I came across something that seems counter-intuitive while reading a tutorial associated with a very popular hosting provider showing people how to install their own Debian-based OpenVPN server. Specifically the default forward policy is changed from “DROP” to “ACCEPT” in order to allow traffic to be routed correctly. There seem to be no additional rules anywhere that would in any way restrict routing beyond this default policy.
If I understand correctly this could allow someone to use the machine as a gateway into the VPN, potentially allowing unsolicited traffic through. The logic here is that without any rules preventing packet forwarding the OS will simply forward any traffic not destined for itself. For example someone could make a static route for the external IP assuming a network of 10.8.0.0/24. Normally NAT would act as a firewall but in this case I can only assume it would, at best, rewrite the IP of response packets.
This is the tutorial for reference: How To Set Up an OpenVPN Server on Debian 9
I just want to know are my concerns justified or is there something that I’m missing?