Hi,
The RouterOS implementation of the OpenVPN server is not validating that if a client was issued an IP as part of the session, that same client is indeed sourcing traffic from the IP it was issued.
This contrasts with the implementation from the OpenVPN project, where the server does validate the source (https://github.com/OpenVPN/openvpn/blob/v2.6.12/src/openvpn/multi.c#L3426).
This presents a security issue as a client can switch out their source address and start sending packets into subnets they should not be allowed to access.
Mikrotik does not view this as an issue and points out that policing the clients should be done via the firewall (SUP-159637).
I need help implementing that policing, given the following constraints:
We authenticate clients via RADIUS.
We have different groups of users who need different and limited access once authenticated, e.g. IT staff vs accounting staff.
Since we are authenticating via RADIUS all clients will end up with dynamic PPP server bindings.
Without the source check we cannot trust the client address.
I would appreciate any suggestions as to how we can effectively police the clients so they only get access to the resources they are allowed to.
Note: It is implied that when the client replaces their source address they will no longer get return traffic. However, that is not protection. Many attack vectors do not depend on return data. It is also possible to replace the source address with a public IP you control. If the resource that is being targeted has internet access, some return data can be extracted.
You can assign a different IP to each client or group. Take a look at https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client
Framed-IP-Address or Framed-Pool are your friends
> You can assign a different IP to each client or group. Take a look at https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client
> Framed-IP-Address or Framed-Pool are your friends
Hi @jprietove,
Yes we are using that feature, but that only assigns the IP to the client.
You are implying that since we can assign a client an IP, we can then police their access by source address.
That is the issue: we cannot trust the client source IP, because it is not validated, so the client is free to set any IP they want.
We are of course talking about malicious users.
I think you can achieve what you want using rp-filter=strict in IP settings
https://help.mikrotik.com/docs/display/ROS/IP+Settings
Hi,
Thank you for the suggestion, it is right in line with what is needed, but it is not granular enough as it is a global command.
We do asymmetrical routing and policy routing; it's hard to see how that would play nice unless the RPF could be implemented per interface, or as a mangle match.
I appreciate the effort, as this was spot on in terms of sorting out the core issue.
I'll look if perhaps there is a way to mimic the RPF behavior and perform a route lookup and mark the packets/connections.
Alternatively we thought of hooking the PPP profile into up/down scripts that add/remove custom firewall rules. It's just ugly to make a workaround like that. Each time we do, we seem to end up with race conditions when an interface is flapping rapidly.
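One way to build the per-interface source check this thread is looking for, as an added example that is not code from the thread, from MikroTik, or from the OpenVPN project: the PPP profile's on-up script pins the RADIUS-assigned address to the client's dynamic interface with a drop rule at the top of the filter chain, and the on-down script removes it again. It assumes RouterOS v7 scripting syntax, a PPP profile that the OpenVPN server uses, and the `$interface`, `$"remote-address"` and `$user` variables that RouterOS passes to PPP profile on-up/on-down scripts; the `ovpn-srccheck-` comment prefix is a constructed tag, not a RouterOS keyword.

```routeros
# Added example, not from the thread or MikroTik. Paste each part into the
# corresponding on-up / on-down field of the PPP profile used by the OVPN server.
# Assumes RouterOS v7 scripting; $interface, $"remote-address" and $user are the
# variables RouterOS passes to PPP profile scripts. "ovpn-srccheck-" is a
# constructed tag used only to find the rule again later.

# --- on-up script body ---
:local iface $interface
:local addr $"remote-address"
:local tag ("ovpn-srccheck-" . $iface)

# An interface that flapped may have left a rule behind (on-down lost the race);
# clear it before adding a fresh one so the list never holds two rules for $iface.
/ip firewall filter remove [find comment=$tag]

# Drop anything this tunnel forwards that does not carry the address RADIUS
# assigned to it. The negated address is passed as a string ("!10.0.0.5").
# place-before=0 puts the rule at the top of the filter list, so it is evaluated
# before any per-group accept rules that key on src-address.
/ip firewall filter add chain=forward in-interface=$iface src-address="!$addr" \
    action=drop comment=$tag place-before=0

:log info ("srccheck: pinned " . $user . " on " . $iface . " to " . $addr)

# --- on-down script body ---
:local tag ("ovpn-srccheck-" . $interface)
/ip firewall filter remove [find comment=$tag]
```

With this rule in place, the per-group access rules further down the forward chain can trust `src-address`, because a packet from a given tunnel never reaches them unless it carries that tunnel's assigned address; Framed-Pool per RADIUS group then maps cleanly onto per-group `src-address` rules. The same two lines with `chain=input` pin traffic aimed at the router itself. The scripts can also be set from the CLI with `/ppp profile set <name> on-up="..."`, but the nested quotes and `$` signs must then be escaped, which pasting into WinBox or WebFig avoids.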