I prefer to drop ALL non-established/related traffic on the VPN interface. Personally, I don't want anything
coming in over the VPN interface; but you may have reasons to allow some traffic.
On Ubuntu, simply enabling UFW will protect the VPN interface from allowing any traffic in. Or you get get more advanced and use iptables to add a jump rule for traffic in on tun0 to only allow established/related and drop everything else.
To answer your question, it looks like the ovpn range is roughly 18.104.22.168/22.
I sleuthed this by connecting and getting an IP, then running "host" in both directions until I stopped getting VPN hostnames:
Code: Select all
# host 22.214.171.124
126.96.36.199.in-addr.arpa domain name pointer 184-23-191-1.vpn.dynamic.sonic.net.
188.8.131.52.in-addr.arpa domain name pointer cpe2-0.horizoncable.com.
# host 184.108.40.206
220.127.116.11.in-addr.arpa domain name pointer 184-23-190-1.vpn.dynamic.sonic.net.
# host 18.104.22.168
22.214.171.124.in-addr.arpa domain name pointer 184-23-189-1.vpn.dynamic.sonic.net.
# host 126.96.36.199
188.8.131.52.in-addr.arpa domain name pointer 184-23-188-1.vpn.dynamic.sonic.net.
# host 184.108.40.206
220.127.116.11.in-addr.arpa domain name pointer 184-23-187-1.dsl.static.sonic.net.
So based on that, it looks like 18.104.22.168 - 22.214.171.124 (126.96.36.199/22). From looking at https://bgp.he.net/AS7065#_prefixes
there is no exact prefix advertised, so if you want to only allow SSH in from Sonic's VPN, that's a more restrictive range to use. There's also the beta
VPN to consider.
I will also echo what ds_sonic_asif said: Don't run ssh on port 22. Unless you're being specifically targeted, this will stop 99% of malicious connection attempts.