Geekzone: technology news, blogs, forums
cisconz
1320 posts | Uber Geek | ID Verified | Trusted | Lifetime subscriber
#3094733 25-Jun-2023 15:39

NOW offer a static IP for a one-off cost. Or at least they did when I was last with them.

Hmmmm

SmurfHk
15 posts | Geek
#3094735 25-Jun-2023 15:46

michaelmurfy:

@SmurfHk Just note - these days you don't need a public IP if you're just wanting to remotely access stuff. The better option is to use Tailscale (https://tailscale.com) for this which works fine behind CG-NAT and is totally free for most use-cases.

DO NOT (and I mean this) forward RDP to your PC. This is one of the most exploited services out there.

It sounds like to me you actually don't need a public IP and to be honest in your case I wouldn't as it adds a security layer. Just use Tailscale and be done with it.


Thank you for the comments on this, interesting.

I did look very briefly at Tailscale when I saw GL.iNet devices have it natively. I have a Beryl AX for travel.

But my ASUS Merlin router doesn’t do it natively, so I gave up on it. I spent so long learning how to implement OVPN and WireGuard (Tailscale is based on that, I understand) on my Asus that I just wanted to replicate the setup.

k.


SmurfHk
15 posts | Geek
#3094736 25-Jun-2023 15:49

cisconz: NOW offer a static IP for a one-off cost.

That would be good, but the email I got from them two days ago said $5 per month. Which is doable, just not one-off.


michaelmurfy (cat)
12247 posts | Uber Geek | Moderator | ID Verified | Trusted | Lifetime subscriber
#3094743 25-Jun-2023 15:52

SmurfHk: But my ASUS Merlin router doesn’t do it natively so I gave up on it, I spent so long learning how to implement OVPN and Wireguard (Tailscale based on that I understand) on my Asus I just wanted to replicate the setup.

You don't need to run it on your router. It is a client service so install on your PC and job done. If you need wider access to your network then set it up as a relay so you can tunnel all your traffic over it. It doesn't require a Public IP or any port forwards.

It also runs on basically any Linux device (eg - Raspberry Pi)

Michael Murphy | https://murfy.nz
Referral Links: Tessie | Tesla | Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


SmurfHk
15 posts | Geek
#3094806 25-Jun-2023 19:11

michaelmurfy:

You don't need to run it on your router. It is a client service so install on your PC and job done. If you need wider access to your network then set it up as a relay so you can tunnel all your traffic over it. It doesn't require a Public IP or any port forwards.

It also runs on basically any Linux device (eg - Raspberry Pi)

Thanks, and apologies if this is veering off topic, but I did as much reading as I could and am still not clear on the implementation of Tailscale in this particular environment.

The place is a bach essentially, where this router is located, and I would like to VPN INTO it, remotely, from other devices.

I set up Tailscale on one of my devices (an iPad) and started looking at what next. So it said copy-paste this link and add your other devices. I can do this for Windows clients, iOS devices and the like - just not the router in the bach, to add it as a device to my tailnet. It had a Linux option and I’ve seen forums showing packages installed over Entware (getting beyond my comfort zone) but not inbuilt on Asus Merlin. Sorry but I am not clear on your comment that I “don't need to run it on your router“. How do I tell Tailnet it’s one of my devices so clients can access it?

thanks,

k.

michaelmurfy (cat)
12247 posts | Uber Geek | Moderator | ID Verified | Trusted | Lifetime subscriber
#3094809 25-Jun-2023 19:23

But you mentioned you had a windows PC there you wanted to RDP into? That’s where you’ll install Tailscale…

I otherwise don’t understand what you’re trying to do here. If you have to port forward to IoT devices then you’re doing it wrong. You should never port forward unless if you really understand what you’re doing. The VPN doesn’t have to be on the router…

Just note also - if you install Tailscale on a device that is on this network (eg, PC) then you can use that as an exit node and that is just like having a VPN in every way. You can access the network, internet via this network and all.






MaxineN (Max)
1290 posts | Uber Geek | ID Verified | Trusted | One NZ | Subscriber
#3094815 25-Jun-2023 19:59

michaelmurfy: Just note also - if you install Tailscale on a device that is on this network (eg, PC) then you can use that as an exit node and that is just like having a VPN in every way. You can access the network, internet via this network and all.

This is exactly what I do with my Tailscale instance, except this is on my TrueNAS box (which is on 24/7) so I can access its drives and basically everything internally (including my OPNsense, which has proven to be useful at times whilst I'm at work and I have to troubleshoot from a smartphone ;) ) and it's blazing fast. +1 for Tailscale.

Ramblings from a mysterious lady who's into tech. Warning I may often create zingers.
Opinions are my own. They don't represent my employer.

Spyware
3261 posts | Uber Geek | Lifetime subscriber
#3094842 25-Jun-2023 20:46

SmurfHk: Sorry but I am not clear on your comment that I “don't need to run it on your router“. How do I tell Tailnet it’s one of my devices so clients can access it?

thanks,

k.

https://tailscale.com/kb/1019/subnets/

Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.


SmurfHk
15 posts | Geek
#3100387 5-Jul-2023 19:24

Just a quick note to say thanks to all and to close this out, I ended up getting a Static IP from NOW.

I have 300 Fibre and tested it to the Router WebAdmin only from overseas; it’s pretty slow, as upload is slower than I’m used to. My normal upload is close to the download at around 900 (not on VPN).

I did read (a lot) about subnet routers and was thinking about repurposing my RPi to make it that device and allow access to my LAN but I decided it was too hard basket in the end with all the configuration, autostart and everything (certainly doable though, just no time right now). Was even thinking of a small headless window option but I won’t be running it often.

Cheers

k

michaelmurfy (cat)
12247 posts | Uber Geek | Moderator | ID Verified | Trusted | Lifetime subscriber
#3100415 5-Jul-2023 20:55

Do not forward to the router ever! This is a substantial security risk!

Tailscale is blatantly easy to set up, so not sure why you put that in the too-hard basket. You didn’t need to go the subnet router way; instead install Tailscale on a Pi or heck even your PC, as it runs on Windows, then put it in relay mode. When you port forward, the device you’re forwarding to has a service open directly to the internet - this is no longer secure; one vulnerability and you’re screwed.

Things you should never forward to are RDP, router interfaces, IoT, cameras etc. You put your entire network at risk and on top of this could be a part of an attack if one of your devices has a vulnerability.

Personally, as a security person, what you’ve done here is a security nightmare, where the better solution would have taken (not kidding) about 10 mins to set up and worked fine for your needs without any extra expense or risk.






SmurfHk
15 posts | Geek
#3100446 6-Jul-2023 00:47

michaelmurfy: Do not forward to the router ever! This is a substantial security risk!

Tailscale is blatantly easy to set up, so not sure why you put that in the too-hard basket. You didn’t need to go the subnet router way; instead install Tailscale on a Pi or heck even your PC, as it runs on Windows, then put it in relay mode. When you port forward, the device you’re forwarding to has a service open directly to the internet - this is no longer secure; one vulnerability and you’re screwed.

Things you should never forward to are RDP, router interfaces, IoT, cameras etc. You put your entire network at risk and on top of this could be a part of an attack if one of your devices has a vulnerability.

Personally, as a security person, what you’ve done here is a security nightmare, where the better solution would have taken (not kidding) about 10 mins to set up and worked fine for your needs without any extra expense or risk.


I’m not sure I understand the concern, but you do have me worried. Let me explain my setup.
I have WireGuard installed on the router (ASUS Merlin FW) on an RT-AX86U Pro.

I have checked the security checks in the router and all the items it said to turn off are off or changed: UPnP, access to the Router WebAdmin from outside etc. All I have is WG and OpenVPN servers set up on the router itself. I did not set up any port forwards myself (does setting up a VPN server do this somehow?).

I’m not an IT person by any stretch, but I followed the guidelines on the ASUS website and the snbforum for WireGuard. Surely if it was a security risk no one would be setting up these and tunnelling into their own routers (in my case via a static IP)?

I really did look at the RPi subnet router solution (I don’t want to run a Windows PC all the time and I wasn’t sure whether a Kasa plug would work to turn it on remotely) but again, loading it onto the RPi wasn’t the issue; it was the subsequent Linux instructions that made me cross-eyed. It’s not that I’m being obstinate, I’m just short of time and not at the location. I’ll be there again for a couple of weeks in August.

k.

SmurfHk
15 posts | Geek
#3100901 7-Jul-2023 11:26

@michaelmurphy For some reason the thread got locked, but if you have time I’d appreciate your take on my note above, if it changes your well-intended concern about security. Cheers

Thanks very much

michaelmurfy (cat)
12247 posts | Uber Geek | Moderator | ID Verified | Trusted | Lifetime subscriber
#3100998 7-Jul-2023 15:19

So I just read this and assumed, especially from the "not on VPN" part, you were exposing the router interface to the internet - you've otherwise been pretty light on details considering several members asked you for more information:

SmurfHk: tested it to the Router WebAdmin only from overseas; it’s pretty slow as upload is slower than I’m used to my normal upload is close to the download at around 900 (not on VPN).

As you're running Merlin it can be a little better than the stock Asus firmware, but it is also important to note that routers are not updated as much, security-patch wise, as something more dedicated to the task. Forwarding just VPN is lower risk (you setting up VPN on the router exposes the ports required). It is also important to note that if you're connecting this router also to a third party VPN service you're also exposing that, and normally your network, to that service too. If you are also using third party VPN services then this is a very good read: https://overengineer.dev/blog/2019/04/08/very-precarious-narrative.html

As stated by several members above, you don't need a static IP for your use-case. Tailscale is simple to install: https://pimylifeup.com/raspberry-pi-tailscale/ and activating it as an exit node is one command (sudo tailscale up --advertise-exit-node): https://tailscale.com/kb/1103/exit-nodes/ - from here you can essentially dump that Raspberry Pi on any network and you can VPN through it, to the network, with zero router configuration via the Tailscale app.

That message however was more of a warning. It seemed you were forwarding services through your router like the router web interface and remote desktop. The problem here is remote desktop is not designed to be exposed to the internet, and routers are one of the top things to get compromised and used as part of botnets to be a part of a DDoS attack etc. Unfortunately, time and time again they've been proven to not be secure. While you should be OK in the interim to operate a VPN in this manner, it is important to also understand the risks in exposing services on your router to the internet. Just ensure your firmware is up to date and, if you can, use WireGuard or OpenVPN over the other protocols your router may offer (like PPTP or IPsec).







SmurfHk
15 posts | Geek
#3101001 7-Jul-2023 15:30

Thank you Michael, understood on first pass, but I will need some time to digest it all fully. Apologies for being light on details as you noted; I’m really a bit out of my depth on this stuff TBH, just decent at following instructions and trying until it works (without understanding why it works).

The NOW tech suggested the IP was faster as it didn’t have to hop another route, but for what I need it for primarily I don’t think it’ll make much difference. I’m going to try it if I can and if I’m happy it’s reliable (read some stuff about additional commands needed for restarts, power outages etc which was what put me off).

k

michaelmurfy (cat)
12247 posts | Uber Geek | Moderator | ID Verified | Trusted | Lifetime subscriber
#3101002 7-Jul-2023 15:35

If you did want to go the Tailscale route, the service will automatically start as part of its default install. Basically it is install, run the login command, run the command to put it in exit node mode and that is it - nothing else to really do. I'm not kidding when I say it takes ~10 mins to install, configure and be up and running.

 

There are more advanced features but you don't need to worry about them. The exit node mode basically turns it into a VPN where you can select it in the Tailscale app as your exit node then suddenly you're on that network.





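The install, log in, advertise-as-exit-node procedure michaelmurfy describes, written up as one script (an added example, not code from the thread or from Tailscale). It assumes a Debian-based Raspberry Pi with sudo and curl, checks that kernel IP forwarding is actually on before advertising, and also covers the subnet-router variant Spyware linked; the --advertise-routes flag for that variant is Tailscale's CLI flag and is not mentioned in the thread. Approving the node in the Tailscale admin console remains a manual step.

```shell
#!/bin/sh
# Added example, not from the thread: michaelmurfy's "install, log in, advertise"
# steps for a Raspberry Pi. Assumes Debian-based Raspberry Pi OS with sudo and curl.
set -eu

SYSCTL_FILE=/etc/sysctl.d/99-tailscale.conf

# Exit nodes and subnet routers forward traffic for other devices, so the kernel
# must have IP forwarding on; this is the persistent config for that.
forwarding_conf() {
    printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n'
}

# True when both forwarding knobs read 1. The /proc/sys root is a parameter so
# the check can be run against a constructed directory instead of a live kernel.
forwarding_enabled() {
    root=${1:-/proc/sys}
    v4=$(cat "$root/net/ipv4/ip_forward" 2>/dev/null || echo 0)
    v6=$(cat "$root/net/ipv6/conf/all/forwarding" 2>/dev/null || echo 0)
    [ "$v4" = 1 ] && [ "$v6" = 1 ]
}

# The tailscale up invocation for the two modes discussed in the thread:
# exit node (full tunnel out through the bach's connection) or subnet router
# (LAN access only, for a LAN CIDR such as 192.168.1.0/24).
tailscale_up_cmd() {
    mode=${1:-}; cidr=${2:-}
    case "$mode" in
        exit)   echo "tailscale up --advertise-exit-node" ;;
        subnet) [ -n "$cidr" ] || { echo "subnet mode needs a CIDR" >&2; return 1; }
                echo "tailscale up --advertise-routes=$cidr" ;;
        *)      echo "usage: tailscale_up_cmd exit|subnet [cidr]" >&2; return 1 ;;
    esac
}

# The whole procedure. The first tailscale up prints a login URL to open in a
# browser; that enrols the Pi into the tailnet (the "login" step).
apply() {
    command -v tailscale >/dev/null || curl -fsSL https://tailscale.com/install.sh | sh
    forwarding_conf | sudo tee "$SYSCTL_FILE" >/dev/null
    sudo sysctl -p "$SYSCTL_FILE" >/dev/null
    forwarding_enabled || { echo "IP forwarding is still off; aborting" >&2; return 1; }
    sudo $(tailscale_up_cmd "$@")
    tailscale status          # the Pi should now be listed with its advertised role
}

# Only act when asked explicitly, e.g.:  sh pi-tailscale.sh apply exit
if [ "${1:-}" = apply ]; then
    shift
    apply "$@"
fi
```

After `apply`, the exit node or routes still have to be approved in the admin console, and the client side selects the Pi as its exit node in the Tailscale app, as the thread describes.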

