Quick threat assessment

If I port forward from my ISP router to a virtual machine running OpenVPN with public/private key authentication - what threats am I exposing myself to?

Inbound traffic goes ISP modem -> router -> wifi extender -> VM host -> OpenVPN server

Thanks!

Hit 'em w/ a quick follow-up:

If I NAT my connection from the host comp running VirtualBox to the VM with OpenVPN, can I port forward from the host VM (say 192.168.1.x) to the NATed VM (10.10.10.x)?

Read Wednesday night https://www.virtualbox.org/manual/ch06.html

Looks like I have a nice small project to learn about virtual networking - cool!

You'd be pretty safe; they'd have to find some sort of exploit in OpenVPN to get in, which is unlikely to happen to a random home server. It might be worth installing fail2ban, if it can be configured to work with OpenVPN, to detect and block brute-force attacks.

I don't think it makes much of a difference if you have a single NAT or a second one on the VM host; all it will do is make it harder to access from your LAN. Having a firewall on the VM and the host machine would be more useful.


Thanks @Dexter_Kane! Always appreciate your insight!

What I was hoping to do by dropping it to a 10 subnet was to minimize the landscape where an attacker would have access. If someone did successfully get VPN access they'd only be on the 10 network and not my 192.

Too tinfoil?

No such thing.

Should make a thread about how you did all of it when completed!


It's a good idea to have it on a separate network, although if you want to access that network via the VPN it becomes more difficult. NAT by itself would still allow things behind the NAT to access things outside of it, but it depends how it's configured. You will probably still want a firewall.

If you can configure routes and firewall rules on the VM host, then you can have the OpenVPN server on a different network and route between the two networks with a firewall to restrict access to only what it needs. This would be a better way of doing it and doesn't require NAT and the headaches that can come with that. But I'm not sure how easy that will be to do.

Is that something VirtualBox is capable of handling, or is that something an actual hypervisor would be better at? Or is Linux (the host machine) capable of setting routes?

Any suggestions on software for an infrastructure like this?

I guess I'm not as savvy with virtual networking as I need to be for this one.

No idea, to be honest. I'd say you'd be able to do it fairly easily in Linux; not sure what networking in VirtualBox is like. On my network I use pfSense to route and firewall between the different networks, but there's no reason it couldn't be done with software on the host machine.
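The "route between the two networks with a firewall on the host" approach from the two replies above, written out as an added example (this is not code from anyone in the thread). It is a POSIX shell script for the Linux VirtualBox host that generates an nftables ruleset: the OpenVPN VM sits alone on a VirtualBox host-only network, the host forwards between that network and the LAN with a default-drop forward policy, and VPN clients may only reach an explicit list of LAN services. Everything concrete is an assumption for illustration: the host's LAN NIC is `eth0` at 192.168.1.10, the host-only network is `vboxnet0` (10.10.10.0/24) with the VPN VM at 10.10.10.2, OpenVPN listens on UDP 1194 and hands clients 10.8.0.0/24, and the permitted services are in `ALLOWED`. Two bits of NAT remain because a home router usually cannot be given a route to 10.10.10.0/24: the single inbound VPN port is DNATed from the host to the VM, and traffic from the VM side to the Internet is masqueraded. Traffic from the VM side to LAN hosts is plain routing, so each LAN host it may reach needs a return route for 10.10.10.0/24 and 10.8.0.0/24 via 192.168.1.10 (or you masquerade that too and accept the NAT the reply prefers to avoid).

```shell
#!/bin/sh
# Added example, not from the thread. Generates an nftables ruleset for a Linux
# VirtualBox host that firewalls between the OpenVPN VM's network and the LAN.
# All names, addresses and ports are assumptions; override via environment.

LAN_IF="${LAN_IF:-eth0}"                  # host NIC on the home LAN
VM_IF="${VM_IF:-vboxnet0}"                # VirtualBox host-only network
HOST_LAN_IP="${HOST_LAN_IP:-192.168.1.10}" # address the ISP router forwards to
VPN_VM_IP="${VPN_VM_IP:-10.10.10.2}"      # OpenVPN server VM
VPN_PORT="${VPN_PORT:-1194}"              # OpenVPN listening port (UDP)
VM_NET="${VM_NET:-10.10.10.0/24}"         # VM-only network
TUN_NET="${TUN_NET:-10.8.0.0/24}"         # subnet OpenVPN assigns to clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # home LAN
# LAN services the VM side (VM + VPN clients) may reach: "ip:proto:port"
ALLOWED="${ALLOWED:-192.168.1.1:udp:53 192.168.1.20:tcp:22}"

# One-off host preparation: enable forwarding and route the client subnet to
# the VM. Printed rather than executed so this script needs no privileges.
vpn_host_prep() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "ip route add $TUN_NET via $VPN_VM_IP dev $VM_IF"
}

# Emit the nftables ruleset. Apply with:  vpn_ruleset | sudo nft -f -
# Syntax-check first with:              vpn_ruleset | sudo nft -c -f -
vpn_ruleset() {
  cat <<EOF
flush ruleset
table inet vpnhost {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    # manage the host itself from the LAN only
    iif "$LAN_IF" ip saddr $LAN_NET tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Internet -> OpenVPN VM: only the forwarded VPN port
    iif "$LAN_IF" oif "$VM_IF" ip daddr $VPN_VM_IP udp dport $VPN_PORT accept
EOF
  for entry in $ALLOWED; do
    host=${entry%%:*}; rest=${entry#*:}; proto=${rest%%:*}; port=${rest#*:}
    echo "    # VM side -> permitted LAN service"
    echo "    iif \"$VM_IF\" oif \"$LAN_IF\" ip saddr { $VM_NET, $TUN_NET } ip daddr $host $proto dport $port accept"
  done
  cat <<EOF
    # any other VM-side traffic aimed at the LAN is dropped (and counted)
    iif "$VM_IF" oif "$LAN_IF" ip daddr $LAN_NET counter drop
    # VM side -> Internet via the router (updates, client web traffic)
    iif "$VM_IF" oif "$LAN_IF" ip saddr { $VM_NET, $TUN_NET } accept
  }
  chain prerouting {
    type nat hook prerouting priority -100;
    # the ISP router forwards UDP $VPN_PORT to the host; hand it to the VM
    iif "$LAN_IF" ip daddr $HOST_LAN_IP udp dport $VPN_PORT dnat ip to $VPN_VM_IP
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    # masquerade only Internet-bound traffic; LAN-bound traffic stays routed
    oif "$LAN_IF" ip saddr { $VM_NET, $TUN_NET } ip daddr != $LAN_NET masquerade
  }
}
EOF
}

# Count how many LAN services are exposed to the VM side, as a quick review aid.
vpn_allowed_count() {
  set -- $ALLOWED
  echo "$#"
}

# Usage: sh vpnhost.sh   (prints the prep commands, then the ruleset)
vpn_host_prep
vpn_ruleset
```

Review the generated ruleset before applying it: the `forward` chain should have `policy drop`, the only rule from the LAN side into the VM network should be the VPN port to the VM, and every LAN service reachable from the VM side should be listed explicitly. If the VPN clients need nothing on the LAN at all, set `ALLOWED` to just the router's DNS entry and the VM network becomes a dead end for anyone who gets a VPN session.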