Netgate Discussion Forum

Security consideration (blocking internet access)

OpenVPN
mazzz86 last edited by

Hey,

I have a working configuration of OpenVPN on a 1.2.3 pfSense and I have two questions about security:

1°/
Once a Windows client is connected to the VPN, he can access the whole LAN defined in the server "Local Network" option. But he can still access the internet from his computer. So if the computer is infected by a trojan or any malware, this makes the computer a gateway from the internet to the LAN :(, an easy access way for a hacker. Is there a method to block internet access (modifying the routing table or something else…) while the client is connected to the VPN?

2°/
In the log of the pfSense box in the OpenVPN tab, I get this message: "openvpn[393]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."
On my client computer, I have only CA and client certificates. It seems weird to me that there is no server certificate. Am I wrong?

Thanks for the help.
Bye
jimp (Rebel Alliance Developer, Netgate) last edited by

For point #1, there are two ways to accomplish blocking Internet access on OpenVPN. The first would be to just remove any outbound NAT rules you have that allow OpenVPN subnets to reach the Internet; if you are on auto, switch to Manual Outbound NAT and only specify rules for LAN subnets and such.

The other method, which may be better, is to block traffic for OpenVPN clients except the traffic you want (e.g. allow all protocols from the OpenVPN client subnet to LAN). This isn't built into 1.2.3, but it is possible. (It will be available in 2.0 by default.) The process is described here: http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3

I'm not sure about point #2. Someone else may have to comment more in depth on that.
Cry Havok last edited by

#2 relates entirely to the server side setup, it has nothing to do with clients. Have you provided the OpenVPN server with the CA certificates?
mazzz86 last edited by

Thanks again jimp for your answer.
But I think you didn't understand what I wanted to say in the first point. My English is far from perfect, so excuse me.

I don't want to filter traffic into the tunnel, but I want to do the opposite Oo
I want all traffic to go over the VPN while a client is connected.

Actually, when I'm connected from home, I can both access my enterprise LAN and surf the web.
I'm a gateway between the internet and my LAN. If somebody can control my computer from the internet with any malware, he can do whatever he wants on my enterprise network!!!!

To avoid that, I would like to make surfing unavailable when a client is connected.
I think something like routing all traffic to the VPN should be an idea, but how?!?

For Havok,
Yes, the server has the CA certificate. But when you configure a client, you put only the CA certificate and you create a client certificate. I just don't understand why you don't need the server certificate to connect? The CA is just the authority that signs the server certificate; you just need it to be sure that the server certificate is the right one. But once you know that, you need the server certificate to be sure that you are talking to the right computer when you are connecting.
There is obviously something that I don't understand. Maybe you can help me (if my sentences are understandable ^^)

Thx to you guys
Cry Havok last edited by

That's how SSL works, same as for your web browser. You don't have a copy of every public server certificate to compare against, you have the key of the authority who signed their keys; that's how you check you're connecting to the right server.
mazzz86 last edited by

Ok, you're right Havok. I didn't think about that point when I wrote my post ;)

And do you have an idea for the first point?

Thx
Cry Havok last edited by

What, forcing all traffic to go by the VPN?

That's nicely covered in the OpenVPN documentation ;) The setting you're looking for is redirect-gateway.

Of course, if malware has control of your system it can do anything it wants. If you're already infected it can still do whatever it wants on your enterprise network.
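As an added example (not code from this thread, from OpenVPN or from pfSense), the script below lints an OpenVPN client configuration for the two things discussed in the posts above: whether a redirect-gateway directive forces all traffic into the tunnel while the client is connected (point #1), and whether a server-certificate verification directive is present, which is what silences the "No server certificate verification method has been enabled" warning quoted in the first post (point #2). The directive names are OpenVPN's own; ns-cert-type is the legacy form from the howto#mitm page of that era and remote-cert-tls is its later replacement. The two sample configurations and the hostname vpn.example.com are constructed for illustration.

```python
"""Lint an OpenVPN client config for full-tunnel routing and server identity checks.

Added example; not code from the thread, OpenVPN or pfSense.
"""
import re

# Directives that make the client check it is talking to the intended server.
# Any one of them silences OpenVPN's "No server certificate verification
# method has been enabled" warning. Without one, a certificate signed by the
# same CA but issued to another client would be accepted as the server.
SERVER_VERIFY_DIRECTIVES = {
    "remote-cert-tls", "ns-cert-type", "remote-cert-eku", "remote-cert-ku",
    "verify-x509-name", "tls-remote", "tls-verify",
}

# Constructed sample: a minimal split-tunnel client config with CA, client
# certificate and key only, like the one described in the first post.
SPLIT_TUNNEL_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
"""

# Constructed sample: the same config with the two settings added.
FULL_TUNNEL_CONFIG = SPLIT_TUNNEL_CONFIG + """\
# Route everything through the tunnel while connected (point #1)
redirect-gateway def1
# Accept only a certificate issued for a server, not another client (point #2)
remote-cert-tls server
verify-x509-name vpn.example.com name
"""


def parse_directives(config_text):
    """Return [(directive, [args]), ...], skipping comments, blank lines and
    the contents of inline blocks such as <ca> ... </ca>."""
    directives = []
    block = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if block is not None:          # inside <ca>, <cert>, <key>, ...
            if line == "</%s>" % block:
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        opening = re.match(r"<([a-z0-9-]+)>$", line)
        if opening:
            block = opening.group(1)
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def lint_client_config(config_text):
    """Report whether all traffic is forced into the tunnel and whether the
    server's certificate identity is verified."""
    findings = {"redirect_gateway": False, "server_verification": [], "issues": []}
    for name, args in parse_directives(config_text):
        if name == "redirect-gateway":
            findings["redirect_gateway"] = True
        elif name in SERVER_VERIFY_DIRECTIVES:
            # On a client these two must name the 'server' certificate type.
            if name in ("remote-cert-tls", "ns-cert-type") and args[:1] != ["server"]:
                findings["issues"].append("%s on a client must be 'server'" % name)
            else:
                findings["server_verification"].append(name)
    if not findings["redirect_gateway"]:
        findings["issues"].append(
            "no redirect-gateway: the client keeps its own default route and can "
            "reach the Internet and the LAN at the same time (split tunnel)")
    if not findings["server_verification"]:
        findings["issues"].append(
            "no server certificate verification: any certificate signed by the CA, "
            "including another client's, would be accepted as the server")
    return findings


if __name__ == "__main__":
    for label, cfg in (("split tunnel", SPLIT_TUNNEL_CONFIG),
                       ("full tunnel", FULL_TUNNEL_CONFIG)):
        result = lint_client_config(cfg)
        print(label, "->", result["issues"] or "no issues")
```

Run it against an exported client .ovpn file by reading the file into lint_client_config; the second sample shows the two directives that address both points of the thread. Note that redirect-gateway only changes the client's routing table; as the post above says, it does not help once the client itself is compromised.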
mazzz86 last edited by

Thanks for the directive.

Of course a virus will go on my enterprise network if the client is already infected.
But if someone can get remote control of the client, at least he couldn't do it while the client is connected to the VPN.