How safe is port forwarding allowing specific IP only vs. VPN?

I’ve set up a Plex server at location A and I’m using port forwarding to enable remote access for location B.

To mitigate the risks of the open port, I’ve configured the port to be only accessible from the IP of location B in OpenWRT (Source IP in port forward) and location A itself, so any other IP that is trying to access the port is blocked.

Now I’m reading in many posts that a VPN should be used as the safest approach, but since I’m only allowing a specific IP to access the port, can it be considered safe, or am I missing anything? If not, I’m considering remote desktop using the same approach as well.
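As an added illustration (not taken from the original poster's router), this is what a port forward restricted to one source address, as described in the question, looks like in OpenWrt's `/etc/config/firewall`. The external port 47199, the location-B public address 203.0.113.10 and the Plex host 192.168.1.50 are placeholders chosen for the example.

```uci
# /etc/config/firewall on the location-A OpenWrt router (added example;
# all addresses and the external port are placeholders, not the poster's).
#
# Forward a random external TCP port to Plex's default 32400 on the LAN
# host, but only for packets whose source address is location B's public
# IP. That address must be static: if it changes, location B is locked
# out and whoever inherits the old address is let in.
config redirect
	option name 'Plex-from-site-B'
	option target 'DNAT'
	option src 'wan'
	option src_ip '203.0.113.10'
	option src_dport '47199'
	option dest 'lan'
	option dest_ip '192.168.1.50'
	option dest_port '32400'
	option proto 'tcp'

# The same stanza without the src_ip line is the "open port" case the
# question wants to avoid: it matches every source on the Internet.
# With src_ip present, any other source hitting 47199 simply falls
# through to the wan zone's default input policy (REJECT or DROP).
```

A second `config redirect` with the other permitted address (the poster also allows location A's own public IP) covers the self-access case; the restriction is evaluated per packet, so it gates the TCP handshake itself, not just the Plex login.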

The VPN would certainly give you more flexibility than the system you described. You wouldn’t have to manually configure port forwarding every time you want to expose a device, and you wouldn’t have to whitelist IP addresses.

The only issues I can foresee would depend on how much control you have over the whitelisted IP address. At the very least make sure that it is a statically allocated address!

If you do not fully trust the network at location B, the VPN would prevent anyone else on the network from snooping on or tampering with your connection.

I’m sure someone will chime in with a list of things I missed.

As I see it, it goes like this.

An IP whitelist is for access control: who can access. So some random IP that tries to make a connection gets dropped into oblivion and cannot do any funny business on login, etc.

But when you don’t want to log in, but want to capture traffic going from point A to B or from B to A, then the IP whitelist does not do anything. Here encryption comes into play.

So, that Plex server you run: do you have HTTPS enabled on it? Then you are fine… ish. There is some metadata going around that can be used to make an educated guess about what is going on, but most stuff is encrypted and cannot be viewed by a third party.

Now, a VPN tunnel even encrypts that data, and they only see that there is a tunnel with info. That’s it.

But don’t they need to know 1. which port is specified as the port forward, because I’ve set a random port, and 2. which IP is whitelisted? It’s a little bit like a chicken-and-egg problem and will take some time and effort just to brute-force a random target like me.

The connection to the Plex server is using SSL, so it’s encrypted.

People can spoof source IPs to gain access to things.

Yes but no. Depending on the system, if you have IP 1.1.1.1 and spoof in order to say “hey, I have IP 2.2.2.2”, then the server would reply to 2.2.2.2, thus you couldn’t get a thing.

If the system is like “If I get a request from 2.2.2.2 I will open for everyone” then… yeah, that could work, but I don’t see how a sane person would do that.

I think you are fine.

I have SSH and HTTPS open from the Internet to a few of my servers in a DMZ. I used a random port over 5000; I have never had anyone try to hit me on those ports, and I have had them open for years.

Port scanning is a thing. Either way, you should be OK assuming that Plex requires authentication, you don’t use the default port (although this one is security by obscurity), and the traffic is encrypted (so your ISP can’t see what you are sending).

I don’t see a VPN being needed for this scenario.

You couldn’t easily (or at all) do that through the internet…

If it’s some internal network then yes, it might be possible, though the attacker would still have to know the authentication credentials (either through brute force, social engineering or a phishing attack).

MITM would be difficult since OP is using HTTPS.

You would still have to do port forwarding for the VPN server, which would mean that instead of the attack vector being Plex, it would be OpenVPN/WireGuard/whatever.

If you mean connecting to some third-party VPN provider, then you are just delegating trust from your ISP to the VPN provider.
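To make the comparison in the last reply concrete, here is the self-hosted VPN alternative as an added example (not configuration from anyone in the thread): a WireGuard interface on the same location-A OpenWrt router, with the Plex forward removed. It assumes the router runs OpenWrt's WireGuard package; the keys, the 10.7.0.0/24 tunnel network, UDP port 51820, the location-B address 203.0.113.10 and the Plex host 192.168.1.50 are placeholders.

```uci
# /etc/config/network on the location-A OpenWrt router (added example;
# keys, addresses and ports are placeholders, not from the thread).
#
# The WireGuard interface replaces the Plex port forward. Location B
# brings up the tunnel and then reaches 192.168.1.50:32400 inside it,
# so nothing on the path can see more than "there is a tunnel".
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<location-A private key>'
	option listen_port '51820'
	list addresses '10.7.0.1/24'

# One peer per remote site. Only traffic from the peer's tunnel address
# is accepted, and only after it authenticates with its key pair.
config wireguard_wg0
	option description 'Location B'
	option public_key '<location-B public key>'
	option preshared_key '<optional pre-shared key>'
	list allowed_ips '10.7.0.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

# /etc/config/firewall: the tunnel endpoint is now the only port on the
# WAN, which is the point made in the last reply. It can keep the same
# source-IP restriction the old Plex forward had; drop the src_ip line
# if location B's address is not static.
config rule
	option name 'Allow-WireGuard-from-site-B'
	option src 'wan'
	option src_ip '203.0.113.10'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# Finally, add wg0 to the existing lan zone so that tunnel clients are
# treated like LAN hosts. Only the added line is shown:
#
#   config zone
#       option name 'lan'
#       ...
#       list network 'wg0'
```

On the location-B side the client's peer entry points at location A's public address and port 51820, and its AllowedIPs must include location A's LAN range (192.168.1.0/24 here) so that traffic for the Plex host is routed into the tunnel. Unlike the plain port forward, an unsolicited packet that is not a valid WireGuard handshake from a known key gets no reply at all, so the listener does not even confirm that a service is there.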