My firewall rules are designed to grant/deny access to the VPN users based on their statically assigned IP addresses. Example:
Address 10.11.12.101 is always assigned to username001.
Code:
/ppp secret add local-address=10.11.12.1 name=username001 password=abcabcabc profile=PROFILE_PPP_OPENVPN remote-address=10.11.12.101 service=ovpn
Lately I am concerned that after connecting a user can change (spoof) its IP address and basically make the firewall rules useless.
1. Do you know if this is actually possible? Are there any technical limitations that would prevent a client with a spoofed IP from sending/receiving traffic?
2. If this is possible how would you improve the security?
As you know, having firewall rules filtering based on dynamic interface names like <ovpn-username001> doesn't work. Maybe having PPP profile up/down scripts that add firewall rules based on dynamic interface names is one possible solution. Any other ideas?
Thank you in advance!
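As an added example (not part of the post above and not MikroTik's own configuration), here is one way to implement the up/down-script idea the poster mentions: bind each user's traffic to both the dynamic PPP interface and the address the secret assigned, so that packets arriving on that interface with any other source address are dropped before the static per-IP allow rules are evaluated. It assumes RouterOS 6.41 or later (for `interface-list=` on the PPP profile), the profile name `PROFILE_PPP_OPENVPN` from the post, and a hypothetical anchor rule in the forward chain tagged with the comment `ANCHOR-vpn-user-rules` that sits above the existing per-IP allow rules. `$interface`, `$user` and `$"remote-address"` are the variables RouterOS exposes to PPP profile on-up/on-down scripts; the `\$` escaping keeps them from being expanded when the profile is saved.

```routeros
# Assumption: a placeholder rule in the forward chain marks where the per-user
# anti-spoof rules should be inserted (above the static per-IP allow rules).
/ip firewall filter add chain=forward action=passthrough comment="ANCHOR-vpn-user-rules"

# Optional: let RouterOS add every PPP interface of this profile to an interface
# list, so generic VPN rules can match in-interface-list instead of a dynamic name.
/interface list add name=VPN_USERS
/ppp profile set PROFILE_PPP_OPENVPN interface-list=VPN_USERS

# Per-session binding: on connect, drop anything from this user's interface whose
# source is not the address assigned by the ppp secret; on disconnect, remove it.
/ppp profile set PROFILE_PPP_OPENVPN on-up="/ip firewall filter add chain=forward in-interface=\$interface src-address=!\$\"remote-address\" action=drop comment=\"antispoof-\$user\" place-before=[find chain=forward comment=\"ANCHOR-vpn-user-rules\"]"
/ppp profile set PROFILE_PPP_OPENVPN on-down="/ip firewall filter remove [find chain=forward comment=\"antispoof-\$user\"]"

# Generic rule that no longer depends on a dynamic interface name (constructed example).
/ip firewall filter add chain=forward in-interface-list=VPN_USERS dst-address=192.0.2.0/24 action=accept comment="vpn users to example subnet"
```

After a user connects, `/ip firewall filter print where comment~"antispoof"` should show one drop rule per active session with `in-interface=<ovpn-username001>` and `src-address=!10.11.12.101`; the rule disappears when the session ends. The drop rule only covers the forward chain, so add an equivalent line in the on-up script for the input chain if router-destined traffic is also filtered by source address.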