Address 10.11.12.101 is always assigned to username001.
Lately I am concerned that after connecting a user can change (spoof) its IP address and basically make the firewall rules useless.
Do you know if this is actually possible? Are there any technical limitations that would prevent a client with a spoofed IP from sending/receiving traffic?
If this is possible how would you improve the security?
As you know, having firewall rules filtering based on dynamic interface names like doesn’t work. Maybe having ppp profile up&down scripts that add firewall rules based on the dynamic interface names is one possible solution. Any other ideas?
I did the test below and I can confirm that spoofing is possible and works very well.
(Please, correct me if “spoofing” is not the right term for this.)
From a Win10 PC with an OpenVPN client I connected to my VPN router. I got the address 10.11.12.101 (the one statically assigned for username001 in /ppp secrets).
Then on the Win10 command prompt I changed the address of my TAP VPN interface:
netsh interface ip set address "Ethernet" static 10.11.12.50 255.255.255.0
My router’s firewall rules allow full access from 10.11.12.50. At this moment the access to the internal resources didn’t work. The reason is that there was no routing for 10.11.12.50.
Once I added a route for 10.11.12.50 via the interface, everything worked like a charm.
Consequently, if the spoofed IP is a public IP address and the firewall rules are not well designed, there is a possibility for a spoofed request to come in from a VPN interface and the reply to be routed via the WAN interface to the public IP of the attacker.
So this brings me to the conclusion that the firewall rules must explicitly accept only those requests from the VPN interfaces that originate from the VPN pool.
VPN works well not because of IP addresses, but because of the high security of the hashing and encryption protocols, like DH key exchange and AES flow encryption. Before an attacker can have your IP address, he has to break this key and data encryption. If these IPs exist in a broadcast network, you have to defend yourself at the switch level.
Correct regarding protection from 3rd-party attacks, but sometimes you need to restrict where even legitimate VPN clients can get in your network. Whereas e.g. an l2tp server can be set up to link a static interface name to a particular user name, such a possibility does not exist for the openvpn server, so the only client-related information you can refer to in firewall rules is the IP address assigned to the client. And if the client can replace the assigned address with another one, the firewall rules will see that forged address. It is actually not much of a problem, given that such a “semi-insider attacker” would have to modify the routing on the server in order to start receiving the response packets, but it does expose some attack surface to exploit some possible vulnerability.
@sindy, thank you for confirming what I had discovered and what was worrying me: a legitimate VPN user starting to mess around.
A guy from the scripting section of the forum pointed out to me that every ppp profile has many options that can be used so that the ppp interface is dynamically added to an interface list, an address list, and incoming/outgoing filters. It is up to the firewall policy how these tools are used. For me, these are the tools to mitigate the risk.
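To make the two mitigation ideas in this thread concrete (the conclusion that VPN interfaces should only pass traffic sourced from the addresses the server actually assigned, and the ppp profile interface-list/address-list options mentioned in the last post), here is an added RouterOS configuration example. It is not from any post in the thread; the list names (VPN, vpn-clients), pool range, profile name, the 192.168.1.0/24 LAN and the placeholder password are assumptions chosen for illustration, and the profile options require RouterOS 6.41 or newer.

```routeros
# Added example, not from the thread. Names and addresses below are assumed.

# 1. Interface list for VPN clients. The ppp profile adds each dynamic
#    <ovpn-username> interface on connect and removes it on disconnect, so
#    firewall rules match in-interface-list instead of a dynamic interface name.
/interface list
add name=VPN comment="dynamic ppp/ovpn client interfaces (assumed name)"

# 2. Address pool and profile. address-list=vpn-clients makes the router add the
#    address it assigned to the client (from the pool or from /ppp secret) to the
#    list "vpn-clients" for the lifetime of the session. An address the client
#    configures on its own TAP adapter (e.g. 10.11.12.50 or a public IP) is
#    never added, so it can be told apart from the assigned one.
/ip pool
add name=vpn-pool ranges=10.11.12.100-10.11.12.200

/ppp profile
add name=ovpn-clients local-address=10.11.12.1 remote-address=vpn-pool \
    interface-list=VPN address-list=vpn-clients use-encryption=required

/ppp secret
add name=username001 password=CHANGE-ME profile=ovpn-clients \
    remote-address=10.11.12.101 service=ovpn

# 3. Firewall. Rules are evaluated top to bottom, so these drop rules must sit
#    above any per-user accept rule. Traffic entering on a VPN interface whose
#    source is not an address the server assigned is dropped and logged, which
#    also covers the case of a spoofed public IP whose reply would otherwise be
#    routed out of the WAN interface.
/ip firewall filter
add chain=input in-interface-list=VPN src-address-list=!vpn-clients \
    action=drop log=yes log-prefix="vpn-spoof" \
    comment="drop VPN traffic to router not sourced from an assigned address"
add chain=forward in-interface-list=VPN src-address-list=!vpn-clients \
    action=drop log=yes log-prefix="vpn-spoof" \
    comment="drop VPN traffic not sourced from an assigned address"

# Per-user rules now only ever see the address from /ppp secret.
add chain=forward in-interface-list=VPN src-address=10.11.12.101 \
    dst-address=192.168.1.0/24 action=accept comment="username001 -> LAN (assumed)"
add chain=forward in-interface-list=VPN action=drop \
    comment="VPN clients: default deny"
```

With this in place, repeating the netsh test from above (changing the TAP address to 10.11.12.50) produces log lines prefixed vpn-spoof and no traffic passes, because 10.11.12.50 is not in the vpn-clients list even though it falls inside the VPN subnet. Using an address list rather than a static src-address=10.11.12.0/24 match is what closes the gap noted in the thread: a spoofed address inside the pool range would still pass a subnet match, but it is never added to the list. If per-user rules are needed without a static remote-address, the same approach works with the profile's on-up/on-down scripts, but the address-list option avoids scripting entirely.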