Living in a not so safe country => call for guidance/advice

Started by minime, January 10, 2017, 11:52:57 PM

Hi,

Soon I will relocate to a not so safe country. I already have an OPNsense box up and running, incl. OpenVPN. At the moment it is not that important whether I made a configuration mistake or not, but soon I have at least the perceived feeling that it is critical to get it right. Hence I am asking the experts on this forum for guidance, advice and tips. Any help is much appreciated!

Scenario: Living in a not so safe country and getting a secured connection into a safe country
Goal: Routing ALL internet traffic securely from Country B through Country A, while making sure the OPNsense boxes themselves are secured as well

Country A (safe)

  • Modem (1gbit symmetric)
  • Dedicated OPNsense box
  • NAS connected to the OPNsense box

Country B (not so safe)

  • Modem (1gbit symmetric)
  • Dedicated OPNsense box
  • Wireless Router connected to a Switch that is connected to the OPNsense box

Line of thinking

  • Creating a site-2-site OpenVPN connection on the two OPNsense boxes
  • Attaching the Wireless Router to Switch that is connected to the OPNsense box in Country B
  • Mobile devices directly connect to the OPNsense box in Country A

Questions

  • Without an OpenVPN connection I can saturate my 1gbit line (achieving ~950mbit); with an OpenVPN connection I achieve ~350mbit on my current OPNsense box (i5-6200u). Is that to be expected? What system would allow me to saturate the line with an OpenVPN connection? Any experience?
  • The inline Intrusion Prevention System is currently deactivated, as the performance impact is already quite high even without an OpenVPN connection (down to 500-700mbit depending on the activated options). From a security point of view, do you recommend having this feature activated? If yes, in combination with my previous question, what system would allow me to saturate my line, and do you have experience with this?
  • As the configuration options in OPNsense exceed my full understanding and I can't make a mistake here, is there any configuration guidance/recipe for a scenario like mine? No frills, just having a secured connection and secured OPNsense boxes (login/management, certificates/keys, making sure the system can't get manipulated => read-only system, etc.)?

Many thanks for your support!

Make sure that your destination country allows the cryptography protocols provided by OPNsense. Judging by your description, it may not be covered by the Wassenaar agreement: http://www.wassenaar.org/participating-states/

You may need an import license.

Bart...

Hi,

Interesting information. Would that also be true for SSL? The reason I'm asking this is that it would more or less affect everything, as more and more websites are delivered with SSL end-to-end encryption...

I think I'm going to ignore this potential requirement of getting an import license, defeats a bit the whole purpose of privacy if you announce in a not-so-safe country that you want to keep your privacy, right?

SSL (now TLS) is just a protocol wrapper. The work is done by the cryptographic protocols (AES, SHA, RSA, etc.).

And yes, websites in dodgy countries are often subject to restrictions and attacks with at least a few openly filtering cross-border traffic (China, Iran, gulf states).

I'm sure ROT13 will be fine :D

Bart...

Hi minime,

Sorry for the delay! Here are my thoughts:

Quote from: minime on January 10, 2017, 11:52:57 PM
Without an OpenVPN connection I can saturate my 1gbit line (achieving ~950mbit), with an OpenVPN connection I achieve ~350mbit on my current OPNsense box (i5-6200u). Is that to be expected? What system would allow me to saturate the line with an OpenVPN connection? Any experience?

I think yes. AES-NI hardware can help. Setting the connection to UDP too. IPsec on 11.0 is a little better over 500 mbit, but it really depends on the hardware, number of cores, mainly CPU throughput.

OpenVPN is the better choice still, because in OPNsense we have the XOR obfuscation integrated, you can find the details here in the forum and two links for further reading about it below. It's perfect for your use case.

IPsec was in the press for having alleged backdoors that could have circulated in BSD implementations.

Quote from: minime on January 10, 2017, 11:52:57 PM
Inline Intrusion Prevention System is currently deactivated as the performance impact is already quite high without an OpenVPN connection (down to 500-700mbit depending on the activated options). From a security point of view, do you recommend having this feature activated? If yes, in combination with my previous questions, what system would allow me to saturate my line and do you have experience with this?

IDS alone can help spot incidents, you can't always block, but you need to set up a reporting / audit routine to find out about incidents. IDS mode (not IPS) should be at line speed.

You can also make great use of the GeoIP alias feature, not from the IPS, but from the firewall aliases. The blocking performance is a lot better and the databases are the same.

Quote from: minime on January 10, 2017, 11:52:57 PM
As the configuration options in OPNsense exceed my full understanding and I can't make a mistake here, is there any configuration guidance/recipe for a scenario like I have? No frills, just having a secured connection and secured OPNsense boxes (like login/management, certificates/keys, making sure the system can't get manipulated => read-only system, etc.)?

It depends on how paranoid you are. You could secure your box with 2FA, which even works with SSH now. (Note this doesn't work for OpenVPN renegotiation.) You can lock down the console (it is password-protected by default). You should keep the system up to date. Keep copies of your config. Rotate your shared secrets or certificates.

I always scramble the root password. There's a feature for this in OPNsense 17.1.2 now. Use a differently-named admin account. SSH only using keys if you don't want to 2FA.

Probably more... :)

Further reading on the XOR obfuscation feature not in OpenVPN, but provided by Tunnelblick and OPNsense:

https://tunnelblick.net/cOpenvpn_xorpatch.html

Further reading on OpenVPN obfuscation inside the project itself, how effective it is, etc.:

https://sourceforge.net/p/openvpn/mailman/openvpn-users/thread/DFBD5589-71CB-41CD-B7A7-F2A540380E33%40haloprivacy.com/#msg35560747


Cheers,
Franco
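To make Franco's pointers concrete (UDP, AES-NI-friendly cipher, keys rather than shared secrets, all of site B's traffic routed via site A), here is an added example of the two OpenVPN configurations such a site-to-site setup boils down to. It is not from the thread or the OPNsense project; on OPNsense the GUI generates the equivalent, so it serves as a checklist of the fields to set. Assumed: OpenVPN 2.4 or newer on both boxes, site A's LAN 192.168.1.0/24, site B's LAN 192.168.2.0/24, tunnel 10.8.0.0/24, and placeholder file names and the hostname siteA.example.net.

```conf
# --- Country A (safe): OpenVPN server on the OPNsense box ---
dev tun
proto udp                       # UDP avoids TCP-over-TCP stalls and is faster
port 1194
topology subnet
server 10.8.0.0 255.255.255.0   # tunnel network (assumed)
ca ca.crt                       # files are placeholders; OPNsense stores them in the cert manager
cert siteA.crt
key siteA.key
dh none                         # ECDHE only (OpenVPN 2.4+), no static DH parameters
ecdh-curve secp384r1
tls-crypt tc.key                # encrypts + authenticates the control channel; unauthenticated
                                # packets are dropped before any TLS work is done
cipher AES-256-GCM              # AEAD cipher, accelerated by AES-NI on the i5-6200u class CPUs
auth SHA256                     # HMAC for tls-crypt; data channel integrity comes from GCM
tls-version-min 1.2
remote-cert-tls client          # peer must present a cert with the client EKU
verify-x509-name siteB name     # only the site B certificate may connect (assumed CN)
client-config-dir ccd           # ccd/siteB contains: iroute 192.168.2.0 255.255.255.0
route 192.168.2.0 255.255.255.0 # site A may reach site B's LAN through the tunnel
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
# Also needed on site A: an outbound NAT rule on WAN for 10.8.0.0/24 and 192.168.2.0/24,
# and a firewall rule on the OpenVPN interface allowing traffic from those networks.

# --- Country B (not so safe): OpenVPN client on the OPNsense box ---
client
dev tun
proto udp
remote siteA.example.net 1194   # placeholder for site A's public address
nobind
ca ca.crt
cert siteB.crt
key siteB.key
tls-crypt tc.key                # same key as site A; rotate it together with the certs
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server          # refuse to talk to anything that is not a server cert
verify-x509-name siteA name     # pin the expected server certificate (assumed CN)
redirect-gateway def1           # send ALL of site B's traffic into the tunnel
persist-key
persist-tun
# Also needed on site B: a LAN firewall rule pointing at the OpenVPN gateway, and the
# DNS servers used by the LAN must be reachable through the tunnel, not via the local ISP.
```

Franco's XOR obfuscation is a separate directive of the Tunnelblick patch and must be set identically on both sides; it is left out here because it is not part of stock OpenVPN. The hardening he lists (2FA, key-only SSH, renamed admin account) is done in the OPNsense system settings, not in these files.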

Many thanks, this helps. However, may I invite knowledgeable people to chip in? I am hoping that we could create a how-to for my described use case. The further we lower the bar for people to have a safe environment, the better.