Newbie....how to make everything secure???


SPOautos


Hello! I have recently built my first server and started setting up Unraid on it a couple of weeks ago. I really don't know much about servers or networks, I'm not a big computer guy and I know almost ZERO about all this.....BUT, I would like my network, including the server, to be as private and hidden as possible.

That said, some of the things we do that I feel might make our server vulnerable: logging in remotely, but I use Wireguard so supposedly that is secure; I have various apps like Sonarr/Radarr/Lidarr set up using Usenet (no torrents); I am setting up a W10 VM for gaming and will be running internet-based multiplayer games.

I'd really like to be able to access my entire network remotely, have privacy where the ISP can't tell what we do, and have the server and entire network very secure so it does a good job of keeping out intruders. If possible I would like to have the ability to map a drive from a computer at our business (off site) to a section of the Unraid server so that I can create backups at the office which back up to the server automatically as an off-site backup.

Would something like the Mullvad VPN and some kind of firewall be the right direction? What firewall would be good? Do I need things to work at the router or cable modem level in order to access my entire network instead of just Unraid? Once I access the network, I assume I can just log into Unraid just like if I was local to it.

Also, I have a TON of devices at the house that are always using the internet with users who have zero technical ability, so it needs to be something that, once set up, no one will know it exists.....stable, works, just fades into the background and doesn't cause any problems......if possible.

I appreciate any info you can provide!

I'm watching videos on pfSense and gotta be honest, this stuff is wayyy over my head. I feel like I need a degree in computer networking. I mean, SI has a 7-part video series on pfSense.

It feels like one of those things that even IF I was, by some chance, able to get that up and running, if one thing went wrong a year from now, I'd be completely lost as to how to fix it.

Are there things that are decent but 'easy' for someone trying to feel their way through it? I don't have top secret NASA documents on my server.....but I would like it to be fairly secure.

I'm lost lol

On 9/8/2020 at 11:10 PM, SPOautos said:

have privacy where the ISP can't tell what we do

This is a different thing from VPN into your network. You need a VPN service, typically you would pay for that. Your internet traffic is routed encrypted and anonymously through the VPN service.

On 9/8/2020 at 11:10 PM, SPOautos said:

I have various apps like Sonarr/Radarr/Lidarr set up using Usenet (no torrents).

Each one of those would be contained within its docker and to their mapped folders, even if there were some chance of penetration through them (which would probably have been discovered by now). What those dockers connect to in order to use them for usenet or anything else you can't stop, else the dockers won't work to begin with.

On 9/8/2020 at 11:10 PM, SPOautos said:

I am setting up a W10 VM for gaming and will be running internet-based multiplayer games

What you do would be contained within the VM.

On 9/8/2020 at 11:10 PM, SPOautos said:

I'd really like to be able to access my entire network remotely, have privacy where the ISP can't tell what we do, and have the server and entire network very secure so it does a good job of keeping out intruders.

You would need a VPN on your entire network to connect to it. You would need a custom DNS server to have privacy from the ISP (but no privacy from the DNS service), and a network firewall for intruders.

On 9/8/2020 at 11:10 PM, SPOautos said:

If possible I would like to have the ability to map a drive from a computer at our business (off site) to a section of the Unraid server so that I can create backups at the office which back up to the server automatically as an off-site backup.

You could do this with an SMB share but without the proper security set up it would expose your entire Unraid server at the business. Other methods would be owncloud/nextcloud/dropbox/whatever running on Unraid.

On 9/8/2020 at 11:10 PM, SPOautos said:

Also, I have a TON of devices at the house that are always using the internet with users who have zero technical ability, so it needs to be something that, once set up, no one will know it exists.....stable, works, just fades into the background and doesn't cause any problems......if possible.

That would all be on your router end, and/or however your router handles the connections and information.

7 hours ago, trurl said:

This is a different thing from VPN into your network. You need a VPN service, typically you would pay for that. Your internet traffic is routed encrypted and anonymously through the VPN service.

 

So I can set up a VPN service for my entire network and everything within my network would go in and out through the VPN service? Does it slow down the connection for things like gaming and such? Would something like Mullvad be what you're referring to?

 

Then I can work the Wireguard remote login to go through the VPN service (Mullvad service)?

 

What is the difference between all this and a firewall? If I have a VPN and Wireguard setup do I still need some kind of firewall?

