Topic # 226189 24-Dec-2017 20:12
I've set up OpenVPN on a R.Pi running Raspbian. It creates a tunnel to the UK using the Astrill VPN. The general idea is it can be used as a gateway for any device on my network that wants to appear like it's in the UK, mostly for watching UK TV. I intend for this to be running 24/7. I set it up using these instructions, other than the "VPN Kill Switch" as it broke it; I'll get to that some time.

Is this likely to compromise home network security? The OS only has essential services running by default - I had to enable SSH, and I changed the password. I assume that any packets not requested by the OS or a client on my network get dropped. Obviously it opens a new way into the network, so there's some risk, but what is that risk?

If someone got onto my network they could potentially see shares from my Windows PC, which contain personal information. The shares have security set up so only specified people can see them, but I have a couple of open shares with generic stuff on them too.

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


  Reply # 1924745 24-Dec-2017 21:14
Not sure if Astrill has client isolation or not (where clients can connect to each other via the VPN), but if it doesn't you should drop all incoming TCP connections (not established connections made by outbound packets) on the VPN interface on your Pi.

Even if Astrill doesn't block other clients from connecting to you, the other clients should only be able to see the services listening (unfirewalled) on the tunnel interface.

To be clear, you're making an outbound connection to a VPN endpoint in the UK, right? Not allowing any kind of inbound VPN connection to your network, right?

  Reply # 1924746 24-Dec-2017 21:17
I am not an expert, but my 2 cents:

  • You have to assume your provider has configured their servers properly so other customers cannot access your tunnel IP (https://serverfault.com/questions/736274/openvpn-client-to-client)
  • The iptables rule "sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT" should prevent new connections from the tunnel side, but a default rule denying traffic at the end of the FORWARD table is missing (the default policy for the chain can be DROP, but you want to double check that). Also, for extra assurance, you want to block incoming forward traffic where the destination ports are below 1024, or any other relevant port you have enabled on your LAN.

  Reply # 1924750 24-Dec-2017 21:31
kyhwana2: Not sure if Astrill has client isolation or not (where clients can connect to each other via the VPN), but if it doesn't you should drop all incoming TCP connections (not established connections made by outbound packets) on the VPN interface on your Pi. Even if Astrill doesn't block other clients from connecting to you, the other clients should only be able to see the services listening (unfirewalled) on the tunnel interface. To be clear, you're making an outbound connection to a VPN endpoint in the UK, right? Not allowing any kind of inbound VPN connection to your network, right?

That's right, outbound to a UK endpoint.

marpada:

I am not an expert, but my 2 cents:

  • You have to assume your provider has configured their servers properly so other customers cannot access your tunnel IP (https://serverfault.com/questions/736274/openvpn-client-to-client)
  • The iptables rule "sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT" should prevent new connections from the tunnel side, but a default rule denying traffic at the end of the FORWARD table is missing (the default policy for the chain can be DROP, but you want to double check that). Also, for extra assurance, you want to block incoming forward traffic where the destination ports are below 1024, or any other relevant port you have enabled on your LAN.

I get the general idea of what you're saying, but I don't know how to do that. I've never used iptables.





  Reply # 1924760 24-Dec-2017 22:30
After

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Add

# drop anything else arriving from the tunnel that is bound for the LAN
sudo iptables -A FORWARD -i tun0 -o eth0 -j DROP

That will prevent packets flowing into your LAN, unless they are associated with an established connection.

Also configure the OpenSSH service on the Rpi to listen only on the wired IP address (ListenAddress 192.168.1.2 in /etc/ssh/sshd_config) and restart sshd.
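
A complete version of what kyhwana2 and marpada describe above (new connections arriving on the tunnel interface are dropped, the FORWARD and INPUT chains default to DROP, SSH is only reachable from the LAN), together with a check that reads an iptables-save dump and reports which of those properties are missing. This is an added example, not code from the thread, the linked tutorial or Astrill. It assumes the LAN is 192.168.1.0/24 on eth0, the Pi has the static address 192.168.1.2, the tunnel is tun0 and SSH on 22/tcp is the only service the Pi should offer; the script file name used in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread, the linked tutorial or Astrill.
# Assumptions: LAN on eth0 as 192.168.1.0/24, the Pi at 192.168.1.2, the
# OpenVPN tunnel on tun0, SSH on 22/tcp and nothing else meant to be
# reachable. hardened_ruleset prints a complete iptables-restore(8) file;
# audit_ruleset reads an iptables-save(8) dump on stdin and lists the gaps.

LAN_IF=eth0
LAN_NET=192.168.1.0/24
VPN_IF=tun0

hardened_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the Pi itself: loopback, replies to what it started (this covers the
# OpenVPN session, which the Pi opens outbound), SSH and ping from the LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp -j ACCEPT
-A INPUT -i $VPN_IF -j DROP
# forwarding: LAN clients may open anything through the tunnel; the tunnel
# side may only send replies back. Nothing else is forwarded, so a LAN
# client loses connectivity rather than leaking out eth0 when tun0 is down.
-A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $VPN_IF -j MASQUERADE
COMMIT
EOF
}

# Apply atomically (needs root); persist with iptables-persistent afterwards.
apply_ruleset() {
    hardened_ruleset | iptables-restore
}

report_gap() { printf 'GAP: %s\n' "$1"; gaps=$((gaps + 1)); }

# Read an iptables-save dump on stdin and check the properties the thread
# asks for. Returns 0 only when no gap was found.
audit_ruleset() {
    dump=$(cat)
    gaps=0
    printf '%s\n' "$dump" | grep -E -q '^(:FORWARD DROP|-A FORWARD -j DROP)' \
        || report_gap "FORWARD has no default DROP: unmatched packets from $VPN_IF are forwarded"
    printf '%s\n' "$dump" | grep -E -q '^(:INPUT DROP|-A INPUT -j DROP)' \
        || report_gap "INPUT has no default DROP: services on the Pi are reachable from $VPN_IF"
    printf '%s\n' "$dump" | grep -E -q "^-A INPUT -i $VPN_IF -j DROP" \
        || report_gap "no explicit INPUT drop on $VPN_IF"
    printf '%s\n' "$dump" | grep -E -q "^-A FORWARD -i $VPN_IF -o $LAN_IF .*(ctstate|state) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT" \
        || report_gap "no reply-only rule for $VPN_IF -> $LAN_IF"
    printf '%s\n' "$dump" | grep -E -q "^-A FORWARD -i $VPN_IF -o $LAN_IF -j ACCEPT" \
        && report_gap "unconditional ACCEPT for $VPN_IF -> $LAN_IF"
    [ "$gaps" -eq 0 ]
}

if [ "${1:-}" = apply ]; then
    apply_ruleset
fi
```

Saved as, say, gateway.sh (hypothetical name), `sudo sh gateway.sh apply` loads the ruleset and `sudo iptables-save | ( . ./gateway.sh; audit_ruleset )` checks whatever is currently loaded. On a stock Raspbian, where every chain policy is ACCEPT, the tutorial's three rules alone fail the audit on both policies: a packet from the tunnel that matches nothing is forwarded into the LAN, and anything listening on the Pi is reachable from tun0. Because FORWARD defaults to DROP and only eth0-to-tun0 is accepted, a client that uses the Pi as its gateway simply loses connectivity if tun0 goes away instead of leaking out through eth0, which is the behaviour the tutorial's "kill switch" was meant to provide.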
  Reply # 1925220 26-Dec-2017 11:08
timmmay:

I get the general idea of what you're saying, but I don't know how to do that. I've never used iptables.

As far as security goes, what you have could be considered fairly open.

However, at the other end they will be NATing all your outbound traffic. For someone to come back in they'd have to set up inbound NAT rules, which is extremely unlikely.

So you're getting some basic protection from that (about the same level as your typical ISP home router).

It's unlikely they'd route traffic from other VPN clients directly, as everyone will have overlapping subnets.

  Reply # 1925241 26-Dec-2017 11:40
I'm going to be that guy: have you even considered the pure logistics of sending all your data to the UK?

~300 ms is the ping time to the UK; if a server is in NZ you're looking at adding almost a second per request. If anyone in your household plays multiplayer games, even UK servers will be unplayable and NZ would be so much worse.

The instructions you linked to are for someone who thinks they cannot trust their ISP or government and wants to send all their traffic through a VPN. If you really want to achieve what you're looking to do, you should be telling the Pi to check the destination using geoIP and sending the UK-bound traffic to the UK via the VPN and everything else via your internet connection.

Geoff E
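
The selective routing geocom describes, as an added example that is not code from the thread, OpenVPN or Astrill: LAN packets whose destination is in an ipset get a firewall mark, a policy-routing rule sends marked packets to a table whose only route is the tunnel, and everything else follows the Pi's normal default route. It generalises to any destination list, not only UK addresses. Assumptions: LAN on eth0, tunnel on tun0, iproute2 and ipset installed, OpenVPN started with the real `route-nopull` client option so it does not install its own default route; the set name vpn_dst, mark 0x1, table 100 and the two prefixes in SAMPLE_PREFIXES are constructed placeholders (RFC 5737 documentation networks, not UK allocations) to be replaced by a GeoIP-derived list.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN/Astrill. Policy
# routing: only LAN traffic to destinations in an ipset is sent through tun0;
# everything else keeps the normal default route. Assumptions: LAN on eth0,
# tunnel on tun0, iproute2 and ipset installed, and OpenVPN started with
# "route-nopull" so the client does not replace the Pi's default route.
# SAMPLE_PREFIXES are CONSTRUCTED placeholders (RFC 5737 documentation nets),
# not real UK allocations; load a GeoIP-derived list in their place.

LAN_IF=eth0
VPN_IF=tun0
SET_NAME=vpn_dst
MARK=0x1
TABLE=100
SAMPLE_PREFIXES="198.51.100.0/24 203.0.113.0/24"

# Print the setup commands rather than run them, so they can be reviewed;
# "selective_routing_cmds | sudo sh" applies them.
selective_routing_cmds() {
    printf 'ipset create %s hash:net -exist\n' "$SET_NAME"
    for p in $SAMPLE_PREFIXES; do
        printf 'ipset add %s %s -exist\n' "$SET_NAME" "$p"
    done
    # mark packets from the LAN whose destination is in the set
    printf 'iptables -t mangle -A PREROUTING -i %s -m set --match-set %s dst -j MARK --set-mark %s\n' \
        "$LAN_IF" "$SET_NAME" "$MARK"
    # marked packets consult a table whose only route is the tunnel
    printf 'ip rule add fwmark %s lookup %s\n' "$MARK" "$TABLE"
    printf 'ip route add default dev %s table %s\n' "$VPN_IF" "$TABLE"
    # strict reverse-path filtering would drop replies on tun0 whose source
    # the main table routes via eth0; loose mode (2) only requires any route
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=2\n' "$VPN_IF"
    # NAT so the VPN side sees the tunnel address, not the LAN client's
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$VPN_IF"
    # forwarding: LAN out either way, tunnel side replies only
    printf 'iptables -A FORWARD -i %s -j ACCEPT\n' "$LAN_IF"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$VPN_IF" "$LAN_IF"
    printf 'iptables -A FORWARD -i %s -o %s -j DROP\n' "$VPN_IF" "$LAN_IF"
}

# Offline check of the same decision in pure shell, so a prefix list can be
# tested before it is loaded: prints "vpn" or "direct" for an IPv4 address.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_prefix() {   # in_prefix ADDR NET/LEN
    net=${2%/*}
    len=${2#*/}
    mask=$(( (0xffffffff << (32 - len)) & 0xffffffff ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

path_for() {
    for p in $SAMPLE_PREFIXES; do
        if in_prefix "$1" "$p"; then
            echo vpn
            return 0
        fi
    done
    echo direct
}
```

The TV box keeps pointing at the Pi as its gateway; only its traffic to listed prefixes crosses the tunnel, so the latency penalty geocom describes applies to that traffic alone. DNS is not redirected by these rules, so a service that geolocates the resolver rather than the client address is not covered.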



  Reply # 1925301 26-Dec-2017 12:43
vulcannz:

As far as security goes, what you have could be considered fairly open.

However, at the other end they will be NATing all your outbound traffic. For someone to come back in they'd have to set up inbound NAT rules, which is extremely unlikely.

So you're getting some basic protection from that (about the same level as your typical ISP home router).

It's unlikely they'd route traffic from other VPN clients directly, as everyone will have overlapping subnets.

So probably low to moderate risk - great :)

geocom:

I'm going to be that guy: have you even considered the pure logistics of sending all your data to the UK?

~300 ms is the ping time to the UK; if a server is in NZ you're looking at adding almost a second per request. If anyone in your household plays multiplayer games, even UK servers will be unplayable and NZ would be so much worse.

The instructions you linked to are for someone who thinks they cannot trust their ISP or government and wants to send all their traffic through a VPN. If you really want to achieve what you're looking to do, you should be telling the Pi to check the destination using geoIP and sending the UK-bound traffic to the UK via the VPN and everything else via your internet connection.

I'm not sending all my traffic to the UK. I'm creating a VPN gateway so that if I manually tell a device to use this gateway it will go via the UK. This will only be used with a device hooked to my TV; everything else such as PCs, phones, etc, will go out via the normal internet connection.

If you have a good tutorial for the R.Pi that sends all UK traffic via the VPN, that would be interesting and useful.



