    Ubiquiti Edgerouter X VPN Setup

    IT Discussion · Tags: vpn, ubiquiti, edgerouter, edgerouter x, vyos
    80 Posts 7 Posters 35.9k Views
    • scottalanmiller @Alex Sage

      @anonymous said:

      @Dashrender I could, but if I have OpenVPN working, why?

      Far more flexible, less exposure. Have an article on this sent to press too. LOL

      • scottalanmiller @Dashrender

        @Dashrender said:

        I see both sides of this.

        I'm wondering if VPN is really needed? It will slow you down, performance-wise.

        A lot of sites use full-time encryption now, so even if a hacker like the one in my linked story does manage to hijack you onto this network (should only be possible if you have other open WiFi networks that you have attached to listed in your device), you don't have to worry about the websites that use TLS. Sure, they know where you are going, but who cares about that. They can't get inside the tunnel unless they can hack your OS, which maybe they can.
        In which case, the VPN doesn't help you anyhow.

        An easy way to think of it is that a TLS connection is an application-specific, end-to-end VPN tunnel. Far safer than a traditional VPN because of the limited exposure. As long as you have TLS, the VPN is just redundant. OpenVPN is nothing but a TLS connection itself.

        • Dashrender

          Exactly.

          @scottalanmiller said:

          @Dashrender said:

          Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie is flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.

          Yes, that is certainly a current threat. But is that really what all this is about? Is that the actual fear?

          Yes I think it is. Even though we've had the Firesheep threat for several years now many places still don't secure themselves from it. And I ask, why not? Cost has got to be the biggest reason, the cost of the cert, the cost of the extra horsepower for the webserver, etc.

          • Dashrender @scottalanmiller

            @scottalanmiller said:

            @Dashrender said:

            On the assumption that I'm not using TLS-based webpage/internet traffic, anyone on the same local LAN segment as me can see my traffic.

            Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?

            The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.

            The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.

            • Alex Sage @scottalanmiller

              @scottalanmiller less exposure? How so?

              If I do it via a VPN, then the device is only accessible from my local network and anyone on the VPN connection (hopefully just me)

              If I open to the world, everyone can bang on it 24/7.

              • scottalanmiller @Dashrender

                @Dashrender said:

                Exactly.

                @scottalanmiller said:

                @Dashrender said:

                Places like Mangolassi are subject to things like Firesheep because we don't stay encrypted at all times (if ever) when authenticating. The cookie is flying freely unencrypted for anyone to grab from my local LAN and then spoof as being me.

                Yes, that is certainly a current threat. But is that really what all this is about? Is that the actual fear?

                Yes I think it is. Even though we've had the Firesheep threat for several years now many places still don't secure themselves from it. And I ask, why not? Cost has got to be the biggest reason, the cost of the cert, the cost of the extra horsepower for the webserver, etc.

                Okay, so the fear is that people are going to go on places like MangoLassi in the short term before Let's Encrypt takes over nearly all sites and that they will post as you?

                I'm trying to understand that people are actually worried about this. I'm not saying it can't happen, it certainly can. I'm wondering why we are concerned about it.

                ML is going to lock that down in the nearish future, so this will go away as a threat here, but in general I've never felt that this was something that I really had to worry about.

                • scottalanmiller @Alex Sage

                  @anonymous said:

                  @scottalanmiller less exposure? How so?

                  If I do it via a VPN, then the device is only accessible from my local network and anyone on the VPN connection (hopefully just me)

                  If I open to the world, everyone can bang on it 24/7.

                  I don't follow. How are you securing your OpenVPN any differently? They are both TLS connections. Can't they bang on either one equally?

                  • scottalanmiller

                    Or in other words, how do you make one TLS connection invisible to outsiders and expose the other? VPNs are points of exposure the same as anything else.

                    • scottalanmiller @Dashrender

                      @Dashrender said:

                      @scottalanmiller said:

                      @Dashrender said:

                      On the assumption that I'm not using TLS-based webpage/internet traffic, anyone on the same local LAN segment as me can see my traffic.

                      Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?

                      The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.

                      The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.

                      I don't follow FB security closely. Is that something that is a threat there?

                      • Dashrender

                        Now we have all this talk about a VPN from our client.

                        What about using a hardware wireless bridge device to protect ourselves like we do at home and work?

                        It would be a device that we carry with us that we have a wireless connection directly to from our phone/laptop/tablet/etc. Using a console of some type, we have the device make a connection to the open WiFi AP. The device then can be limited to only join the network we pick at the time in question (unlike Windows' desire to hop around to the random list of places we've been that consumers never curate) and act as a hardware firewall like home.

                        • Dashrender @scottalanmiller

                          @scottalanmiller said:

                          @Dashrender said:

                          @scottalanmiller said:

                          @Dashrender said:

                          On the assumption that I'm not using TLS-based webpage/internet traffic, anyone on the same local LAN segment as me can see my traffic.

                          Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?

                          The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.

                          The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.

                          I don't follow FB security closely. Is that something that is a threat there?

                          FB was vulnerable to Firesheep back in the day. They aren't any longer because they use TLS all the time, just like Google.

                          As far as I know, FB does a pretty good job of securing its network and its users (from an FB point of view).

                          • scottalanmiller @Dashrender

                            @Dashrender said:

                            @scottalanmiller said:

                            @Dashrender said:

                            @scottalanmiller said:

                            @Dashrender said:

                            On the assumption that I'm not using TLS-based webpage/internet traffic, anyone on the same local LAN segment as me can see my traffic.

                            Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?

                            The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.

                            The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.

                            I don't follow FB security closely. Is that something that is a threat there?

                            FB was vulnerable to Firesheep back in the day. They aren't any longer because they use TLS all the time, just like Google.

                            As far as I know, FB does a pretty good job of securing its network and its users (from an FB point of view).

                            Oh I totally get that this used to be a big deal and that people did not understand it. Historically it mattered a lot.

                            • scottalanmiller @Dashrender

                              @Dashrender said:

                              Now we have all this talk about a VPN from our client.

                              What about using a hardware wireless bridge device to protect ourselves like we do at home and work?

                              It would be a device that we carry with us that we have a wireless connection directly to from our phone/laptop/tablet/etc. Using a console of some type, we have the device make a connection to the open WiFi AP. The device then can be limited to only join the network we pick at the time in question (unlike Windows' desire to hop around to the random list of places we've been that consumers never curate) and act as a hardware firewall like home.

                              You mean basically making a portable LAN with a hardware firewall on the perimeter? There is merit to that. Not a lot, I don't think, but some. It would make using lots of devices on a single connection easier and fix a lot of issues. We basically do this when we travel - we take an EdgeRouter and a UBNT AP with us so that it is always "our" network that we are on.

                              But at the end of the day, the traffic going out of it is still hitting the wild, unknown and if it isn't secure it isn't secure. I don't see this catching on.

                              You could just use a Linux laptop and solve the problem that way 🙂

                              • Alex Sage

                                Let's use OwnCloud for example.

                                If I have it publicly facing, then you can try usernames and passwords until you get in.

                                If I make it local only, now you have to know how to connect to the VPN (IP Address, Username, Password) and also know my OwnCloud login.

                                It adds layers.

                                • scottalanmiller @Alex Sage

                                  @anonymous said:

                                  Let's use OwnCloud for example.

                                  If I have it publicly facing, then you can try usernames and passwords until you get in.

                                  If I make it local only, now you have to know how to connect to the VPN (IP Address, Username, Password) and also know my OwnCloud login.

                                  It adds layers.

                                  Granted, it adds layers. So basically you want two passwords instead of one? It's two of the same thing. It's going into two TLS VPNs, one after another. However, there is also the factor of "if I get into your VPN, I likely have much better access to all of your stuff." VPNs make it much easier to attack "you" as a consolidated entity rather than attacking individual, disconnected services.

                                  • scottalanmiller @Alex Sage

                                    @anonymous said:

                                    If I have it publicly facing, then you can try usernames and passwords until you get in.

                                    fail2ban is effective for that against most attacks.

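Added example (not from the thread, and not fail2ban's own code): the detection logic behind the fail2ban suggestion above, run over constructed ownCloud-style log lines to show how a public OwnCloud login gets rate-limited per source IP. The JSON field layout and the "Login failed" message wording are assumptions modelled on ownCloud's log format, and maxretry/findtime_s mirror fail2ban's maxretry and findtime settings.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ownCloud-style JSON log lines: the field layout and the
# "Login failed" wording are assumptions modelled on ownCloud's log format,
# not captured from a real server. IPs come from RFC 5737 documentation ranges.
SAMPLE_LOG = """
{"time":"2015-11-03T10:00:00+00:00","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"time":"2015-11-03T10:00:05+00:00","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"time":"2015-11-03T10:00:10+00:00","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.7')"}
{"time":"2015-11-03T10:00:15+00:00","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'test' (Remote IP: '203.0.113.7')"}
{"time":"2015-11-03T10:00:20+00:00","remoteAddr":"198.51.100.22","app":"core","message":"Login failed: 'alex' (Remote IP: '198.51.100.22')"}
{"time":"2015-11-03T10:01:00+00:00","remoteAddr":"192.0.2.9","app":"core","message":"Login failed: 'admin' (Remote IP: '192.0.2.9')"}
not a json line at all
{"time":"2015-11-03T10:05:00+00:00","remoteAddr":"198.51.100.22","app":"files","message":"Unrelated files activity"}
{"time":"2015-11-03T10:13:00+00:00","remoteAddr":"192.0.2.9","app":"core","message":"Login failed: 'admin' (Remote IP: '192.0.2.9')"}
{"time":"2015-11-03T10:25:00+00:00","remoteAddr":"192.0.2.9","app":"core","message":"Login failed: 'admin' (Remote IP: '192.0.2.9')"}
"""

# Same pattern a fail2ban filter would use, with the IP captured by name
# instead of fail2ban's <HOST> tag.
LOGIN_FAILED = re.compile(r"Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']+)'\)")


def parse_failures(lines):
    """Yield (timestamp, ip, username) for every failed-login entry."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed lines must not crash the scanner
        match = LOGIN_FAILED.search(entry.get("message", ""))
        if match is None:
            continue  # some other log event, not a login failure
        yield datetime.fromisoformat(entry["time"]), match.group("ip"), match.group("user")


def find_ban_candidates(lines, maxretry=3, findtime_s=600):
    """Return {ip: trigger_time} for IPs that hit maxretry failures inside a
    sliding window of findtime_s seconds (fail2ban's maxretry/findtime)."""
    window = timedelta(seconds=findtime_s)
    recent = defaultdict(list)
    banned = {}
    for ts, ip, _user in sorted(parse_failures(lines)):
        if ip in banned:
            continue  # already flagged; a real ban would drop these packets
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.pop(0)  # forget failures older than the window
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_ban_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip}: threshold reached at {when.isoformat()}")
```

With the default ten-minute window only the rapid guesser trips the threshold; the slow, spread-out source only does so once the window is widened, which is the trade-off a real jail tunes against locking out legitimate users who mistype a password.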
                                    • Alex Sage

                                      What I really need is 2 Factor on the VPN.

                                      • JaredBusch @Dashrender

                                        @Dashrender said:

                                        OK. Great.

                                        JB asked:

                                        Do you mean you want to use the ERX as a VPN server for various clients?

                                        And you said "yes"

                                        This is where I became confused.

                                        That desire has nothing to do with your clients.

                                        We are on the same page, but I want to clarify that he never stated "his clients". He simply used the word clients. In context it meant VPN clients. You inferred the "his" somehow.

                                        So now that we are on the same page (I hope), I'm sure the OpenVPN instructions on Ubiquiti's website should solve the problem for you.

                                        Nope, not a chance. UBNT documentation on this is bad.

                                        • scottalanmiller @Alex Sage

                                          @anonymous said:

                                          What I really need is 2 Factor on the VPN.

                                          Or two factor on the ownCloud. You can do it in either place.

                                          • Dashrender @scottalanmiller

                                            @scottalanmiller said:

                                            You could just use a Linux laptop and solve the problem that way 🙂

                                            How does Linux solve this?

                                            The article I linked specifically mentioned that the hacker, now having LAN access, could see what OS you were on, what patch level perhaps, and then do an exploit lookup and take over your device.

                                            That is what I see being the saving grace of the carry with you firewall.

                                            I completely agree with your particular situation of the ERL for your longer term travels - but I'm guessing you don't take the ERL with you to the coffee shop.

                                            Aww, you mentioned Linux because it probably won't just willy-nilly jump to any of your listed previously used WiFi networks (but is that true? Android is based on Linux and it does this).
