OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: pankaj on January 02, 2022, 09:43:28 pm

Title: Access home LAN from outside - VPN or Port Forwarding (Pros and Cons)
Post by: pankaj on January 02, 2022, 09:43:28 pm
Hi Folks,

If you are running OPNSense then it is fair to assume that you've a network behind it or too much free time at hand  :D

For me, I am running several services on my LAN such as Home Assistant, Bitwarden & FreeNAS. So it is fair to say that I often need to access these machines from outside the home.

There are usually two acceptable methods for accessing LANs from outside:

1. Port forwarding is relatively simple, and most DIY tutorials seem to advocate this approach.
2. VPN is more complicated and, to be very fair to newbies & DIY folks, it is a headache to set up the first time.

But after tinkering with both options, I have come to form an opinion that port forwarding is very risky, and here is a layman's reasoning for my opinion.
Let us say you are running a server (FreeNAS) and forward the port from the firewall to the FreeNAS machine. This makes the port on FreeNAS visible to the network outside your LAN (aka the rest of the world). So while you are happy being able to access FreeNAS from outside the LAN, so can the rest of the world, and herein lies the problem. If there are any vulnerabilities in the FreeNAS software, or if the machine has weak accounts with passwords like "123" or "test" or any admin accounts with default passwords, then any malicious actor anywhere in the world can exploit it as if they were typing from your home network.

VPN on the other hand has multiple levels of security such as tunneling protocols, certificates, encryption etc. before anyone can even get to an account with password "123".

So as complicated as a VPN may sound, it is worth exploring, and here is an excellent video (by Daily Tech Bites) on setting up OpenVPN - https://www.youtube.com/watch?v=ocGAcZD8qYo

Hope this helps solve a few problems for you. In the next round we will discuss how to use self-signed certificates on the LAN to make apps like Home Assistant work without a FQDN!
Title: Re: Access home LAN from outside - VPN or Port Forwarding (Pros and Cons)
Post by: pankaj on January 08, 2022, 07:39:20 pm
Here is the HowTo for configuring the Home Assistant app using a self-signed certificate.

https://forum.opnsense.org/index.php?topic=26277.0
Title: Re: Access home LAN from outside - VPN or Port Forwarding (Pros and Cons)
Post by: ranceh on February 02, 2022, 10:16:52 pm
Having done both solutions, the only one that has been bulletproof for me has been port forwarding. I had a VPN set up, but work changed a security profile and doesn't allow VPN traffic unless it is from an approved VPN client, and directed into the LAN, vs out of it.

I ended up using a non-standard port to forward into the standard SSH port to a specific host that has key-based login only. From there you can tunnel a VNC and/or RDP connection to an internal GUI box and have full net access. The performance is passable.
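As an added example (not code posted by anyone in this thread), here is a small Python audit that checks whether an sshd_config actually enforces the "key-based login only" posture described above before the SSH port is exposed through a port forward. The two config texts are constructed samples; the fallback values are OpenSSH's documented defaults for each directive, which matter because a directive that is simply absent still takes effect.

```python
"""Audit an sshd_config for a key-only login posture.

Added example for this thread; the config texts below are constructed.
"""
import re

# directive -> (required value, OpenSSH default used when the line is absent)
REQUIRED = {
    "pubkeyauthentication": ("yes", "yes"),
    "passwordauthentication": ("no", "yes"),
    "kbdinteractiveauthentication": ("no", "yes"),
    "permitrootlogin": ("no", "prohibit-password"),
    "permitemptypasswords": ("no", "no"),
}

# Older OpenSSH releases spell this directive differently.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.

    sshd honours the first occurrence of a directive, so the first one wins.
    Everything from the first 'Match' line onward is conditional and is
    deliberately ignored: this audit only judges the unconditional policy.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return a list of (directive, effective_value, required_value) findings.

    An empty list means the global section enforces key-only login.
    """
    settings = parse_sshd_config(text)
    findings = []
    for key, (required, default) in REQUIRED.items():
        effective = settings.get(key, default)
        if effective.lower() != required:
            findings.append((key, effective, required))
    return findings


# Constructed sample: stock defaults plus password logins left enabled.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: the posture the post describes, with a LAN-only
# exception in a Match block that the global audit intentionally skips.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {'OK' if not findings else 'FINDINGS'}")
        for directive, effective, required in findings:
            print(f"  {directive} is '{effective}', expected '{required}'")
```

The weak sample fails on three counts: password authentication and root login are explicitly enabled, and keyboard-interactive authentication is left at its default of "yes", which is the one people most often forget when they believe they have disabled password logins. Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())` on the forwarded host.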
Title: Re: Access home LAN from outside - VPN or Port Forwarding (Pros and Cons)
Post by: allebone on February 03, 2022, 03:45:36 am
@ranceh it is unfortunate, but ports being open in that way is no longer safe, even with key-based login, because a vulnerability can be found. You should consider using a reverse proxy solution such as Guacamole, which can give access to RDP/SSH etc. instead if a VPN is not feasible, or alternatively using WireGuard on a port such as 53 or 443 or some port that can bypass preventative measures that try to block VPNs. Another option that works well is using something like ZeroTier, which will use UDP hole punching to bypass a strict firewall or route via their beacons when that does not work. All these options are preferable to opening a port.
Title: Re: Access home LAN from outside - VPN or Port Forwarding (Pros and Cons)
Post by: pankaj on February 03, 2022, 04:55:07 am
I had a VPN set up, but work changed a security profile and doesn't allow VPN traffic unless it is from an approved VPN client, and directed into the LAN, vs out of it.

Setting security pros/cons aside, in the US most companies consider bypassing work-related network policies a breach of the employment contract and often ample grounds for termination of employment. Be careful with whatever you are trying to do with port forwarding at work.
Title: Re: Access home LAN from outside - VPN or Port Forwarding (Pros and Cons)
Post by: ranceh on February 04, 2022, 12:00:20 am
@allebone: thanks for the reference for Guacamole. That looks like a solution that might make sense.

@pankaj: I work in education, and the rule is primarily to prevent students from abusing the network. IT staff like myself are limited in the ways we can gain access to an external network for testing, but it is allowed and a normal part of our work.