[Discuss] Request for possible topic for next LINUX Group Meeting

Mark G. vlug at palaceofretention.ca
Sat Sep 26 19:11:33 PDT 2020


Hi Murray,

(I'm on the vlug list now. Huzzah.)

Your unanswered question has the following short answer: no.

Long answer: There is some tiny little point, but many trade-offs.

Making all your internal systems connect to an internal
VPN server would have the following considerations:

1. What happens when a client is not connected?  Does network
traffic escape around the VPN?  You might have to block all
network traffic, except VPN protocols, by default.

2. Do you want your internal systems to talk to each other?
If yes, you must set up fairly complex routing within your
VPN configuration.

3. For externally destined network traffic, once a web request
from an internal system passes along the VPN via OpenWRT,
it exits the VPN in order to go external.  This traffic is
not "protected" by any VPN at this point.

4. You are adding complexity to an already reasonably complex
network.

5. In terms of security against hackers - there are these attacks
that an internal VPN will stop:

  - listening on Ethernet devices by trying to use Wireshark or
tcpdump will be made mostly impossible.

  - connecting to an internal system that has been properly
configured for VPN only use will be very difficult.

  Caveats: each internal computer client will have to have a
  firewall running and all services offered by said host (e.g.
  file sharing) will have to be configured to use the VPN.

It's not worth it.




On 2020-09-26 16:01, Murray Strome wrote:
> Hi Craig and Jean,
> 
> Thanks for the links.
> 
> I have difficulty in seeing how $85/year and from what I read about it, 
> to be effective, you would need at least two VPN accounts for vpnrotator 
> to offer any extra protection.
> 
> Unanswered: Is there any point in installing Wireguard server on the 
> OpenWRT router and client on the computers on my LAN?
> 
> Murray
> 
> 
> On 2020-09-26 1:40 p.m., Craig Miller wrote:
>> Hi Murray,
>>
>> There are a couple of VPN providers which support Wireguard. Because 
>> of my IPv6 bias, I would suggest you look at:
>>
>> https://ungleich.ch/ipv6/vpn/
>>
>> They will give you a routable /48 (65,000 subnets).
>>
>> Craig...
>>
>> On 9/26/20 9:26 AM, Jean Taggart wrote:
>>> Hello all.
>>>
>>> I use this for my work and it might be of interest. Not the cheapest 
>>> solution because of the cost of vpn accounts, but great for isolation 
>>> and geolocation evasion.
>>>
>>> https://github.com/malwareinfosec/vpnrotator
>>>
>>>
>>>
>>> Sent from my iPhone
>>>
>>>> On Sep 26, 2020, at 7:46 AM, Murray Strome <wmstrome at shaw.ca> wrote:
>>>>
>>>> Most of you are probably very familiar with VPNs and Wireguard. 
>>>> Craig has touched upon some of these in some of his OpenWRT and 
>>>> other presentations. However, if anyone feels he/she is able to do 
>>>> so, I would be very interested in more details on the topic. I am 
>>>> not sure if it would be of interest to others or not.
>>>>
>>>> From what I have read, usually a VPN is set up on an external 
>>>> server. The advice I have seen is to avoid the free ones. I don't 
>>>> think I would want nor need to do that.
>>>>
>>>> Wireguard looks interesting.  What, if any protection from hackers 
>>>> etc. if I were to set up a Wireguard server on my openWRT router? Is 
>>>> it something I should consider doing, and what would I have to do 
>>>> with all of my devices? I doubt that things like my smartplugs are 
>>>> even compatible, but I don't know for certain.
>>>>
>>>> More discussion about things like setting up different internal 
>>>> sub-networks, and things like DMZ would be valuable inclusions for me.
>>>>
>>>> Thanks for considering this.
>>>>
>>>> Murray 
> 
> 
> _______________________________________________
> Discuss mailing list
> Discuss at vlug.org
> http://vlug.org/mailman/listinfo/discuss_vlug.org
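
Added example, not part of the thread or written by any of its participants: a small model of points 1 and 3 in Mark's reply, showing which destinations a LAN client's WireGuard `AllowedIPs` setting sends into the tunnel and what happens to the rest with and without a default-deny host firewall. The config, addresses and the `default_deny` flag are constructed assumptions.

```python
import ipaddress

# Constructed sample config for one LAN client; keys are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.8.0.2/24
PrivateKey = <placeholder>

[Peer]
# hypothetical: the OpenWRT router as WireGuard server
PublicKey = <placeholder>
Endpoint = 192.168.1.1:51820
AllowedIPs = 10.8.0.0/24
"""

def allowed_networks(conf_text):
    """Collect every AllowedIPs prefix listed in the [Peer] sections."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "peer" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "allowedips":
                nets += [ipaddress.ip_network(v.strip(), strict=False)
                         for v in value.split(",") if v.strip()]
    return nets

def classify(dest, nets, tunnel_up=True, default_deny=False):
    """Say how a packet to `dest` leaves this host.

    'tunnel'  - encrypted as far as the router (in the clear beyond it)
    'bypass'  - leaves the host outside the tunnel
    'blocked' - dropped by a default-deny host firewall (assumed model)
    """
    addr = ipaddress.ip_address(dest)
    covered = any(addr.version == n.version and addr in n for n in nets)
    if covered and tunnel_up:
        return "tunnel"
    return "blocked" if default_deny else "bypass"

if __name__ == "__main__":
    nets = allowed_networks(SAMPLE_CONF)
    for dest in ("10.8.0.7", "203.0.113.10"):
        for up in (True, False):
            print(dest, "up" if up else "down", classify(dest, nets, up),
                  classify(dest, nets, up, default_deny=True))
```

Changing `AllowedIPs` to `0.0.0.0/0, ::/0` moves external destinations into the "tunnel" result, which still only covers the hop to the router.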


