sonic vpn network mask?

by etnahouse » Fri Apr 05, 2019 2:48 am
What are the IP address ranges for sonic vpn clients?

I'm currently using 184.23.188.0/10, but this is just from exploring my past vpn connections and some DNS sleuthing -- I haven't found anything that states this information authoritatively.

Thanks,
Don

ps: I'm using this to provide some first-level security in my firewall ... I'm annoyed by world-wide ssh probing (mostly, it wakes up my sleeping machine, and fills the logs with failed logins). I'd prefer a customer specific static IP address range, but sonic doesn't support that -- I'm aware that this is not really secure, so that's why it's just a first level (I use it with ssh, not web server login).
by ds_sonic_asif » Fri Apr 05, 2019 9:29 am
etnahouse wrote:... I'm annoyed by world-wide ssh probing (mostly, it wakes up my sleeping machine, and fills the logs with failed logins).
For years I've been running my world-visible ssh server on an alternate port and have never seen it hit with a script-kiddie ssh attempt.
by sysops » Fri Apr 05, 2019 10:19 am
I prefer to drop ALL non-established/related traffic on the VPN interface. Personally, I don't want anything coming in over the VPN interface; but you may have reasons to allow some traffic.

On Ubuntu, simply enabling UFW will protect the VPN interface from allowing any traffic in. Or you can get more advanced and use iptables to add a jump rule for traffic in on tun0 to only allow established/related and drop everything else.

To answer your question, it looks like the ovpn range is roughly 184.23.188.0/22.

I sleuthed this by connecting and getting an IP, then running "host" in both directions until I stopped getting VPN hostnames:

# host 184.23.191.1
1.191.23.184.in-addr.arpa domain name pointer 184-23-191-1.vpn.dynamic.sonic.net.
# host 184.23.192.1
1.192.23.184.in-addr.arpa domain name pointer cpe2-0.horizoncable.com.
# host 184.23.190.1
1.190.23.184.in-addr.arpa domain name pointer 184-23-190-1.vpn.dynamic.sonic.net.
# host 184.23.189.1
1.189.23.184.in-addr.arpa domain name pointer 184-23-189-1.vpn.dynamic.sonic.net.
# host 184.23.188.1
1.188.23.184.in-addr.arpa domain name pointer 184-23-188-1.vpn.dynamic.sonic.net.
# host 184.23.187.1
1.187.23.184.in-addr.arpa domain name pointer 184-23-187-1.dsl.static.sonic.net.

So based on that, it looks like 184.23.188.0 - 184.23.191.255 (184.23.188.0/22). From looking at https://bgp.he.net/AS7065#_prefixes there is no exact prefix advertised, so if you want to only allow SSH in from Sonic's VPN, that's a more restrictive range to use. There's also the beta VPN to consider.

I will also echo what ds_sonic_asif said: Don't run ssh on port 22. Unless you're being specifically targeted, this will stop 99% of malicious connection attempts.
Proud Sonic customer since 1999. Ask me about internet privacy, VPN, anonymity and security.
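The reverse-DNS sweep in the post above, reduced to a CIDR block and compared with the /10 mask from the first post; this is an added example, not code from any poster. It parses the `host` output exactly as quoted in the thread, and the function names are hypothetical. It assumes, as the sweep itself does, that one sampled address is representative of its whole /24.

```python
import ipaddress
import re

# `host` output as quoted in the thread (one sampled address per /24).
HOST_OUTPUT = """\
1.191.23.184.in-addr.arpa domain name pointer 184-23-191-1.vpn.dynamic.sonic.net.
1.192.23.184.in-addr.arpa domain name pointer cpe2-0.horizoncable.com.
1.190.23.184.in-addr.arpa domain name pointer 184-23-190-1.vpn.dynamic.sonic.net.
1.189.23.184.in-addr.arpa domain name pointer 184-23-189-1.vpn.dynamic.sonic.net.
1.188.23.184.in-addr.arpa domain name pointer 184-23-188-1.vpn.dynamic.sonic.net.
1.187.23.184.in-addr.arpa domain name pointer 184-23-187-1.dsl.static.sonic.net.
"""

PTR_LINE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa domain name pointer (\S+)$"
)

def sampled_ptrs(text):
    """Yield (address, ptr_name) pairs; octets in the PTR query are reversed."""
    for line in text.splitlines():
        m = PTR_LINE.match(line.strip())
        if m:
            d, c, b, a, name = m.groups()
            yield ipaddress.ip_address(f"{a}.{b}.{c}.{d}"), name

def vpn_cidrs(text, suffix=".vpn.dynamic.sonic.net."):
    """Collapse the /24s whose sampled PTR ends in `suffix` into CIDR blocks."""
    nets = [
        ipaddress.ip_network(f"{addr}/24", strict=False)
        for addr, name in sampled_ptrs(text)
        if name.endswith(suffix)
    ]
    return list(ipaddress.collapse_addresses(nets))

def non_vpn_hosts_allowed(text, cidr, suffix=".vpn.dynamic.sonic.net."):
    """Sampled non-VPN addresses that an allow rule for `cidr` would still admit."""
    net = ipaddress.ip_network(cidr, strict=False)  # host bits are masked off
    return [a for a, n in sampled_ptrs(text) if not n.endswith(suffix) and a in net]

if __name__ == "__main__":
    print("VPN range from PTR sweep:", vpn_cidrs(HOST_OUTPUT))
    for rule in ("184.23.188.0/10", "184.23.188.0/22"):
        net = ipaddress.ip_network(rule, strict=False)
        extra = non_vpn_hosts_allowed(HOST_OUTPUT, rule)
        print(f"{rule} -> {net} ({net.num_addresses} addresses), "
              f"non-VPN samples admitted: {[str(a) for a in extra]}")
```
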
by ds_sonic_asif » Tue Mar 17, 2020 5:44 pm
ds_sonic_asif wrote:For years I've been running my world-visible ssh server on an alternate port and have never seen it hit with a script-kiddie ssh attempt.
Updating the statement. We've been on Sonic fiber now for about 9 months, and the bad guys have discovered my alternate ssh port. For a while I was updating my internal firewall to blacklist the IP addresses that were coming in, but the scale of it has gotten out of hand. I've turned off the port in my internal firewall and am now musing about a better solution that doesn't involve having to remember to change the firewall every time I may want external access.