Netgate Discussion Forum

    Security concerns regarding client specific overrides & ip based firewall rules

    OpenVPN
    2 Posts 2 Posters 405 Views
    • Tenou

      Hey there,
      when using client specific overrides to assign static IPs outside of the tunnel's DHCP range using "ifconfig-push staticiphere 255.255.255.0;", how secure is that in terms of exploitability?
      Like, when using that for IP-based firewall rules, how easy would it be for a person with a connected OpenVPN client to change their automatically or statically assigned IP address to something else in that tunnel network, so they could access stuff they aren't supposed to access?
      In a regular, local network I'd use static ARP, however that's obviously not an option for VPNs. Is there a better way to do this or something I'm missing?

      • JKnott @Tenou

        @Tenou

        They can only use an address within the tunnel range. So, you write your rules accordingly. If needed, you can even restrict the address range by using a longer subnet mask, to the point where there's only one address that will work. Also, if you're worried about that sort of thing, then you should be implementing other security beyond just VPN addresses. For example, if you're on a corporate network, you might be using Active Directory or similar to restrict what users can access.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

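The two halves of the thread, checking that per-client overrides are ones a firewall rule can safely key on, and seeing what the OpenVPN server does when a client sends packets from an address other than the one it was given, as an added example that is not part of the thread or of pfSense/OpenVPN. The tunnel network, the dynamic pool boundaries, the client-config-dir (CCD) file contents and the log lines are all constructed samples; the log timestamp prefix is simplified, but the "MULTI: bad source address from client [...], packet dropped" message is the one an OpenVPN server in tun mode logs when it discards a packet whose source address does not belong to that client's assigned address.

```python
"""Added example (not from the Netgate thread): validate OpenVPN client-specific
overrides against the tunnel network, emit /32 firewall source entries for the
clean ones, and count spoofed-source drops per client in the server log.
Every address, CCD file and log line below is a constructed sample."""
import ipaddress
import re

# Constructed tunnel layout (assumption): the server's dynamic pool occupies the
# lower half of the tunnel network, so static overrides must sit above it.
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")
DYNAMIC_POOL = (ipaddress.ip_address("10.8.0.2"), ipaddress.ip_address("10.8.0.127"))

# Constructed client-config-dir contents, keyed by certificate common name.
CCD = {
    "alice": "ifconfig-push 10.8.0.200 255.255.255.0\n",
    "bob":   "ifconfig-push 10.8.0.201 255.255.255.0\n",
    "carol": "ifconfig-push 10.8.0.50 255.255.255.0\n",   # collides with the dynamic pool
    "dave":  "ifconfig-push 10.9.0.5 255.255.255.0\n",    # not in the tunnel network
    "erin":  "ifconfig-push 10.8.0.200 255.255.255.0\n",  # same address as alice
}

IFCONFIG_PUSH = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)")


def parse_ccd(ccd):
    """Return {cn: pushed static address} for every override that sets one."""
    static = {}
    for cn, text in ccd.items():
        for line in text.splitlines():
            m = IFCONFIG_PUSH.match(line)
            if m:
                static[cn] = ipaddress.ip_address(m.group(1))
    return static


def check_overrides(static, tunnel_net=TUNNEL_NET, pool=DYNAMIC_POOL):
    """Flag pushed addresses a firewall rule cannot safely key on: outside the
    tunnel network, inside the dynamic pool, or shared by two clients."""
    problems, owner = {}, {}
    for cn, addr in static.items():
        if addr not in tunnel_net:
            problems[cn] = "outside tunnel network"
        elif pool[0] <= addr <= pool[1]:
            problems[cn] = "inside dynamic pool"
        elif addr in owner:
            problems[cn] = f"duplicate of {owner[addr]}"
        else:
            owner[addr] = cn
    return problems


def firewall_sources(static, problems):
    """Per-client /32 source entries for rules, only for overrides with no problem."""
    return {cn: f"{addr}/32" for cn, addr in static.items() if cn not in problems}


# Constructed server log: bob first tries alice's address and the server's own
# address as packet sources; the server drops both and logs the attempt.
SERVER_LOG = """\
2025-01-01 10:00:01 alice/203.0.113.10:51000 MULTI: Learn: 10.8.0.200 -> alice/203.0.113.10:51000
2025-01-01 10:00:05 bob/198.51.100.7:41234 MULTI: bad source address from client [10.8.0.200], packet dropped
2025-01-01 10:00:06 bob/198.51.100.7:41234 MULTI: bad source address from client [10.8.0.1], packet dropped
2025-01-01 10:00:09 bob/198.51.100.7:41234 MULTI: Learn: 10.8.0.201 -> bob/198.51.100.7:41234
"""

BAD_SRC = re.compile(
    r"(?P<cn>[^/\s]+)/(?P<peer>\S+) MULTI: bad source address from client \[(?P<src>[^\]]+)\]"
)


def spoof_attempts(log):
    """Map each client CN to the list of source addresses the server refused."""
    hits = {}
    for line in log.splitlines():
        m = BAD_SRC.search(line)
        if m:
            hits.setdefault(m["cn"], []).append(m["src"])
    return hits


if __name__ == "__main__":
    static = parse_ccd(CCD)
    problems = check_overrides(static)
    for cn, why in problems.items():
        print(f"override for {cn}: {why}")
    print("rule sources:", firewall_sources(static, problems))
    print("spoofed-source drops:", spoof_attempts(SERVER_LOG))
```

Run against a real deployment, `CCD` would be read from the server's client-config-dir and `SERVER_LOG` from the OpenVPN server log; the per-client drop counts are the signal to alert on, since a client that repeatedly hits that message is sending traffic from an address it was never assigned.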
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.