Security/Networking Advice: Self-Hosted OpenVPN Server

I’m looking into hosting my own OpenVPN server (mainly for educational purposes, but I do envision wanting to connect to my VPN from outside my home).

This Digital Ocean guide suggests setting up a separate, standalone machine as the certificate authority (CA), which is also recommended in the OpenVPN hardening suggestions.

While I’m sure the completely separate, completely offline machine is the most secure, I’m wondering whether running the CA in one LXC container and the OpenVPN server in a separate LXC container, though both on the same physical machine, would at least be better than running them both outside of containers on the same physical machine.

Does anyone have any thoughts or tips on this?

The quote of interest on the OpenVPN Hardening Security page:

Based on this information, it depends on your threat model. Is your adversary able to escalate privileges and escape the OpenVPN server? If so, I suggest reconsidering your idea.

Better, yes. Good enough? It depends. For most individual users, likely it is more than enough, but it does still depend on each individuals threat model.

1 Like