[plug] Safely using an untrusted router
BillK
billk at iinet.net.au
Thu Oct 22 08:57:25 UTC 2015
The VPN is set up for multiple clients in routed mode. I regularly use an Android phone and tablet, occasionally a Windows desktop, and site-to-site links. I did set up an iPad at one time. It carries SSH, email, calendaring, SIP VoIP, security video etc., all on private networks. It's all tied together by OSPF on the router and various Gentoo Linux hosts, including the VPN concentrator VM.
I also use a stunnel instance in the VM with proxytunnel and PuTTY on Windows to tunnel SSH out of heavily locked-down networks. Both OpenVPN and stunnel listen on public non-standard ports, port-forwarded through the router. SSL is also port-forwarded to an SSL multiplexer in the VM listening on port 443 to redirect incoming SSL to either OpenVPN or stunnel as required; the endpoints terminate as SSH on my desktop.
It sounds complex, isn't really and is quite useful.
However, what has bothered me about this thread is the emphasis on the router as a problem ... It generally isn't: a router is not automatically compromised, so fix that vulnerability first, then attend to the real risks. These days you are at far more risk from perverted/subverted mobile devices ... In the scheme of things routers are just one of, and definitely not the main, thing you have to worry about.
BillK
On 22 October 2015 4:25:51 pm AWST, Dirk <justanothergreenguy at gmail.com> wrote:
>Thanks Bill,
>
>Your setup looks a bit too complicated for me as well :) ...but good to know iiNet are assigning private IP addresses to their mobile users.
>
>Is the VPN just between your VM and your phone? Interesting idea, although I'm not sure Android would be the safest bet :) ...oops, I hope I didn't start any Android v iPhone pie-slinging :)
>
>Anyway, I think I'm going to pursue the 4G USB modem idea for now, and see how I go.
>
>Thanks everyone so much for your ideas and comments. I didn't mean for my wee little Qu to dominate the PLUG forum, and I kinda feel like I'm stretching my welcome a little bit for a first time contributor, so I do apologise to all who put up with me the last few days.
>
>But if the group is ok with it, and anyone has any further ideas, or feedback on the 4G USB modem approach, please don't hesitate to let me know.
>
>Cheers, Dirk
>
>On Thursday, 22 October 2015, Bill Kenworthy <billk at iinet.net.au> wrote:
>
>> My iiNet mobile (Galaxy S5 with CyanogenMod) is using a 10.160 private address - I have no problems running OpenVPN over it to a VM inside my network (including security camera video over the VPN when I want to take a peek). I am using a Cisco 1841 with an Alcatel SpeedStream bridged with the router doing PPPoE to iiNet. Stable but I need to work on the QoS more.
>>
>> BillK
>>
>> On 22/10/15 07:12, Dean Bergin wrote:
>> > Hello Dirk,
>> >
>> > This is probably not going to help solve your particular issue, but one thing I recently did was install OpenWRT on a Rpi2 and set up PPPoE over one of two subinterfaces (VLAN) to a cheap Netgear modem (with the help of a Cisco Catalyst switch). I also put the Rpi2 OpenWRT effectively into its own routed subnet/DMZ (part of the design) so that even if there were to be some kind of funny business, things like UPnP theoretically should not work, since my experience has taught me that most consumer-grade modems/routers do not route/NAT anything other than their resident subnet; therefore I believe that not only are UPnP implementations (and many other services on consumer-grade routers) usually bound to the subnet on which they are running, but they should be disabled in cases where the device is in pass-through mode.
>> >
>> >> Does anyone know whether 4G modems (and smart phones, for that matter) are assigned a publicly-routable IP address or are they typically NAT'd behind a small number of IP addresses of the mobile service provider's servers? I can't imagine billions(?) of mobile phones all having unique publicly-routable IP addresses (on top of all the servers and so on, around the world).
>> >
>> > I had the opportunity to test this, as I was able to tether my phone to a Rpi2 running OpenWRT as part of the labs I did for my now current network design, but I did not think to test this specific scenario.
>> >
>> > Shouldn't be too difficult to create a lab to test this, if someone has a spare Raspberry Pi (mine is currently in 'prod' now)?
>> >
>> >
>> > On Wed, Oct 21, 2015 at 6:27 PM Dirk <justanothergreenguy at gmail.com> wrote:
>> >
>> > Thanks Andrew. Will follow up on those ideas too, thanks.
>> >
>> > However, I have another idea, a bit left field, but it may just do the trick...
>> >
>> > Does anyone know whether 4G modems (and smart phones, for that matter) are assigned a publicly-routable IP address or are they typically NAT'd behind a small number of IP addresses of the mobile service provider's servers? I can't imagine billions(?) of mobile phones all having unique publicly-routable IP addresses (on top of all the servers and so on, around the world).
>> >
>> > If they're NAT'd, then maybe a pre-paid 4G USB modem dongle would be the way to go for low MB critical online work, eg. fetching package lists, logging in to ASIC, ATO, webmail, our utilities, etc. Should block all scanners on the net that are looking for routers to exploit, by virtue of sitting behind the service provider's routers. (...and then use an unsecured computer and ADSL router pair for general web browsing, content streaming, etc).
>> >
>> > Does anyone know if this would work?
>> >
>> > (Of course, if a 4G dongle is not NAT'd then I don't really gain anything).
>> >
>> > On Wednesday, 21 October 2015, Andrew Cooks <acooks at gmail.com> wrote:
>> >
>> > On Wed, Oct 21, 2015 at 9:43 AM, Dirk <justanothergreenguy at gmail.com> wrote:
>> >
>> >
>> > Cheers for that Pavel. And thanks again Brad for your input. You've both given me some ideas, although I was hoping for an easy OpenVPN option :)
>> >
>> > If anyone else has any thoughts or suggestions, please let me know!
>> >
>> > My internet access is slow enough, so I'm not really excited about pushing everything through a VPN.
>> >
>> > I trust my router. I have a TP-Link TD-8817 modem in bridge mode, connected to a fit-pc (http://www.fit-pc.com/web/solutions/multilan/) running IPFire (http://www.ipfire.org/). IPFire tells me I can trust my DNS. IPFire packages are kept up to date. The modem could conceivably modify the PPPoE frames in transit, except that it's a dirt cheap consumer product with little functionality that could be exploitable and it's unlikely to have enough processing power to do that kind of thing.
>> >
>> > There is nowhere safe, only acceptable risks.
>> >
>> > a.
>> >
>> > _______________________________________________
>> > PLUG discussion list: plug at plug.org.au
>> > http://lists.plug.org.au/mailman/listinfo/plug
>> > Committee e-mail: committee at plug.org.au
>> > PLUG Membership: http://www.plug.org.au/membership
>> >
>> > --
>> >
>> > Kind Regards,
>> >
>> > /Dean Bergin/.
>> >
>> >
>> >
>>
>
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
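BillK's message above describes an SSL multiplexer on port 443 that hands each incoming connection to either OpenVPN or stunnel. The following is an added example, not BillK's configuration and not code from anyone in this thread: a small Python demultiplexer in the style of sslh that classifies a connection from the first bytes the client sends and forwards it, bytes included, to the matching backend. The backend addresses and ports, the 2-second peek timeout, and the sizes used in the OpenVPN heuristic are assumptions chosen for illustration.

```python
"""Single-port protocol demultiplexer (added example, not from the thread).

Classifies a TCP connection from the first bytes the client sends and
proxies it to a backend. Bytes consumed while peeking are forwarded, so
nothing is lost. Backend addresses below are placeholders (assumption).
"""
import asyncio
from typing import Optional, Tuple

# Hypothetical backends behind the public port (assumption, not BillK's layout).
BACKENDS = {
    "tls": ("127.0.0.1", 8443),      # e.g. stunnel, which unwraps TLS to SSH
    "openvpn": ("127.0.0.1", 1194),  # OpenVPN in TCP mode
    "ssh": ("127.0.0.1", 22),        # plain SSH, also the on-timeout fallback
    "http": ("127.0.0.1", 8080),
}

# OpenVPN puts the opcode in the top 5 bits of the first payload byte.
# 7 = P_CONTROL_HARD_RESET_CLIENT_V2, 10 = P_CONTROL_HARD_RESET_CLIENT_V3.
_OPENVPN_CLIENT_RESET_OPCODES = {7, 10}
_HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify(data: bytes) -> Optional[str]:
    """Return the protocol name for the opening bytes of a client stream,
    "unknown" if nothing matched, or None if more bytes are needed."""
    if len(data) < 3:
        return None
    # TLS: record type 0x16 (handshake), version 0x03 0x00..0x03.
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03:
        return "tls"
    # SSH: client identification string "SSH-2.0-...".
    if data.startswith(b"SSH-"):
        return "ssh"
    # OpenVPN over TCP: 2-byte big-endian length, then opcode/key_id byte.
    # The length bounds (14..1500) are an assumed sanity range.
    pkt_len = int.from_bytes(data[:2], "big")
    if (data[2] >> 3) in _OPENVPN_CLIENT_RESET_OPCODES and 14 <= pkt_len <= 1500:
        return "openvpn"
    if data.startswith(_HTTP_METHODS):
        return "http"
    if len(data) < 8:
        return None  # ambiguous so far: read more, or fall back on timeout
    return "unknown"


def route(data: bytes) -> Optional[Tuple[str, int]]:
    """Map opening bytes to a backend address, or None if undecided/unknown."""
    proto = classify(data)
    if proto is None or proto == "unknown":
        return None
    return BACKENDS.get(proto)


async def _pipe(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()


async def handle(client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter,
                 peek_timeout: float = 2.0) -> None:
    """Peek at the client's first bytes, pick a backend, then proxy both ways."""
    try:
        head = await asyncio.wait_for(client_r.read(1024), peek_timeout)
        proto = classify(head)
    except asyncio.TimeoutError:
        # Some SSH clients wait for the server banner, so silence means SSH.
        head, proto = b"", "ssh"
    target = BACKENDS.get(proto or "unknown")
    if target is None:
        client_w.close()
        return
    try:
        backend_r, backend_w = await asyncio.open_connection(*target)
    except OSError:
        client_w.close()
        return
    backend_w.write(head)  # replay the peeked bytes to the backend
    await backend_w.drain()
    await asyncio.gather(_pipe(client_r, backend_w), _pipe(backend_r, client_w))


async def main(listen: Tuple[str, int] = ("0.0.0.0", 443)) -> None:
    server = await asyncio.start_server(handle, *listen)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

The classification runs on unauthenticated bytes, so it should stay as dumb as this: the multiplexer only chooses a backend, and each backend still does its own authentication (TLS on the stunnel side, tls-auth or certificates for OpenVPN, keys for SSH). The timeout fallback to SSH mirrors sslh's default on-timeout protocol; it is needed because a client that waits for the server to speak first never gives the classifier anything to look at.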