Hello guys,
As I wrote recently, I’m using a VPN to connect remotely to my network/router in the name of better security. There is an OpenVPN server installed on a Linux server behind a MikroTik router. The base path to the server is generally hexS → hap ac^2 → Debian server with VPN. I was forwarding port 1154 to the local address of the server and everything worked well until I saw occasions of unknown IP addresses being forwarded to the server. So I was thinking about how to make this a bit more secure, and because adding specific IP addresses to an access list would limit the remote access, I came up with the idea of using port knocking to add the address to a list and then to dst-nat only addresses in the mentioned list.
The current configuration is as follows:
Filter rules
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=!WAN protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=add-src-to-address-list address-list=port:9001 address-list-timeout=1m chain=input comment="Port knocking A" dst-port=9005 protocol=tcp
add action=add-src-to-address-list address-list=secure address-list-timeout=1m chain=input comment="Port knocking B" dst-port=6000 protocol=tcp src-address-list=port:9001
NAT rules
/ip firewall nat
add action=src-nat chain=srcnat comment="SRC-NAT MainLink" out-interface=pppoe-out1 to-addresses=main_link_static_address
add action=src-nat chain=srcnat comment="SRC-NAT BackUp" out-interface=ether2-WAN2 to-addresses=backup_link_static_address
add action=dst-nat chain=dstnat comment="OpenVPN " disabled=yes dst-address=main_link_static_address dst-port=1194 in-interface-list=WAN log=yes protocol=udp src-address-list=secure to-addresses=linux_server_local_address
So far, so good. Everything seems to work and I have 1 minute to knock on the ports and make the connection through the VPN client. However, it of course only works if I disable the “drop all not coming from LAN” rule in the firewall, which is normal, but it somehow worries me. I guess there is no workaround for this, but would it be secure enough in the current situation? Could you please advise if there could be any improvement to this configuration? I’m also using src-nat instead of masquerade for a week or two now, and so far everything seems to work as intended with the main link and the failover. I have yet to sort out the problem with the connection to the router when it is on the backup link.
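Added example, not from the original post: the input chain with the two knock rules moved ahead of “defconf: drop all not coming from LAN”. RouterOS evaluates filter rules top to bottom, and add-src-to-address-list is a passthrough action, so in this order a knock from WAN is recorded and then still discarded by the catch-all drop, while every other unsolicited WAN packet is dropped as before. Rule and list names are the ones from the post; `in-interface-list=WAN` on the knock rules is an added restriction so LAN hosts cannot populate the lists.

```routeros
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=!WAN protocol=icmp
# Knock rules must sit above the catch-all drop, otherwise WAN packets never reach them.
# First knock: record the source for 1 minute in the intermediate list.
add action=add-src-to-address-list address-list=port:9001 address-list-timeout=1m \
    chain=input comment="Port knocking A" dst-port=9005 in-interface-list=WAN protocol=tcp
# Second knock: only sources already in the intermediate list are promoted to "secure".
add action=add-src-to-address-list address-list=secure address-list-timeout=1m \
    chain=input comment="Port knocking B" dst-port=6000 in-interface-list=WAN protocol=tcp \
    src-address-list=port:9001
# Catch-all stays enabled; the knock packets themselves are dropped here after being recorded.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
```

If the rules already exist, use `/ip firewall filter move` to place the two knock rules above the drop rule instead of re-adding them. The OpenVPN traffic itself is dst-natted to the server and therefore passes through the forward chain, never the input chain, so the input drop rule does not affect it.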