OpenVPN on R.Pi as network gateway - is this a network vulnerability?

Forums › IT Pro and developers › OpenVPN on R.Pi as network gateway - is this a network vulnerability?

timmmay

20574 posts

Uber Geek

Trusted

Lifetime subscriber

#226189 24-Dec-2017 20:12

I've set up OpenVPN on a R.Pi running Raspbian. It creates a tunnel to the UK using the Astrill VPN. The general idea is it can be used as a gateway for any device on my network that wants to appear like it's in the UK, mostly for watching UK TV. I intend for this to be running 24/7. I set it up using these instructions, other than the "VPN Kill Switch" as it broke it, I'll get to that some time.

Is this likely to compromise home network security? The OS only has essential services running by default - I had to enable SSH, and I changed the password. I assume that any packets not requested by the OS or a client on my network gets dropped. Obviously it opens a new way into the network, so there's some risk, but what is that risk?

If someone got onto my network they could potentially see shares from my Windows PC, which contain personal information. The shares have security set up so only specified people can see them, but I have a couple of open shares with generic stuff on them too.

kyhwana2

2566 posts

Uber Geek

#1924745 24-Dec-2017 21:14

Not sure if Astrill has client isolation or not (Where clients can connect to each other via the VPN) but if it doesn't you should drop all incoming TCP connections (Not established connection that are made outbound packets) on the VPN interface on your Pi.

Even if Astrill doesn't block other clients from connecting to you, the other clients should only be able to see the services listening (unfirewalled) on the tunnel interface.

To be clear, you're making an outbound connection to a VPN endpoint in the UK right? Not allowing any kind of inbound VPN connection to your network, right?

marpada

475 posts

Ultimate Geek

#1924746 24-Dec-2017 21:17

I am not an expert, but my 2 cents:

You have to assume your provider has configured their servers properly so other customers cannot access your tunnel IP (https://serverfault.com/questions/736274/openvpn-client-to-client)
The iptables rule "sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT" should prevent new connections from the tunnel side , but a default rule denying traffic at the end of the FORWARD table is missing ( the default policy for the chain can we DROP but you want to double check that) . Also for extra assurance you want to block incoming forward traffic where the destination ports are below 1024, or any other relevant port you have enabled on your LAN

timmmay

20574 posts

Uber Geek

Trusted

Lifetime subscriber

#1924750 24-Dec-2017 21:31

kyhwana2: Not sure if Astrill has client isolation or not (Where clients can connect to each other via the VPN) but if it doesn't you should drop all incoming TCP connections (Not established connection that are made outbound packets) on the VPN interface on your Pi. Even if Astrill doesn't block other clients from connecting to you, the other clients should only be able to see the services listening (unfirewalled) on the tunnel interface. To be clear, you're making an outbound connection to a VPN endpoint in the UK right? Not allowing any kind of inbound VPN connection to your network, right?

That's right, outbound to a UK endpoint.

marpada:

I am not an expert, but my 2 cents:

You have to assume your provider has configured their servers properly so other customers cannot access your tunnel IP (https://serverfault.com/questions/736274/openvpn-client-to-client)
The iptables rule "sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT" should prevent new connections from the tunnel side , but a default rule denying traffic at the end of the FORWARD table is missing ( the default policy for the chain can we DROP but you want to double check that) . Also for extra assurance you want to block incoming forward traffic where the destination ports are below 1024, or any other relevant port you have enabled on your LAN

I get the general idea of what you're saying, but I don't know how to do that. I've never used IPTables.

marpada

475 posts

Ultimate Geek

#1924760 24-Dec-2017 22:30

After

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Add

sudo iptables -A FORWARD -i tun0 -o tun0 -j DROP

That will prevent packages flowing into your LAN, unless they are associated to an establish connection.

Also configure the OpenSSH service on the Rpi to listen only the wired IP address ListenAddress 192.168.1.2 on /etc/ssh/sshd_config and restart sshd.

vulcannz

436 posts

Ultimate Geek
Inactive user

#1925220 26-Dec-2017 11:08

timmmay:

I get the general idea of what you're saying, but I don't know how to do that. I've never used IPTables.

As far as security goes what you have could be considered fairly open.

However at the other end they will NATing all your outbound traffic. For someone to come back in they'd have to setup inbound NAT rules which is extremely unlikely.

So you're getting some basic protection from that (about the same level as your typical ISP home router).

It's unlikely they'd route traffic from other VPN clients directly as everyone will have overlapping subnets.

geocom

594 posts

Ultimate Geek

Subscriber

#1925241 26-Dec-2017 11:40

I'm going to be that guy have you even considered the pure logistics of sending all your data to the UK.

~300MS is the ping time to the UK if a server is in NZ your looking at adding all most a second per request. If anyone in your household plays multiplayer games even UK servers will be unplayable and NZ would be so much worse.

The instructions you linked to is for someone who thinks they cannot trust their ISP or government and wants to send all their traffic through a VPN. If you really want to achieve what your looking to do you should be telling the Pi to check the destination using geoIP and sending the uk bound traffic to the UK via the VPN and everything else via your internet connection.

Geoff E

timmmay

20574 posts

Uber Geek

Trusted

Lifetime subscriber

#1925301 26-Dec-2017 12:43

vulcannz:

As far as security goes what you have could be considered fairly open.

However at the other end they will NATing all your outbound traffic. For someone to come back in they'd have to setup inbound NAT rules which is extremely unlikely.

So you're getting some basic protection from that (about the same level as your typical ISP home router).

It's unlikely they'd route traffic from other VPN clients directly as everyone will have overlapping subnets.

So probably low to moderate risk - great :)

geocom:

I'm going to be that guy have you even considered the pure logistics of sending all your data to the UK.

~300MS is the ping time to the UK if a server is in NZ your looking at adding all most a second per request. If anyone in your household plays multiplayer games even UK servers will be unplayable and NZ would be so much worse.

The instructions you linked to is for someone who thinks they cannot trust their ISP or government and wants to send all their traffic through a VPN. If you really want to achieve what your looking to do you should be telling the Pi to check the destination using geoIP and sending the uk bound traffic to the UK via the VPN and everything else via your internet connection.

I'm not sending all my traffic to the UK. I'm creating a VPN gateway so that if I manually tell a device to use this gateway it will go via the UK. This will only be used with a device hooked to my TV, everything else such as PCs, phones, etc, will go out via the normal internet connection.

If you have a good tutorial for the R.Pi that sends all UK traffic via the VPN that would be interesting and useful.