Ubiquiti Edgerouter X VPN Setup

scottalanmiller

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.

Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?

The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.

The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.

I don't follow FB security closely. Is that something that is a threat there?

Dashrender

Now we have all this talk about a VPN from our client.

What about using a hardware wireless bridge device to protect ourselves like we do at home and work?

It would be a device that we carry with us that we have a wireless connection directly to from our phone/laptop/tablet/etc. Using a console of some type, we have the device make a connection to the open WiFi AP. The device then can be limited to only join the network we pick at the time in question (unlike Windows desire to hope around to the random list of places we've been that consumers never curate) and act as a hardware firewall like home.

Dashrender

@scottalanmiller said:

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.

Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?

The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.

The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.

I don't follow FB security closely. Is that something that is a threat there?

FB was vulnerable to Firesheep back in the day. They aren't any longer because they use TLS all the time, just like Google.

As far as I know, FB does a pretty good job of securing it's network and it's users (from an FB point of view).

scottalanmiller

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

On the assumption that I'm not using TLS based webpage/internet traffic anyone on the same local LAN segment as me can see my traffic.

Why would you be doing that in a situation where the data mattered? If there is the slightest concern about privacy, encrypt it end to end. If there is no concern, why go to all this trouble?

The best answer I can give you is data leakage. Before Firesheep, the average consumer had no idea how vulnerable they were on places like Facebook.

The reality is that many sites just have no clue what they are doing. And all it takes is one small breakdown in the security chain and a hacker can wedge their way in.

I don't follow FB security closely. Is that something that is a threat there?

FB was vulnerable to Firesheep back in the day. They aren't any longer because they use TLS all the time, just like Google.

As far as I know, FB does a pretty good job of securing it's network and it's users (from an FB point of view).

Oh I totally get that this used to be a big deal and that people did not understand it. Historically it mattered a lot.

scottalanmiller

@Dashrender said:

Now we have all this talk about a VPN from our client.

What about using a hardware wireless bridge device to protect ourselves like we do at home and work?

It would be a device that we carry with us that we have a wireless connection directly to from our phone/laptop/tablet/etc. Using a console of some type, we have the device make a connection to the open WiFi AP. The device then can be limited to only join the network we pick at the time in question (unlike Windows desire to hope around to the random list of places we've been that consumers never curate) and act as a hardware firewall like home.

You mean basically making a portable LAN with a hardware firewall on the perimeter? There is merit to that. Not a lot, I don't think, but some. It would make using lots of devices on a single connection easier and fix a lot of issues. We basically do this when we travel - we take an EdgeRouter and a UBNT AP with us so that it is always "our" network that we are on.

But at the end of the day, the traffic going out of it is still hitting the wild, unknown and if it isn't secure it isn't secure. I don't see this catching on.

You could just use a Linux laptop and solve the problem that way

Alex Sage

Let use OwnCloud for example.

If I have it publicly facing, then you can try usernames and password until you get in.

If I make it local only, now you have to know how to connect to the VPN (IP Address, Username, Password) and also know my OwnCloud login.

It adds layers.

scottalanmiller

@anonymous said:

Let use OwnCloud for example.

If I have it publicly facing, then you can try usernames and password until you get in.

If I make it local only, now you have to know how to connect to the VPN (IP Address, Username, Password) and also know my OwnCloud login.

It adds layers.

Granted, it adds layers. So basically you want two passwords instead of one? It's two of the same thing. It's going into two TLS VPNs, one after another. However, there is also the factor of "if I get into your VPN, I likely have much better access to all of your stuff." VPNs make it much easier to attack "you" as a consolidated entity rather than attacking individual, disconnected services.

scottalanmiller

@anonymous said:

If I have it publicly facing, then you can try usernames and password until you get in.

fail2ban is effective for that against most attacks.

Alex Sage

What I really need is 2 Factor on the VPN.

JaredBusch

@Dashrender said:

OK. Great.

JB asked:

Do you mean you want to use the ERX as a VPN server for various clients?

