Viewing 26 posts - 1 through 26 (of 26 total)
IT network security/VPN gurus!

    zilog6128
    Full Member

    I know there’s a few smart IT types on here! I’ve just set up a server (as a Docker Container, on my Mac) to monitor my 3d printer. I’d like to be able to log in remotely (it serves a web page on port 3334 currently) with some degree of security. Don’t want/need to expose any services other than this one at this point (may change in the future).

    As I understand it there’s 3 options.
    1) port-forwarding (bad)
    2) VPN (most secure?) I’m leaning against this though as you have the extra layer of hassle of having to log in to the VPN each time (at least, that’s how it worked on iOS when I last tried this a few years ago)
    3) Reverse Proxy. Seems like the simplest option (simplicity being what I’m going for!) Found a couple of open-source options – Traefik & Nginx – although I’d be lying if I said I really understood either. Happy to be advised of more suitable software!

    Assuming I go with either 2 or 3, would it then be best to a) run software on my main computer, b) run software on my main computer in either a Docker Container or a VM running Ubuntu or something (which is best?) or c) separate computer entirely (again, installed directly or as a Docker/VM for whatever reason?) Have a spare Mac mini and lots of RPis! Ta!

    oldtennisshoes
    Full Member

    Dunno, but I’m keen to see how the usual suspects play this one.
    *BUMP*

    mogrim
    Full Member

    Can’t you hook up the printer to a Pi and just SSH into that?

    ab1970
    Free Member

    I use a RPi with NGINX for reverse proxy. Everything is accessed externally via port 443 (with Let’s Encrypt certificates), and proxied internally, based on the subdomain. You can set a rate-limit on NGINX to stop anybody trying to brute-force the printer login.

    I also use the same RPi for DHCP and DNS with dnsmasq. Works well and is very reliable.

    zilog6128
    Full Member

    Can’t you hook up the printer to a Pi and just SSH into that?

    I’ve just realised maybe I was slightly ambiguous in my OP – by “remotely” I mean, not on the local network. I can use SSH when I’m on the network, I don’t think I can do that over the internet though can I without using one of the 3 methods I mentioned? Also, SSH isn’t enough in this case (I think), I need to be able to get to the web page that is served up.

    I’m actually not trying to log in to the Pi, anyway. The Pi talks to a server running in a Docker Container on my Mac, it’s that server I’m trying to access.

    I use a RPi with NGINX for reverse proxy. Everything is accessed externally via port 443 (with Let’s Encrypt certificates), and proxied internally, based on the subdomain. You can set a rate-limit on NGINX to stop anybody trying to brute-force the printer login.

    That sounds ideal, I’d be lying if I said I understood it all though 😂 Don’t suppose you have a link to a suitable Idiot’s Guide or similar?

    purpleyeti
    Free Member

    You could run it on a Pi with port forwarding only for SSH, move SSH to a random high port to cut down on the brute-force noise and then use SSH port forwarding to access the web interface.

    scuttler
    Full Member

    Some considerations

    1. You need to consider access control first and foremost – where are you wanting to access it from and what will be used to stop other people also accessing it? You will be portscanned and miscreants will find systems available to connect to, be they SSH, reverse proxy or port-forwarded printer controller. If you need to access it from anywhere on the internet (Wifi, 4G) then network level controls are out and you’ll need some form of identity, usually username and password but can be other things like client/user certificates. If it’s just from one place you might be able to restrict it at the IP address level (source needs a static IP that won’t change)

    2. The thing that’s facing the internet needs to be secure so it can’t be readily bypassed. As such it should be security-oriented software and not a general-purpose printer controller with a username / password that may not have been designed with security in mind. This is generally why port forwarding is bad: because the thing being forwarded to is insecure. If you use RPi + NGINX you should consider if there’s any authentication you can use, but rate-limiting will also help. Without authentication a reverse proxy can still forward attacker traffic to the printer though, which might be a risk, e.g. an instruction to heat to 1 million degrees.

    A reverse proxy with some form of access control is essentially a clientless VPN, i.e. you only use a web browser but it ensures insecure internal pages are secured externally once the access controls have been satisfied.

    ab1970
    Free Member

    There are lots of guides if you search for ‘nginx raspberry pi reverse proxy’. I can’t remember which ones I’ve used – this one looks OK: https://medium.com/@mikezrimsek/configuring-nginx-as-a-reverse-proxy-897532936f9f

    If you have a domain name you can point to your home IP address, you can make the server_name in the NGINX configuration something like ‘my3dprinter.example.com’. This makes it easy to access and you can block the vast majority of port-scanners as they will just be using the IP address and so NGINX will drop it.
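Putting ab1970’s two posts into a concrete configuration (an added example for this thread, not ab1970’s actual config): one NGINX site on the Pi that terminates TLS on 443 with a Let’s Encrypt certificate, proxies the subdomain to the printer server on the Mac, rate-limits requests per client, drops anything that arrives by bare IP address rather than by hostname, and, picking up scuttler’s point about authentication, requires a login at the proxy before the printer’s own page is ever reached. The hostname my3dprinter.example.com and port 3334 are from the thread; the Mac’s LAN address 192.168.1.20, the certbot paths, the password-file path and the rate-limit numbers are assumptions.

```nginx
# /etc/nginx/sites-available/printer  (added example, not from the thread)
# Assumptions: printer server is on the Mac at 192.168.1.20:3334 (address
# made up, port from the OP); certbot has issued a certificate for
# my3dprinter.example.com into the usual /etc/letsencrypt path.

# Rate limit keyed on client IP: 5 requests/second sustained, burst of 10.
# This is what slows a brute-force attempt against the login page.
limit_req_zone $binary_remote_addr zone=printer:10m rate=5r/s;

# Pass WebSocket upgrades through only when the client asks for one.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Default server: scanners connect by IP address with no matching hostname,
# so they land here and the TLS handshake is refused before any page is
# served. ssl_reject_handshake needs nginx 1.19.4 or newer.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;   # 444 = close the connection without a response
}

# Plain HTTP exists only to redirect to HTTPS.
server {
    listen 80;
    server_name my3dprinter.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name my3dprinter.example.com;

    ssl_certificate     /etc/letsencrypt/live/my3dprinter.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my3dprinter.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authentication at the proxy, so the printer app's own login is never
    # the only thing between the internet and the heater commands.
    # Create the file with:  htpasswd -c /etc/nginx/.htpasswd <username>
    auth_basic           "3D printer";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        limit_req zone=printer burst=10 nodelay;

        proxy_pass         http://192.168.1.20:3334;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # Needed if the printer UI uses WebSockets for live status updates.
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        $connection_upgrade;
    }
}
```

Symlink it into sites-enabled, run `nginx -t`, then `systemctl reload nginx`. On a Pi whose nginx is older than 1.19.4, give the default server the same two `ssl_certificate` lines as the real site and keep `return 444;`; the effect is the same, the scanner just gets a handshake before the close. Every attempt that does reach the site, successful or not, ends up in /var/log/nginx/access.log on the Pi, so the rate limit and the password can be checked against what is actually arriving.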

    torsoinalake
    Free Member

    What router have you got? Does it have a built in VPN?

    Mine does. I have VPN client on my phone that runs all the time. Nice and simple.

    zilog6128
    Full Member

    What router have you got? Does it have a built in VPN?

    I used to have a DrayTek router that had a VPN, it was a **** nightmare to be honest, very user unfriendly and seemed quite unreliable. Also had to log in each time on iPhone (this was a few years back, mind). Using a BT hub now which (I don’t think) has that feature.

    @ab1970 ta, I’ll check that out. I do have a domain name (currently points at FB page). Can I use a subdomain or something so that still works yet ‘my3dprinter.example.com’ goes to the Reverse Proxy Server? Alternatively I also used a dynamic DNS service before, which also gives you a domain name rather than an IP to use, I suppose that would also fox the port scanners?

    willard
    Full Member

    A good question for a quiet Valborgsdag…

    Things to consider: DNS name/IP address of your router. If you are looking to get into your home LAN from outside, then you’ll want/need either a static IP address or some configuration with dynamic DNS to allow you to use the DHCP IP that your ISP give you.

    TTC #2: LetsEncrypt certs are fine if you don’t care about re-doing them every three months and the way that you can (as an attacker) recon an environment using their open infrastructure.

    Leaving that aside, I agree that access control is going to be a big thing. Something like a certificate based VPN would work really well for what you want. Something like Wireguard would fit the bill. It is easy to set up and works really well. Apparently. I still have not got round to doing that at the house yet, but it is on my list. With Jitsi.

    I think it will run on a Pi as well. https://www.wireguard.com/

    zilog6128
    Full Member

    @willard thanks, yeah I’m familiar with Dynamic DNS services. The first I’ve heard about LetsEncrypt was when someone mentioned it earlier so I’ll have a read up about that. Likewise, not seen Wireguard mentioned re. this kind of thing before so I’ll look into that too. Assume it’s better to have this run on its own machine e.g. the Pi (for some kind of security reason?) rather than just running on the main server?

    Cougar
    Full Member

    Listen to Scuttler.

    I personally wouldn’t want a web server running on anything I cared about, even if it was behind a reverse proxy. Doubly so if it was running some scabby third-party software probably knocked up by a 14-year-old Chinese lad one Friday lunchtime.

    Does your router support VLANs? Can you isolate anything public-facing from the rest of your LAN? (Consider, you don’t need local access to the web server, you can go out of the router and back in again.)

    zilog6128
    Full Member

    @Cougar thanks, yeah Scuttler’s post makes sense. Is the security risk still the same if the web server/app thing is ON my main computer, but inside a Docker or VM?

    In which case would I be much better off moving it onto a different physical machine?

    Don’t think my router supports VLANs (standard BT Business Hub jobby).

    Can you isolate anything public-facing from the rest of your LAN?

    Don’t know… don’t fully understand this if I’m honest!! Doesn’t the public-facing thing (is that the Reverse Proxy/VPN?) have to be connected to the LAN in order to communicate with the printer? In which case it can’t be isolated?

    zilog6128
    Full Member

    Can anyone comment on Wireguard that was mentioned earlier? Had a bit of a read through their page, sounds pretty cool. iOS app that you can configure by scanning a QR code which is good! Would it be possible to have that (or any other) VPN “always on” but ONLY use it for certain domains/IPs. I think that’s possible on a normal network setup but not sure about on an iPhone? Guess I can just try it and see!!

    torsoinalake
    Free Member

    As you are on a home router, provided you have the firewall turned on, your internal network (192.168.whatever) is essentially segregated from inbound Internet traffic.

    Regardless of your chosen solution, you will need to port forward inbound traffic from your external IP address https://www.google.com/search?q=whats+my+ip to the internal endpoint, be that VPN, Reverse Proxy, or go wild and open up your web server to the world (don’t do that). Where your solution runs isn’t as important as how well it is configured.

    I’m with Willard on this, authentication is going to be important. Set up a Pi with a static IP address on it. Harden it: https://www.raspberrypi.org/documentation/configuration/security.md. Set up the VPN he linked to on it. Configure the VPN to allow connections to your internal web server only if you want to. Then forward the necessary ports from the BT router to the Pi. VPN client is really not an issue, once you have set up keys etc. then login is seamless (in my experience anyway).

    Or do the same with a Reverse Proxy – downside for me is then you rely on the authentication provided by the proxy or your Web Server which may not be great and you have to manage certs etc.
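A worked version of what willard and torsoinalake describe, added here as an example rather than taken from either of them: the Pi runs WireGuard, the BT hub forwards one UDP port to it, and the Pi’s firewall lets tunnel traffic reach only the printer server’s port on the Mac, so a lost phone gets the web page and nothing else on the LAN. Port 3334 and the my3dprinter.example.com name are from the thread; the addresses (Pi 192.168.1.10, Mac 192.168.1.20, tunnel 10.8.0.0/24), UDP port 51820 (WireGuard’s default) and the interface name eth0 are assumptions. Keys come from `wg genkey | tee privatekey | wg pubkey > publickey` on each side; the angle-bracket values are placeholders for them.

```ini
# ===== File 1: /etc/wireguard/wg0.conf on the Raspberry Pi (server) =====
# Added example, not from the thread. Assumed addresses: Pi 192.168.1.10,
# Mac running the printer server 192.168.1.20 port 3334, tunnel 10.8.0.0/24.
# Requires net.ipv4.ip_forward=1 on the Pi and UDP 51820 forwarded from
# the BT hub to 192.168.1.10.
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server private key>

# Firewall, applied when the tunnel comes up and removed when it goes down.
# Tunnel clients may open TCP connections to the printer server's port and
# nothing else; replies are allowed back; everything else is dropped.
# MASQUERADE makes the Mac see the Pi's LAN address, so it needs no extra
# routes for the 10.8.0.0/24 tunnel network.
PostUp   = iptables -A FORWARD -i %i -d 192.168.1.20 -p tcp --dport 3334 -j ACCEPT
PostUp   = iptables -A FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp   = iptables -A FORWARD -i %i -j DROP
PostUp   = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -d 192.168.1.20 -p tcp --dport 3334 -j ACCEPT
PostDown = iptables -D FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j DROP
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# One [Peer] block per device. AllowedIPs here is the single tunnel address
# this key is permitted to send from; a second phone gets its own key and
# its own /32.
[Peer]
# iPhone
PublicKey  = <phone public key>
AllowedIPs = 10.8.0.2/32

# ===== File 2: the phone's config (import via the QR code the iOS app scans) =====
[Interface]
Address    = 10.8.0.2/32
PrivateKey = <phone private key>

[Peer]
PublicKey  = <server public key>
# The dynamic-DNS name that points at the home IP, from the thread.
Endpoint   = my3dprinter.example.com:51820
# Split tunnel: only traffic for the printer server's address is sent
# through the VPN; everything else on the phone uses its normal connection.
AllowedIPs = 192.168.1.20/32
# Keeps the NAT mapping on the BT hub alive so the phone stays reachable.
PersistentKeepalive = 25
```

Bring it up with `sudo wg-quick up wg0` and `sudo systemctl enable wg-quick@wg0` so it survives a reboot. The phone’s `AllowedIPs = 192.168.1.20/32` is the answer to the “always on but only for certain IPs” question: the tunnel can stay connected permanently because only packets for that one address are routed into it, and the server-side firewall enforces the same restriction from the other end, so the phone’s config cannot be edited to reach anything more than the printer page.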

    torsoinalake
    Free Member

    Would it be possible to have that (or any other) VPN “always on” but ONLY use it for certain domains/IPs

    I haven’t played around with it but OpenVPN client certainly supports custom routing.

    Cougar
    Full Member

    Doesn’t the public-facing thing (is that the Reverse Proxy/VPN?) have to be connected to the LAN in order to communicate with the printer? In which case it can’t be isolated?

    Point is, they don’t have to see the LAN, they just have to see each other. For example:

    Take a Raspberry Pi with two NICs. NIC 1 is on your LAN, NATted on your router as the public side of your reverse proxy. This could be the Wi-Fi NIC even – reserve an address for it in DHCP on your router so that it doesn’t change.

    Then, RPi NIC 2, printer and web server VM on a separate subnet, e.g. 10.0.0.1 / .2 / .3, you could use static IP addresses for this. Might need a bit of routing work on the host Mac too.

    Now all three interfaces can communicate to each other, but the only route between the private and dirty subnets is the proxy. The only way out onto your LAN now is if the Pi is compromised, which at least is a single attack vector rather than many.

    NB I’m not saying this is the best way of doing it, networking isn’t my primary area of expertise. But it’s the way I’d try to do it I think.

    Cougar
    Full Member

    In fact,

    If you moved the web server to a separate physical machine and bought a cheap switch, you could physically isolate the entire thing.

    You might even get it to coexist on the Pi, but configuring that might be a bit nasty.

    zilog6128
    Full Member

    @Cougar ok, that makes sense, ta!

    @torsoinalake will give that a go. You actually made the VPN sound like the simpler approach (to do securely), whereas initially I’d assumed Reverse Proxy might be simpler.

    After browsing around I did just realise that a much easier way would be to use a streamer service like TeamViewer/Splashtop (these are pretty secure, right?) to view the necessary web page from the web server, but I feel committed to figuring this out now 😂

    If you moved the web server to a separate physical machine and bought a cheap switch, you could physically isolate the entire thing.

    I actually do have a spare switch I could use, replaced it with a gigabit one a few years ago and never got round to eBaying it 😂

    How would the setup work in this case? Printer server machine & Pi (running VPN/RP) on the new network, as a separate LAN?

    scuttler
    Full Member

    I think VPN would be simpler and ultimately more flexible as you change / evolve things. VPN servers come under a lot of security scrutiny so typically easy to harden and patch to keep them secure. I’ve no experience building them on home kit though so can’t offer specific advice on packages.

    Cougar
    Full Member

    After browsing around I did just realise that a much easier way would be to use a streamer service like TeamViewer/Splashtop (these are pretty secure, right?) to view the necessary web page from the web server, but I feel committed to figuring this out now 😂

    TeamViewer was actually my first thought.

    How would the setup work in this case? Printer server machine & Pi (running VPN/RP) on the new network, as a separate LAN?

    Aye.

    TBH, TeamViewer is probably Good Enough. I’m coming at this with my security head on though. I wouldn’t trust that web server. I wouldn’t trust the 3D printer. Security is often an afterthought with these things. The real world chance of anyone getting at them behind your DSL router is pretty slim, but I’d rather prefer the risk to be as close to ‘none’ as possible and would quite like for a hacker / malware not to be able to move laterally across the network from a compromised machine to something more important.

    It’s a timely thread actually because I’ve been wanting to segregate my IoT devices (Echo, Hue etc) from the rest of my network for ages and haven’t done so because my crappy router is crap; using a Pi as a proxy hadn’t occurred to me.

    ben00
    Free Member

    Use https://tailscale.com, it’s Wireguard made easier. Install in your container or Mac and any clients you want to connect from, log in with a Google account and it’s done.

    zilog6128
    Full Member

    @ben00 wow, that is very new! Sounds pretty cool, they literally couldn’t make having a VPN any simpler. Only snag is the free version only offers a single user account (although I found a forum post from one of the founders suggesting just creating a new gmail to share, and that they’re looking into free or low-cost “family plans”).

    However, unlike with Wireguard (which it runs on) etc., you don’t install & manage your own server (that’s why it’s so simple I guess!), everything still runs through them.

    I will probably stick with trying Wireguard first I reckon, I’ll try to get that up & running!

    scaled
    Free Member

    I wouldn’t want to use it for anything properly secure but nginx has a port knocking module that’d work pretty well in this instance to enable the port forwarding to the printer backend?

    retro83
    Free Member

    Before you go to this effort is it not worth just putting up NGINX as a rev proxy on a random really high port and monitoring the log to see if anything does actually access it?

    I know it’s security by obscurity yada yada yada but it seems highly unlikely anything would find it let alone bother analysing the app in the docker image for holes. Probably the most any script would do is try the standard w00tw00t type shit on the front facing NGINX service.


The topic ‘IT network security/VPN gurus!’ is closed to new replies.