Score:1

Disallow port forwarding to bypass VPN


We have a Linux workstation that is used by a group of users via the Internet. For security, users must connect to our private network by VPN and can then ssh to the workstation.

The jobs they run on the workstation need an Internet connection, so the workstation is connected to the Internet via NAT.

However, this makes it possible for any normal user to use port forwarding to bypass the VPN, for example by running the following command on the workstation (the address was mangled by the page extraction; `<user>` is a placeholder for the account on the public server):

```sh
ssh -NTf -R 60000:localhost:22 <user>@public.server
```

One can then connect to the workstation at public.server:60000. This bypasses the VPN and poses a security problem, since anyone can connect to public.server:60000, not just the particular user who ran this command. (If only that user could use it, I think it would be fine.)

This is an issue not only for ssh port forwarding. One can also use tools like frp or just write some simple code to achieve this.

I wonder if there is any good measure to solve this issue?
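From the defender's side, the tunnel described above leaves a distinctive footprint on the workstation itself: one process (here the `ssh` client) holds both an outbound socket to the public server and a loopback socket into the local sshd on port 22, which is how remote connections get relayed in. The following script, an added example and not part of the question or its comments, parses `ss -tnp` output and flags that pairing; it goes beyond the ssh case, since any relay tool (frp or hand-written code) produces the same socket pairing. The `ss` sample is constructed, and the host names and PIDs are invented.

```python
import re
from collections import defaultdict

# Constructed `ss -tnp` output for a workstation at 10.0.0.5 (sample data, not from
# any real host). pid 2310 is an `ssh -R 60000:localhost:22 ...` client: one socket
# to the public server plus one loopback socket into the local sshd on port 22.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:22         10.8.0.2:51234     users:(("sshd",pid=1200,fd=4))
ESTAB  0      0      10.0.0.5:41872      203.0.113.10:22    users:(("ssh",pid=2310,fd=3))
ESTAB  0      0      127.0.0.1:22        127.0.0.1:45678    users:(("sshd",pid=2400,fd=4))
ESTAB  0      0      127.0.0.1:45678     127.0.0.1:22       users:(("ssh",pid=2310,fd=5))
ESTAB  0      0      10.0.0.5:41900      198.51.100.7:22    users:(("ssh",pid=2500,fd=3))
"""

LINE_RE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)"
                     r"\s+(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<proc>.*)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')
LOOPBACK = ("127.", "[::1]")


def parse_ss(text):
    # One dict per ESTAB socket; the header line never matches LINE_RE.
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("state") == "ESTAB":
            row = m.groupdict()
            row["lport"], row["rport"] = int(row["lport"]), int(row["rport"])
            yield row


def find_reverse_tunnels(text, service_port=22):
    # Flag any non-sshd process holding both an outbound socket to a non-loopback
    # peer and a loopback socket to service_port: a client relaying remote
    # connections into the local sshd, whatever tool (ssh -R, frp, ...) it is.
    by_pid = defaultdict(list)
    for row in parse_ss(text):
        for name, pid in PROC_RE.findall(row["proc"]):
            by_pid[(name, int(pid))].append(row)
    hits = []
    for (name, pid), socks in by_pid.items():
        if name == "sshd":
            continue  # the server side of a session is expected on :22
        outbound = [s for s in socks if not s["raddr"].startswith(LOOPBACK)]
        relayed = [s for s in socks
                   if s["raddr"].startswith(LOOPBACK) and s["rport"] == service_port]
        if outbound and relayed:
            hits.append({"pid": pid, "process": name,
                         "remote": f"{outbound[0]['raddr']}:{outbound[0]['rport']}",
                         "relayed_to": f"{relayed[0]['raddr']}:{service_port}"})
    return hits
```

A plain outbound `ssh` session (pid 2500 in the sample) is not flagged, because it has no loopback socket back into the local service; running this from cron over live `ss -tnp` output gives a cheap audit of who is relaying connections into the workstation.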

anx
Why is this even a concern? What incentives exist for a user to share the access they have been provided with to the Internet? (If the incentive is sufficient, no increase in the cost of doing it will ever resolve this.)
Ruixing Wang
Users may want to connect from any computer without the VPN software installed, for their convenience.