lee <l...@yagibdah.de> wrote:

> <waben...@gmail.com> writes:
> 
> > lee <l...@yagibdah.de> wrote:
> >
> >> Rich Freeman <ri...@gentoo.org> writes:
> >> 
> >> > On Sun, Jan 17, 2016 at 6:38 AM, lee <l...@yagibdah.de> wrote:
> >> >> Suppose you use a VPN connection.  How does the client
> >> >> (employee) secure their own network and the machine they're
> >> >> using to work remotely then?
> >> >
> >> > Poorly, most likely.  Your data is probably not nearly as
> >> > important to them as their data is, and most people don't take
> >> > great care of their own data.
> >> 
> >> That's not what I meant to ask.  Assume you are an employee
> >> supposed to work from home through a VPN connection:  How do you
> >> protect your LAN?
> >
> > Depends on the VPN connection. If you use an OpenVPN client on your
> > PC then it is sufficient to use a well configured firewall (ufw,
> > iptables or whatever) on this PC.
> 
> The PC would be connected to the LAN, even if only to have an internet
> connection for the VPN.  I can only guess: Wouldn't that require to
> put this PC behind a firewall that separates it from the LAN to
> protect the LAN?

Of course a separate firewall is better than a firewall on the PC, 
because it may protect the LAN even when the PC is compromised. But 
if the PC is compromised and has access to the LAN through the 
separate firewall (which is mostly the case) then the protection is 
more or less porous (depending on the firewall rules).

If you don't have a separate firewall but only a firewall on the (not 
compromised) PC, then the LAN should be safe as long as you haven't
enabled IP forwarding on the PC and as long as the VPN is 
configured in a way that there is only a route to your PC and not
to the rest of your LAN. 

Even if you have enabled IP forwarding on the PC and even if the VPN 
has a route to the whole LAN, the LAN should nevertheless be safe 
when the firewall on the PC is configured to block all incoming 
connections. 

Of course the blocking of all incoming connections implies that the 
PC is acting as a client only.

> > If you use a VPN gateway then you could 
> > configure this gateway (or a firewall behind) in a way that it
> > blocks incoming connections from the VPN tunnel. 
> 
> Hm.  I'd prefer to avoid having to run another machine as such a
> firewall because electricity is way too expensive here.  And I don't
> know if the gateway could be configured in such a way.

All VPN gateways that I know also have a built-in firewall. If your
gateway hasn't, then you should ask yourself what is more expensive -
a separate firewall or a hacked LAN?
But in this case I would prefer to use the PC as OpenVPN client.

> > IMHO there is no more risk to use a VPN connection than with any
> > other Internet connection.
> 
> But it's a double connection, one to the internet, and another one to
> another network, so you'd have to somehow manage to set up some sort
> of double protection. 

See above.

> Setting up a VPN alone is more than difficult enough already.

This depends on the VPN that you (have to) use. If you set up the VPN 
on both sides then you probably can choose what kind of VPN you wanna 
use.

OpenVPN isn't really difficult to set up. If you don't wanna use PSK
but X509 authorization, then the most complicated thing is the creation
of the certs. But with the help of Google (or DuckDuckGo), this is 
quickly done. There is lots of information about setting up an OpenVPN 
connection.

--
Regards
wabe 
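
The "client only" setup described in the reply above (block all incoming connections on the VPN interface, no forwarding between VPN and LAN, IP forwarding off), as an added example that is not part of the original mail. It assumes iptables, a tunnel interface named tun0, and prints the rules rather than applying them so it can be reviewed first:

```shell
#!/bin/sh
# Added example (not from the thread): firewall for a PC that only runs an
# OpenVPN *client*. Assumed interface name: tun0 = VPN tunnel.
# The rules are printed, not applied; pipe the output into `sh` as root.

VPN_IF="${VPN_IF:-tun0}"

# Default-deny on INPUT and FORWARD; the PC only ever initiates connections,
# so replies (ESTABLISHED,RELATED) are the only inbound traffic allowed.
# The explicit drop on the tunnel interface documents the intent even if
# someone later opens a port on INPUT for the LAN side.
client_only_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $VPN_IF -j DROP
EOF
}

# Returns 0 when IP forwarding is off. The value can be passed explicitly
# (e.g. "$(sysctl -n net.ipv4.ip_forward)"); otherwise it is read from
# /proc, and an unreadable knob (sandbox, container) is treated as "off".
ip_forward_disabled() {
    v="${1:-$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)}"
    [ "$v" = "0" ]
}

# Audit helper: given the output of `iptables -S`, confirm that both the
# INPUT and FORWARD chains really default to DROP. Returns 0 if so.
policies_are_drop() {
    printf '%s\n' "$1" | grep -q '^-P INPUT DROP$' &&
    printf '%s\n' "$1" | grep -q '^-P FORWARD DROP$'
}
```

Run `policies_are_drop "$(iptables -S)"` and `ip_forward_disabled` after applying the rules to confirm the LAN-protecting properties the reply relies on actually hold on the box.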