3 hours ago, Energen said:

Each one of those would be contained within its docker and to their mapped folders, even if there were some chance of penetration through them (which would probably have been discovered by now). What those dockers connect to in order to use them for usenet or anything else you can't stop, else the dockers won't work to begin with.

What you do would be contained within the VM.

You would need a VPN on your entire network to connect to it. You would need a custom DNS server to have privacy from the ISP (but no privacy from the DNS service), and a network firewall for intruders.

You could do this with an SMB share but without the proper security set up it would expose your entire Unraid server at the business. Other methods would be owncloud/nextcloud/dropbox/whatever running on Unraid.

That would all be on your router end, and/or however your router handles the connections and information.

I don't know how to break your post up the way you did and respond to each section by itself, so I just tried to separate it.

So the ports that all the apps use are very secure without doing anything, just based on the design of Unraid itself?

Regarding the VM....so if I leave it open and it was to get compromised, nothing could get beyond the W10 VM itself? What if I have SMBs within the VM? For instance I have the "My Documents" folder routed to a share in Unraid.......does that increase its risk to Unraid and make it really vulnerable?

Does setting up a VPN on the entire network and a custom DNS server require a lot of complex knowledge or is it fairly simple? Especially when there are a lot of devices that need to use the internet?

Would using Nextcloud be more secure than an SMB to the business, or maybe setting up VPN access to the business?


@trurl @Energen

 

I've discovered that my router has VPN capabilities. It has options of "Internet Connection Type" that are....

Static IP, Dynamic IP, PPPOE, L2TP, PPTP. Also it "seems" like I can set up a VPN connection for remoting into the network without even having a VPN service. The router software allows me to generate a certificate and says I can download the free client from the OpenVPN website (to the remote computer), type in the certificate info, and apparently it will connect and allow that client access.....does that sound right??? Or is that something I would do in conjunction with a service? Would it be correct that I can VPN into the network without a paid service and only need the paid service for outgoing from the network to the internet?

Currently my router's internet connection has been on Dynamic IP....so would I just set up a VPN service like Mullvad and use something like the PPPOE or L2TP connection service in my router? Then that would take all of our internet access from all devices behind the router through a VPN service?

If so, is setting up VPN internet access going to affect containers/apps in my Unraid server such as Sonarr and SAB? Or will they just go right through like any other device since they are on the network side of my router and the VPN isn't tied to the server but rather to the router?

If I set up VPN access from the router to the internet, would I still have need of a firewall?

Sorry if these are dummy-level questions, but it's all new to me....first time I've ever thought of things like VPNs or heard of things like PPPOE

 

I appreciate you guys!


So I think your head is all over the place.. and that's normal because you don't know much about these topics... so first try to simplify what you actually want to do.. what you need to do... and what, in reality, you should do...  3 levels there.  With that you need to separate home and work capabilities to narrow down your options.

 

To answer a couple of your questions first.. 

On 9/10/2020 at 1:04 PM, SPOautos said:

So I can set up a VPN service for my entire network and everything within my network would go in and out through the VPN service? Does it slow down the connection for things like gaming and such? Would something like Mullvad be what you're referring to?

 

Then I can work the Wireguard remote login to go through the VPN service (Mullvad service)?

 

What is the difference between all this and a firewall? If I have a VPN and Wireguard setup do I still need some kind of firewall?

So yes, you could set up a VPN for your entire network and all traffic could go through the VPN.  Does it slow down the connection?  Possibly.. depends on the quality of the service, the location of the servers, etc.. I wouldn't use a VPN for online gaming, you'd probably introduce too much latency.. unless you weren't playing games where ping speed mattered.  Any online multiplayer/FPS games should be as fast as possible -- no vpn.

 

Wireguard on Unraid is its own VPN.. if you had Wireguard running, and then also had another VPN like Mullvad running on your network... well, to be honest I'm not actually sure on that one.. You would either be able to connect to Wireguard directly still, or you would have to connect to the network VPN first (think of that as a top layer), and then connect to the Wireguard vpn running "below" the network VPN.  Not sure if that's even possible.  So this is where you have to go back to what I said about planning what you actually want/need/can do.

 

The difference between a VPN and a firewall is a VPN is a "virtual private network", and a firewall is a firewall.  A VPN only handles connections to/from the network.  A firewall blocks attackers, etc.  Two different things.  You "need" a firewall of some type, although usually your router can handle it.

 

On 9/10/2020 at 1:48 PM, SPOautos said:

So the ports that all the apps use are very secure without doing anything, just based on the design of Unraid itself?

 

Regarding the VM....so if I leave it open and it was to get compromised, nothing could get beyond the W10 VM itself? What if I have SMBs within the VM? For instance I have the "My Documents" folder routed to a share in Unraid.......does that increase its risk to Unraid and make it really vulnerable?

 

Does setting up a VPN on the entire network and a custom DNS server require a lot of complex knowledge or is it fairly simple? Especially when there are a lot of devices that need to use the internet?

 

Would using Nextcloud be more secure than an SMB to the business, or maybe setting up VPN access to the business?

The open ports for docker containers are as secure as the docker is.  I wouldn't worry too much about that.

 

If you have a VM and SMB shares in the VM, then theoretically yes your entire Unraid server would be at risk of being exposed if something were to happen in the VM.  The SMB share can be penetrated to your entire array.  If the VM has no shares and more importantly has the network connection in the template configured for a virtual network connection rather than bridged or whatever, nothing could leave the VM.  If you are even able to map an SMB share in the VM to Unraid then it could be vulnerable, theoretically.

 

VPN and/or DNS could be as easy as setting it on your router.  For a custom DNS you can simply change your router's DHCP settings so that every device gets a DNS server of 1.1.1.1 (cloudflare, I believe), 4.4.4.4 (quad4 or something like that), 8.8.8.8 (google).  That one change takes all routing away from your ISP's dns servers.

 

Nextcloud or something like that would be infinitely more secure / better for accessing from a business.

 

13 hours ago, SPOautos said:

I've discovered that my router has VPN capabilities. It has options of "Internet Connection Type" that are....

Static IP,  Dynamic IP,  PPPOE,  L2TP,  PPTP. 

That's how you connect to your ISP, don't change those.  Unless you need to for a VPN, I guess.. never actually put my entire system on a VPN.

 

13 hours ago, SPOautos said:

Also it "seems" like I can set up a VPN connection for remoting into the network without even having a VPN service. Would it be correct that I can VPN into the network without a paid service and only need the paid service for outgoing from the network to the internet?

That's entirely possible.  I don't know what router you have but it could have VPN capabilities built in.  That would essentially give you what Wireguard on Unraid does.  You'd connect to your VPN network ---- but that has nothing to do with your outgoing connections.  Your outgoing connection would still be on your ISP.  So yes, paid service for outgoing.

 

13 hours ago, SPOautos said:

Then that would take all of our internet access from all devices behind the router through a VPN service?

 

If so, is setting up VPN internet access going to affect containers/apps in my Unraid server such as Sonarr and SAB? Or will they just go right through like any other device since they are on the network side of my router and the VPN isn't tied to the server but rather to the router?

If I set up VPN access from the router to the internet, would I still have need of a firewall?

1) Yes

 

2) Yes all containers would still be behind your network level VPN since Unraid still connects through your router.   Which may or may not be desirable.  You'd also have to make sure the VPN doesn't block certain services or ports or whatever else that you might be using.   

 

3) Yes, still need a firewall -- but router should be able to handle most things since anything not explicitly allowed is blocked.

 

 

So after all of this, we can circle around to planning what you actually need/want to do.  Do you *need* ALL of your home traffic routed through a VPN?  And what implications could that have on what sites you're going to?  Would you want a local country VPN server or from another country? If you log into your bank account and it shows that you are connecting from Bulgaria, what will happen?  Will you get blocked for suspicious login attempt?   What happens if you log in from within your own country but from a different location? Do you want your banking information passed through the VPN which you are believing is secure but don't actually know if it is?    What do you do if you go to a site that explicitly blocks your VPN connection, do you then have to disable your entire network so that you can log in without the VPN?   Why do you want all your traffic through a VPN is the question, it's not necessary.

 

I actually forget what else I was going to say.. I'm at work so I've been writing this for the last 2 hours because I can't get anything done uninterrupted :D 

 

1 hour ago, Energen said:

So I think your head is all over the place.. and that's normal because you don't know much about these topics... so first try to simplify what you actually want to do.. what you need to do... and what, in reality, you should do...  3 levels there.  With that you need to separate home and work capabilities to narrow down your options.

 

To answer a couple of your questions first.. 

So yes, you could set up a VPN for your entire network and all traffic could go through the VPN.  Does it slow down the connection?  Possibly.. depends on the quality of the service, the location of the servers, etc.. I wouldn't use a VPN for online gaming, you'd probably introduce too much latency.. unless you weren't playing games where ping speed mattered.  Any online multiplayer/FPS games should be as fast as possible -- no vpn.

 

Wireguard on Unraid is its own VPN.. if you had Wireguard running, and then also had another VPN like Mullvad running on your network... well, to be honest I'm not actually sure on that one.. You would either be able to connect to Wireguard directly still, or you would have to connect to the network VPN first (think of that as a top layer), and then connect to the Wireguard vpn running "below" the network VPN.  Not sure if that's even possible.  So this is where you have to go back to what I said about planning what you actually want/need/can do.

 

The difference between a VPN and a firewall is a VPN is a "virtual private network", and a firewall is a firewall.  A VPN only handles connections to/from the network.  A firewall blocks attackers, etc.  Two different things.  You "need" a firewall of some type, although usually your router can handle it.

 

The open ports for docker containers are as secure as the docker is.  I wouldn't worry too much about that.

 

If you have a VM and SMB shares in the VM, then theoretically yes your entire Unraid server would be at risk of being exposed if something were to happen in the VM.  The SMB share can be penetrated to your entire array.  If the VM has no shares and more importantly has the network connection in the template configured for a virtual network connection rather than bridged or whatever, nothing could leave the VM.  If you are even able to map an SMB share in the VM to Unraid then it could be vulnerable, theoretically.

 

VPN and/or DNS could be as easy as setting it on your router.  For a custom DNS you can simply change your router's DHCP settings so that every device gets a DNS server of 1.1.1.1 (cloudflare, I believe), 4.4.4.4 (quad4 or something like that), 8.8.8.8 (google).  That one change takes all routing away from your ISP's dns servers.

 

Nextcloud or something like that would be infinitely more secure / better for accessing from a business.

 

That's how you connect to your ISP, don't change those.  Unless you need to for a VPN, I guess.. never actually put my entire system on a VPN.

 

That's entirely possible.  I don't know what router you have but it could have VPN capabilities built in.  That would essentially give you what Wireguard on Unraid does.  You'd connect to your VPN network ---- but that has nothing to do with your outgoing connections.  Your outgoing connection would still be on your ISP.  So yes, paid service for outgoing.

 

1) Yes

 

2) Yes all containers would still be behind your network level VPN since Unraid still connects through your router.   Which may or may not be desirable.  You'd also have to make sure the VPN doesn't block certain services or ports or whatever else that you might be using.   

 

3) Yes, still need a firewall -- but router should be able to handle most things since anything not explicitly allowed is blocked.

 

 

So after all of this, we can circle around to planning what you actually need/want to do.  Do you *need* ALL of your home traffic routed through a VPN?  And what implications could that have on what sites you're going to?  Would you want a local country VPN server or from another country? If you log into your bank account and it shows that you are connecting from Bulgaria, what will happen?  Will you get blocked for suspicious login attempt?   What happens if you log in from within your own country but from a different location? Do you want your banking information passed through the VPN which you are believing is secure but don't actually know if it is?    What do you do if you go to a site that explicitly blocks your VPN connection, do you then have to disable your entire network so that you can log in without the VPN?   Why do you want all your traffic through a VPN is the question, it's not necessary.

 

I actually forget what else I was going to say.. I'm at work so I've been writing this for the last 2 hours because I can't get anything done uninterrupted :D

 

 

First let me say that I really appreciate you taking the time to walk me through some of this. Guys like you here on the forum and SpaceInvader with all his videos make using Unraid possible for a less-than-novice like me. I was able to build a server from scratch (never built a computer before), install Unraid, configure it, and get it all working and doing everything I need.....and I literally know hardly anything about computers. It's amazing to me that I could get this far with this project and it's all thanks to people like you in the Unraid community who help others. I greatly appreciate it.

1. I suppose first and foremost I've had on my mind privacy and security. Through all of this I have come to learn that my ISP can know pretty much everything we do online and that just doesn't sit well with me. I want all of our internet traffic to be hidden....not because we do anything that needs to be hidden, but I just don't like it. It feels like a stranger in my house going through my stuff. Just don't like it.

2. Second, I want to make sure that no intruders or whatever can get into my system, see open ports, etc. I have NO idea if my network is secure or not; in my mind it feels like it's exposed and someone with the right know-how and tools could get in....but maybe not. Like you said, the router probably helps, but I have no idea how good the router is for that, I will need to research it. It's just a cheap consumer-grade router, nothing fancy (TP-Link Archer C7 AC1750). Realistically it's not like I'm NASA with some top secret info people are trying to find. I'm sure as long as I'm moderately protected someone wouldn't waste their time.

