Looking for ideas: Limiting what VPN clients can access
I have an OpenVPN server running on my router (my router's Tomato firmware includes OpenVPN). When away, I connect my laptop via VPN and have access to my home LAN. All works well.
What I want to add now is to have my son's router act as a VPN client to my VPN server. That should be easy enough to set up (his router runs Tomato also, and that includes a VPN client). But I want his home LAN VPN'ed to my home LAN with very restricted access. Specifically, I want him to only be able to access the DLNA media server on one of my home computers.
I am looking for suggestions of how best to accomplish this.
I was thinking of using iptables (also included in my router's Tomato firmware). I could possibly use this to allow my laptop's MAC address, and ONLY my laptop's MAC address, full access to my home LAN, and block all other MAC addresses' access to my LAN except to the IP/port(s) of the DLNA media server. I'm not really worried about MAC spoofing, because before even hitting the firewall rules, you'd have to be successfully VPN'ed in already.
The reason why I'm wanting to limit access is to protect my home network from potential viruses and other malware that could exist on my son's LAN. He runs what security software I tell him to on his computer, so I feel he himself is pretty safe, but he does have friends that hook up their unknown laptops to his WiFi. I know, bad idea, but it's his house and his network.
I have considered and ruled out simply opening up my DLNA server to him using port forwarding. VPN is much more secure than port forwarding.
Does anyone have suggestions for better ways to implement the connection and security I'm after? Thanks in advance!
I'm not familiar with VPNs, but using iptables should permit this.
I also have minimal experience with forwarding (router) setup of iptables, but this should get you started.
Thanks for the reply Miati. I am now checking into the idea of not using the MAC address, but rather the VPN server that is used. The firmware on my router allows two different VPN servers, given interface names of "tun21" and "tun22". I can set up iptables rules based on which interface is used by the VPN client. I would use tun21 myself, and have full access to my LAN. And I would have my son (and any other VPN'ers I allow in the future) use tun22 which would have very restricted access. Anyway, I'm still deciding on the best path. But as of right now, I think I'm starting to like basing things on the interface used, not the MAC address.
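Matching on the ingress interface is the approach that actually works here: a routed tun interface carries IP packets with no Ethernet header, so an iptables `-m mac` rule on tun21/tun22 would never see the laptop's MAC anyway. The script below is an added example from a reader, not the original poster's router configuration. It assumes Tomato's bridged LAN interface is br0, that the media box sits at 192.168.1.50, and that TCP 32400 (Plex's default port) is the one socket the son needs; the chain name VPN_RESTRICTED and the 192.168.1.0/24 addressing are likewise assumptions to adjust for the real network.

```shell
#!/bin/sh
# Added example for this thread, not the original poster's router config.
# Gives the owner's OpenVPN instance (tun21) full LAN access and confines the
# second instance (tun22) to one TCP port on the media server, using the
# ingress interface as the distinguishing fact rather than a MAC address.
#
# Assumed values (override via environment or edit for the real router):
LAN_IF=${LAN_IF:-br0}                   # Tomato's bridged LAN interface
MEDIA_HOST=${MEDIA_HOST:-192.168.1.50}  # LAN address of the Plex/DLNA box (assumed)
MEDIA_PORT=${MEDIA_PORT:-32400}         # Plex's default TCP port (assumed sufficient)
TRUSTED_TUN=${TRUSTED_TUN:-tun21}       # VPN server instance the owner uses
RESTRICTED_TUN=${RESTRICTED_TUN:-tun22} # VPN server instance the son uses

# Emit the iptables commands as text so they can be reviewed before running.
# Every -I is preceded by a -D so the script is safe to re-run each time the
# firmware restarts the firewall (no duplicate rules accumulate).
# FORWARD rules are all inserted at position 1 in reverse order, so the final
# order is: trusted ACCEPT, restricted -> chain, restricted catch-all DROP,
# then replies back toward the restricted tunnel.
vpn_rules() {
  cat <<EOF
# Dedicated chain for traffic arriving on $RESTRICTED_TUN bound for the LAN
iptables -N VPN_RESTRICTED 2>/dev/null || iptables -F VPN_RESTRICTED
iptables -A VPN_RESTRICTED -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_RESTRICTED -d $MEDIA_HOST -p tcp --dport $MEDIA_PORT -m state --state NEW -j ACCEPT
iptables -A VPN_RESTRICTED -m limit --limit 5/min -j LOG --log-prefix "vpn-restricted drop: "
iptables -A VPN_RESTRICTED -j DROP
# Replies from the LAN back toward the restricted tunnel (already-open flows only)
iptables -D FORWARD -o $RESTRICTED_TUN -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
iptables -I FORWARD 1 -o $RESTRICTED_TUN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything else from the restricted tunnel (WAN, the other tunnel) is dropped
iptables -D FORWARD -i $RESTRICTED_TUN -j DROP 2>/dev/null
iptables -I FORWARD 1 -i $RESTRICTED_TUN -j DROP
# Restricted tunnel to LAN goes through the chain above
iptables -D FORWARD -i $RESTRICTED_TUN -o $LAN_IF -j VPN_RESTRICTED 2>/dev/null
iptables -I FORWARD 1 -i $RESTRICTED_TUN -o $LAN_IF -j VPN_RESTRICTED
# Owner's tunnel gets the whole LAN
iptables -D FORWARD -i $TRUSTED_TUN -o $LAN_IF -j ACCEPT 2>/dev/null
iptables -I FORWARD 1 -i $TRUSTED_TUN -o $LAN_IF -j ACCEPT
# INPUT: the router itself accepts no new connections from the restricted tunnel
iptables -D INPUT -i $RESTRICTED_TUN -m state --state NEW -j DROP 2>/dev/null
iptables -I INPUT 1 -i $RESTRICTED_TUN -m state --state NEW -j DROP
EOF
}

# Apply the rules on the router; elsewhere (or without root) just print them.
apply_vpn_rules() {
  if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    vpn_rules | sh
  else
    echo "# iptables unavailable or not root; dry run only" >&2
    vpn_rules
  fi
}

# Number of iptables command lines produced (comments excluded); a quick sanity check.
vpn_rule_count() {
  vpn_rules | grep -c '^iptables'
}

if [ "${1:-}" = "apply" ]; then apply_vpn_rules; fi
```

Run it as `sh vpn-rules.sh` to review the generated commands, or `sh vpn-rules.sh apply` on the router; in Tomato the natural home for it is the firewall script hook (Administration > Scripts > Firewall, if your build has it), so the rules come back after every firewall restart. Two caveats: DLNA discovery relies on SSDP multicast, which does not cross a routed tunnel, so the client on the far side has to be pointed at the server's address directly; and with the son's router as a site-to-site client the packets will carry his LAN's source addresses, which is exactly why matching on the tun interface rather than on source IPs keeps the rules independent of his addressing.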
Why not just forward the port for your media server? You can probably do that using native router functions.
Don't get me wrong, iptables is great, but if you only want him getting web or one service from your LAN, why not just set a port forwarding rule to handle it?
Quote:
Why not just forward the port for your media server? You can probably do that using native router functions.
Don't get me wrong, iptables is great, but if you only want him getting web or one service from your LAN, why not just set a port forwarding rule to handle it?
There are two reasons.
(1) I don't want just anybody to get to my media server. Port forwarding would allow that. I could use iptables to provide some protection however. But VPN provides a more secure way of managing external users. Also, see (2) below.
(2) The media server I use, Plex Media Server, will require authentication if accessed from outside your LAN. This is hard coded into it. This authentication has to come from external Plex servers (owned by the company, not me). They call this a "Plex Account". I don't like a middle-man providing my security. As a matter of fact, there was a significant flaw within the last year in what Plex was doing that allowed unauthorized access. The fix was an immediate upgrade to their software. This illustrates exactly what I am afraid of when turning over security to a 3rd party. Plex is a media company, not a security company. So it is almost predictable that they would fall flat on their face regarding security issues. With VPN I can put external users on my LAN, thus bypassing the need to get Plex, the 3rd party, involved in authentication. My authentication is "you have to be successfully VPN'ed in the first place, and it's not easy to VPN into somebody's system that doesn't want you." Using VPN takes Plex (the 3rd party) totally out of the authentication process.
Quote:
This is hard coded into it. This authentication has to come from external Plex servers (owned by the company, not me).
IMO, I don't like giving auth authority to external sources when controlling my own hardware!
Is there a reason you're using Plex? Seems like it's the weak-link. Perhaps use Network File System (NFS), Samba (CIFS), or good ol' SSH.
Samba would work best if anyone is using windows.
Since you're set up with coverage so that anyone trying to access would be in the LAN and would otherwise be restricted, NFS & Samba would work well (SSH sftp works well anywhere).
Media servers go far beyond simple file sharing mechanisms. That's why I use Plex. It's actually quite good, except for the security part. I imagine its security is at least as good as other products, which to me is not saying much. I prefer to control my own security. If kept up to date, I trust OpenVPN, OpenSSH, OpenSSL and ... well, I guess that's pretty much it. I do also use NoMachine NX, but that runs on top of SSH/SSL handling the security part of things.