Home network security help

bwall244

I have continued to build my home network and have come across several functions I would like to have that would require me to access my network from outside the home. This includes, but I'm sure will not be limited to, accessing functions of plugins on my home server, IP camera viewing, streaming audio/video from my home server to mobile devices, and accessing general data.

With that being said it seems I am left with 2 options regarding securely completing these tasks. Either purchasing a dedicated firewall/VPN device, OR flashing dd-wrt on an existing router and setting up a VPN myself. I need some advice on the pros/cons of both, and once I do, the best way to access those functions from a mobile device? Thank you!
 
I am using unraid as a media server that runs a few plugins, I believe that unraid offers a beta plugin for openVPN however I think I would also like to access data stored on other machines, and in the future possible home automation features that would be located on another device. This is why I was thinking having it terminate somewhere at the router/gateway level.
 
I'd argue that VPN into home is an overkill, versus SSL or WebDav to access files on a NAS. IP Camera streaming.. is the camera looking into the shower?
 
Personally, I'd go for a dedicated smb class router that has these features natively. It's not bulletproof, but at worst, it will be a hair above a flashed router and at best it will be perfect, rock-solid and flawless.
 
some kind of vpn would definitely be best for accessing all the services you might have, remotely.

if the proprietary web servers for remotely accessing the different services are using SSL (ideally with TLS), you'll be safe from most people. of course, it'll mean punching holes in your firewall for each of these services you intend to access remotely. people are a lot more likely to find holes in web implementations, though. and by people, i mean they find a vuln, add it as something to look for in their scanners, such as nikto and then scan the isp customer blocks. they are generally the greatest threat to your security, besides viruses etc.

if you just want a vpn to work, you can still get away with pptp, probably the most widely supported and easy to use. if you can use any vpn implementation besides pptp, i would.

you can use input/output redirection to get other things to work, like ssh, but these tricks aren't useful for a permanent setup.

where the vpn server is located, be it the router or the NAS, is irrelevant. it's a little more important if you want the device acting as a vpn client router, but only in the ease of setup.
 
I can run openvpn directly on the NAS however there are other network resources I may need to access, albeit less frequently. I spent the day today flashing my router to dd-wrt and creating certs and keys to run openvpn directly on the router however it seems like the router doesn't want to start the service. Anyone with experience with this? If I can't get this running it's going to be time to talk about a plan B. I really just want to protect my network (large NAS, cameras, home automation) while maintaining mobile access.

Sent from my SPH-L710 using Tapatalk
 
I don't have any experience with dd-wrt's VPN service, but if it looks like it's running, check all your settings. VPNs sometimes don't work over the tiniest variance in settings, sometimes even stuff that's supposed to work.
 
I've posted on the dd-wrt forum about my concerns. From the status page it looks like the service isn't running but I think it may be wrong, however I'm not sure how to check from the ssh session. Without spending much more $ what thoughts do you have on a plan B?

Sent from my SPH-L710 using Tapatalk
 
you probably need to play more with the keys. use a better text editor like notepad++ or whatever. formatting will make all the difference
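
An added example, not part of the thread or of any poster's code: a small checker for the kind of key and certificate formatting problems the reply above points at, run on the text before it is pasted into a router's OpenVPN fields. The function names and the sample are constructed here, and the assumption is that the fields expect clean PEM blocks with nothing around them.

```python
import base64
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def check_pem(text):
    """Return a list of formatting problems found in pasted PEM text."""
    problems = []
    if "\r" in text:  # typical after editing on Windows
        problems.append("CRLF or CR line endings")
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    label, body, blocks = None, [], 0
    for number, line in enumerate(lines, start=1):
        if line != line.strip():
            problems.append(f"line {number}: leading or trailing whitespace")
            line = line.strip()
        begin, end = BEGIN_RE.match(line), END_RE.match(line)
        if begin:
            if label is not None:
                problems.append(f"line {number}: BEGIN inside an open block")
            label, body = begin.group(1), []
        elif end:
            if label != end.group(1):
                problems.append(f"line {number}: END does not match BEGIN")
            else:
                blocks += 1
                try:
                    base64.b64decode("".join(body), validate=True)
                except ValueError:
                    problems.append(f"block ending at line {number}: body is not valid base64")
            label = None
        elif label is not None:
            body.append(line)
        elif line:  # e.g. a human-readable dump saved above the block
            problems.append(f"line {number}: text outside a BEGIN/END block")
    if label is not None:
        problems.append("block never closed with an END line")
    if blocks == 0:
        problems.append("no complete PEM block found")
    return problems


def make_sample():
    """Constructed PEM-shaped sample; the body is filler, not a real certificate."""
    body = base64.encodebytes(b"constructed sample bytes, not a real certificate " * 3)
    return "-----BEGIN CERTIFICATE-----\n" + body.decode() + "-----END CERTIFICATE-----\n"
```

An empty list means the pasted text is structurally clean; it does not prove the certificate and key belong together or are accepted by the server.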
 
If you have the ability to use something simpler like pptp, try it for testing purposes. Then slowly change one thing at a time and work your way up to ssh.

As far as plan b, I've used the Cisco rv series for pptp access without any issues. But pptp has inherent security flaws, so I'd avoid it if security is your main concern. Then I'd try the Netgear FVS series (318N is what I have). I've just started playing with this one for production use, but it has l2tp from what I recall that is as simple as pptp, but robust enough to be secure.

If you went either one of these routes, it would be dead simple--it's your main router, assign dhcp reservations for everything on your network you need a fixed address for, connect in via your wan ip address or dyndns address, and you're inside your network. :)
 
