On 20.10.23 05:31, Bo Berglund wrote:
> Does this mean that when the client tries to access the server side gateway device (router) he will not be blocked but all other addresses will? The gateway is on the LAN and it gets traffic from the tunnel, but does it mean that its address is also open
The traffic flows through that server-side default router because its immediate neighbors know about it, usually including its *IP* (layer 3 address), and rewrite packets to be addressed to its *MAC* (layer 2 address) for the next hop. Remote endpoints do *not* need to be able to know its IP or talk to it for that.
However, there's a legit need for the endpoints being able to *receive* packets from the router IP (Path MTU Detection and other ICMPain), and anyone trying to analyze a network problem might easily want to *send* to it, too ("hey, that hop in the traceroute output looks weird, lemme ping it quick-like!"). Hence, "Internet links" usually use (globally routable) *public* IPs for transfer nets, and allow the routers to reply to probes to *some* extent.
> for direct access like for the config page of the router?
Yeah, well, you want to block access to the router's *admin interfaces*, of course. Preferably with belt (client IP whitelist on the router), suspenders (having iptables filter out attempts through the VPN), *and* superglue (strong authentication mechanisms).
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
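The "suspenders" layer mentioned in the reply above, as an added example that is not part of the thread: a small POSIX shell script that builds the iptables FORWARD rules on the OpenVPN server so that VPN clients can still exchange ICMP with the server-side gateway (Path MTU discovery, ping during troubleshooting) but cannot reach the gateway's admin ports through the tunnel. The interface name `tun0`, the VPN client net `10.8.0.0/24`, the gateway address `192.168.1.1` and the admin ports `22,80,443` are assumed placeholders; the script prints the rules by default and only applies them when `DRY_RUN=0`, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): generate/apply iptables rules
# that keep the server-side gateway's admin interfaces unreachable from the VPN.
# All values below are assumptions; adjust them to the actual deployment.
TUN_IF="${TUN_IF:-tun0}"               # OpenVPN tunnel interface (assumed)
VPN_NET="${VPN_NET:-10.8.0.0/24}"      # VPN client address pool (assumed)
GW_IP="${GW_IP:-192.168.1.1}"          # LAN default gateway / router (assumed)
ADMIN_PORTS="${ADMIN_PORTS:-22,80,443}" # router admin ports: ssh, http, https (assumed)

# admin_block_rules prints one iptables command per line instead of running
# them, so the rule set can be inspected or tested without privileges.
admin_block_rules() {
    # 1. ICMP to/from the gateway stays open: PMTU discovery and ping must work.
    echo "iptables -A FORWARD -i $TUN_IF -s $VPN_NET -d $GW_IP -p icmp -j ACCEPT"
    echo "iptables -A FORWARD -o $TUN_IF -s $GW_IP -d $VPN_NET -p icmp -j ACCEPT"
    # 2. Log, then drop, tunnel traffic aimed at the gateway's admin ports.
    #    Logging first gives the SOC a record of probes without exposing the service.
    echo "iptables -A FORWARD -i $TUN_IF -s $VPN_NET -d $GW_IP -p tcp -m multiport --dports $ADMIN_PORTS -j LOG --log-prefix \"vpn-admin-probe: \""
    echo "iptables -A FORWARD -i $TUN_IF -s $VPN_NET -d $GW_IP -p tcp -m multiport --dports $ADMIN_PORTS -j DROP"
}

# rule_count returns how many rules the generator emits (handy for checks).
rule_count() {
    admin_block_rules | wc -l | tr -d ' '
}

# apply_rules executes the generated commands; needs root and a live $TUN_IF.
apply_rules() {
    admin_block_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Default is a dry run that only prints the rules; DRY_RUN=0 applies them.
if [ "${DRY_RUN:-1}" = "1" ]; then
    admin_block_rules
else
    apply_rules
fi
```

The same pair of LOG/DROP rules belongs in the INPUT chain as well if the OpenVPN server itself exposes management services, and the client-IP allow-list on the router (the "belt") should be configured independently so that a misordered iptables rule does not silently reopen the admin page.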