[plug] Safely using an untrusted router

Bill Kenworthy billk at iinet.net.au
Wed Oct 21 23:31:37 UTC 2015


My iinet mobile (Galaxy S5 with CyanogenMod) is using a 10.160 private
address - I have no problems running OpenVPN over it to a VM inside my
network (including security camera video over the VPN when I want to
take a peek).  I am using a Cisco 1841 with an Alcatel SpeedStream
bridged, with the router doing PPPoE to iinet.  Stable, but I need to work
on the QoS more.

BillK
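An added check, written here and not taken from any of the posters: the question running through this thread is whether a handset or dongle sits behind the carrier's NAT (BillK's 10.160.x.x address is one sign of it) and whether that keeps internet scanners off it. The Python below, standard library only, classifies an uplink address against RFC 1918 private space and the RFC 6598 shared space that carriers use for large-scale NAT, compares it with the address a remote server reports seeing, and says whether an unsolicited inbound connection from the internet can reach the device at all. The address pairs are constructed samples; 203.0.113.77 is documentation space standing in for a real public address.

```python
import ipaddress

# Ranges a practitioner checks when asking "is this device directly reachable?"
# RFC 1918 private space, RFC 6598 shared address space (what carriers hand
# out behind large-scale NAT, the "small number of provider addresses" case),
# plus loopback and link-local, which never appear on the public internet.
SPECIAL_RANGES = {
    "rfc1918-private": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "rfc6598-shared-cgnat": [ipaddress.ip_network("100.64.0.0/10")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
}


def classify(addr: str) -> str:
    """Return the category of an IPv4 address, or 'global' if it is in none of the special ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this check only handles IPv4 addresses")
    for label, nets in SPECIAL_RANGES.items():
        if any(ip in net for net in nets):
            return label
    return "global"


def nat_assessment(local_addr: str, observed_addr: str) -> dict:
    """Combine the uplink address with the source address a remote party reports.

    local_addr    -- what the device itself has configured on its uplink
    observed_addr -- what a server on the internet reports as the source address
    """
    local_class = classify(local_addr)
    behind_nat = ipaddress.ip_address(local_addr) != ipaddress.ip_address(observed_addr)
    # A translated address is not a security boundary on its own: the carrier's
    # NAT keeps unsolicited inbound probes off the device only because the
    # carrier holds no inbound mapping for it, and it does nothing about what
    # the device itself connects out to.
    return {
        "local_class": local_class,
        "behind_nat": behind_nat,
        "inbound_reachable_from_internet": (not behind_nat) and local_class == "global",
    }


# Constructed sample pairs (uplink address, externally observed address).
SAMPLES = [
    ("10.160.12.34", "203.0.113.77"),  # carrier RFC 1918 space, like the 10.160 address above
    ("100.64.5.6", "203.0.113.77"),    # carrier-grade NAT shared space
    ("203.0.113.77", "203.0.113.77"),  # public address assigned straight to the device
]


def run_samples() -> dict:
    """Assess every constructed sample pair, keyed by the uplink address."""
    return {local: nat_assessment(local, observed) for local, observed in SAMPLES}


if __name__ == "__main__":
    for local, result in run_samples().items():
        print(local, result)
```

The result only answers the inbound side of the question: a device on 10.x or 100.64.x carrier space has no public address of its own, so the routers that scanners find are the provider's rather than yours. It says nothing about the risk of what the device itself connects out to, which is the point of the "only acceptable risks" remark quoted further down.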



On 22/10/15 07:12, Dean Bergin wrote:
> Hello Dirk,
> 
> This is probably not going to help solve your particular issue, but one
> thing I recently did was install OpenWRT on an Rpi2 and set up PPPoE
> over one of two subinterfaces (VLANs) to a cheap Netgear modem (with the
> help of a Cisco Catalyst switch). I also put the Rpi2 OpenWRT
> effectively into its own routed subnet/DMZ (part of the design) so that
> even if there were to be some kind of funny business, things like UPnP
> theoretically should not work, since my experience has taught me that
> most consumer-grade modems/routers do not route/NAT anything other than
> their resident subnet. Therefore I believe that not only are UPnP
> implementations (and many other services on consumer-grade routers)
> usually bound to the subnet on which they are running, but they should be
> disabled in cases where the device is in pass-through mode.
> 
>> Does anyone know whether 4G modems (and smart phones, for that matter)
>> are assigned a publicly-routable IP address or are they
>> typically NAT'd behind a small number of IP addresses of the mobile
>> service provider's servers?  I can't imagine billions(?) of mobile
>> phones all having unique publicly-routable IP addresses (on top of all
>> the servers and so on, around the world).
> 
> I had the opportunity to test this, as I was able to tether my phone to
> an Rpi2 running OpenWRT as part of the labs I did for my now current
> network design, but I did not think to test this specific scenario.
> 
> Shouldn't be too difficult to create a lab to test this, if someone has
> a spare Raspberry Pi (mine is currently in 'prod' now)?
> 
> 
> On Wed, Oct 21, 2015 at 6:27 PM Dirk <justanothergreenguy at gmail.com> wrote:
> 
>     Thanks Andrew.  Will follow up on those ideas too, thanks.
> 
>     However, I have another idea, a bit left field, but it may just do
>     the trick...
> 
>     Does anyone know whether 4G modems (and smart phones, for that
>     matter) are assigned a publicly-routable IP address or are they
>     typically NAT'd behind a small number of IP addresses of the mobile
>     service provider's servers?  I can't imagine billions(?) of mobile
>     phones all having unique publicly-routable IP addresses (on top of
>     all the servers and so on, around the world).
> 
>     If they're NAT'd, then maybe a pre-paid 4G USB modem dongle would be
>     the way to go for low-MB critical online work, e.g. fetching package
>     lists, logging in to ASIC, ATO, webmail, our utilities, etc.  Should
>     block all scanners on the net that are looking for routers to
>     exploit, by virtue of sitting behind the service provider's routers.
>     (...and then use an unsecured computer and ADSL router pair for
>     general web browsing, content streaming, etc.)
> 
>     Does anyone know if this would work?
> 
>     (Of course, if a 4G dongle is not NAT'd then I don't really gain
>     anything).
> 
> 
> 
> 
>     On Wednesday, 21 October 2015, Andrew Cooks <acooks at gmail.com> wrote:
> 
>         On Wed, Oct 21, 2015 at 9:43 AM, Dirk
>         <justanothergreenguy at gmail.com> wrote:
> 
> 
>             Cheers for that Pavel.  And thanks again Brad for your
>             input.  You've both given me some ideas, although I was
>             hoping for an easy OpenVPN option  :)
> 
>             If anyone else has any thoughts or suggestions, please let
>             me know!
> 
>         My internet access is slow enough, so I'm not really excited
>         about pushing everything through a VPN.
> 
>         I trust my router. I have a TP-Link TD-8817 modem in bridge
>         mode, connected to a fit-pc
>         (http://www.fit-pc.com/web/solutions/multilan/) running IPFire
>         (http://www.ipfire.org/). IPFire tells me I can trust my DNS.
>         IPFire packages are kept up to date. The modem could conceivably
>         modify the PPPoE frames in transit, except that it's a dirt
>         cheap consumer product with little functionality that could be
>         exploitable and it's unlikely to have enough processing power to
>         do that kind of thing.
> 
>         There is nowhere safe, only acceptable risks.
> 
>         a.
> 
>     _______________________________________________
>     PLUG discussion list: plug at plug.org.au
>     http://lists.plug.org.au/mailman/listinfo/plug
>     Committee e-mail: committee at plug.org.au
>     PLUG Membership: http://www.plug.org.au/membership
> 
> -- 
> 
> Kind Regards,
> 
> Dean Bergin.
> 
> 
> 
> 


