OpenVPN / Firewall Question


metropdx
12-11-2007, 10:12 AM
First, let me state that I have only been using Untangle for about a week; and so far everything works and works well. Thanks to all of those who put this project together.

However, being new to VPN I have a few questions about OpenVPN. I have it all set up and working; but to access resources on my LAN from remote I needed to allow all traffic from the 172.16.16.0 range assigned by the VPN (as I had read in other posts). I chose the allow all approach rather than opening individual ports for all the various services that MS networking and other services require.

This leaves me with a major concern: If someone on a remote network who is set up on an identical subnet attempts to access any of those ports/services on my network, will the firewall allow the traffic to pass?
I understand the 172.x subnets are not routable; but if someone is using a sophisticated scanner (say, one that allows them to set the scanning machine’s IP to whatever) or if the scans are perceived by my Untangle as coming from the 172.x subnet instead of a public IP, will the firewall allow the traffic?

I know that with some time and testing I could figure the answer out on my own. I was just wondering if anyone out there with some experience in this could give me a quick answer.

Thanks in advance for any advice.

richie
12-11-2007, 10:39 AM
Hi metropdx.
Certificates are enforced. Without the OpenVPN key, a connection will not be made no matter what virtual IP you may be using.

metropdx
12-11-2007, 11:41 AM
Thanks for the reply Richie. I re-read my question after your reply and realized that my question is actually less about the VPN and more about the firewall.

So, just to clarify: If the firewall allows traffic from 172.16.16.x, would someone with that IP (whether they are behind a routable IP or not) be able to access my LAN?

Sorry for my lack of knowledge on this subject; and again I appreciate the assistance. I have researched this via Google and have not found a conclusive answer.

mdh
12-11-2007, 11:44 AM
That address range is not routable, so it will only function behind your firewall. The same goes for the 10.x and 192.168.x worlds.

mrunkel
11-19-2008, 06:07 PM
Well, first off, the Untangle wouldn't let those packets in from the external interface.

Secondly, the attacker would need to inject routes for 172.16.x.x into the entire Internet in order for those packets to get back to him.

Both of these are obstacles that are pretty significant, so this makes this attack vector very unappealing.

It's probably easier to drop by your office and plug in a laptop and just act like he belongs there.

To sum up, anything is possible, most things just aren't very likely.
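The distinction the thread turns on, a source-only "allow 172.16.16.0/24" rule versus one that also requires the packet to have arrived on the VPN interface, can be shown with a small rule evaluator. This is an added example, not code from the thread or from Untangle; the interface names (tun0 for the VPN, eth0 for the external side), the LAN range 192.168.1.0/24 and the sample packets are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# The VPN address pool from the thread; the LAN range is an assumption.
VPN_NET = ipaddress.ip_network("172.16.16.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# RFC 1918 ranges spelled out explicitly (the thread's "not routable" 10.x / 172.16.x / 192.168.x).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

VPN_IFACE = "tun0"   # assumed name of the OpenVPN tunnel interface
WAN_IFACE = "eth0"   # assumed name of the external (Internet-facing) interface


@dataclass(frozen=True)
class Packet:
    src: str       # source IP as text
    dst: str       # destination IP as text
    in_iface: str  # interface the packet arrived on


def in_any(addr, nets):
    return any(addr in net for net in nets)


def rule_source_only(pkt):
    """The 'allow all from 172.16.16.0/24' rule as described in the thread: matches on source only."""
    return ipaddress.ip_address(pkt.src) in VPN_NET


def rule_interface_bound(pkt):
    """Hardened form: the VPN range is accepted only when the packet really came in over the tunnel."""
    return pkt.in_iface == VPN_IFACE and ipaddress.ip_address(pkt.src) in VPN_NET


def spoofed_private_on_wan(pkt):
    """Anti-spoofing check: a private source address has no business arriving on the external interface."""
    return pkt.in_iface == WAN_IFACE and in_any(ipaddress.ip_address(pkt.src), RFC1918)


def evaluate(pkt, policy):
    """First-match-wins evaluation of an ordered rule list, with a default deny at the end."""
    for name, predicate, verdict in policy:
        if predicate(pkt):
            return verdict, name
    return "DROP", "default-deny"


# The rule set implied by the original question: source address only.
WEAK_POLICY = [
    ("allow-vpn-range", rule_source_only, "ACCEPT"),
]

# The rule set that reflects the answers: reject spoofed private sources on the WAN side,
# and only trust the VPN range on the VPN interface.
HARDENED_POLICY = [
    ("drop-private-source-on-wan", spoofed_private_on_wan, "DROP"),
    ("allow-vpn-range-on-tun0", rule_interface_bound, "ACCEPT"),
]

# Constructed sample traffic: a genuine VPN client, a forged VPN-range source on the WAN side,
# and an ordinary Internet host.
SAMPLE_PACKETS = [
    Packet("172.16.16.6", "192.168.1.10", VPN_IFACE),
    Packet("172.16.16.6", "192.168.1.10", WAN_IFACE),
    Packet("198.51.100.7", "192.168.1.10", WAN_IFACE),
]


def compare(packets=SAMPLE_PACKETS):
    """Return (src, in_iface, weak verdict, hardened verdict) for each packet."""
    return [
        (p.src, p.in_iface, evaluate(p, WEAK_POLICY)[0], evaluate(p, HARDENED_POLICY)[0])
        for p in packets
    ]


if __name__ == "__main__":
    for row in compare():
        print("src=%-13s iface=%-5s weak=%-6s hardened=%s" % row)
```

The second sample packet is the case the original poster asked about: with the source-only rule it is accepted, while the interface-bound rule set drops it before the source address is ever consulted. The evaluator does not model the return path at all; as the last answer notes, even an accepted forged packet would need the reply routed back over the public Internet to a private address, which is the second obstacle.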