
I was wondering which one of these OpenVPN setups would be considered more secure.

1: run the OpenVPN server on the Netgear R7000 out of the box; the problem with this is that I don't trust Netgear to keep updating the firmware as they should.

2: run the OpenVPN server using DD-WRT; the installation is a bit more involved, and I could break some other security settings by mistake while trying to get the server up and running.

3: run a dedicated Raspberry Pi with an OpenVPN server "behind" the router.

Option 3 is my favourite (and cheaper), but I was wondering if running a server behind the router, and therefore having to port forward from the router to the server, would create more security threats.

Thank you!

Edit, to be a bit clearer:

In a nutshell, would an OpenVPN server running on a router be more secure than one running behind a router that forwards ports to it?

  • The ultimate goal is not clear to me; maybe you'll get useful answers if you are more clear / go into more detail.
    – Aurigae
    Commented Apr 5, 2016 at 2:47
  • Understood, edited the question. Commented Apr 5, 2016 at 3:05
  • Are you wanting to provide remote access service to your LAN from the outside, or are you using OpenVPN to protect your privacy by directing your outbound traffic through a VPN? Commented Apr 5, 2016 at 3:53
  • Provide remote access to my LAN from outside. Commented Apr 5, 2016 at 4:21

1 Answer

In terms of providing remote access (ingress), there are arguments favoring both approaches, but I recommend the internal server with port-forwarding. This has a couple of advantages:

  • The software can be upgraded/updated on a more timely basis (in general)
  • Additional firewalling can be applied to the traffic as needed to more strictly confine the traffic being allowed.
  • Internal Intrusion Protection systems can see and analyze the traffic.

The only situation where the router is superior is if the VPN connection relies on UDP ports extensively. UDP can be more dangerous to allow onto the LAN, and is far more difficult to NAT. In that case, it would be advantageous to process the traffic before allowing it into the LAN.
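To make the "additional firewalling" point concrete, here is an added example (not from the original question or answer) of an nftables ruleset generator for a Raspberry Pi running OpenVPN behind a port-forwarding router: the router forwards only the VPN port, and the Pi itself restricts what VPN clients may reach on the LAN. The interface names, the VPN port and the tunnel subnet are assumptions; adjust them to your network.

```shell
#!/bin/sh
# Added example: confine OpenVPN clients on the Pi, not just at the router.
# Interface names, port and subnet below are assumptions for this example.
WAN_IF="eth0"          # interface facing the router (assumed)
VPN_IF="tun0"          # OpenVPN tunnel interface (assumed)
VPN_PORT="1194"        # must match the router's port forward and server.conf
VPN_NET="10.8.0.0/24"  # OpenVPN client subnet (assumed)

# gen_ruleset host:proto:port ...  -> prints a ruleset that lets VPN clients
# reach only the listed LAN services, e.g. 192.168.1.10:tcp:22
gen_ruleset() {
  cat <<EOF
flush ruleset
table inet vpnpi {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # the only service reachable from the router side is the OpenVPN port
    iif "$WAN_IF" udp dport $VPN_PORT accept
    # ssh for administration from the LAN side only, never from the tunnel
    iif "$WAN_IF" tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
EOF
  for t in "$@"; do
    host=${t%%:*}; rest=${t#*:}; proto=${rest%%:*}; port=${rest#*:}
    printf '    iif "%s" ip saddr %s ip daddr %s %s dport %s accept\n' \
      "$VPN_IF" "$VPN_NET" "$host" "$proto" "$port"
  done
  cat <<EOF
    # anything else arriving from the tunnel is logged, then dropped
    iif "$VPN_IF" log prefix "vpn-denied: " drop
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    # masquerade so LAN hosts need no return route to the tunnel subnet
    oif "$WAN_IF" ip saddr $VPN_NET masquerade
  }
}
EOF
}

# count_allowed: how many LAN services the generated ruleset exposes to clients
count_allowed() { gen_ruleset "$@" | grep -c "iif \"$VPN_IF\" ip saddr"; }
```

Write the output to a file, syntax-check it with `nft -c -f` and load it with `nft -f`; the log prefix gives the internal IDS or syslog the denied-traffic visibility the answer mentions.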
