4. Security concerns regarding client specific overrides & ip based firewall rules

Security concerns regarding client specific overrides & ip based firewall rules

  • T

    Hey there,
    when using client specific overrides to assign static IPs outside of the tunnel's DHCP-Range using "ifconfig-push staticiphere 255.255.255.0;", how secure is that in terms of exploitability?
    Like, when using that for IP based firewall rules, how easy would it be for a person with a connected OpenVPN Client to change their automatically or statically assigned IP address to something else in that tunnel network, so they could access stuff they aren't supposed to access?
    In a regular, local network I'd use StaticARP, however that's obviously not an option for VPNs. Is there a better way to do this or something I'm missing?

    0 1 Reply

  • @Tenou

    They can only use an address within the tunnel range. So, you write your rules accordingly. If needed, you can even restrict the address range by using a longer subnet mask, to the point where there's only one address that will work. Also, if you're worried about that sort of thing, then you should be implementing other security beyond just VPN addresses. For example, if you're on a corporate network, you might be using Active Directory or similar to restrict what users can access.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy