Security question re site to site VPN



  • I would like to set up a pfSense router in my office which has an always on openvpn connection to my home network.  My concern is that at a time when I am not physically present in the office, someone could plug a computer into the office pfSense router, which I suspect would give them unrestricted access to my home LAN. Is this correct?  If so, is there any way to stop this from happening and still maintain the router to router vpn connection?



  • Put the router in a secured rack where only authorized people have keys to gain access inside it.  That's the clear choice.  Alternatively, disable the NICs not in use such that if someone were to plug in directly then the NIC is disabled and wouldn't provide connectivity.  But, really, infrastructure should be in a secured rack or at least in a secured room in an office setting, imho.

    Of course, I'm also ignoring the fact that you want to create a tunnel between your office and your home, which seems a bit odd.  If this is for a work at home setup then I'd much rather just create a remote access vpn server on pfsense and then you can connect from home as needed instead of maintaining a site to site vpn with your home.  What happens if your home network is compromised?  If that happens, the intruder has a free pass into your office's network, which seems like a really, really bad idea.



  • That would undoubtedly be the right choice, but unfortunately it is not an option for me.  The office is a rented room in a larger office, and although I am the only user of the office (in theory), I am unable to physically secure the space (i.e. the door must remain unlocked).  Is there a software-based means of accomplishing this?



  • A quick scan doesn't seem to show me any way to disable an interface within the OS from the webui, though I guess you could do it if you just hit a shell and disable any unused interfaces.  On the other hand, all traffic on OPT interfaces is blocked by default on pfSense, so anyone connecting to such ports isn't getting anywhere anyway.

    But… that's all moot because if the router isn't secured then if someone really wants in all they have to do is connect the LAN port to a switch and plug themselves into the switch and now they're on your LAN, which then would give them access to your home tunnel (and really anything else).

    I think the lesson here is find a way to secure the router if this is a concern. :)
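    A software-side version of the "hit a shell and disable unused interfaces" idea, written as an added example rather than anything posted in this thread or shipped with pfSense: it assumes a pfSense/FreeBSD box whose /cf/conf/config.xml lists every assigned NIC as `<if>NAME</if>`, and FreeBSD's `ifconfig -l` / `status: active` output. `--check` reports any unassigned port that has link (a cable nobody should have plugged in); `--apply` brings those ports down.

```sh
#!/bin/sh
# Added example for this thread, not code from pfSense or from any poster.
# Assumptions: pfSense on FreeBSD, config at /cf/conf/config.xml, every NIC in
# use listed there as <if>NAME</if>, and "ifconfig -l" / "status: active"
# output as FreeBSD prints it. Run as root from a shell on the firewall.
CONFIG=${CONFIG:-/cf/conf/config.xml}

# Pure function so it can be checked offline: given all interface names
# (space-separated, as "ifconfig -l" prints them) and the assigned names,
# print the physical NICs that are present but not assigned in pfSense.
unused_nics() {
    all=$1
    assigned=$2
    for nic in $all; do
        case $nic in
            # pseudo/virtual devices are never the "spare port" of interest
            lo[0-9]*|enc[0-9]*|pflog[0-9]*|pfsync[0-9]*|ovpn*|ipsec*|tun*|tap*|bridge*|vlan*|lagg*) continue ;;
        esac
        found=0
        for a in $assigned; do
            [ "$a" = "$nic" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$nic"
    done
    return 0
}

# Names assigned in config.xml (the real file has one <if>...</if> per line).
assigned_from_config() {
    sed -n 's|.*<if>\([^<]*\)</if>.*|\1|p' "$1" | sort -u | tr '\n' ' '
}

case ${1:-} in
    --check|--apply)
        for nic in $(unused_nics "$(ifconfig -l)" "$(assigned_from_config "$CONFIG")"); do
            if [ "$1" = "--apply" ]; then
                # Stays down only until reboot or reassignment; re-run from
                # cron (or a shellcmd) to keep it that way.
                ifconfig "$nic" down && logger -t nic-lockdown "unassigned NIC $nic brought down"
            elif ifconfig "$nic" | grep -q 'status: active'; then
                # Link on a port nothing should be plugged into: worth an alert.
                logger -t nic-lockdown "ALERT: link active on unassigned NIC $nic"
                echo "ALERT: link active on unassigned NIC $nic"
            fi
        done
        ;;
esac
```

This only covers the unassigned ports; it does nothing about the LAN-port case described above, which still comes down to physical access to the router.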



  • That is exactly what I am afraid of.  Maybe I will see if I can lock the router in a cabinet.  Not perfect, but probably better than nothing.