3. Then there is remote access, which I already have set up using Wireguard. I can scratch off access to the entire network if that complicates things....I can just leave it how I have it right now, especially since I have it working well and don't want to mess things up.

4. Lastly I want to create some kind of secure connection between my server here and a business location so that documents/files can reside on the server and be used at both locations, as well as the remote location's backups being able to save to the server. I suppose I could use Nextcloud for this. I plan on setting up Nextcloud anyway to sync from phones and iPads, so I suppose this would work for the business computer as well. I might even just use Splashpad and keep my W10 VM pulled up on that computer and they just do everything directly in the VM...I've already got folders in the VM mapped to the array so everything they would save would be saved.....maybe that is a good alternative to consider. Only issue would be if someone minimized or closed Splashpad; then they'd just start working on the computer directly and none of that would get saved. Decisions, decisions.

So let me start here for a minute........ if I change the DNS server to Cloudflare 1.1.1.1, does that mean the ISP won't have any record of traffic, download locations, etc....it will give privacy so that all the ISP knows is the amount of data I'm using? Especially since it appears that Cloudflare does NOT keep logs of an individual's traffic. Is this something I would change on my router, or somehow in my cable modem?

1 hour ago, SPOautos said:

1. I suppose first and foremost I've had on my mind privacy and security. Through all of this I have come to learn that my ISP can know pretty much everything we do online and that just doesn't sit well with me. I want all of our internet traffic to be hidden....not because we do anything that needs to be hidden, but I just don't like it. It feels like a stranger in my house going through my stuff. Just don't like it.

I understand your concern, ISPs, like cell phone companies, cable companies, etc, sell data related to what you're doing on the internet.  But just remember, someone, somewhere, will always know what you are doing.  All the traffic you route through a VPN --- the VPN knows what you are doing, just like the ISP.  Whether or not they collect that data and do anything with it ............................ they still know.  You're just changing the "who" of who knows..  so yes, the DNS server would help keep [some] stuff away from the ISP, but the DNS server only does lookups, like where to connect to, so you type in "google.com" and the DNS resolves it to 172.217.12.78 or whatever, so the ISP doesn't know that you tried to connect to google.com --- but once you're on google and search for something that search is now in the hands of the ISP (unless it's encrypted https).  So DNS = lookups, but VPN = traffic. And we won't even get into the latest stuff of DNS over HTTPS, so even DNS queries are encrypted from prying eyes. But that's a good option too.

 

So that should answer your last question also.  Most people change their DNS servers for the perceived speed of the DNS queries.. your ISP query might take 30ms but cloudflare's query might be 20ms, I mean it really doesn't make much of a real world difference for a lot of people, but some DNS servers like cloudflare build in protection on their DNS to block malware sites and stuff (at their discretion).

 

 

1 hour ago, SPOautos said:

2. Second, I want to make sure that no intruders or whatever can get into my system, see open ports, etc. I have NO idea if my network is secure or not; in my mind it feels like it's exposed and someone with the right know-how and tools could get in....but maybe not. Like you said, the router probably helps, but I have no idea how good the router is for that, I will need to research it. It's just a cheap consumer-grade router, nothing fancy (TP-Link Archer C7 AC1750). Realistically it's not like I'm NASA with some top secret info people are trying to find. I'm sure as long as I'm moderately protected someone wouldn't waste their time.

Access is only obtained through a vulnerability of something on an open port, on an incoming attack*. So you can use a port scanner (app, website) to scan your public IP address and see what kind of ports someone can see. Whether or not they can be penetrated depends on what's running on that port and its security. If they scan port 80 and see that you have nginx running, it would depend on whether or not nginx has any unpatched vulnerabilities to attack.

 

 https://www.whatismyip.com/port-scanner/ 

 https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap

 

* Not a lot of attacks are from incoming connections. I'm just kind of guessing here, but most attackers aren't scanning the entire internet looking for someone to attack. They target specific people, companies, etc. Most attacks on a personal level are outgoing connections from malware that you've downloaded/opened/executed. Outgoing connections are not blocked by default on any platform. That's where a 2-way firewall comes into play: a firewall that can block outgoing connections. It can hamper your everyday internet life by blocking outgoing connections because everything would have to be (in the most hardened configuration) explicitly allowed to connect, which can be a major pain in the butt, especially on Windows where there are 100 things in the system background with outgoing connections.

 

 

