unorthodox OpenVPN setup - advice please

domuhe

New Around Here
Advice would be appreciated on an unorthodox (I think) openvpn setup!

We have an unorthodox network layout here: The office LAN has a public address range (e.g. 14.9.2.0/24) and although the office LAN is firewalled to the outside there is no NAT. We also have an instrument LAN with a private address subnet (10.0.0.0/24). Also, I have no control of the external router as we are tenants in the building.
Still, I would like to set up an OpenVPN for 3 types of users
1) staff; full tunnel, full access to office LAN and instruments on instrument LAN
2) developers; split tunnel, access to instruments on instrument LAN
3) guests; split tunnel, access to certain FileServers on office LAN
Code:
    14.9.3.1
external router
   (x)                    14.9.2.10
    | 14.9.2.1            FileServer
    |                       |               office LAN 14.9.2.0/24
------------------------------------------------------------------
         |                               |
         |                               |  14.9.2.7
14.9.2.6 |          | VPNclient         (x) Instrument
VPN    (x)---------| LAN2               |  router
router  |          | 10.2.0.0/24        | 
         |                             --------------
  ----------------                      Instrument LAN
  VPNclient LAN1                         10.0.0.0/24
  10.1.0.0/24

So I can't configure anything on the external router, but I'm thinking I can achieve this by configuring the VPNrouter (RT-AC87U) for TUN and:
for 1) enable forwarding and NAT for VPN clients on 10.1.0.0/24
for 2) enable forwarding for 10.2.0.0/25 and add static route on instrument router and file servers pointing to the VPN router
for 3) enable forwarding for 10.2.0.128/25 and add static route on relevant file servers pointing to the VPN router


So, is there anything wrong with this setup (is it secure)? And am I right in thinking that even if clients ignore the split tunnel, they could not force a full tunnel, as their VPNclient LAN is not NATed at the VPN router and therefore the external router should drop any packets going out, even if they guess and set a default gw?

Cheers!
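To make the three-tier policy in the post concrete, here is an added example (not the poster's configuration and not Asuswrt's own scripts): a small POSIX sh script that emits the iptables rules and the per-client OpenVPN ccd entries for the layout drawn above, so they can be reviewed before being applied on the VPN router. Everything the diagram does not state is an assumption: the WAN-side interface is eth0 (14.9.2.6), the staff OpenVPN instance is tun21, the developer/guest instance is tun22 and runs with "topology subnet" and "client-config-dir ccd", and guests may reach the whole file server rather than specific ports.

```shell
#!/bin/sh
# Added example, not code from the thread: the VPN-router policy the original
# post describes (NAT only for staff, plain forwarding with per-subnet scope for
# developers and guests), emitted as iptables/OpenVPN text for review.
# Assumptions not in the original: WAN-side interface is eth0 (14.9.2.6), the
# staff OpenVPN instance is tun21, the developer/guest instance is tun22 and is
# configured with "topology subnet" and "client-config-dir ccd".
WAN_IF=eth0
STAFF_IF=tun21;   STAFF_NET=10.1.0.0/24
DEVGST_IF=tun22;  DEV_NET=10.2.0.0/25; GUEST_NET=10.2.0.128/25
INSTR_NET=10.0.0.0/24
FILESERVER=14.9.2.10

# Forwarding policy for traffic arriving from either tunnel. Anything not
# explicitly allowed is dropped on the VPN router itself, so a split-tunnel
# client that sets its own default gateway does not depend on the external
# router discarding un-NATed 10.x packets.
gen_forward_rules() {
    cat <<EOF
iptables -N VPNFWD
iptables -A VPNFWD -s $STAFF_NET -j ACCEPT
iptables -A VPNFWD -s $DEV_NET -d $INSTR_NET -j ACCEPT
iptables -A VPNFWD -s $GUEST_NET -d $FILESERVER -j ACCEPT
iptables -A VPNFWD -j DROP
iptables -I FORWARD -i $STAFF_IF -j VPNFWD
iptables -I FORWARD -i $DEVGST_IF -j VPNFWD
iptables -I FORWARD -o $STAFF_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -o $DEVGST_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Only the staff pool is masqueraded behind 14.9.2.6. Developer and guest
# packets keep their 10.2.x source address, which is why the instrument router
# and the file server need a static route for 10.2.0.0/24 via the VPN router.
gen_nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $STAFF_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Per-client OpenVPN config (ccd/<common-name>) for the dev/guest instance.
# The firewall keys on the two /25 halves, so handing a client an address from
# the wrong half would silently change what it may reach; refuse that here.
fourth_octet() { echo "${1##*.}"; }
gen_ccd() {  # $1 role (developer|guest), $2 tunnel address for the client
    case "$2" in 10.2.0.*) ;; *) return 1 ;; esac
    case "$1" in
    developer)
        [ "$(fourth_octet "$2")" -lt 128 ] || return 1
        echo "ifconfig-push $2 255.255.255.0"
        echo 'push "route 10.0.0.0 255.255.255.0"' ;;
    guest)
        [ "$(fourth_octet "$2")" -ge 128 ] || return 1
        echo "ifconfig-push $2 255.255.255.0"
        echo "push \"route $FILESERVER 255.255.255.255\"" ;;
    *) return 1 ;;
    esac
}

gen_all() { gen_forward_rules; gen_nat_rules; }

# Usage: ./vpn-policy.sh        -> print the rules for review
#        ./vpn-policy.sh apply  -> run them (as root on the router)
if [ "${1:-}" = apply ]; then gen_all | sh; else gen_all; fi
```

The staff instance is the only one that pushes "redirect-gateway def1"; the dev/guest instance pushes nothing globally and relies on the ccd entries for the split routes. The final DROP in VPNFWD is the piece worth keeping even if the rest is adapted: it answers the "what if a client guesses the default gateway" question on the VPN router rather than trusting the site's external router to drop packets with a private source.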
 
Your file server is not secure in the least. The other nodes are questionable too, imo.

Why is this setup like this (underlying reasons)? Why not have everything behind a NAT and firewall?
 
When you say the file server is not secure in the least, do you mean if we introduce the openvpn? If you mean now, I don't understand. The firewall on the external router blocks all incoming traffic to the office LAN.
We are tenants on site and have to use the network access as given to us by the site. The external router and network switches that our wall ports are patched into are out of my jurisdiction.
 
It seems to have a public IP address? That is not secure. (14.9.2.10).

Even if it is behind a firewall/NAT, still seems like a bad way to setup a fileserver to me.
 
Having a public IP address is not a security problem as such. This is what a firewall is for. The purpose of NAT is to represent an unregistered private IP address range with a single registered public IP address to save precious limited public IP address space. NATed private IP addresses without a firewall would be just as visible as public ones. Having said that, I think it is still a pain in the neck that our office LAN has a public IP range because all consumer appliances default to a private IP range setup. If it wasn't that the site was lucky enough to have been allocated a large chunk of public IP addresses in the dim past we wouldn't be in the situation.
 
Of course it's a problem.

Just knowing that a fileserver is behind that address is enough for some.

Firewalls are made to be breached, not respected (by hackers). ;)
 
