# Need to firewall an internal OpenVPN server



## Davsjo (Oct 23, 2012)

I've got an OpenVPN server on my internal network and a commercial firewall between the internal and external network. The firewall does NAT translation for udp port 1194 on the firewall to the internal vpn server, but doesn't allow any other traffic in. Should I be running a firewall on the vpn server as well or is that overdoing it? What's a good and safe setup in a case like this?

Thanks,
David


----------



## kpa (Oct 23, 2012)

No need for a firewall on the VPN server unless you want to do something that the commercial firewall cannot do, maybe limiting connection rates? OpenVPN on UDP transport doesn't need much extra protection though; it's very robust and not easy to attack with a denial-of-service attack.


----------



## gkontos (Oct 23, 2012)

It really depends on what you want to protect and from whom. If your VPN server is sitting in a different zone and both incoming and outgoing traffic are being filtered by the firewall, then a host-based firewall is pretty much useless.

But if your VPN server is inside your internal network, then it is not protected from your internal hosts. In that case a host-based firewall would make some sense.


----------



## mamalos (Oct 25, 2012)

Moreover, it depends on WHAT you wish to protect by setting up a firewall. If your OpenVPN server runs nothing other than the specific service, then you probably don't need to run a firewall anyway, since you don't have any other services you wish to "hide".


----------



## gkontos (Oct 25, 2012)

@Mamalos,

99% of the problems in corporate environments are caused by inside threats.


----------



## mamalos (Nov 13, 2012)

gkontos said:

> @Mamalos,
> 
> 99% of the problems in corporate environments are caused by inside threats.



gkontos,

sorry for the late answer, but I only now saw your reply. So, even if your numbers are true, what I wrote in my post was that if the only service Davsjo is running on this box is OpenVPN, then there is no serious need to "protect" it with a firewall, except, of course, if he doesn't want his localnet to use it.


----------



## _martin (Nov 13, 2012)

@gkontos made a very good point. The enemy within is the worst threat when it comes to security. Your VPN server might be a "devel" station with no confidential data, but it might be used as a hop to the "_real thing_", i.e. a point of entry to the network and production systems.


----------



## gkontos (Nov 13, 2012)

@mamalos,

I was referring to what matoatlantis just mentioned. I also believe that security devices should only be accessed by dedicated workstations, ideally in a different VLAN. I could keep going on regarding authentication, authorization and accounting. Those technologies are not so difficult to implement, even with open source software.


----------



## mamalos (Nov 14, 2012)

@gkontos,

I agree with everything you wrote. What I failed to communicate in my initial post was that many people think that by setting up a firewall their network security has been established. I have witnessed many times people believing that their public web server is safe just because they added a firewall rule allowing incoming access to port 80 and disallowing any other incoming connections, even though port 80 was the only open port anyway. Having that in mind, if somebody who is running only *publicly available* services that she wants everybody to have access to asked me if she needed a firewall on her box, then I wouldn't advise her that she really needs it.

Of course, in this specific case (where we're talking about a VPN machine that allows real IPs to connect to the local network), there is obviously no need for the localnet to access this service, so yes, I too would recommend setting up a firewall rule disallowing this traffic.


----------



## gkontos (Nov 14, 2012)

@mamalos,

The most disturbing part is that you see some system administrators having no knowledge at all of the different OSI layers. Their profile is mostly typical. No basic understanding of TCP/IP and in most cases they run Windows servers.

I had one of them trying to convince me that a UDP port was being blocked by the firewall because when he was using... `telnet <ip> <udp_port>` he could not get a response.

You often see them having a "paranoid" incoming filtering policy with no outbound filtering whatsoever.


----------
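The host-based ruleset the last few posts converge on, namely UDP 1194 reachable only through the external firewall's NAT and never from the LAN (mamalos), administration only from a dedicated management VLAN (gkontos), and an explicit outbound policy instead of none (gkontos), can be written as a pf ruleset on the OpenVPN host. This is an added example, not configuration posted by anyone in the thread; it assumes FreeBSD's pf, and every address, interface name and the VPN client pool below is a placeholder.

```pf
# Constructed example of /etc/pf.conf for an OpenVPN host inside the LAN.
# All addresses, interfaces and pools are placeholders; adjust to the site.
localnet = "192.0.2.0/24"       # internal LAN the server sits on (placeholder)
mgmt_net = "198.51.100.0/24"    # dedicated management VLAN (placeholder)
vpn_net  = "10.8.0.0/24"        # pool OpenVPN hands to clients (placeholder)
lan_if   = "em0"                # LAN-facing interface (placeholder)
tun_if   = "tun0"               # OpenVPN tunnel interface (placeholder)

set skip on lo0
set block-policy drop

# Default deny in both directions; everything below is an explicit exception.
block log all

# UDP 1194 is only ever reached through the external firewall's NAT, so a
# source address inside the LAN is never legitimate: drop it and log it.
# The quick block must come before the pass rule that allows remote clients.
block in log quick on $lan_if proto udp from $localnet to ($lan_if) port 1194
pass in quick on $lan_if proto udp from any to ($lan_if) port 1194 keep state

# Administration (SSH) only from the management VLAN, nothing from the LAN.
pass in quick on $lan_if proto tcp from $mgmt_net to ($lan_if) port 22 flags S/SA keep state

# Outbound: list what the host itself needs (DNS, NTP, package updates) and
# nothing else, so a compromised box cannot freely reach out.
pass out quick on $lan_if proto udp from ($lan_if) to any port { 53, 123 } keep state
pass out quick on $lan_if proto tcp from ($lan_if) to any port { 53, 80, 443 } flags S/SA keep state

# Tunnel traffic: VPN clients may reach the LAN; pf's default floating state
# lets the replies from the LAN back to $vpn_net match on either interface.
pass in quick on $tun_if from $vpn_net to $localnet keep state
pass out quick on $lan_if from $vpn_net to $localnet keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as parsed. Because the LAN block rule is logged, an internal host probing 1194 shows up on the pflog interface (`tcpdump -n -e -ttt -i pflog0`), which is the signal gkontos's "inside threat" argument is about.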



## mamalos (Nov 16, 2012)

gkontos said:

> ... `telnet <ip> <udp_port>` he could not get a response.
> 
> You often see them having a "paranoid" incoming filtering policy with no outbound filtering whatsoever.



I know exactly what you mean...


----------

