Tag: vpn

Posted on

Setup WireGuard VPN with piVPN

One of the most secure ways to remotely access your LAN is via a Virtual Private Network (VPN) connection. A VPN encrypts all of your network traffic from your device, until it reaches the LAN. This is especially useful when you are managing a server on that LAN, or wanting privacy when using public WiFi.

In order for a VPN connection to work, your must have an un-proxied “A Record” pointing to your network (acting as the public DNS). Otherwise, the VPN will fail.

PiVPN provides an easy setup for two types of VPN: WireGuard, and OpenVPN. WireGuard is one of the newest VPNs out there, and is extremely lightweight since it was written on only ~3000 lines of code. Since it is so lightweight, mobile devices benefit from this by using less battery when connected. Alternatively, OpenVPN is the industry standard. It has been around forever, and can be customized to your need. For this guide, I’m going to show you how to setup a WireGuard VPN.

Setup

Devices/ Applications Used

  1. Raspberry Pi
  2. PiVPN with WireGuard
  3. Cloudflare
  4. DDClient (optional)

The Guide

  1. Update your device
    sudo apt-get update && sudo apt-get upgrade -y
  2. Set a static IP address to your device.
  3. Log onto your domain provider (Cloudflare), and create an “A record” that points to your domain. This record will serve as your public DNS to support the connection. For this guide, I will use test.aaronridgeway.com. In order for the DNS record to serve as a public DNS, you will need to ensure the proxy is turned off (DNS only).
  4. On your device download PiVPN
    sudo curl -L https://install.pivpn.io | bash
  5. When you get to the static IP question, select Yes if you’re using DHCP reservation, otherwise select No.
  6. Select a local user to hold your VPN configurations. (I recommend selecting a user other than pi.
  7. Select WireGuard as the VPN.
  8. Set the default port to 51820.
  9. If you have Pi-Hole installed, then you will get asked if you want to integrate with the application. Since I have it setup already, and love it, I will select Yes.
  10. Enter the public DNS that you created in step 3.
  11. Select Yes for the rest of the prompts and success! You have setup your very own VPN. Now let’s add some users.

Adding Users

  1. Type in pivpn -a to add a new user.
  2. Enter the name of the client you want to add. I include a name and device name to make managing configs easier.
  3. Add the .conf file, located in /home/[pivpn user]/configs, to the computer you want to connect from, via a WireGuard VPN client.
  4. For mobile devices, you can add the config file via a QR code by typing pivpn -qr and selecting the user. You will need to download the WireGuard app to connect to the VPN.

Considerations

Your Public IP address will change over time. If you don’t have a static Public IP address, you will need to config a dynamic DNS (DDNS) to ensure the IP address stays accurate. Additionally, there are two types of VPN configurations to choose from: TAP and TUN. WireGuard VPN only offers a TUN configuration, whereas OpenVPN offers both a TAP and TUN. Lastly, the VPN connection will only be as fast as the Network Interface Card (NIC) you are using. If your device only has 10/100 Mbps, then the connection will be slower than 100 Mb/s.

Posted on

TAP vs TUN VPN

There are two different types of VPN configurations that you can use when setting one up. They are TAPand TUN. TAP is derived from “to TAP into” something, and TUN is an abbreviation for TUNnel. It will depend on your use case to determine which configuration to go with. Let’s explore differences.

TAP

TAP operates on the OSI Layer 2. A TAP configuration allows you to simulates a physical ethernet adapter on the target LAN, and bridges the two networks together. TAP would allow you to see all devices (computers, printers, TVs) on the network, as if you were on the LAN in person. While, TAP may seem like the ideal choice, there are a lot of broadcast packets that will congest on the connection, and it is more complex to setup. An example use case would be managing a network remotely. You can setup a TAP VPN with OpenVPN.

TUN

TUN operates on the OSI Layer 3. This configuration allows you pass routable traffic over the VPN. This model configuration does not allow you to see devices on the LAN, but would allow you to see devices connected to the VPN server. Another way to think of it is that TUN provides access to a single IP address on the LAN, and provides access to the internet from that location. Since TUN does not provide the capabilities of a TAP configuration, the congestion and network overhead is lower. This could potentially make for a faster VPN than TAP. An example use case would be accessing Netflix content in another country. You can setup a TUN VPN with WireGuard or OpenVPN.

Posted on

Lock Down Your Exposed Server

Do you have a server running on your computer that you access outside of your home network? Is it locked down? If not, what’s stopping someone else from accessing it? An IP address is not obscure enough to deter threats.

The internet is full of bots that crawl the internet, scanning for open ports at all hours of the day. Within minutes of searching shodan.io, you can generate a report listing several public IP addresses that don’t have any authentication protecting them. What are the chances that your IP appeared was on someone’s report? Would it really be considered “hacking” if there was never any authentication, authorization, or encryption method in place? So how can we fix this?

Methods To Secure Your Server:

  1. Deploy a Virtual Private Network (VPN). A VPN allows you to create a “tunnel” back to your home network, encrypting your traffic until it reaches the network. With this approach, you would only need to expose the one/two VPN port(s), and you can access your servers. This method physically reduces the next of vulnerabilities as you would no longer need an open port for each server. This method uses public key cryptography where keys are configured for access. The challenge with this approach is that in order to access the server remotely, you must already have the VPN tunnel setup on the remote computer.
  2. Incorporate Two Factor Authentication (2FA). 2FA provides an additional layer of security, by requesting a randomly generated pass code to be entered, which is sent to your device or authentication app. In order to log into a server that has 2FA enabled, you would need both the user credentials to log on, in addition to the 2FA code. Unless the hacker has access to the account, app, or recovery codes, you can rest assured that 2FA will virtually stop any unauthorized access. This is one of the most commonly used authentication methods that I use to protect myself. If the app/ website has the capability, then you can bet that I have it enabled.
  3. Incorporate TLS certificates. These certificates provide authenticated access only to those who have them. They leverage public key cryptography which consists of public/ private key pairs. You can tell if a site leverages TLS certificates by checking the beginning of the URL for https (the S stands for secure). Home servers can leverage TLS certificates in cases where they are connected to a proxy server (like cloudflare), or a firewall. That way, even though your port is exposed on your router, no access will be granted as the guest does not have the certificate.
  4. Lock down your server with Cloudflare Access. If you have a domain pointing to your server, then you can leverage Cloudflare’s “easy” VPN alternative. By placing your trust in the company, it can protect your server with federated authentication that enables only user’s with the specified accounts access.
  5. Leverage username/ password authentication. Most servers have this capability out-of-the-box. It’s simple enough to enable and can deter a lot of threats. With this, you’d need to consider the complexity of your credentials, or else you could be susceptible to dictionary or brute force attacks.
  6. Whitelist your remote public IP address. If you know the public IP address of where you’d connect from remotely, then you can add that IP address to a whitelist so that traffic can only come from the approved IP addresses on that whitelist. Be careful though as someone can still spoof your IP address. Unless you have a static public IP address, this approach can be hard to manage.

There are many different ways to mitigate the threats to your server. As long as you have at least one method of authentication enabled, then you will stop the random internet troll from “hacking” you.