Out of town, don't mess with my network ;-)

On that topic, I have often pondered how to safely access my home LAN.

Soo many ways, it seems.

Do I access the Router/IPFire?
Seems no point since if I can access a machine in my LAN I can access the Router from there.

Do I set up a machine to receive conns via RDP? (Actually did that once, many years ago). Very unsafe without a VPN these days. One could of course use 2FA on the machine, like DUO, which I actually tried, but I was so nervous about being locked out that I stopped messing with it.

VPN to some kind of system that monitors and handles access?

Feel free to share how you did it, with all the pesky non-private details.

When I am away from home I use a Roadwarrior OpenVPN connection with the strongest cipher and the tls authentication key.

Then I use ssh to access any of the machines I want to on my lan. My ssh is set up with elliptic curve key authentication and normal password access is not allowed. I specify specific users in my ssh config. I also specify the allowed ssh KexAlgorithms, Ciphers, MACs and HostKeyAlgorithms to match tightly with the servers I have set up. It makes my ssh connection very specific but I don’t use it to connect to anything else so I am in charge of both ends of all connections.

I also have it set up so that if the IP is not coming from the local LAN but, for instance, from the OpenVPN connection, then 2FA is required in addition to the ssh key to access the computers.
That way internal use on the LAN just uses the ssh keys, but access from outside requires both the keys and a 2FA code.

4 Likes
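The source-dependent 2FA policy described in the post above (key-only logins, pinned algorithms, named users, and key plus OTP for anything not coming from the LAN) can be checked against an sshd_config. This is an added example, not the poster's own configuration: the LAN range, user names and algorithm choices are assumptions, and the sample config is constructed.

```python
# Added example (not the poster's config): audit an sshd_config for the policy
# described above. The LAN range, users and algorithm names are assumptions,
# and the OTP module itself lives in /etc/pam.d/sshd, which is not checked here.
SAMPLE_SSHD_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
AllowUsers alice bob
KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-ed25519
# Not from the LAN: the key alone is not enough, PAM (OTP) must also pass.
Match Address *,!192.168.1.0/24
    KbdInteractiveAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive
"""

def parse_sshd_config(text):
    """Return (global options, [(Match criteria, options), ...]); keys lower-cased."""
    global_opts, matches = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":  # everything that follows belongs to this block
            current = {}
            matches.append((value.strip(), current))
        else:
            current[key.lower()] = value.strip()
    return global_opts, matches

def audit(text):
    """Return policy violations; an empty list means the config passes."""
    g, matches = parse_sshd_config(text)
    problems = []
    if g.get("passwordauthentication", "yes") != "no":  # sshd default is yes
        problems.append("PasswordAuthentication is not 'no'")
    if "allowusers" not in g:
        problems.append("AllowUsers not set; any account may log in")
    for opt in ("kexalgorithms", "ciphers", "macs", "hostkeyalgorithms"):
        if opt not in g:
            problems.append(f"{opt} not pinned; server defaults apply")
    if not any("!" in crit and crit.lower().startswith("address")
               and opts.get("authenticationmethods") == "publickey,keyboard-interactive"
               for crit, opts in matches):  # must exclude the LAN and demand key + OTP
        problems.append("no Match Address block requiring key + OTP for non-LAN sources")
    return problems
```

Run `audit()` over the real file before restarting sshd; a non-empty list means one of the described controls is missing.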

Just curious; the 2FA setup is not done within IPFire, correct?

That is correct. With my current setup I only have the 2FA for ssh into all my computer consoles but not for accessing the IPFire console via ssh.

In my other systems I have used the libpam-google-authenticator package to get linked into the pam modules to integrate the 2FA authentication process.

IPFire doesn’t have the libpam-google-authenticator package available. However it does now have the oath-toolkit package in the core packages as it is used for the OpenVPN 2FA.
So I may, just for fun, have a look at the ability to set up 2FA for the IPFire ssh connection. Will need to look at how to accomplish it and how it is used with OpenVPN because it doesn’t look like it is using PAM integration as the pam_oath.so file is not included in the IPFire oath-toolkit installation.

To be honest, for my home network, just having the strongest OpenVPN connection with TLS Authentication (ta.key) and then using ssh only with keys gives a pretty strong protection on its own. I just did all the 2FA on my computers to see if I could do it.

1 Like

Appreciate the feedback on how IPF folks are connecting to their networks remotely.

I generally use the likes of Anydesk or TeamViewer for accessing my IPF home network which is not very often so I only activate Anydesk host when needed.

What are the general thoughts on using Anydesk vs IPF Roadwarrior / OpenVPN for remote connectivity?

Are there any basic security vulnerabilities / risks associated with using Anydesk / TeamViewer that I might be missing?

You can also use Cloudflare Tunnels

I don't know if it is a general thought here, and my answer is probably off-topic, so in short:
AnyDesk and the like are closed source software, so there is no way of controlling it. That's a no go, for me anyway.

Thanks @eddie, valid point.

A tiny hint. :wink:
RustDesk is an open source alternative to TeamViewer and AnyDesk.
You can use their public rendezvous/relay server, self-hosting, or write your own server.

Best

3 Likes

Very interesting.

Considering I run TrueNAS Scale on a test bed for later implementation, this might very well be worth trying out.

IPFire OpenVPN + Location Blocking. When I travel I just enable likely countries I will be accessing from and disable them again when I get home.

1 Like