Used a guide to set up OpenVPN. How safe is it?

So I recently used a guide to set up VPN access to my home network. I followed the guide linked below. It may be a silly question, but I was wondering how safe is it? I’m not using the default port, but how open is this to attacks or anything like that?

https://www.google.com/amp/s/www.cyberciti.biz/faq/howto-setup-openvpn-server-on-ubuntu-linux-14-04-or-16-04-lts/amp/

Meh, short of nation states targeting you and some actual professional criminals, you’re probably pretty good.

Like my mom always told me: you’re safe at an amusement park, because if someone wants to steal a kid, there are plenty of places you can go that don’t charge admission. You just started charging admission.

What is your adversary?

The tech used is fine. It will “work” and probably differentiate you enough to provide good enough protection for people looking to skim data off public wifi. But it won’t stand up to determined attackers targeting specifically you. In other words, don’t think this will keep you safe if you’re secretly sleeping with your hacker friend’s wife.

Using a randomly-chosen high port with UDP and certificate-based authentication makes it unlikely somebody will find and attack that service.

Just make sure you keep the package (and server) updated with patches, and check your config against the OpenVPN hardening guide.

It’s using RSA 2048 so it has pretty well off encryption, if you wanted you could change it to 4096 bits. But 2048 is okay for consumer use.
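The advice above (a non-default port, UDP, certificate authentication, checking the config against a hardening guide) can be turned into a repeatable check. The following is an added example, not part of the thread or of the linked guide: a small auditor for an OpenVPN server config. The finding names, the sample configs and the values assumed for unset directives are this example's own choices.

```python
import re

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}

def parse_conf(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    conf = {}
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if line:
            key, *args = line.split()
            conf[key] = args
    return conf

def arg(conf, key, default):
    """First argument of a directive, or the value assumed when it is unset."""
    return (conf.get(key) or [default])[0]

# (finding id, predicate) pairs; unset directives are assumed to take 2.3-era defaults.
CHECKS = [
    ("default-port", lambda c: arg(c, "port", "1194") == "1194"),
    ("tcp-listener", lambda c: arg(c, "proto", "udp").startswith("tcp")),
    ("no-tls-auth", lambda c: "tls-auth" not in c and "tls-crypt" not in c),
    ("weak-cipher", lambda c: arg(c, "cipher", "BF-CBC").upper() in WEAK_CIPHERS),
    ("old-tls", lambda c: arg(c, "tls-version-min", "1.0") in ("1.0", "1.1")),
    ("runs-as-root", lambda c: "user" not in c or "group" not in c),
    ("no-client-cert", lambda c: "client-cert-not-required" in c
        or arg(c, "verify-client-cert", "require") != "require"),
    ("no-crl", lambda c: "crl-verify" not in c),
]

def audit(text):
    """Return the sorted finding ids that apply to an OpenVPN server config."""
    conf = parse_conf(text)
    return sorted(name for name, hit in CHECKS if hit(conf))

# Constructed sample configs (not taken from the guide linked in the post).
WEAK_CONF = "port 1194\nproto tcp\ncipher BF-CBC\n"
HARDENED_CONF = """\
port 47213          # randomly chosen high port
proto udp
tls-auth ta.key 0   # packets without the HMAC are dropped before TLS starts
tls-version-min 1.2
cipher AES-256-CBC
crl-verify crl.pem  # lets a lost client certificate be revoked
user nobody
group nogroup
"""
print("weak:", audit(WEAK_CONF), "hardened:", audit(HARDENED_CONF))
```

An empty list means none of these eight checks fired; it does not replace keeping the package and server patched.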

Your mom is a wise lady.

This might be my new favorite saying

That’s a bad way to find out you were being specifically targeted…

How would this stand up against something like the free version of Zerotier?

Would I be better off setting up something like the free version of Zerotier?

Living like you’re being personally targeted without any evidence to suggest such a thing is an even worse way to live, though.

Not sure what zerotier is. Perhaps this will be helpful? https://amp.reddit.com/r/zerotier/comments/5xh2of/difference_between_zerotier_openvpn/

I was asking who will be doing the attacking. Your vindictive neighbor working for Windows Azure red team whom you pissed off because you put your dog turds in his bin? The NSA, which passively captures data like a filter-feeding whale? The dark web contractor(s) hired by the Belarusian government because they suspect you’re not who you claim you are?

Regardless. You have to remember that OpenVPN requires a PKI to work. Since you’ve elected to go the cheap route, it is important to remember that a PKI is a serious security system and like all other serious security systems, very sensitive to operator error. I’m talking retroactively voiding all your secure communication bad. Things to consider include: have you ever transferred your private keys over any network? What is your certificate rollover story? Are your private keys stored securely? Is your signing certificate correctly scoped so it can’t be used to sign domains you don’t own?

No, Zerotier is a slightly different tech (with its own advantages over OpenVPN, but disadvantages too) and has not been vetted as well as OpenVPN.

OpenVPN is likely to be faster due to the encryption Zerotier uses not being hardware accelerated like AES, which is what OpenVPN defaults to.

While what you’re saying is technically true, it’s not something we should be recommending for sensitive data. Self-signed certs exist solely for testing purposes.

I had an associate who thought this was a good idea to set up a tunnel to his laptop. Trouble was that to make it work they had to add the self-signed cert as a trusted root as well as a trusted identity. I recovered the private key by attacking a poorly secured SSH server on the same box, signed an everything star cert, and mitm’d their traffic for a month. Sent them an email listing every porno they watched in that time.

You don’t need to add anything to your root cert store.

For homelab purposes there is nothing wrong with self-signed cert, your attack was an extreme edge case. To do what you did is extremely difficult and you had additional knowledge or access to his network you’re not disclosing.

Again, while that first statement is technically true, it just further illustrates my point. My associate didn’t know it was not required. But after doing a bunch of things, including importing it into his trusted roots on Windows, the tunnel worked. Since my associate lacked the knowledge to operate a PKI properly, the decision was never questioned.

As for what I did, it wasn’t difficult, and didn’t require special knowledge. Said person was using passwords for their SSH server and had sudo perms for their account. Took my bot about 20 hours to guess his password. Basically the same kind of attack anyone who has an SSH server ought to expect (you are aware there are bots out there port scanning everything in certain IP ranges to build botnets, right?). This is why I, being a good friend, brought it to their attention in the manner I did to raise urgency.

As “for homelab purposes” I don’t know what other security tradeoffs you’ve made with that rationalization, but I like to know what I’m defending against, which is why I asked what was this person’s expected adversary in the first place.

Self-signed certs are perfectly fine in most use cases. If someone attacks you and steals your root self-signed cert, they can plant whatever cert they want anyway and do far worse things.

Your friend was an idiot but you’re blaming his use of self-signed certs.

As far as your claimed attack, even with self-signed certs, you’d still get an HSTS error which you have to dive into about:config on most browsers to clear, so either you didn’t MiTM him or your friend is extra stupid.

Please, let’s not resort to name calling and speculation. Are you really trying to have a conversation with me or are you just trying to be right for the sake of being right?