Security - Unraid and VPNs


something fishy


Excuse me if this is a question that reveals ignorance of how VPNs work.

 

I am considering using a VPN to avoid traffic shaping of bittorrent traffic from my ISP (using the openvpn unraid plugin).

 

I have found a VPN provider that appears to forward all ports I need (apologies if wrong terminology, what I mean is that torrent clients report that they are able to receive incoming connections on a reasonable number of arbitrarily selected ports).

 

However I am worried that this will leave unraid vulnerable to attack in a similar way to if it were in a DMZ.

 

Are my fears justified and is there anything I can do about it?

 

Thanks

 

Eric

Link to comment

You are most probably talking about a provider like StrongVPN (I use that one).

 

What will happen is that your pc will create a vpn tunnel with that provider, your requests will go into the tunnel, and leave at the other end. From the other end it is regular traffic again.

 

Setting up a VPN towards an outside source does -not- leave your pc vulnerable. No need to worry.

Link to comment

You are most probably talking about a provider like StrongVPN (I use that one).

 

What will happen is that your pc will create a vpn tunnel with that provider, your requests will go into the tunnel, and leave at the other end. From the other end it is regular traffic again.

 

Setting up a VPN towards an outside source does -not- leave your pc vulnerable. No need to worry.

 

That is not necessarily true.  You need to look at the client software and their terms/technical very carefully.

 

VPN technology mostly originated for the capability of a remote computer to join a remote network, as though it was on that network.  Dependent on the way the software/provider works, your machine may actually be exposed MUCH more than normal behind your private local home network (machine technically typically "hidden" from the Internet via standard NAT), at minimum to their network and/or other clients on their network.

Link to comment
Dependent on the way the software/provider works, your machine may actually be exposed MUCH more than normal behind your private local home network (machine technically typically "hidden" from the Internet via standard NAT), at minimum to their network and/or other clients on their network.

 

Interesting that you say this as it accords with my worries.

Some specifics.

 

I am testing a VPN provided by a company called seed.st (which is known for providing seedboxes). It claims to offer a switchable firewall (in which I can select open ports) however I do not think this works. I have a support request lodged with them concerning this, I'd like to investigate the general principles here.

 

As it stands today, if I initiate a VPN connection with Seed.st (OpenVPN) from my laptop and open up the Deluge bittorrent client, *any* arbitrarily selected port reports that it's open to incoming traffic. I can confirm this with GRC's Shields Up. If this is the case how is it different from the PC being placed in the DMZ in my router's firewall?

 

And if it is the same as putting the PC in the DMZ, what would stop someone telnetting into my unraid server via the VPN's endpoint IP address? (Until this issue is resolved my unraid server is not using VPN; there's no way that I would put an unraid server in a DMZ.)

 

I should observe that I don't think that Seed.st is typical here. I also have a vpn account with a "normal" VPN provider (Overplay.net) and repeating the above does not show ports to be open (nor does it have a firewall setup page). However given the increased popularity of ISPs restricting P2P traffic and the option of using VPN to avoid this I would like to understand the risks. Until I had actually started to try and get a "port open" connection I hadn't even considered a VPN as a source of risk.

Link to comment

Dependent on the way the software/provider works, your machine may actually be exposed MUCH more than normal behind your private local home network (machine technically typically "hidden" from the Internet via standard NAT), at minimum to their network and/or other clients on their network.

 

Interesting that you say this as it accords with my worries.

Some specifics.

 

I am testing a VPN provided by a company called seed.st (which is known for providing seedboxes). It claims to offer a switchable firewall (in which I can select open ports) however I do not think this works. I have a support request lodged with them concerning this, I'd like to investigate the general principles here.

 

As it stands today, if I initiate a VPN connection with Seed.st (OpenVPN) from my laptop and open up the Deluge bittorrent client, *any* arbitrarily selected port reports that it's open to incoming traffic. I can confirm this with GRC's Shields Up. If this is the case how is it different from the PC being placed in the DMZ in my router's firewall?

 

And if it is the same as putting the PC in the DMZ, what would stop someone telnetting into my unraid server via the VPN's endpoint IP address? (Until this issue is resolved my unraid server is not using VPN; there's no way that I would put an unraid server in a DMZ.)

 

I should observe that I don't think that Seed.st is typical here. I also have a vpn account with a "normal" VPN provider (Overplay.net) and repeating the above does not show ports to be open (nor does it have a firewall setup page). However given the increased popularity of ISPs restricting P2P traffic and the option of using VPN to avoid this I would like to understand the risks. Until I had actually started to try and get a "port open" connection I hadn't even considered a VPN as a source of risk.

Precisely.  Using a provider without proper security implementation could leave you exposed to possibly at minimum other clients using the service, or possibly the entire public.

 

That is definitely not correct... Shields Up is an external system and should only see an added opening for port 1723 (VPN). If it sees something else then there is need to worry.

That is not correct.

 

In general terms, when you connect via VPN, you get an IP on said third party's network.  That network is basically your remote IP address.  If they do nothing to protect your IP (or NAT if using public space) you have in essence moved your machine from behind a NAT/firewall at home, to a publicly routed and wide open Internet.  It's no different from sticking your machine straight into your internet at home instead of behind your router.  While your ISP can no longer sniff your traffic when you're VPN'd, it does not imply any sort of protection for your actual computer and as mentioned could actually be much worse.

 

Don't confuse VPN with network security.  It is only a service to make your traffic "appear" to originate from a different place (i.e. your VPN provider instead of your home ISP).

 

Again, in very general terms.

Link to comment

 

That is definitely not correct... Shields Up is an external system and should only see an added opening for port 1723 (VPN). If it sees something else then there is need to worry.

That is not correct.

 

In general terms, when you connect via VPN, you get an IP on said third party's network.  That network is basically your remote IP address.  If they do nothing to protect your IP (or NAT if using public space) you have in essence moved your machine from behind a NAT/firewall at home, to a publicly routed and wide open Internet.  It's no different from sticking your machine straight into your internet at home instead of behind your router.  While your ISP can no longer sniff your traffic when you're VPN'd, it does not imply any sort of protection for your actual computer and as mentioned could actually be much worse.

 

Don't confuse VPN with network security.  It is only a service to make your traffic "appear" to originate from a different place (i.e. your VPN provider instead of your home ISP).

 

Again, in very general terms.

 

VPN is definitely not meant to "make your traffic appear to be from a different ip address", that is a side effect that is now used. Basically it definitely IS A security measure to connect safely to another network.

 

Of course if that other network is totally unsecured then you run a major risk. I can imagine that this could be the case with a provider that is now packaging vpn as a solution to change your ip address.. Do not use a provider like that, security implications might be even greater. It is basically like putting a large lock on your door but removing the glass from your windows..

 

Let's not further discuss semantics by the way (I won't), nuff said that this is not what you should use.

Link to comment

I think you're missing the point here I and the OP (as he/she is finding out) are attempting to make...  VPN does not imply any sort of Internet based security for your PC beyond basic data encryption (VERY basic with some) as it flows between you and the provider.  Your assumption that no ports, or no additional ports would be open to your host once VPN'd in is absolutely flawed dependent on one of the many solutions out there.  You MUST ensure that the provider you are using has security policies in place to protect your machine since by definition your PC is now on THEIR network once you VPN into their service.  You're missing the fundamental fact that when you VPN in, your device joins their network.  If they in turn offer you a non-RFC 1918 address without any inbound firewall in place, you potentially have completely exposed your device to the Internet (which isn't the case at home unless you've put it in a "DMZ" as most home routers call it or forwarded ports).  The runner up possible worse case scenario would be the ability for other VPN clients to interact together once connected, but not external.  Best case would be no client to client connectivity, RFC1918, and outbound NAT (hence no incoming allowed rules).

 

Looking at some of these public VPN services available, leaving you wide open is EXACTLY what many of them do (and one of the many reasons I would never use them).  Let's be honest, VPN services exist for two reasons a) trying to bypass a filter/proxy to either get to something you need to or need to "host" or b) attempting to stop someone close (work, home, direct upstream provider, etc) from sniffing your data.

 

VPN is definitely not meant to "make your traffic appear to be from a different ip address", that is a side effect that is now used. Basically it definitely IS A security measure to connect safely to another network.

Obviously ;) Again, simplistic terms in order to try to convey the info.  See points above.

Link to comment

So the conclusion is either that I need implicitly to trust the VPN service that I am using (for example when I securely connect to my office network from remote locations) or put a firewall between my end of the VPN tunnel and my home network.

 

Another option when connecting to those external VPN services would be to have some software based firewall on your machine.  Not ideal, but does offer some protection.

 

If you have a spare router lying around check if it can run dd-wrt (it's free), that way you can build your own vpn server and be completely in control, it is what I do.

 

I think something fishy is still referring to connecting to a VPN service outbound from his home network, not the ability to connect to his home network while remote.  However, if the VPN service you're using supports site to site VPN (LAN-to-LAN), you could possibly build one with DD-WRT.

Link to comment
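The software firewall suggested above, as an added example (not code from the thread or from Unraid): the OpenVPN tunnel interface is treated like a second Internet connection and gets a default-deny inbound policy, allowing only replies to connections the machine started plus the single torrent port. The interface name tun0 and the port 58846 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Unraid: a host firewall for the
# VPN tunnel. Once OpenVPN is up, the tunnel interface (assumed: tun0) is a
# second, possibly unfiltered, path in from the Internet, so it gets the same
# default-deny treatment as the WAN side of a home router.
# TORRENT_PORT is a constructed placeholder for the one port the torrent
# client must accept incoming connections on.
TUN_IF="${TUN_IF:-tun0}"
TORRENT_PORT="${TORRENT_PORT:-58846}"

# Emit the iptables commands for the policy instead of running them directly,
# so the rule set can be read and audited before it touches the live firewall.
tun_firewall_rules() {
    ifname="$1"
    port="$2"
    cat <<EOF
iptables -N VPN_IN 2>/dev/null || iptables -F VPN_IN
iptables -A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_IN -p tcp --dport ${port} -j ACCEPT
iptables -A VPN_IN -p udp --dport ${port} -j ACCEPT
iptables -A VPN_IN -m limit --limit 5/min -j LOG --log-prefix "VPN_IN drop: " --log-level 4
iptables -A VPN_IN -j DROP
iptables -D INPUT -i ${ifname} -j VPN_IN 2>/dev/null || true
iptables -I INPUT 1 -i ${ifname} -j VPN_IN
EOF
}

# Number of ports the policy opens to new inbound connections (expect 2:
# one TCP and one UDP rule for the same torrent port; telnet, SMB and the
# web UI stay unreachable over the tunnel, and dropped probes show up in
# syslog with the "VPN_IN drop:" prefix).
open_port_count() {
    tun_firewall_rules "$1" "$2" | grep -c -- '--dport'
}

case "${1:-}" in
    --apply) tun_firewall_rules "$TUN_IF" "$TORRENT_PORT" | sh -e ;;
    *)       tun_firewall_rules "$TUN_IF" "$TORRENT_PORT" ;;
esac
```

Run it with `--apply` once the tunnel is up (for instance from an OpenVPN `up` script) and then re-test from outside as the thread describes: only the torrent port should answer on the VPN endpoint address.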

Tagging onto this thread as my question also relates to VPNs but for a different reason - mods please move/split if necessary.

 

I'm in the process of building my server and have been reading a lot to prepare myself for the install/config/running and customising of the server.  I have a question about VPNs and unRAID.

 

I will be using a VPN provider as described above for privacy/anonymity but I will also be looking to use a VPN to secure remote access.  For example Hamachi or (if/when it becomes possible) an Open VPN server. 

 

Am I right in saying that running a service like this on the unRaid server is still too much of a security risk?  I presume I would forward the required port for the service/VPN on my router to the unRaid box hosting Hamachi.  I imagine this creates a risk as this port is then visible to the world and as such could be compromised... therefore possibly compromising the box?

 

The reason I'd like to run the service on the box is that my router is not DD-WRT compatible and I currently have no budget for a new router.

Link to comment
Am I right in saying that running a service like this on the unRaid server is still too much of a security risk?  I presume I would forward the required port for the service/VPN on my router to the unRaid box hosting Hamachi.  I imagine this creates a risk as this port is then visible to the world and as such could be compromised... therefore possibly compromising the box?
Since you are asking this question, we have succeeded in communicating the proper info. Opening up an unraid box in a DMZ would be suicide, there are too many ports and services accepting connections to make it feasible to lock down. HOWEVER... it is perfectly acceptable and proper to forward the port of a service that you can audit to the internet. Your example of running a vpn server is fine, and yes it does create a risk, but that risk is mostly known and you can deal with it. If there is a vulnerability in the vpn server, you could be hacked. However, if you can reasonably verify that no one has seen a successful hack on that particular VPN server package, you should be ok. It's up to you to keep up with any software you expose to the internet, as new exploits and hacks are found all the time. If you keep up with the vulnerabilities, and know the risks, you can be reasonably safe. The reason the community is so vocal about not exposing unraid to the internet is that too many people would simply open up the DMZ on their router and then come complaining when their server was hacked.
Link to comment

There are several usage cases for VPN.

 

[*]A VPN can connect two private networks securely via the Internet. Private networks connected in this manner may have no connection to the public Internet or there may be one or more firewalls providing access for the entire private network.

 

[*]A VPN can be used to allow a remote user to connect to a private network or secured host. This case is used by individuals traveling who require secure access to private network resources via the Internet.

 

[*]A VPN can be used to tunnel traffic over the public Internet hiding content from service providers. This case is akin to having 2 ISPs. The local ISP provides the Internet "dial tone" and the remote ISP is reached via the VPN tunnel. The VPN tunnel should be treated like a second physical connection to the public Internet. The local end of the VPN tunnel includes all of the security considerations that apply to the local ISP connection.  Since there are now 2 paths from the public Internet, the security threat is doubled; however, securing the local end of the VPN in exactly the same manner as traffic from the local ISP is a viable solution.

 

Link to comment

I use strongVPN sometimes when I need to have a US or UK IP address.. I am not sure if I will continue using it since I only use it very rarely and it is not very cheap.

 

For connecting to my own network I use my own vpn server (this is a service on my DD-WRT router), this way I can be quite sure it is safe. DD-WRT is so widely used, if there were security issues they would be easily findable.

Link to comment
