Hi,
The organisation I support has two Synology NASs running OpenVPN linked to the Internet via Draytek routers with fixed Internet IP addresses.
The OpenVPN config has been created by another one of the Admin staff, i.e. not me.
The two different NASs are on different but linked (192.168) subnets.
Each Synology NAS has a single login with minimal rights for anyone who connects via the VPN.
Connectivity to the OpenVPN server on either NAS works fine, and the whole subnet on which the NAS resides is visible once connected. Remote Desktop connections are possible to any PC on the network, but the entire 192.168 network is visible: e.g. devices that do not have complex passwords or login rules (like limiting attempts), and ones where the login name cannot be changed from "admin", have their login screens visible, say in a web browser, from the remote user's PC, e.g. me at home.
Moving from one OpenVPN connection to the other simply needs the Draytek Internet IP address changing in the OpenVPN config file, nothing more!
All remote users of the VPN use the same config including the same username and password, meaning that anyone with the config files and the one NAS username and password can see the whole subnet.
Remote users do not have fixed IP addresses as many are with ISPs that don't provide that functionality.
This means that in a situation where any remote user shares their config files, or is hacked, or leaves the company, the network is compromised and the username and password have to be changed.
As I did not design the OpenVPN setup I am as yet not fully up to speed on what other security features would be possible.
Restricting access to known IP addresses (and not the whole of the Internet!) would have been ideal, but this is simply not possible, and changing the config (IP addresses allowed) every time a user reboots their home router and gets a different Internet IP address isn't practical.
The question is, given the setup detailed above, what other security options are possible?
Restricting the IP address range that can be connected to is maybe an OpenVPN option? But it is defeated as people log in to a PC (no domain controller, just a straight login as per a home PC) and once logged in they can see the whole network from that PC.
Both the Draytek router and the Synology NAS have firewalls; this may be an option but may not prevent anyone getting as far as the Draytek. I have just hit the security problem and so as yet don't know the firewall capabilities, but I don't immediately see what unique feature of a remote client could be used to let only them through and prevent hackers.
I don't see a way to have a remote client who can't get a fixed IP address use dynamic DNS settings and use this name in the OpenVPN config?
Providing a separate NAS login per remote user would seem like a good idea, and maybe limiting the number of connections to one, but I don't see the option to have different logins for each user.
Thoughts welcome on possible options with the above and other security possibilities.
Security Possibilities
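The post asks how to get away from one shared .ovpn plus one shared NAS login, how to give each remote user their own identity with a single session, how to cut a leaver off without changing everyone's secret, and how to stop a connected client from seeing the whole 192.168 range. The server configuration below is an added example written for this editing pass; it is not from the original post, the forum reply, or Synology's VPN Server package. It assumes a generic OpenVPN 2.4 or later server whose server.conf and client-config directory you can edit directly (the Synology GUI exposes only a subset of these options), and every path, subnet, address and user name in it is an assumed illustration.

```conf
# Added example (not from the post or the Synology package): a generic
# OpenVPN 2.4+ server.conf contrasting the shared-credential setup the
# post describes with a per-user setup. Paths, subnets and the user
# name "alice" are assumptions for illustration.

### Weak (mirrors the post): one shared config, one shared login.
# Anyone holding the .ovpn file and the one username/password is
# indistinguishable from every other user, so a leak means rotating
# the secret for everybody.
#
# verify-client-cert none            ; no per-user certificate
# auth-user-pass-verify /etc/openvpn/check.sh via-file   ; one shared account
# duplicate-cn                       ; unlimited sessions per identity
# push "route 192.168.0.0 255.255.0.0"   ; whole LAN reachable

### Hardened: one certificate per user, one session per user,
### fixed VPN address per user, revocation for leavers.
port 1194
proto udp
dev tun
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem

# Every client must present a certificate signed by our CA (this is the
# default; stated explicitly to contrast with "verify-client-cert none").
verify-client-cert require
remote-cert-tls client

# Leavers: their certificate goes on the CRL and is rejected at connect
# time. No shared secret changes for anyone else.
crl-verify /etc/openvpn/pki/crl.pem

# Packets without the pre-shared tls-crypt key are dropped before the TLS
# handshake, so Internet scanners never see the server. This key is common
# to all clients; it hides the server, it is not a per-user identity.
tls-crypt /etc/openvpn/pki/tc.key
tls-version-min 1.2

# No "duplicate-cn": a second login with the same certificate CN replaces
# the first session, giving the "one connection per user" the post asks for.

# Per-user settings keyed on the certificate CN. With ccd-exclusive a user
# without a ccd file is refused, so onboarding is an explicit act.
client-config-dir /etc/openvpn/ccd
ccd-exclusive

# VPN address pool. Each user is pinned to a fixed address in their ccd
# file, so the NAS or Draytek firewall can match on that stable address
# instead of on an ever-changing home ISP address.
server 10.8.0.0 255.255.255.0
topology subnet

# Push only the hosts a user may reach, not the whole /16. Pushed routes
# are advisory (the client can add its own), so real enforcement is a
# firewall rule on the NAS or router that only allows
# 10.8.0.0/24 -> 192.168.10.0/24 tcp/3389 and drops everything else.
push "route 192.168.10.0 255.255.255.0"

# /etc/openvpn/ccd/alice   (file name equals her certificate CN)
#   ifconfig-push 10.8.0.11 255.255.255.0
#   push "route 192.168.10.25 255.255.255.255"   ; only her own desktop
#
# Offboarding alice with easy-rsa 3:
#   easyrsa revoke alice && easyrsa gen-crl
#   then copy pki/crl.pem to /etc/openvpn/pki/crl.pem
```

The two things this does not fix are worth stating. The pushed routes only limit what the client's routing table knows about; a user who is already logged in to a LAN PC over RDP can still reach the rest of the 192.168 range from that PC, so the NAS or Draytek firewall, not OpenVPN, has to restrict which destinations and ports the VPN subnet may reach. And the tls-crypt key, like the shared config in the post, is common to all users; it keeps scanners off the port, while the per-user certificate and CRL are what let you cut off one person.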