Thoughts on my plan for a home network?

truckerDave

truckerDave

Well-Known Member
Joined
Oct 7, 2023
Messages
330
Reaction score
302
Credits
2,718
GOALS:
  • Ditch Windows (Done)
  • Server for my business records (Apache, PHP, MySql)(Done)
  • Have access from afar
After some research, I think I have an "idea" of how to have access to my server while on the road. I would prefer to be able to access my server via a php web page. However, I'm no security guru and want to avoid having the local rugrat down the street getting in and messing things up (or worse). I have no delusions of keeping out a real hacker. But if one is that good, he/she would know ahead of time that my network wasn't worth the effort. As I keep no financial records on a networked/internet connected PC.

I am thinking of something along the lines of this image
Untitled.png

I've read/watched several articles/videos about hardware routers, pfSense and Wireguard. I'm still uncertain about Wireguard as everything I have viewed goes through all the "great reasons to use it" and the whole set up process . But after 3 evenings of looking, I've yet to see anyone actually show how to use the program beyond installation and setup. It goes without saying, I'm no network engineer. And after reviewing the Wireguard website, I'm afraid it may be over my head. I'm the sort where if you show me how to cook something I like, I can make that dish the rest of my life. Hand me a recipe, and I'll screw it up.

I do intend on adding the firewall. However, I may opt for OPNSense. Still undecided.

I've also thought about, after adding the firewall, to set it up to only allow my cell phone's IP to access the server via some obscure port. But not sure how secure that would be. But it would probably be more within my knowledge base.

Thoughts? Pointers? Criticisms? Am I going about this all wrong?
 
Last edited:


truckerDave said:
Thoughts? Pointers? Criticisms? Am I going about this all wrong?
Click to expand...

No idea from me, all I have done with networking was to use openssh to employ shared folder networking, but I hope someone comes along soon with ideas and I'll watch and learn something.

Good luck

Wizard
 
The issue with hacking is that it makes sense for more things than „financial records“.

You can get into a computer and add it to a botnet to mine crypto, attack your enemies or store illegal media and I dont mean pirated hollywood movies.

So the general „first hacking attempt“ vs „real hacker“ idea isnt accurate.

There are thousands of people out there that can exploit your systems vulneraribilities and some do so automated. I know, I have both, broken into systems when I was young and am running a public server that gets scanned for vertors every minute.

Running everything that is in your home network behind a vpn is the only thing I‘ll ever embrace because its hard to get in. Having some webpage on port 80 is going to expose you to man in the middle attacks and 443 is going to get hammered with every combination of GET and wp-admin you have ever heard of. (Joking, not only wp-admin but its the most prevalent I‘ve seen)

The next issue is that if one device inside your home network gets compromised, it becomes dangerous to anyone joining that network because it could listen in on stuff, even activate mics and cameras. The possibilities are endless.

So, even if you use a commercial login like say nextcloud, its gonna be hammered with brute force attempts and statistically they are going to succeed. If not that it might get ddos‘d if nothing else. And that is only if you keep on it like a hawk with updates. If it gets too much out of date, chances for a successful break in skyrocket.

TL;DR: I would suggest using a vpn to get into the network and under no circumstances expose any web ports (80/443) to the open web.
 
I have a simlar setup, if you are going to expose a server to the outside world you will want to setup fail2ban to scan your log files for login attempts and such, as well as setting up vlans so that you can put the server you want to expose to the world in a seperate vlan which doesn't have access to your internal network.
 
I was going to suggest the use of DWService.....which allows file transfers, etc, among other things.

This works along similar lines to TeamViewer, but you access it via a web-browser instead. However, as Haui says, that means leaving web access open while you're away from home. Which ain't a brilliant idea.

Or, there's AnyDesk (which I highly recommend), though this requires an instance of AnyDesk left running while you're away. Remote access via password is allowed; default port is 7070, though this can of course be changed.

I know the standard, time-honoured, recommended way in Linux is to use SSH. However, taking note of what you said about recipes - I'm the same; show me how to do summat, I'm fine. Give me a recipe (or article to read through), and I'll probably get it wrong. I respond far better to visual input! - to my way of thinking, these kinds of apps are better, because it's as though you're sitting in front of your main machine at home. You know exactly how to access stuff when you're there, don't you?