And you said "yes"

This is where I became confused.

That desire has nothing to do with your clients.

We are on the same page, but want to clarify, that he never stated his clients. He simply used the word clients. In context it meant VPN clients. You inferred the his somehow.

So now that we are on the same page (I hope), I'm sure the OpenVPN instructions on ubiquiti's webset should solve the problem for you.

Nope, not a chance. UBNT documentation on this is bad.

scottalanmiller

@anonymous said:

What I really need is 2 Factor on the VPN.

Or two factor on the ownCloud. You can do it in either place.

Dashrender

@scottalanmiller said:

You could just use a Linux laptop and solve the problem that way

How does Linux solve this?

The article I linked specifically mentioned that the hacker, now having LAN access could see what OS you were, what patch level perhaps.. and then do an exploit lookup and take over you device.

That is what I see being the saving grace of the carry with you firewall.

I completely agree with your particular situation of the ERL for your longer term travels - but I'm guessing you don't take the ERL with you to the coffee shop.

aww.. you mentioned Linux because it probably won't just willy nilly jump to any of your listed previously used WiFi networks (but is that true? - Android is based on Linux and it does this).

Dashrender

@anonymous said:

What I really need is 2 Factor on the VPN.

Why not just 2 factor on OwnCloud? whoops I was late to that response.

scottalanmiller

@Dashrender said:

The article I linked specifically mentioned that the hacker, now having LAN access could see what OS you were, what patch level perhaps.. and then do an exploit lookup and take over you device.

That is what I see being the saving grace of the carry with you firewall.

Wouldn't they just take over the firewall then?

scottalanmiller

@Dashrender said:

aww.. you mentioned Linux because it probably won't just willy nilly jump to any of your listed previously used WiFi networks (but is that true? - Android is based on Linux and it does this).

Android is not based on Linux, it IS Linux. You can't really be "based on." Not effectively. You are or you are not.

You still need to tell your Linux to behave intelligently, of course. If you pick an insecure distro it's going to do silly things. But Linux itself does not have this kind of vulnerability.

scottalanmiller

Wouldn't forcing a TLS key for ownCloud provide all of the security of the OpenVPN but without the second step? Then you would need the key and the password for any access.

Dashrender

@scottalanmiller said:

@Dashrender said:

aww.. you mentioned Linux because it probably won't just willy nilly jump to any of your listed previously used WiFi networks (but is that true? - Android is based on Linux and it does this).

Android is not based on Linux, it IS Linux. You can't really be "based on." Not effectively. You are or you are not.

You're right, wrong choice of words.

Dashrender

@scottalanmiller said:

Wouldn't forcing a TLS key for ownCloud provide all of the security of the OpenVPN but without the second step? Then you would need the key and the password for any access.

A TLS Key? You mean like client side certs? or just a username and password?

Dashrender

@scottalanmiller said:

@Dashrender said:

The article I linked specifically mentioned that the hacker, now having LAN access could see what OS you were, what patch level perhaps.. and then do an exploit lookup and take over you device.

That is what I see being the saving grace of the carry with you firewall.

Wouldn't they just take over the firewall then?

Presumably the portable firewall would be at least as good as an ERL, and I'm assuming you're not worry about them taking over that?

I guess the question is, is an ERL or most any firewall really susceptible to intrusion on the outside local LAN segment vs over the internet (i.e. on the other side of the ISP's router)?

We all know that Windows is basically like a sieve, I'm hoping that the Windows firewall is at least OK, but if you get behind in patches then you're open to attach. how many home users are stay up to date on patches? especially when traveling?

hell, forget windows. Let's look at phones! Android phones rare ever get patched. A hardware firewall in front of them seems very smart!

scottalanmiller

@Dashrender said:

@scottalanmiller said:

Wouldn't forcing a TLS key for ownCloud provide all of the security of the OpenVPN but without the second step? Then you would need the key and the password for any access.

A TLS Key? You mean like client side certs? or just a username and password?

You can do either, key is a bit more secure, though.