I'm running OpenVPN on my server using the default port 1194. To save resources, I occasionally stop the OpenVPN service (using systemctl stop openvpn) when it's not needed, with plans to restart it for example on the next day or week. I understand that open ports can potentially create vulnerabilities, but I'm unsure about the actual risks in this specific scenario. My questions are:
Is it necessary to close port 1194 in the firewall every time I stop the application, in this case OpenVPN, even if it's just temporary, assuming it is up to date? What are the actual risks of leaving the port open when OpenVPN isn't running? Since there's no application listening on that port, how could an attacker exploit it? Are there any performance or security benefits to keeping the port open vs. closing and reopening it frequently? If I should close the port, what's the most efficient way to manage this alongside starting/stopping OpenVPN?
Right now I am running sudo ufw deny 1194
and then open it again using sudo ufw allow 1194
Is there a way to automate this process?
What do you mean by an open port?
In nmap, an open port is the port where a service is bound on, and listening; otherwise the port is not open. If there is no process listening, there cannot be traffic.
You can easily see which ports are open by running nmap on your system. A sample output could be:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-10-16 07:21 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000086s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
631/tcp open ipp
3306/tcp open mysql
5900/tcp open vnc
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
On this system, there is no IP filtering at all.
You seem to think that a port is open if it is not explicitly blocked by a firewall. If that were the case, you'd probably have close to 64k ports open on your system.
Automating can be done via simple shell scripts:
#!/bin/bash
# this is to start the vpn: vpnstart.sh
ufw allow 1194
systemctl start openvpn
and using sudo bash vpnstart.sh
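A fuller version of that start script, covering the stop side and the asker's automation question in one place. This is an added example, not the answerer's script or anything from the OpenVPN project. It keeps the page's assumptions (ufw as the firewall, a systemd unit named openvpn, port 1194); the VPN_PORT and VPN_UNIT variables, the DRY_RUN switch and the vpnctl/vpn_start/vpn_stop/vpn_status function names are this example's own. Note that it removes the allow rule with "ufw delete allow" rather than stacking a "deny" on top of it, so the rule set does not grow with every start/stop cycle.

```shell
#!/bin/sh
# vpnctl.sh: start or stop OpenVPN together with its ufw rule, in one step.
# Added example (not from the page). Assumptions: ufw is the firewall, the
# systemd unit is "openvpn", the port is 1194. VPN_PORT, VPN_UNIT and the
# DRY_RUN switch are this example's own knobs, not something the page names.
set -eu

VPN_PORT="${VPN_PORT:-1194}"
VPN_UNIT="${VPN_UNIT:-openvpn}"
DRY_RUN="${DRY_RUN:-0}"     # DRY_RUN=1 prints each command instead of running it

# run_cmd: execute a command, or echo it verbatim when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vpn_start: bring up the listener, then add the allow rule (same two
# commands as the answer's vpnstart.sh, just in the opposite order so the
# rule never exists before there is a process behind it).
vpn_start() {
    run_cmd systemctl start "$VPN_UNIT"
    run_cmd ufw allow "$VPN_PORT"
}

# vpn_stop: delete exactly the rule added above, then stop the listener.
# "ufw delete allow 1194" removes the rule instead of adding a "deny" rule
# on top of it each time.
vpn_stop() {
    run_cmd ufw delete allow "$VPN_PORT"
    run_cmd systemctl stop "$VPN_UNIT"
}

# vpn_status: is the unit active, and is anything actually listening on the
# port? (is-active exits non-zero when the unit is stopped; that is not an error here.)
vpn_status() {
    run_cmd systemctl is-active "$VPN_UNIT" || true
    run_cmd ss -ltun "sport = :$VPN_PORT"
}

# vpnctl: dispatch on the first argument; returns 2 on bad usage.
vpnctl() {
    case "${1:-}" in
        start)  vpn_start ;;
        stop)   vpn_stop ;;
        status) vpn_status ;;
        *)      echo "usage: $0 start|stop|status" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with an argument, e.g.: sudo sh vpnctl.sh stop
if [ $# -gt 0 ]; then
    vpnctl "$@"
fi
```

Run it as "sudo sh vpnctl.sh start" or "sudo sh vpnctl.sh stop"; "DRY_RUN=1 sh vpnctl.sh stop" prints the two commands it would run without touching ufw or systemd, which is a cheap way to review the rule change before applying it. A systemd timer or cron entry calling "vpnctl.sh stop" at the end of the day and "vpnctl.sh start" in the morning covers the scheduling part of the question.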