How to set up a simple routed VPN - So, is this secure?


VPN networks are designed to be very secure, but only if they are set up properly. One detail that might go unnoticed is that if you, or any client of the VPN, share your Internet connection with other people, you leave the door open to intruders. In that case the intruder does not even need VPN keys or anything of the sort, nor any time spent looking for security holes: their traffic is simply forwarded through the sharing machine into the VPN. The following schema illustrates the situation and shows how an otherwise very well secured VPN network can be compromised.


Of course there are some precautionary measures one can take when setting up an ad hoc network, or when sharing one's connection with other people in any other way, to mitigate the risk. You can use iptables to create a firewall that isolates the VPN from the other networks. In what follows, assume that you are a VPN client with VPN IP address 10.8.0.10, which means that the VPN network uses addresses of the form 10.8.0.X. Assume also that you are sharing your Internet connection through an ad hoc network on the interface wlan0, with addresses of the form 10.42.43.X. Then you need to do the following:

  1. Block ANY packet forwarding from any interface and any IP address to the VPN network. This is quite simple to do with iptables, and it prevents clients of the ad hoc network from reaching any VPN node or the VPN server.
  2. Block all INBOUND traffic from the ad hoc network to your VPN address. This prevents clients of the ad hoc network from reaching your machine through its VPN IP address, i.e. 10.8.0.10.
  3. Block all OUTBOUND traffic to the VPN network whose source address belongs to the ad hoc network. This is most probably redundant, since such traffic is forwarded through you rather than generated locally, but it costs nothing to add.

Here is the code you should run:

# Step 1: FORWARDing into the OpenTox VPN is prohibited (from any
# interface and from any source). Match the whole 10.8.0.0/24 network,
# not only the server address 10.8.0.1, otherwise the other VPN nodes
# would remain reachable from the ad hoc network.
sudo iptables -A FORWARD -d 10.8.0.0/24 -j DROP

# Step 2: block INPUT traffic from the ad hoc network to your VPN address.
# The rule is restricted to wlan0: without "-i wlan0" it would also drop
# the legitimate VPN traffic arriving on the tunnel interface.
sudo iptables -A INPUT -i wlan0 -d 10.8.0.0/24 -j DROP

# Step 3: the OUTBOUND traffic is actually FORWARDed, but just in case,
# use the following:
sudo iptables -A OUTPUT -s 10.42.43.0/24 -d 10.8.0.0/24 -j DROP

Ask your friend(s) for their MAC addresses so that no other machine is allowed to connect to your network. Of course there is MAC address spoofing (people will often change their MAC to gain access to a network), but let's at least not make it easy for a primary school child to break in:


YOUR_FRIENDS_MAC=00:1A:88:74:15:6B
# Drop anything arriving on wlan0 that does not come from that MAC,
# both for traffic addressed to this machine and for traffic to be forwarded.
sudo iptables -A FORWARD -m mac ! --mac-source $YOUR_FRIENDS_MAC -i wlan0 -j DROP
sudo iptables -A INPUT -m mac ! --mac-source $YOUR_FRIENDS_MAC -i wlan0 -j DROP
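The three isolation steps and the MAC filter above, gathered into one script as an added example (not code from the original post): it renders the rules as an iptables-restore fragment so the complete set can be reviewed before loading, and it generalises the single-MAC rule to a whitelist of several friends via a dedicated chain. The networks and interface are the post's; the MAC addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Render the VPN isolation rules
# as an iptables-restore fragment. Networks and interface follow the post;
# the MAC addresses used in the usage line are constructed.
VPN_NET="10.8.0.0/24"      # the VPN, where this host is 10.8.0.10
ADHOC_NET="10.42.43.0/24"  # the shared ad hoc network
ADHOC_IF="wlan0"           # interface the ad hoc network hangs off

# Accept only colon-separated 48-bit MACs, so a typo is caught here rather
# than making iptables-restore reject the whole fragment at load time.
valid_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the filter-table rules for a space-separated MAC whitelist.
# Whitelisted MACs RETURN from the ADHOC_MAC chain; every other frame
# arriving on the ad hoc interface is dropped, as in the post's MAC rule.
vpn_isolation_rules() {
    for mac in $1; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':ADHOC_MAC - [0:0]'
    for mac in $1; do
        printf '%s\n' "-A ADHOC_MAC -m mac --mac-source $mac -j RETURN"
    done
    printf '%s\n' '-A ADHOC_MAC -j DROP'
    printf '%s\n' "-A INPUT -i $ADHOC_IF -j ADHOC_MAC"
    printf '%s\n' "-A FORWARD -i $ADHOC_IF -j ADHOC_MAC"
    # Step 1: nothing is forwarded into the VPN, whatever the source.
    printf '%s\n' "-A FORWARD -d $VPN_NET -j DROP"
    # Step 2: ad hoc clients cannot reach this host's VPN address; the -i
    # match keeps legitimate tunnel traffic for 10.8.0.10 unaffected.
    printf '%s\n' "-A INPUT -i $ADHOC_IF -d $VPN_NET -j DROP"
    # Step 3: locally generated packets with an ad hoc source never enter the VPN.
    printf '%s\n' "-A OUTPUT -s $ADHOC_NET -d $VPN_NET -j DROP"
    printf '%s\n' 'COMMIT'
}

# Usage (as root): vpn_isolation_rules "00:1A:88:74:15:6B 00:1A:88:74:15:6C" | iptables-restore -n
```

Loading with `iptables-restore -n` appends to the existing filter table instead of flushing it, so rules your hotspot tool has already installed stay in place.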


Finally, use WPA2 security for your wireless network instead of WEP.