Ubiquiti Edgerouter X VPN Setup
-
@anonymous said:
Let use OwnCloud for example.
If I have it publicly facing, then you can try usernames and password until you get in.
If I make it local only, now you have to know how to connect to the VPN (IP Address, Username, Password) and also know my OwnCloud login.
It adds layers.
Granted, it adds layers. So basically you want two passwords instead of one? It's two of the same thing. It's going into two TLS VPNs, one after another. However, there is also the factor of "if I get into your VPN, I likely have much better access to all of your stuff." VPNs make it much easier to attack "you" as a consolidated entity rather than attacking individual, disconnected services.
-
@anonymous said:
If I have it publicly facing, then you can try usernames and password until you get in.
fail2ban is effective for that against most attacks.
-
What I really need is 2 Factor on the VPN.
-
@Dashrender said:
OK. Great.
JB asked:
Do you mean you want to use the ERX as a VPN server for various clients?
And you said "yes"
This is where I became confused.
That desire has nothing to do with your clients.
We are on the same page, but want to clarify, that he never stated his clients. He simply used the word clients. In context it meant VPN clients. You inferred the his somehow.
So now that we are on the same page (I hope), I'm sure the OpenVPN instructions on ubiquiti's webset should solve the problem for you.
Nope, not a chance. UBNT documentation on this is bad.
-
@anonymous said:
What I really need is 2 Factor on the VPN.
Or two factor on the ownCloud. You can do it in either place.
-
@scottalanmiller said:
You could just use a Linux laptop and solve the problem that way
How does Linux solve this?
The article I linked specifically mentioned that the hacker, now having LAN access could see what OS you were, what patch level perhaps.. and then do an exploit lookup and take over you device.
That is what I see being the saving grace of the carry with you firewall.
I completely agree with your particular situation of the ERL for your longer term travels - but I'm guessing you don't take the ERL with you to the coffee shop.
aww.. you mentioned Linux because it probably won't just willy nilly jump to any of your listed previously used WiFi networks (but is that true? - Android is based on Linux and it does this).
-
@anonymous said:
What I really need is 2 Factor on the VPN.
Why not just 2 factor on OwnCloud? whoops I was late to that response.
-
@Dashrender said:
The article I linked specifically mentioned that the hacker, now having LAN access could see what OS you were, what patch level perhaps.. and then do an exploit lookup and take over you device.
That is what I see being the saving grace of the carry with you firewall.
Wouldn't they just take over the firewall then?
-
@Dashrender said:
aww.. you mentioned Linux because it probably won't just willy nilly jump to any of your listed previously used WiFi networks (but is that true? - Android is based on Linux and it does this).
Android is not based on Linux, it IS Linux. You can't really be "based on." Not effectively. You are or you are not.
You still need to tell your Linux to behave intelligently, of course. If you pick an insecure distro it's going to do silly things. But Linux itself does not have this kind of vulnerability.
-
Wouldn't forcing a TLS key for ownCloud provide all of the security of the OpenVPN but without the second step? Then you would need the key and the password for any access.
-
@scottalanmiller said:
@Dashrender said:
aww.. you mentioned Linux because it probably won't just willy nilly jump to any of your listed previously used WiFi networks (but is that true? - Android is based on Linux and it does this).
Android is not based on Linux, it IS Linux. You can't really be "based on." Not effectively. You are or you are not.
You're right, wrong choice of words.
-
@scottalanmiller said:
Wouldn't forcing a TLS key for ownCloud provide all of the security of the OpenVPN but without the second step? Then you would need the key and the password for any access.
A TLS Key? You mean like client side certs? or just a username and password?
-
@scottalanmiller said:
@Dashrender said:
The article I linked specifically mentioned that the hacker, now having LAN access could see what OS you were, what patch level perhaps.. and then do an exploit lookup and take over you device.
That is what I see being the saving grace of the carry with you firewall.
Wouldn't they just take over the firewall then?
Presumably the portable firewall would be at least as good as an ERL, and I'm assuming you're not worry about them taking over that?
I guess the question is, is an ERL or most any firewall really susceptible to intrusion on the outside local LAN segment vs over the internet (i.e. on the other side of the ISP's router)?
We all know that Windows is basically like a sieve, I'm hoping that the Windows firewall is at least OK, but if you get behind in patches then you're open to attach. how many home users are stay up to date on patches? especially when traveling?
hell, forget windows. Let's look at phones! Android phones rare ever get patched. A hardware firewall in front of them seems very smart!
-
@Dashrender said:
@scottalanmiller said:
Wouldn't forcing a TLS key for ownCloud provide all of the security of the OpenVPN but without the second step? Then you would need the key and the password for any access.
A TLS Key? You mean like client side certs? or just a username and password?
You can do either, key is a bit more secure, though.
-
@Dashrender said:
Presumably the portable firewall would be at least as good as an ERL, and I'm assuming you're not worry about them taking over that?
I'm not worried about it, but you already stated that you were worried about Linux. It's not my concern that is the issue, it is yours. Why are you worried about one Linux system and assume it is an automatic lost cause and not worried about another assuming that it is effectively secure?
-
@Dashrender said:
I guess the question is, is an ERL or most any firewall really susceptible to intrusion on the outside local LAN segment vs over the internet (i.e. on the other side of the ISP's router)?
Same as any lean OS, lessso if you do not take care to keep it updated.
-
@Dashrender said:
We all know that Windows is basically like a sieve, I'm hoping that the Windows firewall is at least OK, but if you get behind in patches then you're open to attach. how many home users are stay up to date on patches? especially when traveling?
That's a different issue. If home users are turning off automatic patching on Windows do you think that they will...
- Spend money on a portable firewall.
- Keep the portable firewall patched when it is offline for months at a time when they don't do this with Windows that they use every day?
- Actually bother to use the firewall?
-
@Dashrender said:
hell, forget windows. Let's look at phones! Android phones rare ever get patched. A hardware firewall in front of them seems very smart!
If you are concerned with security to the point that you are carrying hardware to put in front of your phone, wouldn't you more likely just get an iPhone?
-
I feel like the "carrying a firewall" only sounds good and I see the technical merit but it all requires:
- People to be super concerned about security while not taking their endpoint security seriously.
- Being willing to spend money on something they have demonstrated that they are not super concerned about.
- Do something really cumbersome and confusing on one hand while avoiding simple things on the other.
I don't see it making sense in the real world of end users.
-
@scottalanmiller said:
@Dashrender said:
hell, forget windows. Let's look at phones! Android phones rare ever get patched. A hardware firewall in front of them seems very smart!
If you are concerned with security to the point that you are carrying hardware to put in front of your phone, wouldn't you more likely just get an iPhone?
No - I just can't bring myself to own anything apple.
I'll admit my bias and suffer the consequences.