This suggestion will probably be pooh-poohed as unsuitable, unsafe or not "geeky" enough.....

(shrug...)

VNCs are another popular way of doing things - and will let you access your "screen", just like the above - but I don't really understand these.

At the end of the day, it boils down to the degree of access you're happy to allow. Linux enthusiasts will tell you that no amount of access is safe, and that you must secure your home network as though defending against an entire fleet of battleships. The decision will need to be yours; nobody else can make it for you.

We CAN only suggest...though we are of course happy to advise where we can (frequently from personal experience).


Mike. :p
 
Last edited:
truckerDave said:
I do intend on adding the firewall. However, I may opt for OPNSense. Still undecided.
Click to expand...
I would go with OPNsense since it gets more regular updates, with PFsense you can only get 1-2 update a year, or so I've heard. Also, do you have a specific reason why you want to be able to access your server from outside of your home network?
 
Last edited:
Haui111 said:
I would suggest using a vpn to get into the network and under no circumstances expose any web ports (80/443) to the open web.
Click to expand...
Aren't pfSense and OPNSense considered VPN's? It seems everyone is tossing that term around when talking about them.
f33dm3bits said:
I have a simlar setup, if you are going to expose a server to the outside world you will want to setup fail2ban to scan your log files for login attempts and such, as well as setting up vlans so that you can put the server you want to expose to the world in a seperate vlan which doesn't have access to your internal network.
Click to expand...
I have fail2ban installed and running. I've done about every "trick" I could find when it comes to hardening the server. And I'll do some studying on vlans.

The server is not exposed. And it may never get exposed. If I don't feel like I have it locked down tight, I'll continue to do what I currently do. Wait til I'm home to upload my data.
 
truckerDave said:
The server is not exposed. And it may never get exposed. If I don't feel like I have it locked down tight, I'll continue to do what I currently do. Wait til I'm home to upload my data.
Click to expand...
If your server is not exposed to the internet then no reason to need to install fail2ban on it, you can just treat is as your desktop PC then and also no need for vlans. If you have no specific reason to expose your server to the internet other than for you to be able to upload data to your home network, then using a vpn setup is the better way to go.
 
Last edited:
f33dm3bits said:
Also, do you have a specific reason why you want to be able to access your server from outside of your home network?
Click to expand...
The main reason is saving my home time for other things. I'm gone 2 to 3 weeks at a time. Then I come home for 2 or 3 days and it starts all over. I hate that I have to spend up to 4 hours of my short time at home doing stuff I could be doing from the truck.
 
f33dm3bits said:
I would go with OPNsense since it gets more regular updates, with PFsense you can only get 1-2 update a year, or so I've heard. Also, do you have a specific reason why you want to be able to access your server from outside of your home network?
Click to expand...
That was my thinking. Saw some info on OPN vs pf and that was a major point. Seems that some think it has a little better layout. And the regular updates.
 
MikeWalsh said:
I was going to suggest the use of DWService.....which allows file transfers, etc, among other things.

This works along similar lines to TeamViewer, but you access it via a web-browser instead. However, as Haui says, that means leaving web access open while you're away from home. Which ain't a brilliant idea.

Or, there's AnyDesk (which I highly recommend), though this requires an instance of AnyDesk left running while you're away. Remote access via password is allowed; default port is 7070, though this can of course be changed.

I know the standard, time-honoured, recommended way in Linux is to use SSH. However, taking note of what you said about recipes - I'm the same; show me how to do summat, I'm fine. Give me a recipe (or article to read through), and I'll probably get it wrong. I respond far better to visual input! - to my way of thinking, these kinds of apps are better, because it's as though you're sitting in front of your main machine at home. You know exactly how to access stuff when you're there, don't you?

This suggestion will probably be pooh-poohed as unsuitable, unsafe or not "geeky" enough.....

(shrug...)

VNCs are another popular way of doing things - and will let you access your "screen", just like the above - but I don't really understand these.

