpenVPN server in a separate LXC container, though both on the same physical machine, would at least be better than running them both outside of containers on the same physical machine.

Does anyone have any thoughts or tips on this?

FranklyFlawless · November 26, 2023, 3:45am

The quote of interest on the OpenVPN Hardening Security page:

Based on this information, it depends on your threat model. Is your adversary able to escalate privileges and escape the OpenVPN server? If so, I suggest reconsidering your idea.

OpojOJirYAlG · November 26, 2023, 4:23am

Better, yes. Good enough? It depends. For most individual users, likely it is more than enough, but it does still depend on each individuals threat model.