    Ubiquiti Edgerouter X VPN Setup

    Category: IT Discussion
    Tags: vpn, ubiquiti, edgerouter, edgerouter x, vyos
    80 Posts 7 Posters 35.9k Views
    • scottalanmillerS
      scottalanmiller @Dashrender
      last edited by

      @Dashrender said:

      @DustinB3403 said:

      @scottalanmiller said:

      @Dashrender said:

      How do you keep them from seeing each other?

      They are supposed to see each other, that's what a VPN is for.

      I think he meant the public and private networks.

      No - what I was talking about... Let's say the OP has 10 clients and they all want to use the OP's ERX as their VPN to the internet. In a normal situation, all those logged into the VPN would traditionally be able to see each other, and interact - I would assume that the OP would not want this...

      But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.

      Why would someone want to use a VPN to the Internet? Do you mean to do a proxy so that they appear geolocated with him?

      DashrenderD 1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @Dashrender
        last edited by

        @Dashrender said:

        But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.

        That's what I had assumed, normal client to site VPN. The standard use case for OpenVPN.

        DashrenderD 1 Reply Last reply Reply Quote 0
        • DashrenderD
          Dashrender @scottalanmiller
          last edited by

          @scottalanmiller said:

          @Dashrender said:

          @DustinB3403 said:

          @scottalanmiller said:

          @Dashrender said:

          How do you keep them from seeing each other?

          They are supposed to see each other, that's what a VPN is for.

          I think he meant the public and private networks.

          No - what I was talking about... Let's say the OP has 10 clients and they all want to use the OP's ERX as their VPN to the internet. In a normal situation, all those logged into the VPN would traditionally be able to see each other, and interact - I would assume that the OP would not want this...

          But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.

          Why would someone want to use a VPN to the Internet? Do you mean to do a proxy so that they appear geolocated with him?

          Well, not for that reason, but yes so that all traffic is securely leaving wherever he happens to be and entering the internet from a known trusted point.

          scottalanmillerS 1 Reply Last reply Reply Quote 1
          • DashrenderD
            Dashrender @scottalanmiller
            last edited by

            @scottalanmiller said:

            @Dashrender said:

            But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.

            That's what I had assumed, normal client to site VPN. The standard use case for OpenVPN.

            My confusion came when JB asked about clients - and the OP said yes. But there is nothing about his clients being involved here at all. It's all just the OP's traffic. Period.

            1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @Dashrender
              last edited by

              @Dashrender said:

              @scottalanmiller said:

              @Dashrender said:

              @DustinB3403 said:

              @scottalanmiller said:

              @Dashrender said:

              How do you keep them from seeing each other?

              They are supposed to see each other, that's what a VPN is for.

              I think he meant the public and private networks.

              No - what I was talking about... Let's say the OP has 10 clients and they all want to use the OP's ERX as their VPN to the internet. In a normal situation, all those logged into the VPN would traditionally be able to see each other, and interact - I would assume that the OP would not want this...

              But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.

              Why would someone want to use a VPN to the Internet? Do you mean to do a proxy so that they appear geolocated with him?

              Well, not for that reason, but yes so that all traffic is securely leaving wherever he happens to be and entering the internet from a known trusted point.

              Hmmmm... odd. What's the value in that? Once it is on the Internet it's at the same level of risk. If it isn't safe from the unknown point, it isn't safe this way.

              See the other discussion on the dangers of the illusion of security 😉

              A DashrenderD 2 Replies Last reply Reply Quote 0
              • A
                Alex Sage
                last edited by

                Hmmmmm.....

                Temporarily I could do something like this:

                https://www.privatetunnel.com/home/pricing/

                Still want to get this going 🙂

                1 Reply Last reply Reply Quote 0
                • A
                  Alex Sage @scottalanmiller
                  last edited by

                  @scottalanmiller However people in the same coffee shop can't access it.

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • DashrenderD
                    Dashrender @scottalanmiller
                    last edited by

                    @scottalanmiller said:

                    @Dashrender said:

                    @scottalanmiller said:

                    @Dashrender said:

                    @DustinB3403 said:

                    @scottalanmiller said:

                    @Dashrender said:

                    How do you keep them from seeing each other?

                    They are supposed to see each other, that's what a VPN is for.

                    I think he meant the public and private networks.

                    No - what I was talking about... Let's say the OP has 10 clients and they all want to use the OP's ERX as their VPN to the internet. In a normal situation, all those logged into the VPN would traditionally be able to see each other, and interact - I would assume that the OP would not want this...

                    But it turns out that's not what the OP wanted at all. The OP wanted a way for his own traffic to get to the internet only from his home/office when he was away from the home/office.

                    Why would someone want to use a VPN to the Internet? Do you mean to do a proxy so that they appear geolocated with him?

                    Well, not for that reason, but yes so that all traffic is securely leaving wherever he happens to be and entering the internet from a known trusted point.

                    Hmmmm... odd. What's the value in that? Once it is on the Internet it's at the same level of risk. If it isn't safe from the unknown point, it isn't safe this way.

                    See the other discussion on the dangers of the illusion of security 😉

                    Well that's not entirely true.

                    For example, this story from last year https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.dvxkeipfn

                    This is an example of a hacker joining a local coffee shop network, then creating a MitM attack and then watching all of the non encrypted data flow through.

                    If the OP uses a VPN to leave the coffee shop before getting on the internet, he doesn't have to worry about the local coffee shop hacker. Just the rest of the hackers who don't have local network level access.

                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Alex Sage
                      last edited by

                      @anonymous said:

                      @scottalanmiller However people in the same coffee shop can't access it.

                      Is that a concern? I've never understood that one. People in the same coffee shop you protect against but not people elsewhere? What's the specific threat in the coffee shop versus the threat from everywhere else?

                      DashrenderD 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said:

                        If the OP uses a VPN to leave the coffee shop before getting on the internet, he doesn't have to worry about the local coffee shop hacker. Just the rest of the hackers who don't have local network level access.

                        You've just made my point brilliantly. He still has to worry about the same attacks, just not from the coffee drinker that he can see. So the illusion has caused him not to do end to end security because he felt "safe enough" from the illusion and now he is being less safe than he should be. If the data is worth protecting, it's worth more than this level of effort.

                        Now I agree, this is "real security", it really does prevent that one attack vector but it does create another point of Internet entrance with its own security concerns and path and makes the overall path longer, but it is a trivial addition of security but a lot of illusion, which is my concern.

                        I have an article about this very thing and even with VPNs that has already gone to publisher, hopefully we see it soon.

                        1 Reply Last reply Reply Quote 0
                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          @anonymous said:

                          @scottalanmiller However people in the same coffee shop can't access it.

                          Is that a concern? I've never understood that one. People in the same coffee shop you protect against but not people elsewhere? What's the specific threat in the coffee shop versus the threat from everywhere else?

                          Really? OK I must really be over complicating something then, because I agree with the OP.

                          On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.

                          Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie is flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.

                          It's much more difficult if not impossible for someone on the internet to get that kind of access on the internet at large, vs the local LAN segment.

                          scottalanmillerS 2 Replies Last reply Reply Quote 0
                          • A
                            Alex Sage
                            last edited by

                            Also, in my case, I want to be able to connect to my NAS, and do other things that are not going to be public 🙂

                            DashrenderD 1 Reply Last reply Reply Quote 0
                            • DashrenderD
                              Dashrender @Alex Sage
                              last edited by

                              @anonymous said:

                              Also, in my case, I want to be able to connect to my NAS, and do other things that are not going to be public 🙂

                              For the NAS you could possibly get a Free Let's Encrypt certificate installed on the NAS and publish it through your firewall, with passwords, etc.

                              A 1 Reply Last reply Reply Quote 0
                              • A
                                Alex Sage @Dashrender
                                last edited by

                                @Dashrender I could, but if I have OpenVPN working, why?

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @Dashrender
                                  last edited by

                                  @Dashrender said:

                                  On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.

                                  Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?

                                  DashrenderD 1 Reply Last reply Reply Quote 1
                                  • DashrenderD
                                    Dashrender
                                    last edited by

                                    I see both sides of this.

                                    I'm wondering if VPN is really needed? It will slow you down performance wise.

                                    A lot of sites use full time encryption now, so even if a hacker like the one in my linked story does manage to hijack you onto this network (should only be possible if you have other open WIFI networks that you have attached to listed in your device), the websites that use TLS you don't have to worry about. Sure they know where you are going, but who cares about that. They can't get inside the tunnel unless they can hack your OS, which maybe they can.
                                    In which case, the VPN doesn't help you anyhow.

                                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Dashrender
                                      last edited by

                                      @Dashrender said:

                                      Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie is flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.

                                      Yes, that is certainly a current threat. But is that really what all this is about? Is that the actual fear?

                                      1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @Alex Sage
                                        last edited by

                                        @anonymous said:

                                        @Dashrender I could, but if I have OpenVPN working, why?

                                        Far more flexible, less exposure. Have an article on this sent to press too. LOL

                                        A 1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @Dashrender
                                          last edited by

                                          @Dashrender said:

                                          I see both sides of this.

                                          I'm wondering if VPN is really needed? It will slow you down performance wise.

                                          A lot of sites use full time encryption now, so even if a hacker like the one in my linked story does manage to hijack you onto this network (should only be possible if you have other open WIFI networks that you have attached to listed in your device), the websites that use TLS you don't have to worry about. Sure they know where you are going, but who cares about that. They can't get inside the tunnel unless they can hack your OS, which maybe they can.
                                          In which case, the VPN doesn't help you anyhow.

                                          An easy way to think of it is that a TLS connection is an application specific, end to end VPN tunnel. Far safer than a traditional VPN because of the limited exposure. As long as you have TLS, the VPN is just redundant. OpenVPN is nothing but a TLS connection itself.

                                          1 Reply Last reply Reply Quote 1
                                          • DashrenderD
                                            Dashrender
                                            last edited by

                                            Exactly.

                                            @scottalanmiller said:

                                            @Dashrender said:

                                            Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie is flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.

                                            Yes, that is certainly a current threat. But is that really what all this is about? Is that the actual fear?

                                            Yes I think it is. Even though we've had the Firesheep threat for several years now many places still don't secure themselves from it. And I ask, why not? Cost has got to be the biggest reason, the cost of the cert, the cost of the extra horsepower for the webserver, etc.

                                            scottalanmillerS 1 Reply Last reply Reply Quote 0
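The Firesheep exposure Dashrender describes (a session cookie sent over plaintext HTTP and captured on the shared LAN) and scottalanmiller's point that a TLS connection already provides the end-to-end tunnel both come down to two response headers a site operator controls: Strict-Transport-Security, which keeps the browser off plaintext HTTP for that host, and the Secure attribute on Set-Cookie, which keeps the cookie out of any plaintext request. The following is an added example, not code from this thread nor from MangoLassi, Ubiquiti or OpenVPN; it audits a raw HTTP response for those two headers so a site operator can check their own server before relying on users to bring a VPN. The two sample responses are constructed for the example and the cookie name session_id is hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample responses (hypothetical, not captured from any real site).
# The first is what a "log in over HTTP" site of the Firesheep era looked like;
# the second is the hardened form of the same response.
PLAINTEXT_ERA_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=3f9a1c; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session_id=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure\r\n"
    "\r\n"
    "<html>...</html>"
)


@dataclass
class CookieInfo:
    name: str
    secure: bool  # True when the Set-Cookie line carries the Secure attribute


@dataclass
class AuditResult:
    hsts_max_age: Optional[int]          # None when no HSTS header was present
    cookies: List[CookieInfo]
    findings: List[str] = field(default_factory=list)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 response head into (lowercased name, value) pairs.
    Duplicate headers (repeated Set-Cookie lines) are kept as separate pairs."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_set_cookie(value: str) -> CookieInfo:
    """Extract the cookie name and whether the Secure attribute is set."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return CookieInfo(name=name, secure="secure" in attrs)


def parse_hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of a Strict-Transport-Security header, if valid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_response(raw: str) -> AuditResult:
    """Report the two conditions that let a LAN sniffer capture a usable session."""
    hsts_max_age = None
    cookies: List[CookieInfo] = []
    for name, value in parse_headers(raw):
        if name == "strict-transport-security":
            hsts_max_age = parse_hsts_max_age(value)
        elif name == "set-cookie":
            cookies.append(parse_set_cookie(value))

    result = AuditResult(hsts_max_age=hsts_max_age, cookies=cookies)
    if hsts_max_age is None:
        result.findings.append(
            "no Strict-Transport-Security header: the browser may still talk plaintext HTTP to this host")
    for cookie in cookies:
        if not cookie.secure:
            result.findings.append(
                f"cookie {cookie.name!r} lacks Secure: the browser will send it over plaintext HTTP, "
                "where anyone on the same LAN segment can capture and replay it")
    return result


if __name__ == "__main__":
    for label, response in (("plaintext era", PLAINTEXT_ERA_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        audit = audit_response(response)
        print(f"[{label}] HSTS max-age={audit.hsts_max_age}, findings={len(audit.findings)}")
        for finding in audit.findings:
            print("  -", finding)
```

Run against a real server, the raw response head would come from a single `curl -i` or an `http.client` call; the point of the audit is that once both findings are empty, the session cookie never leaves the TLS tunnel, which is exactly the redundancy with a client-to-site VPN that the thread arrives at.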