file sharing (and other services) ONLY through VPN

Discussion in 'Mac OS X Server, Xserve, and Networking' started by saltyzoo, Oct 4, 2014.

  1. saltyzoo macrumors 65816

    saltyzoo

    Joined:
    Oct 4, 2007
    #1
    It seems crazy to me, but I've set up a VPN and I can find no reasonable way to enable file sharing or screen sharing, etc. ONLY to the VPN interface.

    What's the point of VPN if you're opening up the services to the world anyway?
     
  2. JoelBC macrumors 6502a

    Joined:
    Jun 16, 2012
    #2
If you have connected via VPN then you can screen share from your VPN client using Screen Sharing (if your client is running OS X) or VNC Viewer (see https://www.realvnc.com/download/viewer/) (if your client is not running OS X).

    I use both and they work great.
     
  3. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #3
    I think that is what firewalls are for.

    A.
     
  4. saltyzoo thread starter macrumors 65816

    saltyzoo

    Joined:
    Oct 4, 2007
    #4
Yes, and no. First off, it would be nice if the OS X firewall would actually let you do this, but it won't. Yes, you could manually create rules on the command line, but come on, the whole point of VPN is to not expose services. Apple should make this the default scenario, or at least allow you to enable services on a specific interface only.

    Secondly, it's less secure to have your services listening everywhere and then rely on a firewall to protect you, than if you just didn't expose them on networks you don't want them on in the first place. Your suggestion is sort of like saying you don't need brakes because you have an airbag and a sturdy bumper.
     
  5. Alrescha, Oct 5, 2014
    Last edited: Oct 5, 2014

    Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #5
    Except one does not generally do this, especially not on a VPN interface that may not even exist when the VPN is not in use. Consider your own example - who has a file server listening for requests for VPN users but not on the local network? I am sure someone does, but it is not like it is a common practice.

    The only ports on your server that should be exposed to the Internet are the ones you require to be exposed, e.g. the ones used by the VPN. The normal way to do that is to use a firewall (and if security is truly a concern, that is a separate dedicated hardware firewall).

    A.
     
  6. saltyzoo thread starter macrumors 65816

    saltyzoo

    Joined:
    Oct 4, 2007
    #6
No. If you enable VPN, then the default state IS to connect via a "local" network - through the VPN. The only service you want exposed is VPN. Everything else is accessed "locally" through the VPN.
     
  7. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #7
    The local network is the network that you are physically connected to (or the wireless equivalent). When you use a VPN you are making your client machine part of a remote network *in addition* to the local network. Your client has access to both networks. Optionally, in some VPN clients, you can choose to have all traffic *not going to the local network* sent over the VPN rather than through the client's local next-hop router. In all cases (at least the ones I know about) the client always has full access to the local network.

    You have contrived an unusual requirement, you expect it to be supported in a GUI, and are surprised when it is not. You call the vendor "crazy". Someone here might be crazy, but I am not sure that it is the vendor... :)

    A.
     
  8. saltyzoo thread starter macrumors 65816

    saltyzoo

    Joined:
    Oct 4, 2007
    #8
    I have "contrived" the only useful use case for VPN. To tunnel to the local network in a secure fashion. I don't think you understand.
     
  9. Alrescha, Oct 5, 2014
    Last edited: Oct 5, 2014

    Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #9
    Well, you certainly have not supplied a lot of details as to your exact problem, so it is very possible that I do not understand your situation. On the other hand, I was implementing VPNs before IPsec was ratified. I think I understand them pretty well.

    What you have presented so far is that you have a host with file sharing turned on. This host is apparently connected directly to the open Internet with no firewall, no NAT, nothing (implied by your phrase "opening up the services to the world anyway"). Somehow you think that this is normal, or sane, or something that someone else is responsible for fixing. Since they do not, you call them "crazy".

To me, this is not unlike lying down on the double yellow in a four-lane highway, and complaining that the highway department is not keeping you safe.

    If you would like some practical suggestions, feel free to describe your problem in more detail.

    A.
     
  10. saltyzoo thread starter macrumors 65816

    saltyzoo

    Joined:
    Oct 4, 2007
    #10
It's very simple and I've described it multiple times. You should be able to bind services to a specific network. Even with a firewall, it's bad security practice to listen on networks that you don't want to allow traffic from. Not having a way to bind services to a specific network is lame on a "server" (I'll grant you it's fine for a workstation). If you know a way to do it in OS X server, please let me know.

    ----------

    Also, as I've already said previously, the built in firewall does not allow you to filter it. Though you can with command line configuration, it's a pain in the butt.
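Editor's note, not part of any post in the thread: the two posters are arguing past each other, so here is the command-line version of what each of them describes. The first function audits which services are bound to the wildcard address (saltyzoo's "listening everywhere"); the second generates the pf anchor that Alrescha's "that is what firewalls are for" amounts to on OS X, where the GUI firewall cannot express per-interface rules but pf can. The interface name en0, the VPN client pool 10.0.2.0/24, the anchor name "vpnonly" and the sample netstat output are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code posted in the thread. Audits which services on an
# OS X server listen on every interface, then generates a pf anchor that
# reaches the thread's goal from the firewall side: file sharing and screen
# sharing answer only to VPN clients, and only the VPN's own ports are open
# on the Internet-facing interface. en0, the 10.0.2.0/24 client pool and the
# anchor name "vpnonly" are assumptions; change them for the real server.

# Constructed `netstat -an` output (not captured from a real host) showing
# AFP (548) and Screen Sharing (5900) bound to the wildcard address and CUPS
# (631) bound to loopback only.
SAMPLE_NETSTAT='tcp4       0      0  *.548                  *.*                    LISTEN
tcp6       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN'

# Print, one per line, the ports listening on "*" (every interface).
# Feed it `netstat -an` on stdin. Anything listed here is reachable from any
# network the host is attached to unless pf says otherwise.
wildcard_listeners() {
    awk '$NF == "LISTEN" && $4 ~ /^\*\./ { sub(/^\*\./, "", $4); print $4 }' \
        | sort -un
}

# Emit a pf anchor. $1 = Internet-facing interface, $2 = VPN client pool.
# The rules filter on the client pool address rather than on the ppp
# interface, because (as noted in the thread) that interface does not exist
# until a client connects. "quick" makes the first matching rule final, so
# the block on the external interface wins over the later pass even if a
# packet arriving from the Internet spoofs a pool address.
gen_pf_anchor() {
    ext="$1"; pool="$2"
    cat <<EOF
# pf anchor "vpnonly": services that must be reachable only through the VPN
lan_services = "{ 548, 445, 5900 }"
# L2TP/IPsec as used by the OS X Server VPN service: IKE, L2TP, NAT-T, ESP
vpn_ports = "{ 500, 1701, 4500 }"

block in log quick on $ext proto tcp to port \$lan_services
pass in quick on $ext proto udp to port \$vpn_ports
pass in quick on $ext proto esp
pass in quick inet proto tcp from $pool to port \$lan_services
EOF
}

# Stand-alone demo on the constructed sample.
echo "Ports listening on every interface:"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
echo
gen_pf_anchor en0 10.0.2.0/24
```

To use the generated anchor on the server: save it as /etc/pf.anchors/vpnonly, syntax-check it with `sudo pfctl -nf /etc/pf.anchors/vpnonly`, add `anchor "vpnonly"` and `load anchor "vpnonly" from "/etc/pf.anchors/vpnonly"` to /etc/pf.conf, then load and enable with `sudo pfctl -ef /etc/pf.conf` and confirm with `sudo pfctl -a vpnonly -sr`. Two caveats a practitioner should keep in mind: this is the firewall approach, so the services still bind to every interface and `wildcard_listeners` will keep listing them, and the block rule only covers the named external interface, so a second LAN or wireless interface needs its own block line.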
     
  11. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #11
    Okay, so no additional details. I am very sorry that I have no additional suggestions, only what I have previously offered. Good luck.

    A.
     