At the end of the day, it boils down to the degree of access you're happy to allow. Linux enthusiasts will tell you that no amount of access is safe, and that you must secure your home network as though defending against an entire fleet of battleships. The decision will need to be yours; nobody else can make it for you.

We CAN only suggest...


Mike. :p
Click to expand...
I had not thought/heard about DWService, TeamViewer or AnyDesk. I will look into those.

I have SSH running on my server and use it for transferring files and making changes on the server from my Mint box.
 
truckerDave said:
Aren't pfSense and OPNSense considered VPN's? It seems everyone is tossing that term around when talking about them.

I have fail2ban installed and running. I've done about every "trick" I could find when it comes to hardening the server. And I'll do some studying on vlans.

The server is not exposed. And it may never get exposed. If I don't feel like I have it locked down tight, I'll continue to do what I currently do. Wait til I'm home to upload my data.
Click to expand...
The reason I said use vpn was because of your „php site as login“ part. That implies to me that you are thinking about opening port 80/443 because otherwise you dont need a php page. You go through vpn and use your network as you would use it if you were there.

If that was a misunderstanding, I apologize.
 
MikeWalsh said:
I was going to suggest the use of DWService.....which allows file transfers, etc, among other things.

This works along similar lines to TeamViewer, but you access it via a web-browser instead. However, as Haui says, that means leaving web access open while you're away from home. Which ain't a brilliant idea.

Or, there's AnyDesk (which I highly recommend), though this requires an instance of AnyDesk left running while you're away. Remote access via password is allowed; default port is 7070, though this can of course be changed.

I know the standard, time-honoured, recommended way in Linux is to use SSH. However, taking note of what you said about recipes - I'm the same; show me how to do summat, I'm fine. Give me a recipe (or article to read through), and I'll probably get it wrong. I respond far better to visual input! - to my way of thinking, these kinds of apps are better, because it's as though you're sitting in front of your main machine at home. You know exactly how to access stuff when you're there, don't you?

This suggestion will probably be pooh-poohed as unsuitable, unsafe or not "geeky" enough.....

(shrug...)

VNCs are another popular way of doing things - and will let you access your "screen", just like the above - but I don't really understand these.

At the end of the day, it boils down to the degree of access you're happy to allow. Linux enthusiasts will tell you that no amount of access is safe, and that you must secure your home network as though defending against an entire fleet of battleships. The decision will need to be yours; nobody else can make it for you.

We CAN only suggest...


Mike. :p
Click to expand...
I dont think your ideas are „not geeky enough“. Some come with security risks though if not done properly.

  • dont forward any ports through your router if you can manage without
  • if you do, dont use standard ports (22 for ssh, etc)
  • use key only, no password
  • if you need to use password, ideally use 2 factor additionally
  • if you cant use 2 factor, at least use insanely long passwords if possible, whole sentences ideally with numbers and special characters and definitely use fail2ban. This significantly slows down any attacker. But make sure you test it because I‘ve made the mistake to believe someone saying install and done.

If someone is behind a vpn, its not impossible to hack them but getting into the network remotely will be tough imo.
 
Haui111 said:
The reason I said use vpn was because of your „php site as login“ part. That implies to me that you are thinking about opening port 80/443 because otherwise you dont need a php page. You go through vpn and use your network as you would use it if you were there.

If that was a misunderstanding, I apologize.
Click to expand...
No need to apologize. I misunderstand a lot that others wouldn't :D

I've spent the morning, and will be spending a great deal more time learning about VPNs. The whole "use your network as you would use it if your were there" thing would mean I would have to rethink the way I insert data. But for security's sake, that is not out of the question. As it is now, I use PHP to insert my info into a database. And to create my graphs, etc. I'm new to Linux. So, maybe I'm unaware of an obvious method. But I'll research the crap out of it and see what will work for me.
 
truckerDave said:
Aren't pfSense and OPNSense considered VPN's? It seems everyone is tossing that term around when talking about them.
Click to expand...
No Pfsense and OPNsense are designed for routing and firewalling but you can also install vpn software on them using plugins or other functionalies if you want.

