
I have a server (VPN) with a public IP. This server is also connected to the local network and provides access to this network for users connected via OpenVPN (OpenVPN is hosted on this server). Let's say this server is configured with sysctl net.ipv4.ip_forward=1 (since it's a VPN server), and the command ip a (simplified) shows something like this:

eth0: inet 192.168.10.12/24
eth1: inet 142.250.184.206/26

Local network 192.168.10.0/24 should not be accessible from the internet.

Is it possible for a potential attacker to set my server as a gateway or force traffic through my public IP (142.250.184.206) to access my local network?


2 Answers

Yes and no. A lot depends on your setup, but a few statements may help.

Provided the server where 142.250.184.206 is (I'll call it the VPN box) is set up properly, it would take an extremely targeted attack compromising your devices another way to force the traffic through the VPN box if it has not been set up by someone on the LAN - to the extent your network is so compromised that access via the VPN makes almost no difference.

If the VPN box is compromised it can be used to access, subvert and reroute your traffic. While it is quite practical to secure this box (indeed, this is fairly analogous to most SOHO routers), because the box has a world-accessible IP on it, it is a target. At a minimum you want a strong firewall on it, both for services on the box and for traffic being forwarded through the box.

  • Thanks! I guess it's possible to set up a firewall to pass only OpenVPN (and SSH for management) traffic?
    – Demiler
    Commented Feb 3, 2023 at 1:15
  • Yes, but the specifics on how to do that depend on information not in the question. Also, if it's listening on the WAN interface, SSH, if compromised, is a big threat, as it has lots of forwarding/proxy functionality built in. You definitely can set SSH up to be secure - start by ensuring you only allow key-based (not password-based) access to it - and consider running fail2ban to prevent brute-force attacks on it.
    – davidgo
    Commented Feb 3, 2023 at 1:24
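The firewall the comment above asks about, as an added example that is not part of the original thread: an nftables ruleset for the VPN box that admits only OpenVPN and SSH from the WAN side and, in the forward chain, only lets traffic that arrived over the tunnel into the LAN, so a default-drop forward chain is what stops the box from being used as a gateway into 192.168.10.0/24. It assumes eth1 is the WAN interface, eth0 the LAN interface, OpenVPN on UDP 1194 creating tun0, and SSH on TCP 22; the interface and port names are assumptions, not from the question.

```shell
#!/bin/sh
# Constructed example (not from the thread). Assumed layout: WAN=eth1,
# LAN=eth0 (192.168.10.0/24), OpenVPN on UDP 1194 with tunnel device tun0,
# SSH on TCP 22. Policy: WAN may reach only OpenVPN and SSH on the box;
# forwarding is allowed only from tun0 into the LAN (plus replies), never
# from eth1 into the LAN, regardless of net.ipv4.ip_forward being 1.
set -eu

WAN=eth1
LAN=eth0
TUN=tun0
LAN_NET=192.168.10.0/24
VPN_PORT=1194

# Emit the ruleset as text so it can be reviewed (or diffed) before loading.
vpn_box_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        iifname "$WAN" udp dport $VPN_PORT accept
        iifname "$WAN" tcp dport 22 accept
        iifname "$LAN" tcp dport 22 accept
        iifname "$TUN" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$TUN" oifname "$LAN" ip daddr $LAN_NET accept
    }
}
EOF
}

# Sanity check: count forward-chain rules that accept traffic arriving on the
# WAN interface. The property the question is about is that this is zero.
wan_forward_rules() {
    vpn_box_ruleset | sed -n '/chain forward/,/}/p' | grep -c "iifname \"$WAN\"" || true
}

# Load only when explicitly asked (needs root and nft installed).
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    vpn_box_ruleset | nft -f -
fi
```

Run it without arguments to print nothing and inspect the output of `vpn_box_ruleset`; run `./vpnbox.sh apply` as root to load it.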

I won't say the common sentence 'nothing is really safe', even if it is absolutely true. Doing this isn't much of an issue and is perfectly doable. It depends on the trust you have in your VPN server and the use you'll make of it; there are a lot of bots that will try default passwords and common attacks on any open ports over public IPs. So you'd need to make sure your server is updated, and make sure your passwords are safe enough. You are opening a gate to your local network, so you must make sure that this gate is secure.

Only the VPN port should be opened, and not on the default port, and you should make sure your VPN version doesn't have any security breach. If it is just a way to access your local network, I would recommend having your VPN behind your router so you can manage the traffic and easily change port redirection; for example, your VPN would only have an IP inside your network and have only one interface. Then your router would redirect from a random port you choose toward your VPN. Then you could treat your VPN like an unsafe machine (using an IDS, for example) to secure your local network.

  • So, what you're saying is: if my server doesn't have stupid security holes like login/password access root/root, I'm mostly fine? (I've configured OpenVPN to be accessible only with certificates generated by me.)
    – Demiler
    Commented Feb 3, 2023 at 1:13
