Jump to content
Not connected, Your IP: 18.117.151.127
Sign in to follow this  
plexvpn

Do I have a security problem? (DD-WRT / Nginx / port-forwarding)

Recommended Posts

Hi all,

 

Please rate my setup. I'll do my best to explain everything fully.

 

I have a router running DD-WRT which connects to AirVPN on interface tun1. I have set up iptables as follows in order to route all traffic via the VPN tunnel and ensure that no local traffic makes it through to eth0 (the WAN). Note that br0 is the bridge, consisting of the wired LAN (my server) and the wireless clients (personal computer, iPhone, etc.).

 

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o eth0 -j DROP
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

The server has an NGINX webserver that listens on ports 80/443. I have port forwarding setup in the NAT / QoS tab of DD-WRT to pass these ports to the appropriate static local IP within my network. I opted this approach instead of using AirVPNs port-forwarding service, since I wanted access to port 80/443 directly (ports <2048 are blocked on AirVPN) - I run a DDNS service which updates my Google Domains account with my local IP (the WAN IP, not the AirVPN IP) so that my domain name routes directly back to the router (not via AirVPN) and these port forwarding rules pass the requests to the NGINX server.

 

The system is up and working. If I navigate to AirVPN.org I see in the page header that I'm "connected". Also, ipleak.net does not report my actual IP address at all - only the AirVPN address. Furthermore, my webserver is accessible from the internet and works as before.

 

So I guess my question is: are there any significant risks while browsing / downloading that my IP address is being leaked? What steps can I take or tests can I perform to double check that everything is doing what it should and that my traffic (except my webserver traffic) is being directed over the VPN correctly?

 

While reading up on all of this, I saw that the Port Fowarding page specifically says "Do NOT forward on your router the same ports you use on your listening services while connected to the VPN. Doing so exposes your system to correlation attacks and potentially causes unencrypted packets to be sent outside the tunnel from your client." While I know I'm not forwarding the same ports, I also don't know what a correlation attack is so I thought it best to ask.

 

Thanks in advance

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...