Learn About the pfSense Project

pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more
www.pfsense.org www.pfsense.org

About OPNsense - High-end Security Made Easy™

OPNsense is the best open source, easy-to-use firewall and routing platform with a strong focus on security. High-end Security Made Easy™ Free Download.
opnsense.org opnsense.org
 
Last edited:
Haui111 said:
  • dont forward any ports through your router if you can manage without
  • if you do, dont use standard ports (22 for ssh, etc)
  • use key only, no password
  • if you need to use password, ideally use 2 factor additionally
  • if you cant use 2 factor, at least use insanely long passwords if possible, whole sentences ideally with numbers and special characters and definitely use fail2ban. This significantly slows down any attacker. But make sure you test it because I‘ve made the mistake to believe someone saying install and done.
Click to expand...
You can also use a whitelisting firewall and port knocking for if you are on a dynamic ip that will give you temporary access if needed, I find that those two are good enough for my needs in combination with using only pubkey authentication and having password authentication disabled.
 
f33dm3bits said:
You can also use a whitelisting firewall and port knocking for if you are on a dynamic ip that will give you temporary access if needed, I find that those two are good enough for my needs in combination with using only pubkey authentication and having password authentication disabled.
Click to expand...
Definitely an option.

I think it will be a while before I make anything "live". There are several methods to accomplish my goal, it seems. I already have password authentication disabled and using keys. I bought a little PC that I am going to use as the firewall. Should be here today. I guess I need to go study OPNSense and get ready to play with that.

And if I implement a VPN, I need to order a switch. Looking at the Ubiquiti EdgeRouter X. It can only handle 4 hard wired components. And if I expand, one of my PCs can be set up on WiFi.
 
truckerDave said:
Definitely an option.

I think it will be a while before I make anything "live". There are several methods to accomplish my goal, it seems. I already have password authentication disabled and using keys. I bought a little PC that I am going to use as the firewall. Should be here today. I guess I need to go study OPNSense and get ready to play with that.

And if I implement a VPN, I need to order a switch. Looking at the Ubiquiti EdgeRouter X. It can only handle 4 hard wired components. And if I expand, one of my PCs can be set up on WiFi.
Click to expand...
Sounds like a fun project. I was thinking of replacing my avm router with a pi or similar but its no option at this point due to time constraints. My servers run 50+ docker containers and they’re a pain to set up and despite high automation they take quite a bit of maintenance. Sadly, the maintenance limits my ability to go further down the rabbithole without risking total system failure (router breaks = no internet, needs update and you’re on vacation)
 
Haui111 said:
Sounds like a fun project. I was thinking of replacing my avm router with a pi or similar but its no option at this point due to time constraints. My servers run 50+ docker containers and they’re a pain to set up and despite high automation they take quite a bit of maintenance. Sadly, the maintenance limits my ability to go further down the rabbithole without risking total system failure (router breaks = no internet, needs update and you’re on vacation)
Click to expand...
I can't even imagine. And I don't want to try.

50+ containers and I've not found a use for just one as yet.
 
Your idea is good, but you can make it a whole lot simpler than that. As others have insinuated, you can just have some network device without a firewall you can SSH into. It's unlikely hackers are going to be clamoring to get to your business records unless you tell them specific info and make it known to the world...or you have some big corporation that stores credit card data for users. In the latter circumstance, you shouldn't be able to access their cc data because that would be a security vulnerability.

i think rasberry pi would work as an excellent server for this purpose, but don't quote me on that as i have not ever set up a rasberry pi.
 
You must log in or register to reply here.

Similar threads

D
Redirect the traffic of all my home devices to a proxy server, is it possible?
Replies
3
Views
1K
damix9
damix9
E
"wg" interface appearing after each reboot
Replies
7
Views
1K
vs2-free-users
vs2-free-users
dos2unix
Scanning your network with nmap.
Replies
2
Views
830
CaffeineAddict
CaffeineAddict
D
A different question about Network Manager
Replies
5
Views
939
MikeRocor
MikeRocor
S
Accessing a wireguard VPN server behind NAT
Replies
0
Views
3K
skychan
S


Members online

Total: 985 (members: 6, guests: 979)

Latest posts

Top