Ubiquiti Edgerouter X VPN Setup
-
Basically, I don't want some "hacker" at a coffee shop to be able to intercept my traffic and use it to gain access to my accounts.
-
I want all data encrpted all the way back to my network, and then to the internet.
-
OK. Great.
JB asked:
Do you mean you want to use the ERX as a VPN server for various clients?
And you said "yes"
This is where I became confused.
It sounds like you want your own traffic to enter the internet from your home/office (wherever your ERX is).
That desire has nothing to do with your clients.
So now that we are on the same page (I hope), I'm sure the OpenVPN instructions on ubiquiti's webset should solve the problem for you.
-
@Dashrender said:
I'm sure the OpenVPN instructions on ubiquiti's webset should solve the problem for you.Can you find any? Everything I find is for site to site.
-
huh - yeah quick searches definitely lean toward the site-to-site type setups.
but this link looks like a starting point.
-
@Dashrender said:
How do you keep them from seeing each other?
THey are supposed to see each other, that's what a VPN is for.
-
@scottalanmiller said:
@Dashrender said:
How do you keep them from seeing each other?
THey are supposed to see each other, that's what a VPN is for.
I think he meant the public and private networks.
-
@scottalanmiller said:
@Dashrender said:
How do you keep them from seeing each other?
THey are supposed to see each other, that's what a VPN is for.
LOL you have a lot of catching up to do in the thread.
-
@DustinB3403 said:
@scottalanmiller said:
@Dashrender said:
How do you keep them from seeing each other?
THey are supposed to see each other, that's what a VPN is for.
I think he meant the public and private networks.
No - what I was talking about... Let's say the OP has 10 clients and they all want to use the OP's ERX as their VPN to the internet. in a normal situation, all those logged into the VPN would traditionally be able to see each other, and interact - I would assume that the OP would not want this...
But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.
-
@Dashrender said:
@DustinB3403 said:
@scottalanmiller said:
@Dashrender said:
How do you keep them from seeing each other?
THey are supposed to see each other, that's what a VPN is for.
I think he meant the public and private networks.
No - what I was talking about... Let's say the OP has 10 clients and they all want to use the OP's ERX as their VPN to the internet. in a normal situation, all those logged into the VPN would traditionally be able to see each other, and interact - I would assume that the OP would not want this...
But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.
Why would someone want to use a VPN to the Internet? Do you mean to do a proxy so that they appear geolocated with him?
-
@Dashrender said:
But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.
That's what I had assumed, normal client to site VPN. The standard use case for OpenVPN.
-
@scottalanmiller said:
@Dashrender said:
@DustinB3403 said:
@scottalanmiller said:
@Dashrender said:
How do you keep them from seeing each other?
THey are supposed to see each other, that's what a VPN is for.
I think he meant the public and private networks.
No - what I was talking about... Let's say the OP has 10 clients and they all want to use the OP's ERX as their VPN to the internet. in a normal situation, all those logged into the VPN would traditionally be able to see each other, and interact - I would assume that the OP would not want this...
But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.
Why would someone want to use a VPN to the Internet? Do you mean to do a proxy so that they appear geolocated with him?
Well, not for that reason, but yes so that all traffic is securely leaving where ever he happens to be and entering the internet from a known trusted point.
-
@scottalanmiller said:
@Dashrender said:
But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.
That's what I had assumed, normal client to site VPN. The standard use case for OpenVPN.
My confusion came when JB asked about clients - and the OP said yes. But there is nothing about his clients being involved here at all. It's all just the OPs traffic. Period.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@DustinB3403 said:
@scottalanmiller said:
@Dashrender said:
How do you keep them from seeing each other?
THey are supposed to see each other, that's what a VPN is for.
I think he meant the public and private networks.
No - what I was talking about... Let's say the OP has 10 clients and they all want to use the OP's ERX as their VPN to the internet. in a normal situation, all those logged into the VPN would traditionally be able to see each other, and interact - I would assume that the OP would not want this...
But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.
Why would someone want to use a VPN to the Internet? Do you mean to do a proxy so that they appear geolocated with him?
Well, not for that reason, but yes so that all traffic is securely leaving where ever he happens to be and entering the internet from a known trusted point.
Hmmmm... odd. What's the value in that? Once it is on the Internet it's at the same level of risk. If it isn't safe from the unknown point, it isn't safe this way.
See the other discussion on the dangers of the illusion of security
-
Hmmmmm.....
Temporary I could do something like this:
https://www.privatetunnel.com/home/pricing/
Still want to get this going
-
@scottalanmiller However people in the same coffee shop can't access it.
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@DustinB3403 said:
@scottalanmiller said:
@Dashrender said:
How do you keep them from seeing each other?
THey are supposed to see each other, that's what a VPN is for.
I think he meant the public and private networks.
No - what I was talking about... Let's say the OP has 10 clients and they all want to use the OP's ERX as their VPN to the internet. in a normal situation, all those logged into the VPN would traditionally be able to see each other, and interact - I would assume that the OP would not want this...
But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.
Why would someone want to use a VPN to the Internet? Do you mean to do a proxy so that they appear geolocated with him?
Well, not for that reason, but yes so that all traffic is securely leaving where ever he happens to be and entering the internet from a known trusted point.
Hmmmm... odd. What's the value in that? Once it is on the Internet it's at the same level of risk. If it isn't safe from the unknown point, it isn't safe this way.
See the other discussion on the dangers of the illusion of security
Well that's not entirely true.
For example, this story from last year https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.dvxkeipfn
This is an example of a hacker joining a local coffee shop network, then creating a MitM attach and then watching all of the non encrypted data flow through.
If the OP uses a VPN to leave the coffee shop before getting on the internet, he doesn't have to worry about the local coffee shop hacker. Just the rest of the hackers who don't have local network level access.
-
@anonymous said:
@scottalanmiller However people in the same coffee shop can't access it.
Is that a concern? I've never understood that one. People in the same coffee shop you protect against but not people elsewhere? What's the specific threat in the coffee shop versus the threat from everywhere else?
-
@Dashrender said:
If the OP uses a VPN to leave the coffee shop before getting on the internet, he doesn't have to worry about the local coffee shop hacker. Just the rest of the hackers who don't have local network level access.
You've just made my point brilliantly. He still has to worry about the same attacks, just not from the coffee drinker that he can see. So the illusion has caused him to not to end to end security because he felt "safe enough" from the illusion and now he is being less safe than he should be. If the data is worth protecting, it's worth more than this level of effort.
Now I agree, this is "real security", it really does prevent that one attack vector but it does create another point of Internet entrance with its own security concerns and path and makes the overall path longer, but it is a trivial addition of security but a lot of illusion, which is my concern.
I have an article about this very thing and even with VPNs that has already gone to publisher, hopefully we see it soon.
-
@scottalanmiller said:
@anonymous said:
@scottalanmiller However people in the same coffee shop can't access it.
Is that a concern? I've never understood that one. People in the same coffee shop you protect against but not people elsewhere? What's the specific threat in the coffee shop versus the threat from everywhere else?
Really? OK I must really be over complicating something then, because I agree with the OP.
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie if flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.
It's much more difficult if not impossible for someone on the internet to get that kind of access on the internet at large, vs the local LAN segment.