Questions like:
What method do you use: ssh , gui etc?
How you have it set up : for example do you use iptables , fail2ban etc?
This might be related to the above question.
Do you do any other security measures?
Do you monitor activity?
Any other info you can give me would be appreciated.
Please just don't give me a canned answer just pointing to links to read, I am always reading articles.
Would like some real user experiences to hear from.
Thanks
Online
I just use openssh with root login disabled and public key authentication only (password logins disabled). I have a pretty basic iptables configuration. I focus on security non-measures: don't open anything up and you won't need to worry about securing so much (aka "positive security" or "default deny" approaches).
But given you say you want to access your system from "outside my network", there's likely another hurdle here. What is this network? Is this a home network through a commercial ISP? Do you use the ISP-provided router? Do you have a static public IP address? If not, you'll need dynDNS or similar.
However, another important starting point is asking what you want / need. What do you mean by "accessing" your system? What do you want to be able to do with it?
Last edited by Trilby (2024-07-01 14:25:58)
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Offline
I am set up the same way as Trilby, except I don't run a local firewall. I use port forwarding on my router for ssh and let it handle my firewall needs. Everything has to go through the public key protected ssh tunnel. If one needs it, one can forward ports through the tunnel.
I also run wireguard on my router, so if need be I can establish a VPN and then connect to my system as if I were inside my LAN.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
I'm on the same page as above:
A small single-board computer running SSH on a non-default port, root login disabled, password login disabled -> public key required.
As for security: I have the luxury of having a public static IP, and the ISP-provided device is the firewall (as in only the SSH port is forwarded; the rest is blocked by NAT).
Downside: As I don't actively monitor failed attempts, from time to time the random entropy can get drained low, resulting in a longer handshake.
I use it as a regular SSH endpoint, as a VPN endpoint (it is still set up but I haven't used it for a long time), as a simple hairpin proxy (using squid and an ssh port-tunnel to browse the internet remotely from home), and it has WoL and PXE for the rest of my devices so I can remotely manage most of my devices.
An old Raspberry Pi or something x86-based are good starting points.
If you don't have a static IP: use dynDNS
If you can't connect due to CG-NAT you may look into a cheap VPS
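The posts above converge on the same three sshd settings (root login disabled, password authentication disabled, public keys required), with one poster adding a non-default port. This added shell script, which is not from any poster in the thread, audits an sshd_config for exactly those settings so you can confirm the file says what you think it says before exposing the port. It assumes the standard "Keyword value" syntax, applies OpenSSH's first-value-wins rule, skips Match blocks (sshd applies those conditionally) and does not follow Include directives; the two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings the
# posters rely on. Prints one line per finding; returns 0 when all three are
# hardened, 1 otherwise. Assumptions: "Keyword value" syntax only (no "Keyword=value"),
# Match blocks are skipped, Include directives are not followed.
audit_sshd_config() {
    awk '
        BEGIN {
            # OpenSSH defaults used when a keyword is absent from the file.
            root = "prohibit-password"; pass = "yes"; pubkey = "yes"; port = 22
            inmatch = 0; bad = 0
        }
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        {
            key = tolower($1); val = tolower($2)
            if (key == "match") { inmatch = 1; next }  # everything after Match is conditional
            if (inmatch) { next }
            if (key in seen) { next }                # sshd keeps the FIRST value it sees
            seen[key] = 1
            if (key == "permitrootlogin")            root = val
            else if (key == "passwordauthentication") pass = val
            else if (key == "pubkeyauthentication")   pubkey = val
            else if (key == "port")                   port = val
        }
        END {
            if (root != "no")    { print "WEAK: PermitRootLogin is " root " (want no)"; bad = 1 }
            if (pass != "no")    { print "WEAK: PasswordAuthentication is " pass " (want no)"; bad = 1 }
            if (pubkey != "yes") { print "WEAK: PubkeyAuthentication is " pubkey " (want yes)"; bad = 1 }
            if (port == 22)        print "NOTE: Port is 22; a non-default port only cuts log noise"
            if (!bad)              print "OK: root login disabled, password auth disabled, keys required"
            exit bad
        }
    ' "$1"
}

# Constructed sample configs so the script runs stand-alone (not real files from the thread).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config.weak" <<'EOF'
# stock-looking config: root and password logins still allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# a later duplicate is ignored because the first value wins
PermitRootLogin yes
Match User deploy
    PasswordAuthentication yes
EOF

for f in "$SAMPLE_DIR"/sshd_config.*; do
    echo "== $f"
    if audit_sshd_config "$f"; then :; fi   # keep going even when the audit returns 1
done
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`; for the effective configuration after Includes and Match evaluation, `sshd -T` on the host itself is the authoritative source, and this script is the quick pre-check for the file you are about to deploy.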
Offline
I just use openssh with root login disabled and public key authentication only (password logins disabled). I have a pretty basic iptables configuration. I focus on security non-measures: don't open anything up and you won't need to worry about securing so much (aka "positive security" or "default deny" approaches).
Same for me, except...
... both of my endpoints are behind CG-NATs, so I run Arch on a VPS (which I pay $5/month for). The remote computer connects to the VPS and establishes a reverse port-forwarding connection. Then my local computer connects to the VPS and creates a normal port-forwarding connection. The VPS has an external firewall (that blocks huge swaths of the Internet by IP address) and an internal firewall that runs iptables, which has rules for routing between the ports.
The endpoints rely on the CG-NAT as the firewall.
When I need a gui, I tunnel VNC through the ssh connection.
I'm working on getting wireguard setup, but I'm still getting dropouts which I'm trying to troubleshoot.
Cheers,
"Before Enlightenment chop wood, carry water. After Enlightenment chop wood, carry water." -- Zen proverb
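The two-hop tunnel in the post above (remote PC reverse-forwards into a VPS, laptop forwards out of the same VPS, VNC rides inside) written out as an added shell example; these are not the poster's own scripts. The VPS host name, user names and the relay port 2222 are placeholders. The point worth copying is that every forwarded listener is bound to 127.0.0.1 explicitly, so the relay never appears on the VPS's public interface even if GatewayPorts were ever turned on there, and ExitOnForwardFailure makes a failed bind abort instead of leaving an ssh session quietly running without the tunnel.

```shell
#!/bin/sh
# Added example, not from the thread: the CG-NAT relay tunnel described above.
#
#   remote PC --(ssh -R)--> VPS <--(ssh -L)-- laptop ; then laptop -> 127.0.0.1:2222 -> remote PC:22
#
# All names and ports below are assumed placeholders.
VPS_HOST=${VPS_HOST:-vps.example.invalid}
VPS_USER=${VPS_USER:-tunnel}
RELAY_PORT=${RELAY_PORT:-2222}   # loopback port on the VPS that relays to the remote PC's sshd
SSH=${SSH:-ssh}                  # overridable so the commands can be inspected without connecting

# -N: no remote shell, just forwarding.  ExitOnForwardFailure: abort if the bind fails.
# ServerAlive*: notice a dead tunnel within ~90s.  BatchMode: never prompt (for unattended use).
COMMON_OPTS="-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes"

# Runs on the remote PC (behind CG-NAT): publish its own sshd on the VPS's loopback only.
reverse_tunnel() {
    $SSH $COMMON_OPTS -R "127.0.0.1:${RELAY_PORT}:127.0.0.1:22" "${VPS_USER}@${VPS_HOST}"
}

# Runs on the laptop: bring the VPS loopback port to the laptop's loopback.
# $1 = local listen port (defaults to RELAY_PORT).
local_tunnel() {
    lport=${1:-$RELAY_PORT}
    $SSH $COMMON_OPTS -L "127.0.0.1:${lport}:127.0.0.1:${RELAY_PORT}" "${VPS_USER}@${VPS_HOST}"
}

# Runs on the laptop once local_tunnel is up: an ordinary ssh session to the remote PC,
# carrying the VNC display :1 (TCP 5901) as in the post. The 127.0.0.1:5901 target is
# resolved on the remote PC, so VNC there can stay bound to localhost.
# Note: ssh records the host key as "[127.0.0.1]:2222" in known_hosts; it is the remote
# PC's key, and a changed-key warning here deserves the same attention as anywhere else.
remote_shell() {
    $SSH -p "${1:-$RELAY_PORT}" -L "127.0.0.1:5901:127.0.0.1:5901" "${REMOTE_USER:-me}@127.0.0.1"
}
```

On the remote PC, `reverse_tunnel` is the piece that has to survive reboots and dropouts, so it belongs in a systemd unit with `Restart=always` (or under autossh) using a dedicated key that is restricted on the VPS side with `restrict,port-forwarding` in authorized_keys so that account can do nothing but forward.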
Offline
I use the native solution my router offers me: through a WireGuard VPN connection. It's very simple, yet fast & secure. Very happy with it, and I can easily connect/disconnect to my home network with a variety of devices (essentially all based on Android or Linux).
Furthermore, the router is itself configured to be a WireGuard peer of a remote network, which I can then conveniently access as well.
To access my devices, I mostly use SSH. Depending on the device, I can sometimes also fall back to using a Web UI through HTTP.
// Edit: To connect to my home network, I use https://desec.io/ as DynDNS provider and delegated control of a DNS zone that I own (e.g. dyndns.yourdomain.tld) and use that as my DynDNS endpoint.
Last edited by Superhansel (2024-07-01 19:14:42)
Offline
I just use openssh with root login disabled and public key authentication only (password logins disabled). I have a pretty basic iptables configuration. I focus on security non-measures: don't open anything up and you won't need to worry about securing so much (aka "positive security" or "default deny" approaches).
But given you say you want to access your system from "outside my network", there's likely another hurdle here. What is this network? Is this a home network through a commercial ISP? Do you use the ISP-provided router? Do you have a static public IP address? If not, you'll need dynDNS or similar.
However, another important starting point is asking what you want / need. What do you mean by "accessing" your system? What do you want to be able to do with it?
First I want to thank everyone that has given me input on this. I will be reading your responses and taking some of your advice.
I answered this yesterday but somehow it didn't post so I will try again.
What is this network?
It is just a local LAN network at my home.
Is this a home network through a commercial ISP?
Yes
Do you use the ISP-provided router?
No, I use my own router. It is a TP-Link M5 Wireless Mesh system.
Do you have a static public IP address?
No, it is dynamic on a Fiber connection. The IP address doesn't change too often. My TP-Link has dyn-DNS so I will be setting that up soon.
What do you mean by "accessing" your system?
I have a NAS drive and all of my files are on it. I want to be able to access those files when I am away from home. I would also like to manage my workstation when not at home.
What do you want to be able to do with it?
I think I answered that question above.
Online
side-question: does the isp-provided fiber-modem already do some layer3 IP stuff / routing, or is it a dumb layer2 bridge?
are you behind cg-nat (i.e. can you access your network from the outside at all)?
Offline
side-question: does the isp-provided fiber-modem already do some layer3 IP stuff / routing, or is it a dumb layer2 bridge?
are you behind cg-nat (i.e. can you access your network from the outside at all)?
All I know is it is Frontier and I have an ethernet cable hooked directly from a unit attached to the wall into my TP-Link.
I have some port forwarding set up already through the TP-Link.
Online
According to a 1-year-old thread I found, Frontier uses IPv4 only and no CG-NAT. No problems from that side.
The "wall unit" is an ONT (optical network terminal) which (simplified) transfers the signals from the fiber to copper (TP) and vice versa.
Since you want to access multiple devices I recommend setting up a VPN. The VPN endpoint may be (1) your router, (2) your PC or (3) your NAS, depending on the capabilities of your devices and their online schedule.
Offline
If you don't have a static IP: use dynDNS
If you can't connect due to CG-NAT you may look into a cheap VPS
If you are behind CGNAT then use IPv6 which is what I use for ssh end-points nowadays.
Offline
As far as VPN goes it will either have to be the PC or the NAS. I'm not sure what the NAS offers; I will have to look that up. It is a Netgear ReadyNAS 212
As I understand it, setting up a VPN, if I want it free, will slow down my internet connection.
Do any of you guys use a VPN and what would you recommend?
Thanks
Looks like my ReadyNAS is not being totally supported anymore. Won't allow me to install Apps without ssh'ing into it, and I am not comfortable with that. I don't want to screw up the NAS.
So no VPN with that for now.
Maybe time to shop for a new NAS.
Last edited by MAYBL8 (2024-07-02 13:11:45)
Online
Your TP router should be able to provide you with a VPN server.
Offline
Unfortunately my model M5 doesn't support it. I have the latest firmware and it is not a choice for me in the settings.
Online
The VPN is meant for inbound traffic, when you want to access your network from remote. That only depends on the speed between where you are and your home network.
For this I use openvpn.
Offline
Unfortunately my model M5 doesn't support it. I have the latest firmware and it is not a choice for me in the settings.
Actually, I lied. I don't run wireguard on my router anymore. When I went fiberoptic, the new router does not support it. Wireguard now runs on the Raspberry Pi next to the router that controls my irrigation and yard lights.
Grab a cheap raspi and run it there.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
I have a Raspberry Pi 4 that I am not using. It didn't look like wireguard had an install for Raspberry on their website.
Would I connect this with a switch and put the fiber line as the WAN line into the switch and put the M5 router on one of the switch ports? Not sure how this would work with my setup?
Online
You would put the Raspberry Pi behind the router and forward the appropriate port in the router to the Pi. The Pi would get its address from the router. As to setting up wireguard, look into pivpn. https://www.pivpn.io/
The auto install it provides is a bit frightening, but it is pretty straightforward and can be audited.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
I started up my raspberry and it has Raspbian OS on it running the buster version.
Should I get Arch Linux ARM and install that?
OK, I got the raspberry working with wireguard installed on it.
I successfully connected to the VPN from outside of the network.
Question I have now is:
I want to have the raspberry headless, so how would I connect to it to update it and maintain it?
Last edited by MAYBL8 (2024-07-06 19:17:58)
Online