Public IP over VPN and security
-
pfSense is active at a site where the only connection is an LTE connection.
Unfortunately, the assigned IP is only private and therefore even with DDNS we are unable to reach the devices and servers in the DMZ. We therefore tried a different route, activating a VPN with a provider who is able to assign us a public and even static IP.
Now with OpenVPN we have this IP address, but we are asking ourselves serious security questions. We have active protections on the WAN, and none on the VPN, because usually on the other end of a VPN there is a known device or PC. In this case, no.
If I register this IP on the DNS by associating it with a domain, then by calling the URL I can reach the Apache server in the DMZ.
But by doing that, anyone can get in from that VPN, right? So, while waiting to find our public IP, three solutions come to mind.
- Activate all the rules present on the WAN also on the VPN.
- Find a Category 6 LTE router that is capable of activating an OpenVPN client.
- Activate another pfSense firewall to be placed between an "all open" router and the current pfSense. In this case I open the VPN on the first router and the current one would filter everything over the WAN as it already is.
With option 1 I would have only one firewall but with all the duplicate rules it seems a bit complicated to me.
Options 2 and 3 move the VPN upstream of the firewall which is left with only one configuration.
Option 3 could be accomplished by virtualizing the two firewalls.
The first has a real NIC, connected to the router, and a virtual NIC. The second has a virtual NIC, connected to the virtual one of the first firewall, and two real NICs for LAN and DMZ.
I would assign 30% of the memory to the first firewall and 70% to the second. There are at most half a dozen LAN users. What is your opinion?
-
You overthink this a bit.
After adding the OpenVPN client instance as an interface, firewall rules apply like for any other interface.
With no rules added, any traffic entering this interface (VPN tunnel) is blocked.
If you want to allow incoming traffic, add rule(s). If you want to port forward/NAT, add port forwards.
EDIT: By the way, there is a great "OpenVPN as a WAN" hangout by jimp / Netgate here: https://www.youtube.com/watch?v=lp3mtR4j3Lw
-Rico
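To illustrate the point above in code: this is an added model of pfSense's per-interface, first-match filtering with an implicit default deny (not pfSense's own code). The interface name OVPNC1, the public VPN address 198.51.100.10 and the DMZ Apache host 10.0.20.10 are constructed; the only rule on the VPN interface is the one the port forward needs, so everything else arriving on the tunnel is dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet enters on, e.g. "WAN" or "OVPNC1"
    proto: str     # "tcp" or "udp"
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                     # "pass" or "block"
    proto: str = "any"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (self.iface == pkt.iface
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.dport in (None, pkt.dport))

# Port forwards: (iface, proto, external port) -> (internal host, port).
# Constructed: only HTTPS on the VPN interface reaches the DMZ Apache host.
PORT_FORWARDS = {("OVPNC1", "tcp", 443): ("10.0.20.10", 443)}

# The single pass rule on OVPNC1 that the port forward needs; it matches the
# *translated* destination, as the associated rule pfSense creates does.
RULES = [Rule("OVPNC1", "pass", "tcp", "10.0.20.10/32", 443)]

def process(pkt: Packet, forwards=PORT_FORWARDS, rules=RULES) -> str:
    """Translate first (rdr), then filter first-match on the ingress
    interface; with no matching rule the packet is blocked."""
    host, port = forwards.get((pkt.iface, pkt.proto, pkt.dport),
                              (pkt.dst, pkt.dport))
    pkt = Packet(pkt.iface, pkt.proto, host, port)
    for rule in rules:
        if rule.matches(pkt):
            return f"{rule.action} -> {pkt.dst}:{pkt.dport}"
    return "block (implicit default deny)"

if __name__ == "__main__":
    print(process(Packet("OVPNC1", "tcp", "198.51.100.10", 443)))  # pass
    print(process(Packet("OVPNC1", "tcp", "198.51.100.10", 22)))   # block
    print(process(Packet("OVPNC1", "tcp", "192.168.1.5", 445)))    # block
```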
-
@whitetiger-it said in Public IP over VPN and security:
pfSense is active at a site where the only connection is an LTE connection.
Doesn't it support IPv6? I thought IPv6 was pretty much mandatory on LTE. My carrier provides it on both my cell phone and cable modem. In fact, for IPv4 sites, the phone uses 464XLAT over IPv6. Even the local phone company here, which doesn't provide IPv6 over ADSL, does on their cell network.
-
@jknott said in Public IP over VPN and security:
Doesn't it support IPv6? I thought IPv6 was pretty much mandatory on LTE. My carrier provides it on both my cell phone and cable modem. In fact, for IPv4 sites, the phone uses 464XLAT over IPv6. Even the local phone company here, which doesn't provide IPv6 over ADSL, does on their cell network.
I believe you are referring to IP6 encryption, but I don't understand what it has to do with my problem.
I enable OpenVPN not so much for a security issue as for the fact that it is the only method found to have a public IP over LTE.
After that, having to make this IP public, I am afraid that it can be used to enter my network even by those who do not have an OpenVPN client authorized by me.
-
No, I'm referring to IPv6, which is supposed to replace IPv4, as a way to get past double NAT. With it, there's no need for NAT, so every device can have a public address and you'll get at least 18.4 billion, billion addresses from your ISP. The 4G cell network is supposed to provide IPv6, so it should be available with your LTE connection. Another way to get IPv6 is through a tunnel, such as available from he.net. Once you have IPv6, you can worry about the other end and go from there.
BTW, I've been running IPv6 on my network for almost 11 years.
-
@jknott
I have asked my provider for IP6, but it seems there are problems granting it. We'll see.
-
You don't need your ISP to use IPv6. As mentioned already, just get a free tunnel from HE.
It's FREE, and you can get a /48 from them.
https://www.tunnelbroker.net/
Takes all of a few minutes to set up with pfSense.