Security concerns regarding client specific overrides & ip based firewall rules
-
Hey there,
when using client specific overrides to assign static IPs outside of the tunnel's DHCP-Range using "ifconfig-push staticiphere 255.255.255.0;", how secure is that in terms of exploitability?
Like, when using that for IP based firewall rules, how easy would it be for a person with a connected OpenVPN Client to change their automatically or statically assigned IP address to something else in that tunnel network, so they could access stuff they aren't supposed to access?
In a regular, local network I'd use StaticARP, however that's obviously not an option for VPNs. Is there a better way to do this or something I'm missing? -
They can only use an address within the tunnel range. So, you write your rules accordingly. If needed, you can even restrict the address range by using a longer subnet mask, to the point where there's only one address that will work. Also, if you're worried about that sort of thing, then you should be implementing other security beyond just VPN addresses. For example, if you're on a corporate network, you might be using Active Directory or similar to restrict what users can access.