OpenVPN Port Forwarding Question

The only concern I have is keeping forwarded/exposed ports to an absolute minimum, and if one doesn't control both ends of the VPN tunnel, assume that it's the same as having the ports exposed on the public internet at large.

Be very careful here...
I have to agree with you.
I too find that these VPN servers already have too many ports open and don't think it's a wise idea to allow people to open up ports for remote desktop etc.
It would be cool if, when connected to a VPN server, the router would allow a back door so I can do a remote desktop from my buddy's place or wherever I am in the world. I know TeamViewer works but I like a full screen experience as in remote desktop.
But I know it's a security thing so I won't start because I understand perfectly how things work with those servers :)
This is why I was impressed that he forwarded ports via IP tables which in my mind was impossible. But I then realized I was stuck on the notion of being able to remote desktop to my PC while I was connected to a VPN server and I let my imagination go.
At the end of the day it was a VPN server setup at home :(
In my perfect world I would have routers do things the way I want them to and it would not be via scripting or even a GUI,
I would want to speak to my router and it will do what I tell it to do or out in the alley it would go.
LOL
 
One of the other risks of port forwarding into a tunnel, if one is concerned about privacy, is that it may cause a situation where your primary/public IP can get disclosed - esp. if you get hair-pinned in the tunnel endpoints (local or remote). Doesn't happen all the time, but a DNS entry for the primary can do this..

Just as an FYI..
 
yorgi, in the weeks of research I was doing, I did come across one paid VPN service that allows you to log in and set certain ports to be forwarded. AirVPN https://airvpn.org/
Thanks Tydyn, but like sfx2000 says, it's too risky to be opening ports when on a VPN tunnel that is a paid service.
I like the notion of connecting to a VPN server and being able to use my remote desktop but I know it's not a good idea,
but thanks for the link :)
In your case you have your own VPN and want to secure yourself by opening up some ports for your laptop when not at home.
I would still think it's risky because if you are in a cafe and there is some kid hacking everyone, you may be at risk as well.
 
If you see something like this, you know you're in trouble ;)

[Attached image: 4_1024x1024.jpg]


Folks have gotten pretty clever about hiding these - the board can be fit into an external HD box, external battery case, or even inside a DVD bay inside a laptop...

And one doesn't need a pineapple - Kali on a laptop, using the onboard wifi and an external USB nic is more than enough - and it's pretty easy to do a MitM attack against OVPN ;)

I've done it against my own OVPN server as one of my test cases... I'm not going into how it was done, as it's not appropriate to the forum.
 
This is why I never go on any public internet access. I use my phone to give internet to my Surface when I need it. Safer that way. I see all kinds of people in cafes, doing away with their business, when in fact they should really be concerned because it doesn't take much to hack someone, even if they are on a Mac lol. That is the biggest joke: people who say that they have no concerns about getting hacked or getting a virus because they are on a Mac,
since Windows has become a bulletproof system which even hackers themselves admit they would rather hack an Android phone or a Mac than try a Windows PC, but no one is safe with Wi-Fi and this pineapple box proves it :P
I use my VPN to download and so far no issues, but the fact that all those ports are open on a server and someone in the tunnel can have good enough tools to hack my box makes me reconsider everything. Although PIA claims everyone in their tunnel is secure from others who try to attack one's PC, I don't honestly believe them, and reading their terms and conditions one has to really wonder.
 
I'm not trying to scare people - please understand that.

VPN, of any kind, is a very useful tool to have - I think where most folks get things wrong is that there is no real privacy in a VPN, and it does depend on trust -

By owning/controlling both ends, I know I can trust my private VPN, and I can trust my employer's VPN, as again, both ends are known (they own the laptop config and the remote end).

Public VPN providers - one is just shifting an endpoint from being at the coffee shop or whatever, to the Provider's point of presence, after that, it's back on the internet - so it's not guaranteeing privacy so much, but that tunnel is fairly secure if you're on an Open WiFi network for example - again, the coffee shop or hotel...
 
I have to agree with private VPNs being more secure and trusted.
And if one is on Wi-Fi in a cafe, any VPN is better than nothing :)
And private VPNs are good for leeches who download movies and MP3s; at least they get their ISPs off their back, and I really doubt that any movie or music company is going to spend millions of dollars to go after an entire VPN company just to get one guy who downloaded the latest Madonna tune hahaha :P
So for now I think VPN paid services have their place but not sure for how long.
And the 3 letter agency really doesn't care for these matters. I think they have way more pressing issues to worry about :)
 
And if one is on Wi-Fi in a cafe, any VPN is better than nothing :)

Yes indeed... and it's really simple to set one up that goes back to the home network these days...

Just treat that VPN connection with respect - one wouldn't pull down the firewall on one's WAN side connection at home, so treat that VPN connection the same way.

Just be careful - all I ask...

 
If you are on public Wi-Fi using a Win 10 laptop with Avast antivirus and the Windows built-in firewall, using a paid VPN server is a safe move.
A safer move would be all of the above with the exception of having a VPN server at home where you know you fully secured it :)
 