Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
ForumsIT Pro and developersOpenVPN on R.Pi as network gateway - is this a network vulnerability?


14107 posts

Uber Geek
+1 received by user: 2526

Trusted
Subscriber

Topic # 226189 24-Dec-2017 20:12
Send private message

I've set up OpenVPN on a R.Pi running Raspbian. It creates a tunnel to the UK using the Astrill VPN. The general idea is it can be used as a gateway for any device on my network that wants to appear like it's in the UK, mostly for watching UK TV. I intend for this to be running 24/7. I set it up using these instructions, other than the "VPN Kill Switch" as it broke it, I'll get to that some time.

 

Is this likely to compromise home network security? The OS only has essential services running by default - I had to enable SSH, and I changed the password. I assume that any packets not requested by the OS or a client on my network gets dropped. Obviously it opens a new way into the network, so there's some risk, but what is that risk?

 

If someone got onto my network they could potentially see shares from my Windows PC, which contain personal information. The shares have security set up so only specified people can see them, but I have a couple of open shares with generic stuff on them too.

 

 




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

Create new topic
2439 posts

Uber Geek
+1 received by user: 144


  Reply # 1924745 24-Dec-2017 21:14
Send private message

Not sure if Astrill has client isolation or not (Where clients can connect to each other via the VPN) but if it doesn't you should drop all incoming TCP connections (Not established connection that are made outbound packets) on the VPN interface on your Pi.

 

 

Even if Astrill doesn't block other clients from connecting to you, the other clients should only be able to see the services listening (unfirewalled) on the tunnel interface.

 

 

To be clear, you're making an outbound connection to a VPN endpoint in the UK right? Not allowing any kind of inbound VPN connection to your network, right?

 

264 posts

Ultimate Geek
+1 received by user: 95


  Reply # 1924746 24-Dec-2017 21:17
One person supports this post
Send private message

I am not an expert, but my 2 cents:

 

  • You have to assume your provider has configured their servers properly so other customers cannot access your tunnel IP (https://serverfault.com/questions/736274/openvpn-client-to-client)
  • The iptables rule "sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT" should prevent new connections from the tunnel side , but a default rule denying traffic at the end of the FORWARD table is missing ( the default policy for the chain can we DROP but you want to double check that) . Also for extra assurance you want to block incoming forward traffic where the destination ports are below 1024, or any other relevant port you have enabled on your LAN



14107 posts

Uber Geek
+1 received by user: 2526

Trusted
Subscriber

  Reply # 1924750 24-Dec-2017 21:31
Send private message

kyhwana2: Not sure if Astrill has client isolation or not (Where clients can connect to each other via the VPN) but if it doesn't you should drop all incoming TCP connections (Not established connection that are made outbound packets) on the VPN interface on your Pi. Even if Astrill doesn't block other clients from connecting to you, the other clients should only be able to see the services listening (unfirewalled) on the tunnel interface. To be clear, you're making an outbound connection to a VPN endpoint in the UK right? Not allowing any kind of inbound VPN connection to your network, right?

 

That's right, outbound to a UK endpoint.

 

marpada:

 

I am not an expert, but my 2 cents:

 

  • You have to assume your provider has configured their servers properly so other customers cannot access your tunnel IP (https://serverfault.com/questions/736274/openvpn-client-to-client)
  • The iptables rule "sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT" should prevent new connections from the tunnel side , but a default rule denying traffic at the end of the FORWARD table is missing ( the default policy for the chain can we DROP but you want to double check that) . Also for extra assurance you want to block incoming forward traffic where the destination ports are below 1024, or any other relevant port you have enabled on your LAN

 

I get the general idea of what you're saying, but I don't know how to do that. I've never used IPTables.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

264 posts

Ultimate Geek
+1 received by user: 95


  Reply # 1924760 24-Dec-2017 22:30
Send private message

After

 

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

 

sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

 

sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

 

 

 

Add

 

 

sudo iptables -A FORWARD -i tun0 -o tun0 -j DROP

 

 

 

 

That will prevent packages flowing into your LAN, unless they are associated to an establish connection.

 

 

 

Also configure the OpenSSH service on the Rpi to listen only the wired IP address ListenAddress 192.168.1.2 on /etc/ssh/sshd_config and restart sshd.

 

 

 

 

309 posts

Ultimate Geek
+1 received by user: 68


  Reply # 1925220 26-Dec-2017 11:08
Send private message

timmmay:

 

I get the general idea of what you're saying, but I don't know how to do that. I've never used IPTables.

 

 

 

 

As far as security goes what you have could be considered fairly open.

 

However at the other end they will NATing all your outbound traffic. For someone to come back in they'd have to setup inbound NAT rules which is extremely unlikely.

 

So you're getting some basic protection from that (about the same level as your typical ISP home router).

 

It's unlikely they'd route traffic from other VPN clients directly as everyone will have overlapping subnets.

503 posts

Ultimate Geek
+1 received by user: 114

Subscriber

  Reply # 1925241 26-Dec-2017 11:40
One person supports this post
Send private message

I'm going to be that guy have you even considered the pure logistics of sending all your data to the UK.

 

~300MS is the ping time to the UK if a server is in NZ your looking at adding all most a second per request. If anyone in your household plays multiplayer games even UK servers will be unplayable and NZ would be so much worse.

 

The instructions you linked to is for someone who thinks they cannot trust their ISP or government and wants to send all their traffic through a VPN. If you really want to achieve what your looking to do you should be telling the Pi to check the destination using geoIP and sending the uk bound traffic to the UK via the VPN and everything else via your internet connection.




Geoff E



14107 posts

Uber Geek
+1 received by user: 2526

Trusted
Subscriber

  Reply # 1925301 26-Dec-2017 12:43
Send private message

vulcannz:

 

As far as security goes what you have could be considered fairly open.

 

However at the other end they will NATing all your outbound traffic. For someone to come back in they'd have to setup inbound NAT rules which is extremely unlikely.

 

So you're getting some basic protection from that (about the same level as your typical ISP home router).

 

It's unlikely they'd route traffic from other VPN clients directly as everyone will have overlapping subnets.

 

 

So probably low to moderate risk - great :)

 

 

 

geocom:

 

I'm going to be that guy have you even considered the pure logistics of sending all your data to the UK.

 

~300MS is the ping time to the UK if a server is in NZ your looking at adding all most a second per request. If anyone in your household plays multiplayer games even UK servers will be unplayable and NZ would be so much worse.

 

The instructions you linked to is for someone who thinks they cannot trust their ISP or government and wants to send all their traffic through a VPN. If you really want to achieve what your looking to do you should be telling the Pi to check the destination using geoIP and sending the uk bound traffic to the UK via the VPN and everything else via your internet connection.

 

 

I'm not sending all my traffic to the UK. I'm creating a VPN gateway so that if I manually tell a device to use this gateway it will go via the UK. This will only be used with a device hooked to my TV, everything else such as PCs, phones, etc, will go out via the normal internet connection.

 

If you have a good tutorial for the R.Pi that sends all UK traffic via the VPN that would be interesting and useful.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.