Would Ubuntu make a good secure server for VPN server?

BirdDad

I have PIA and made a small ITX PC that I want to use for VPN for my family's entire network. I had built it for pfSense but it did not work out well; I could not follow the instructions as they no longer applied to the newer version that I had. I could not get pfSense to work with anything other than Blowfish128 and what I want is AES256. It can run Windows 8.1 and PIA's proprietary client without any noticeable slowdown; however, I consider Windows insecure and was wondering if Ubuntu with PIA's proprietary client for Linux would be hard to set up. Also, I wanted to know if Ubuntu has drivers for my board, as I had to download drivers to get the encryption engine to work on Windows.
Here is the board that I have:
http://www.newegg.com/Product/Product.aspx?Item=N82E16813157626
I am a Linux newbie and find it difficult to work in terminal; I prefer a GUI.
Thanks
 

gus6464

We use OpenVPN virtual appliance at work for VPN and it's nothing but a barebones Ubuntu install. No complaints in the entire time we've had it.

The initial config of the box has to be done via CLI but the config of the actual VPN is done via GUI through the web interface.
 

Fallen Kell

Out of the box, no. In fact I wouldn't run really any Linux distro out of the box connected directly to the internet (too many known security vulnerabilities due to insecure default configurations. So unless you know every piece of software that is open and running on the box and know how to secure it properly, I would pass on this).

Some of the BSDs would be a much better choice as they tend to have proper secure default settings out of the box. Someone already mentioned pfSense, which would be the one I recommend as well for this type of thing as it was specifically designed to act as a firewall and VPN server with an extremely good out of the box configuration due to it being a well known security device used as a first line of defence for protecting networks.
 

hasu

Out of the box, no. In fact I wouldn't run really any Linux distro out of the box connected directly to the internet (too many known security vulnerabilities due to insecure default configurations. So unless you know every piece of software that is open and running on the box and know how to secure it properly, I would pass on this).

Some of the BSDs would be a much better choice as they tend to have proper secure default settings out of the box. Someone already mentioned pfSense, which would be the one I recommend as well for this type of thing as it was specifically designed to act as a firewall and VPN server with an extremely good out of the box configuration due to it being a well known security device used as a first line of defence for protecting networks.

Is there a place to find a list of all the known vulnerabilities and their remedies?
 

A5

Is there a place to find a list of all the known vulnerabilities and their remedies?

There's the NIST NVD, but it isn't really necessary for home users to monitor: https://nvd.nist.gov/

AFAIK, Ubuntu will install most current security updates as part of the installer (if it's online).

We're not talking about a Windows 98 "get owned in 5 minutes on the public internet" style issue here. Like any other OS, just make sure to check for updates regularly and don't install any server daemons that you don't need.
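
An added example, not part of any post in this thread: one way to check the "know every piece of software that is open and running" and "don't install any server daemons that you don't need" advice on an Ubuntu box is to compare the listening sockets reported by `ss` against an allowlist. The sample `ss` output is constructed, and the allowlist (OpenVPN on udp/1194, SSH on tcp/22) is an assumed policy for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets that are reachable from the network
# and are not on an allowlist. On a live host, feed it real data with:
#   sudo ss -H -tulpn | unexpected_listeners "udp/1194 tcp/22"

# Constructed sample of `ss -H -tulpn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:1194       0.0.0.0:*    users:(("openvpn",pid=812,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*    users:(("cupsd",pid=655,fd=7))
tcp   LISTEN 0      50           0.0.0.0:445        0.0.0.0:*    users:(("smbd",pid=930,fd=31))
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*    users:(("avahi-daemon",pid=640,fd=12))
tcp   LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=701,fd=4))
tcp   LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*    users:(("systemd-resolve",pid=600,fd=14))
EOF
}

# $1: space-separated allowlist of proto/port pairs, e.g. "udp/1194 tcp/22".
# stdin: ss output. Prints "proto/port address process" for each offender.
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF < 5 || $1 == "Netid" { next }            # blank line, or header if -H was omitted
    {
        port = $5; sub(/.*:/, "", port)         # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)     # text before the last colon
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only, not exposed
        key = $1 "/" port
        if (key in ok) next                     # explicitly allowed service
        proc = "unknown"                        # process names need root to be complete
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        print key, addr, proc
    }'
}

# Assumed policy for this box: OpenVPN on udp/1194 and SSH on tcp/22 only.
sample_ss_output | unexpected_listeners "udp/1194 tcp/22"
```

Anything the function prints is a daemon to either remove, bind to loopback, or block at the firewall before the machine faces the internet.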
 

Fallen Kell

Is there a place to find a list of all the known vulnerabilities and their remedies?

Not a single place. In terms of hardening an out of the box config, I would start with STIGs (https://www.stigviewer.com/stigs). You then should look at CVEs (https://cve.mitre.org/cve/). After that you should also be looking at the different vulnerability releases, zero-days, etc...

But that is only the tip of the surface. The STIGs are mainly designed to limit your exposure and log everything needed to attempt to discover a breach, but that only works if you are then actively reading those logs and following up on questionable activity found in the logs. Telling you how to identify questionable activity would take about 2 years of training... And even then, a really good breach is very difficult to detect as they would attempt to cover their tracks (which is one of the reasons why the STIGs recommend having a remote log system so that a bot/person who breaches the machine can't clean up the logs behind it to remove the offending activity as they would need to also breach the remote log server, which is hopefully firewalled off with only the syslog and similar ports open through the firewall).
 