I’ll repeat a reply I made as a top-level comment, as I think it’s a useful analogy:
Opening a port is like installing a door in what was a brick wall in a back alley, then leaving it unattended while people might try to pick the lock. Unfortunately, the internet is a crime-ridden neighborhood, and that lock will be tested, likely within minutes.
The “door” in this analogy is a port forward on your router, and the “lock” is whatever security is provided by the service you expose on that port. Some services are battle-tested and more trustworthy than others, but nearly everything has a bug in it somewhere.
I no longer leave any ports open, other than just one for Wireguard. Wireguard in general won’t reply to unauthenticated packets at all, so it’s essentially an invisible door. I can’t speak to OpenVPN, it may or may not behave similarly. Leaving an SSH server visible is an invitation for automated password-guessing.
I’ll repeat a reply I made as a top-level comment, as I think it’s a useful analogy:
Opening a port is like installing a door in what was a brick wall in a back alley, then leaving it unattended while people might try to pick the lock. Unfortunately, the internet is a crime-ridden neighborhood, and that lock will be tested, likely within minutes.
The “door” in this analogy is a port forward on your router, and the “lock” is whatever security is provided by the service you expose on that port. Some services are battle-tested and more trustworthy than others, but nearly everything has a bug in it somewhere.
I no longer leave any ports open, other than just one for Wireguard. Wireguard in general won’t reply to unauthenticated packets at all, so it’s essentially an invisible door. I can’t speak to OpenVPN, it may or may not behave similarly. Leaving an SSH server visible is an invitation for automated password-guessing.