Geekzone: technology news, blogs, forums

timmmay
#226189 24-Dec-2017 20:12

I've set up OpenVPN on a R.Pi running Raspbian. It creates a tunnel to the UK using the Astrill VPN. The general idea is it can be used as a gateway for any device on my network that wants to appear like it's in the UK, mostly for watching UK TV. I intend for this to be running 24/7. I set it up using these instructions, other than the "VPN Kill Switch", as it broke it; I'll get to that some time.

Is this likely to compromise home network security? The OS only has essential services running by default - I had to enable SSH, and I changed the password. I assume that any packets not requested by the OS or a client on my network get dropped. Obviously it opens a new way into the network, so there's some risk, but what is that risk?

If someone got onto my network they could potentially see shares from my Windows PC, which contain personal information. The shares have security set up so only specified people can see them, but I have a couple of open shares with generic stuff on them too.

kyhwana2
#1924745 24-Dec-2017 21:14

Not sure if Astrill has client isolation or not (where clients can connect to each other via the VPN) but if it doesn't you should drop all incoming TCP connections (not established connections that were made by outbound packets) on the VPN interface on your Pi.

Even if Astrill doesn't block other clients from connecting to you, the other clients should only be able to see the services listening (unfirewalled) on the tunnel interface.

To be clear, you're making an outbound connection to a VPN endpoint in the UK right? Not allowing any kind of inbound VPN connection to your network, right?

marpada
#1924746 24-Dec-2017 21:17

I am not an expert, but my 2 cents:

  • You have to assume your provider has configured their servers properly so other customers cannot access your tunnel IP (https://serverfault.com/questions/736274/openvpn-client-to-client)
  • The iptables rule "sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT" should prevent new connections from the tunnel side, but a default rule denying traffic at the end of the FORWARD table is missing (the default policy for the chain can be DROP but you want to double check that). Also for extra assurance you want to block incoming forward traffic where the destination ports are below 1024, or any other relevant port you have enabled on your LAN

timmmay
#1924750 24-Dec-2017 21:31

kyhwana2: Not sure if Astrill has client isolation or not (where clients can connect to each other via the VPN) but if it doesn't you should drop all incoming TCP connections (not established connections that were made by outbound packets) on the VPN interface on your Pi. Even if Astrill doesn't block other clients from connecting to you, the other clients should only be able to see the services listening (unfirewalled) on the tunnel interface. To be clear, you're making an outbound connection to a VPN endpoint in the UK right? Not allowing any kind of inbound VPN connection to your network, right?

That's right, outbound to a UK endpoint.

marpada:

I am not an expert, but my 2 cents:

  • You have to assume your provider has configured their servers properly so other customers cannot access your tunnel IP (https://serverfault.com/questions/736274/openvpn-client-to-client)
  • The iptables rule "sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT" should prevent new connections from the tunnel side, but a default rule denying traffic at the end of the FORWARD table is missing (the default policy for the chain can be DROP but you want to double check that). Also for extra assurance you want to block incoming forward traffic where the destination ports are below 1024, or any other relevant port you have enabled on your LAN

I get the general idea of what you're saying, but I don't know how to do that. I've never used iptables.

marpada
#1924760 24-Dec-2017 22:30

After

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Add

# anything else arriving on tun0 and bound for the LAN (eth0) is dropped
sudo iptables -A FORWARD -i tun0 -o eth0 -j DROP

That will prevent packets flowing into your LAN, unless they are associated with an established connection.

Also configure the OpenSSH service on the RPi to listen only on the wired IP address (ListenAddress 192.168.1.2 in /etc/ssh/sshd_config) and restart sshd.
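An added example, written for this thread rather than taken from any poster or from the linked tutorial: the rules above folded into one complete default-deny ruleset in iptables-restore format (the form the iptables-persistent package loads from /etc/iptables/rules.v4), plus an audit function that reads an iptables-save dump and reports the gaps marpada describes (chain policy not DROP, new connections admitted from the tunnel). The interface names eth0/tun0, the LAN prefix 192.168.1.0/24, ssh on port 22 and the sample dump are assumptions; the sample dump is constructed to approximate what the three tutorial rules leave in place on Raspbian's default ACCEPT policies.

```shell
#!/bin/sh
# Added example for this thread (not the tutorial's or any poster's code).
# gen_rules   : complete default-deny ruleset for a Pi that forwards LAN
#               clients into a VPN tunnel, in iptables-restore format.
# audit_rules : reads an iptables-save dump on stdin and reports the gaps
#               discussed above (policy not DROP, new connections let in on tun0).
# Assumptions: LAN on eth0 (192.168.1.0/24), tunnel on tun0, sshd on port 22.
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN devices that use the Pi as their gateway leave with the tunnel's address
-A POSTROUTING -s ${LAN_NET} -o ${VPN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT is traffic to the Pi itself. Replies to its own connections (the OpenVPN
# session to the provider included) are ESTABLISHED; ssh only from the LAN side.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p icmp -j ACCEPT
-A INPUT -i ${LAN_IF} -p udp --sport 67 --dport 68 -j ACCEPT
# Nothing new from the tunnel: other VPN customers cannot reach sshd via tun0
-A INPUT -i ${VPN_IF} -j DROP
# FORWARD: LAN -> tunnel may open connections, tunnel -> LAN only carries replies
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${LAN_IF} -s ${LAN_NET} -o ${VPN_IF} -j ACCEPT
-A FORWARD -i ${VPN_IF} -o ${LAN_IF} -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

# Exit 0 when the dump is clean, 1 when something is open; one line per finding.
audit_rules() {
  awk -v vpn="$VPN_IF" -v lan="$LAN_IF" '
    BEGIN { bad = 0 }
    /^\*/ { table = substr($0, 2); next }
    table != "filter" { next }
    /^:INPUT /   && $2 != "DROP" { print "INPUT policy is " $2 " (want DROP)"; bad++ }
    /^:FORWARD / && $2 != "DROP" { print "FORWARD policy is " $2 " (want DROP)"; bad++ }
    /^-A FORWARD / && index($0, "-i " vpn) && index($0, "-o " lan) &&
      /-j ACCEPT/ && !/ESTABLISHED/ { print "new connections forwarded " vpn " -> " lan ": " $0; bad++ }
    /^-A INPUT / && index($0, "-i " vpn) && /-j ACCEPT/ && !/ESTABLISHED/ {
      print "new connections accepted on " vpn ": " $0; bad++ }
    END { exit (bad > 0) }
  '
}

# Constructed sample: the tutorial's three rules on top of Raspbian's default
# ACCEPT policies. Not a real capture from anyone's Pi.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT'

case "${1:-}" in
  apply) gen_rules | iptables-restore ;;              # root; net.ipv4.ip_forward=1 already set by the tutorial
  audit) iptables-save | audit_rules ;;               # root; check the live ruleset
  demo)  printf '%s\n' "$SAMPLE_DUMP" | audit_rules ;; # shows the two policy findings
  *)     gen_rules ;;
esac
```

With no argument the script prints the ruleset; `demo` audits the constructed sample and reports both ACCEPT policies; `apply` and `audit` need root on the Pi. The explicit NEW DROP in FORWARD is redundant with the DROP policy, but it keeps the tunnel-to-LAN block in place if someone later flips the policy back to ACCEPT. OUTPUT is left at ACCEPT, so this is not a kill switch: if the tunnel drops, LAN clients pointed at the Pi simply lose connectivity rather than leaking out via eth0, because nothing accepts a LAN-to-LAN forward.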

vulcannz
#1925220 26-Dec-2017 11:08

timmmay:

I get the general idea of what you're saying, but I don't know how to do that. I've never used iptables.

As far as security goes what you have could be considered fairly open.

However at the other end they will be NATing all your outbound traffic. For someone to come back in they'd have to set up inbound NAT rules, which is extremely unlikely.

So you're getting some basic protection from that (about the same level as your typical ISP home router).

It's unlikely they'd route traffic from other VPN clients directly as everyone will have overlapping subnets.


geocom
#1925241 26-Dec-2017 11:40

I'm going to be that guy: have you even considered the pure logistics of sending all your data to the UK?

~300ms is the ping time to the UK; if a server is in NZ you're looking at adding almost a second per request. If anyone in your household plays multiplayer games even UK servers will be unplayable, and NZ would be so much worse.

The instructions you linked to are for someone who thinks they cannot trust their ISP or government and wants to send all their traffic through a VPN. If you really want to achieve what you're looking to do you should be telling the Pi to check the destination using geoIP and sending the UK-bound traffic to the UK via the VPN and everything else via your internet connection.

Geoff E

timmmay
#1925301 26-Dec-2017 12:43

vulcannz:

As far as security goes what you have could be considered fairly open.

However at the other end they will be NATing all your outbound traffic. For someone to come back in they'd have to set up inbound NAT rules, which is extremely unlikely.

So you're getting some basic protection from that (about the same level as your typical ISP home router).

It's unlikely they'd route traffic from other VPN clients directly as everyone will have overlapping subnets.

So probably low to moderate risk - great :)

geocom:

I'm going to be that guy: have you even considered the pure logistics of sending all your data to the UK?

~300ms is the ping time to the UK; if a server is in NZ you're looking at adding almost a second per request. If anyone in your household plays multiplayer games even UK servers will be unplayable, and NZ would be so much worse.

The instructions you linked to are for someone who thinks they cannot trust their ISP or government and wants to send all their traffic through a VPN. If you really want to achieve what you're looking to do you should be telling the Pi to check the destination using geoIP and sending the UK-bound traffic to the UK via the VPN and everything else via your internet connection.

I'm not sending all my traffic to the UK. I'm creating a VPN gateway so that if I manually tell a device to use this gateway it will go via the UK. This will only be used with a device hooked to my TV; everything else such as PCs, phones, etc, will go out via the normal internet connection.

If you have a good tutorial for the R.Pi that sends all UK traffic via the VPN that would be interesting and useful.
