Ubiquiti Edgerouter X VPN Setup
-
@Dashrender said:
I see both sides of this.
I'm wondering if VPN is really needed? it will slow you down performance wise.
A lot of sites use full time encryption now, so even if a hacker like the one in my linked story does manage to hijack you onto this network (should only be possible if you have other open WIFI networks that you have attached to listed in your device), the websites that use TLS you don't have to worry about. Sure they know where you are going, but who cares about that. They can't get inside the tunnel unless they can hack your OS, which maybe they can.
In which case, the VPN doesn't help you anyhow.Easy when to think of it is that a TLS connection is an application specific, end to end VPN tunnel. Far safer than a traditional VPN because of the limited exposure. As long as you have TLS, the VPN is just redundant. OpenVPN is nothing but a TLS connection itself.
-
Exactly.
@scottalanmiller said:
@Dashrender said:
Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie if flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.
Yes, that is certainly a current threat. But is that really what all this is about? Is that the actual fear?
Yes I think it is. Even though we've had the Firesheep threat for several years now many places still don't secure themselves from it. And I ask, why not? Cost has got to be the biggest reason, the cost of the cert, the cost of the extra horsepower for the webserver, etc.
-
@scottalanmiller said:
@Dashrender said:
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?
The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.
The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.
-
@scottalanmiller less exposure? How so?
If I do it via a VPN, then the device is only accessible from my local network and anyone on the VPN connection (hopefully just me)
If I open to the world, everyone can bang on it 24/7.
-
@Dashrender said:
Exactly.
@scottalanmiller said:
@Dashrender said:
Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie if flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.
Yes, that is certainly a current threat. But is that really what all this is about? Is that the actual fear?
Yes I think it is. Even though we've had the Firesheep threat for several years now many places still don't secure themselves from it. And I ask, why not? Cost has got to be the biggest reason, the cost of the cert, the cost of the extra horsepower for the webserver, etc.
Okay, so the fear is that people are going to go on places like MangoLassi in the short term before Let's Encrypt takes over nearly all sites and that they will post as you?
I'm trying to understand that people are actually worried about this. I'm not saying it can't happen, it certainly can. I'm wondering why we are concerned about it.
ML is going to lock that down in the nearish future, so this will go away as a threat here, but in general I've never felt that this was something that I really had to worry about.
-
@anonymous said:
@scottalanmiller less exposure? How so?
If I do it via a VPN, then the device is only accessible from my local network and anyone on the VPN connect (hopefully just me)
If I open to the world, everyone can bang on it 24/7.
I don't follow. How are you securing your OpenVPN any differently? They are both TLS connections. Can't they bang on either one equally?
-
Or in other words, how do you make one TLS connection invisible to outsiders and expose the other? VPNs are points of exposure the same as anything else.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?
The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.
The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.
I don't follow FB security closely. Is that something that is a threat there?
-
Now we have all this talk about a VPN from our client.
What about using a hardware wireless bridge device to protect ourselves like we do at home and work?
It would be a device that we carry with us that we have a wireless connection directly to from our phone/laptop/tablet/etc. Using a console of some type, we have the device make a connection to the open WiFi AP. The device then can be limited to only join the network we pick at the time in question (unlike Windows desire to hope around to the random list of places we've been that consumers never curate) and act as a hardware firewall like home.
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?
The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.
The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.
I don't follow FB security closely. Is that something that is a threat there?
FB was vulnerable to Firesheep back in the day. They aren't any longer because they use TLS all the time, just like Google.
As far as I know, FB does a pretty good job of securing it's network and it's users (from an FB point of view).
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.
Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?
The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.
The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.
I don't follow FB security closely. Is that something that is a threat there?
FB was vulnerable to Firesheep back in the day. They aren't any longer because they use TLS all the time, just like Google.
As far as I know, FB does a pretty good job of securing it's network and it's users (from an FB point of view).
Oh I totally get that this used to be a big deal and that people did not understand it. Historically it mattered a lot.
-
@Dashrender said:
Now we have all this talk about a VPN from our client.
What about using a hardware wireless bridge device to protect ourselves like we do at home and work?
It would be a device that we carry with us that we have a wireless connection directly to from our phone/laptop/tablet/etc. Using a console of some type, we have the device make a connection to the open WiFi AP. The device then can be limited to only join the network we pick at the time in question (unlike Windows desire to hope around to the random list of places we've been that consumers never curate) and act as a hardware firewall like home.
You mean basically making a portable LAN with a hardware firewall on the perimeter? There is merit to that. Not a lot, I don't think, but some. It would make using lots of devices on a single connection easier and fix a lot of issues. We basically do this when we travel - we take an EdgeRouter and a UBNT AP with us so that it is always "our" network that we are on.
But at the end of the day, the traffic going out of it is still hitting the wild, unknown and if it isn't secure it isn't secure. I don't see this catching on.
You could just use a Linux laptop and solve the problem that way
-
Let use OwnCloud for example.
If I have it publicly facing, then you can try usernames and password until you get in.
If I make it local only, now you have to know how to connect to the VPN (IP Address, Username, Password) and also know my OwnCloud login.
It adds layers.
-
@anonymous said:
Let use OwnCloud for example.
If I have it publicly facing, then you can try usernames and password until you get in.
If I make it local only, now you have to know how to connect to the VPN (IP Address, Username, Password) and also know my OwnCloud login.
It adds layers.
Granted, it adds layers. So basically you want two passwords instead of one? It's two of the same thing. It's going into two TLS VPNs, one after another. However, there is also the factor of "if I get into your VPN, I likely have much better access to all of your stuff." VPNs make it much easier to attack "you" as a consolidated entity rather than attacking individual, disconnected services.
-
@anonymous said:
If I have it publicly facing, then you can try usernames and password until you get in.
fail2ban is effective for that against most attacks.
-
What I really need is 2 Factor on the VPN.
-
@Dashrender said:
OK. Great.
JB asked:
Do you mean you want to use the ERX as a VPN server for various clients?
And you said "yes"
This is where I became confused.
That desire has nothing to do with your clients.
We are on the same page, but want to clarify, that he never stated his clients. He simply used the word clients. In context it meant VPN clients. You inferred the his somehow.
So now that we are on the same page (I hope), I'm sure the OpenVPN instructions on ubiquiti's webset should solve the problem for you.
Nope, not a chance. UBNT documentation on this is bad.
-
@anonymous said:
What I really need is 2 Factor on the VPN.
Or two factor on the ownCloud. You can do it in either place.
-
@scottalanmiller said:
You could just use a Linux laptop and solve the problem that way
How does Linux solve this?
The article I linked specifically mentioned that the hacker, now having LAN access could see what OS you were, what patch level perhaps.. and then do an exploit lookup and take over you device.
That is what I see being the saving grace of the carry with you firewall.
I completely agree with your particular situation of the ERL for your longer term travels - but I'm guessing you don't take the ERL with you to the coffee shop.
aww.. you mentioned Linux because it probably won't just willy nilly jump to any of your listed previously used WiFi networks (but is that true? - Android is based on Linux and it does this).
-
@anonymous said:
What I really need is 2 Factor on the VPN.
Why not just 2 factor on OwnCloud? whoops I was late to that response.