
How are you securing your UnRaid Server??? (VPN)


ronni3


Specifically, I am looking at VPN. For the most part I have my UnRaid server set up and automated, and I use SSL encryption with my Usenet connections, but I'd like additional security and need further insight into how best to deploy a VPN. The easiest setup of a VPN connection would be to use the router I have that is capable of supporting OpenVPN connections, but ideally I would prefer not to have my whole personal network connected to the VPN connection. I'm not completely sure how big of an impact being connected to the VPN 24/7 would have on my bandwidth (155/15).

 

Also thinking of installing DD-WRT on my router so I can take advantage of VLANs and potentially be able to place the UnRaid on its own separate VLAN and then VPN that VLAN and all devices connected to it. Not sure if this is possible.

 

So please enlighten me on how you've succeeded in securing your UnRaid environment.

Link to comment

I'd like to add that the end result I am looking for with my own setup is for all Dockers, i.e. Sabnzbd & Transmission, to be connected to a secure VPN network so that all of that traffic is secured, while still leaving me able to access the Dockers from within my local network. I'm not sure if the easiest way to do that is to use the aforementioned router or to use one of the available VPN Dockers and then route the other Dockers through it. My previous attempts have left me unable to access the Dockers unless I disable the VPN service by editing the Dockers.

 

I'd like less cumbersome, if possible.

Link to comment

Sabnzbd & Transmission to be connected to a secure VPN network so that all of that traffic is secured

 

I don't think you can accomplish this goal by rolling your own VPN.

 

I'm no expert on this. I have an OpenVPN setup on my network (running on a Raspberry Pi), but the only point of that for me is to have access to my home system from devices that aren't always connected to my home network.

 

Based on how I think VPNs work, if you run your own VPN the unencrypted traffic will be pulled to the VPN server (within your LAN) and then passed encrypted over your LAN to your unRAID server... I don't think this is actually making this more secure.... Maybe this works the way you want... and if so I hope someone chimes in.

 

Again, based on my understanding (correct or not), there are two goals with a VPN.

 

1) Extend your home LAN so that you can securely connect to it remotely.

2) Encrypt your incoming traffic / hide the point of origin (to get around regional blocking). (I don't know that having your own VPN on your own network really does this, because it's still within your LAN...) (Also I realize that this is more like 3-4 points... but points 2-4 suffer from the same problem... which is why I rolled it all up.)

 

If your goal is 2, and 1 is just something you'd like on top of that, then you will likely need a service like PIA or whatever.

 

But if your traffic is already SSL, isn't that pretty good? I mean, it's good enough for banking...

Link to comment

Thanks for the answer gundamguy. I believe I didn't do a very good job of explaining myself well.

 

SSL is absolutely a wonderful addition and makes me feel warm and cuddly knowing I have some protection from prying eyes, but I'd like to extend my protection even further and layer this with a VPN connection provided by any one of the many providers who are marketing the capability of securing yourself and your activity. That being said, I'd like to use one of these providers' VPN services to further secure the particular Dockers whose incoming traffic I'd like to further protect. I believe this setup of SSL encryption with the VPN layer would be akin to using IPSEC/VPN.

 

I don't really know how to approach setting this up and am considering either making the connection from my router, which would essentially connect my whole network to that VPN provider, meaning all my Internet traffic would flow through that service as well, or isolating that VPN connection within a Docker and then somehow forcing the Dockers I want to protect to use that VPN exclusively for Internet connectivity. By doing the latter I can maintain the norm on all other devices on my network, as well as have the UnRaid server still be accessible, which would allow me to still access, maintain and edit all Dockers.

 

Again, I've tried the second option once before, and while those Dockers were on the VPN connection their respective web consoles were not accessible. I'd like to still be able to access them while they are connected to the VPN. Not sure how to do that.

Link to comment

To do what you want to do, in summary, you will need to:

 

1. Purchase a VPN Service (preferably with support for OpenVPN);

 

useNET Docker>unRAID Box>Router>VPNClient (on Router)>VPN Service Provider>useNET Server

 

2. Buy a new router which has the support for (and grunt to manage) a high speed connection over VPN;

3. Use custom or factory firmware on the router to run a VPN Client; and

4. Configure the router to ensure there are no DNS leaks and that all traffic routes over the VPN or not at all (if that's what you want).

 

I would NOT recommend doing this via Dockers on your unRAID box. You also can NOT achieve this by running your own VPN service, as was previously noted.

Link to comment

What the OP wants is one of the more difficult things to do without an understanding of dockers and networking.

AFAIK, the OP wants to secure his outbound Usenet connections via a VPN, most likely to anonymize said connections.

 

Again, AFAIK, the easy way to do this is to have the Usenet connections coming from a specific and unique IP (by default Dockers won't let you do that, as they share the unRAID IP), then have the router do source routing and pass all that traffic to the VPN connection (if the router is the one running the VPN client endpoint).

 

The next easy way is to be absolutely sure of what IPs are used by your Usenet servers and make a static route for all of those to use the VPN.

Beyond that you'd need to work with some hacks to get the Usenet dockers to talk to a VPN client docker manually as the UI doesn't support that yet.

 

Did I get that right?

 

Link to comment
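Added example, not from any poster above: the "source routing" and "static route" options described in the post above, plus the no-DNS-leaks / "all traffic over the VPN or not at all" requirement from the earlier reply, written as a shell script for a Linux-based router firmware such as Tomato, DD-WRT or Merlin. The LAN address of the unRAID box, the bridge name br0, the tunnel interface tun11, the resolver 10.8.0.1 and table number 100 are all assumed values, not anything the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): policy-route a single LAN host, the
# unRAID box, through a VPN tunnel terminated on a Linux-based router.
# Tomato, DD-WRT and Merlin are Linux underneath, so iproute2/iptables apply;
# the interface names and addresses below are assumptions.
# Set DRY_RUN=1 to print the commands instead of executing them.

UNRAID_IP="${UNRAID_IP:-192.168.1.50}"   # assumed LAN address of the unRAID box
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed LAN subnet
LAN_IF="${LAN_IF:-br0}"                  # assumed LAN bridge name on the router
VPN_IF="${VPN_IF:-tun11}"                # assumed OpenVPN client interface
VPN_DNS="${VPN_DNS:-10.8.0.1}"           # assumed resolver pushed by the VPN provider
VPN_TABLE=100                            # routing table reserved for VPN-bound traffic

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Source routing: packets from UNRAID_IP consult table 100, whose only default
# route is the tunnel. Every other LAN host keeps the main table and the ISP.
vpn_source_route() {
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$VPN_TABLE"
    run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
    run ip rule add from "$UNRAID_IP" table "$VPN_TABLE" priority 1000
    run ip route flush cache
}

# The other option raised above: static routes for the Usenet servers' IPs only,
# for every LAN host. Caveat: the provider can change addresses, so the list
# has to be maintained, and a missed address goes out over the ISP.
vpn_static_routes() {
    for host in "$@"; do
        run ip route add "$host" dev "$VPN_IF"
    done
}

# Kill switch. If the tunnel drops, table 100 loses its default route and the
# lookup falls through to the main table, which would send the box's traffic
# out over the ISP in the clear. Reject anything from the box that is not
# leaving via the tunnel (LAN destinations excepted).
vpn_kill_switch() {
    run iptables -I FORWARD -s "$UNRAID_IP" ! -d "$LAN_NET" ! -o "$VPN_IF" -j REJECT
}

# DNS leak prevention: whatever resolver the box is configured with, rewrite
# its port 53 traffic to the VPN provider's resolver, which is then reached
# through the tunnel because of the policy rule above.
vpn_force_dns() {
    for proto in udp tcp; do
        run iptables -t nat -I PREROUTING -s "$UNRAID_IP" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$VPN_DNS"
    done
}

# Apply in the order that fails closed: block first, then route.
vpn_apply() {
    vpn_kill_switch
    vpn_force_dns
    vpn_source_route
}
```

Run it once with `DRY_RUN=1 . ./vpn-route.sh; vpn_apply` to see the exact commands before committing them to the router's firewall script. The kill switch is the part that matters most: without it, a dropped tunnel silently downgrades the box to the ISP path, which is exactly the leak the earlier reply warns about.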

What the OP wants is one of the more difficult things to do without an understanding of dockers and networking.

AFAIK, the OP wants to secure his outbound Usenet connections via a VPN, most likely to anonymize said connections.

 

This is correct. I didn't really know how to phrase the question, but, yes, I want to anonymize the Docker traffic from my UnRaid box by using a VPN connection. This should provide additional comfort and security for newsgroup and torrent traffic originating from those Dockers and the UnRaid box.

 

Again, AFAIK, the easy way to do this is to have the Usenet connections coming from a specific and unique IP (by default Dockers won't let you do that, as they share the unRAID IP), then have the router do source routing and pass all that traffic to the VPN connection (if the router is the one running the VPN client endpoint).

 

The next easy way is to be absolutely sure of what IPs are used by your Usenet servers and make a static route for all of those to use the VPN.

Beyond that you'd need to work with some hacks to get the Usenet dockers to talk to a VPN client docker manually as the UI doesn't support that yet.

 

Did I get that right?

 

I didn't know that Dockers don't have interfaces that are configurable. I was running on the assumption that they did, mainly because of Dockers that have the capability built in, i.e. SABnzbd+VPN and Deluge+VPN. I now see the error in how I was looking at this.

 

Knowing this... could I then instead add an additional NIC (I only have one NIC currently) and assign that new NIC to the Dockers I want to always be connected to a VPN service? Would this work without making the whole UnRaid box part of that VPN network?

 

I use Sabai Technologies firmware on my router (based on tomato) that allows selected IPs to be routed through a VPN

 

I am familiar with Tomato but currently use Merlin with my Asus router, although I know Tomato and DD-WRT are both supported on my router. I like the idea of having the router create and maintain the VPN service provider's session, and even more so that I can select specific IPs, such as the UnRaid box, so that the rest of my network is not tied to the VPN service as well. The only device I want using the VPN service is the Dockers/UnRaid box.

 

Again, as suggested above, could I use what you've suggested but with a separate NIC on the UnRaid box that is assigned specifically to the Dockers I want using the VPN service, without forcing the whole UnRaid box onto that VPN service?

Thanks for answering my questions all. Much appreciated.

Link to comment
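Added example, not from any poster above: the container-side alternative mentioned earlier in the thread (getting the Usenet Dockers to talk to a VPN client Docker), done by starting the downloaders in the VPN container's network namespace, with the LAN return route that keeps their web consoles reachable, which is the problem the original poster hit. The image names, the .ovpn path, the Docker bridge gateway 172.17.0.1, the resolver 10.8.0.1 and the UDP endpoint port are assumptions; substitute your own. This is a manual `docker run` recipe, not something the unRAID UI of the time offered.

```shell
#!/bin/sh
# Added example (not from the thread): put only the downloader containers behind
# a VPN-client container by joining its network namespace, and keep their web
# UIs reachable from the LAN. Image names, the config path, the bridge gateway,
# the resolver and the VPN endpoint port are assumptions.
# Set DRY_RUN=1 to print the commands instead of executing them.

LAN_NET="${LAN_NET:-192.168.1.0/24}"                  # assumed LAN that browses the UIs
BRIDGE_GW="${BRIDGE_GW:-172.17.0.1}"                  # Docker default bridge gateway (assumed)
VPN_IMAGE="${VPN_IMAGE:-example/openvpn-client}"      # hypothetical VPN client image
VPN_CONF="${VPN_CONF:-/mnt/user/appdata/vpn/client.ovpn}"  # assumed provider profile
VPN_DNS="${VPN_DNS:-10.8.0.1}"                        # assumed resolver inside the tunnel
VPN_PORT="${VPN_PORT:-1194}"                          # assumed OpenVPN endpoint port (UDP)

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. The VPN container owns the network namespace, so every web UI port a
#    sidecar needs (SABnzbd 8080, Transmission 9091) is published here; a
#    container started with --net container: cannot publish ports of its own.
#    --dns points at the tunnel-side resolver so lookups never use the LAN.
start_vpn() {
    run docker run -d --name vpn \
        --cap-add NET_ADMIN --device /dev/net/tun \
        --dns "$VPN_DNS" \
        -p 8080:8080 -p 9091:9091 \
        -v "$VPN_CONF:/etc/openvpn/client.ovpn:ro" \
        "$VPN_IMAGE"
}

# 2. Fail closed inside the namespace: on the bridge side allow only the LAN
#    (for the UIs) and the tunnel handshake; everything else must use tun0.
#    Because DNS over eth0 is blocked, the .ovpn "remote" should be an IP,
#    or OpenVPN cannot resolve it before the tunnel exists.
ns_kill_switch() {
    run docker exec vpn iptables -A OUTPUT -o eth0 -d "$LAN_NET" -j ACCEPT
    run docker exec vpn iptables -A OUTPUT -o eth0 -p udp --dport "$VPN_PORT" -j ACCEPT
    run docker exec vpn iptables -A OUTPUT -o eth0 -j REJECT
}

# 3. This is what makes the web consoles reachable again. Once the tunnel is
#    up, redirect-gateway puts the default route on tun0, so replies to a LAN
#    browser would be sent into the tunnel and the UI looks dead. A /24 route
#    via the bridge gateway is more specific than the tunnel's 0.0.0.0/1 and
#    128.0.0.0/1 routes, so LAN replies go back out eth0 to the port mapping.
lan_return_route() {
    run docker exec vpn ip route add "$LAN_NET" via "$BRIDGE_GW" dev eth0
}

# 4. Sidecars: no ports and no network of their own; they share vpn's
#    namespace and therefore its routes, its kill switch and its published
#    ports. If the vpn container stops, they have no network at all.
start_sidecar() {   # usage: start_sidecar <name> <image>
    run docker run -d --name "$1" --net "container:vpn" "$2"
}
```

Typical order is `start_vpn`, `ns_kill_switch`, `lan_return_route`, then `start_sidecar sabnzbd <image>` and `start_sidecar transmission <image>`; the UIs are then on the unRAID box's LAN address at ports 8080 and 9091 while the downloaders' outbound traffic can only leave through tun0. The route in step 3 is the piece most setups miss, and its absence is what produces the "on the VPN but the console is unreachable" symptom described in this thread.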

Archived

This topic is now archived and is closed to further replies.
