Access services from Internet behind router

@steve

Hi Steve

As a guy who’s been spending the last 30+ years creating and managing secure networks for clients, I have a major problem with the following statement:

If you’re “handing out” VPN access to users you don’t trust (we are talking about your home network, aren’t we?) that is a security issue, not the fact you’re using VPN or port forwarding…

Why are you allowing “untrusted” users on your Home Network?

As I read it, you’re not even using eg LetsEncrypt (Won’t work with only VPN access!), so your Nextcloud data or whatever is more or less “in the clear” or using an unsecure CA for SSL access, if you’re even using SSL access…

Maybe even using SSL on IPs, not FQDN names… (Shudder!)

My 2 cents
Andy

Dear Andy,

I apologize but my English is not perfect.

I am glad that we both have similar professional experience, including professional time. But I think we have different views on security. I have found that people are curious. If they find a page where you can log in, they will try … I would also like to limit this possibility.

We are not talking about a home network but about the network of our small business. Employees must have access to server services. They currently achieve this remotely, working in a home office. Only the most necessary ports on the router are open and redirected. Therefore, employees can only connect to the server through a VPN. Employees should be trusted but their access should be restricted. Because everyone is curious, employee’s access should be denied which is not necessary for work. If I don’t, the employee can even exclude themselves from the system and can’t work until I fix the problem.

I’m sorry, but looking for a solution although it may have been an exaggeration on my part for my safety I expected …

Regards

@steve

Hi

If my Hungarian was as good as your English is, I’d be very happy! :slight_smile:

It’s true that you can’t trust all employees, the larger the company, the worse it gets…
The “human” factor…

A simple custom error page, displaying the fqdn and IP of the computer the user is attempting access (and maybe even the VPN-Login name), and maybe a scary message stating something about “misuse” of company infrastructure / servers / etc along with the note that a mail may be sent to HR (Human Resources / Employee dept) about this “transgression” often works wonders!

NethServer does allow you to assign an individual IP for the VPN (if running in routed mode), that way you have IP-wise track of any users attempting to be a “wise guy”… Not only the internal IP, but also the externally used IP…

As a point in example, for example my home server. Accessing it via
https://intranet.r7.anwi.ch/
will display the right page, using an IP or “other” name, eg gw.r7.anwi.ch will display a different page - a catch all, as such accesses are mostly botnets or wannabe hackers…
You’re welcome to copy the contents and adapt as needed…

My 2 cents
Andy

Hi Andy,

thank you though I know my abilities :)) I am currently using Zentyal but I have been testing Nethserver for a long time. Unfortunately, none of them are perfect for my purposes, but maybe Nethserver is closer to me. Unfortunately, Zentyal has switched to MySQL 8 and is not supported by some of the programs what we use.

You’re absolutely right. Employees work from home so I can’t control who has access to their laptop. Windows password protection doesn’t provide enough security … I also like Nethserver because I can assign two-step authentication to the VPN connection.

I think that what the user does not see then he will not try. We use a similar solution for a mail server if mail arrives at an address that does not exist. In this case, we do not send a notification to the sender, we just throw the letter in the trash. I think this solution is safer.

Thank you for your suggestion but I don’t want to make the server directly available on the Internet. However, I would be interested in how you solved the Let’s Encrypt certificate for the https://intranet.r7.anwi.ch/ subdomain. My domain is registered but I can’t install a Let’s Encrypt certificate on a local subdomain. Therefore, I use a self-signed certificate on the local network.

Regards

That’s what DNS validation is for. I’ve written up a couple of ways to handle that in Nethserver:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns

The built-in Let’s Encrypt support also now has some DNS support, though I haven’t looked into the details.

3 Likes

Hi Dan,

thank you for your advice and links.

The local network is separated from the public domain by another subdomain e.g. public domain *.example.org and the local domain e.g. *.intranet.example.org.
Hosts on the local network cannot be accessed from the Internet via VPN only. The local network is controlled by a router but not the Nethserver. Nethserver has a single Green network interface. I don’t know there is an API for DNS is available. My DNS not hosted on Cloudflare.
If I want to configure the Let’s Encrypt certificate on the Nethserver now, then I get a “not valid FDQN” error message after entering the FQDN.

Regards

Well, there are about 130 other DNS hosts supported by acme.sh–who do you use for DNS hosting?

Sorry, are you sure you understand me well? I apologize but my English is not perfect.

I have a public web server on the internet and I bought a *.mydomain.eu certificate for it. The associated DNS is recorded by BlazeArts. I don’t want to change this unless absolutely necessary.
Nethserver runs on our physical server and on our local network. Nethserver does not work on the Internet.

I wanted to do a Let’s Encrypt certificate for Nethserver with nethserver.intranet.mydomain.eu (FQDN). But I don’t want the *.mydomain.eu certificate to change. Maybe it’s necessary?

No, certificates don’t conflict with each other, so there’s no inherent reason you couldn’t have both certificates. It may not be technically feasible to get and maintain the intranet cert for other reasons, but conflict between certs wouldn’t be the reason.

But are you saying your DNS hosting is provided by these folks?

I don’t see anything on their website about hosting anything, so can’t say whether they have a DNS update mechanism that acme.sh supports–you might want to ask their support if they can handle, e.g., nsupdate. If so (or if they can handle one of the other mechanisms listed on the acme.sh doc page here: dnsapi · acmesh-official/acme.sh Wiki · GitHub), you can use the instructions in the first link I gave, substituting the relevant credentials for the Cloudflare ones I mention.

Failing that, there are a few other options. In ascending order of technical difficulty:

  • Switch your DNS hosting (only DNS; web hosting isn’t affected) to Cloudflare. It’s free and it works well with acme.sh (and other clients as well, if you prefer). As long as you control your current DNS records, the only thing you need to do is change the NS records to point to Cloudflare.
  • On your router, forward port 53 to your Neth server and install acme-dns as described in my second link. You’ll need to make a couple of DNS entries to get it going, but it’s been working well for me for several internal hosts for a couple of years now.
    • You can also use acme-dns without installing it locally (and therefore without requiring the port forwarding) by using the author’s public acme-dns instance–just point the hook script to https://auth.acme-dns.io (which, IIRC, would mean you wouldn’t need to edit it at all). This isn’t really recommended, as it gives him the power to issue certs for your domains if he were to choose to, but a lot of people still do it.
  • If your router is something reasonably-capable like pfSense/OPNsense, you can get the cert on the router, and then use scripting to get it installed onto your Nethserver.
1 Like
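
Added example, not part of the original posts and not code from acme.sh or acme-dns: a sketch of what DNS validation asks the domain owner to publish, and where that record ends up when `_acme-challenge` is delegated by CNAME as acme-dns relies on. The account key, token and delegation target are constructed sample values, and the helper names are hypothetical.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    # ACME uses unpadded base64url for binary values (RFC 8555).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: hash only the required members, sorted, without whitespace.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def challenge_record(fqdn: str) -> str:
    # The CA looks up this name; a wildcard is validated at its base name.
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return "_acme-challenge." + name

def txt_value(token: str, account_jwk: dict) -> str:
    # RFC 8555 section 8.4: TXT = base64url(SHA-256(token "." thumbprint)).
    key_auth = token + "." + jwk_thumbprint(account_jwk)
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())

def publish_at(record: str, cnames: dict) -> str:
    # Follow CNAME delegation to the name whose zone operator actually
    # has to serve the TXT record.
    seen = set()
    while record in cnames:
        if record in seen:
            raise ValueError("CNAME loop at " + record)
        seen.add(record)
        record = cnames[record]
    return record

# Constructed sample data: not a real key, token or acme-dns registration.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
TOKEN = "constructed-token-from-the-CA"
CNAMES = {"_acme-challenge.nethserver.intranet.mydomain.eu":
          "constructed-id.auth.example.net"}

if __name__ == "__main__":
    rec = challenge_record("nethserver.intranet.mydomain.eu")
    print(rec, "-> publish TXT at", publish_at(rec, CNAMES))
    print("TXT value:", txt_value(TOKEN, ACCOUNT_JWK))
```

The CA only queries public DNS, so the intranet host never has to be reachable from the Internet. Whoever operates the zone that `publish_at` resolves to can answer the challenge, which is why the delegation target matters.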

Hi Dan,

you are very helpful, thank you.

No, my DNS hosting (BlazeArts Kft. or Internet CZ, a.s.) you can find it here in English language: Cost effective domains, webhosting and servers | FORPSI.COM

I haven’t Cloudflare account…

I rarely maintain DNS records. I also created a Let’s Encrypt certificate maybe twice for public web server but it was easy …
The solution you suggested I don’t know I have never used this. It’s not a problem to always learn new things. I learn new things every day. Now, I’m trying to understand and apply it to my circumstances, but I can’t find a solution yet.

Regards

This could be resolved at the cost of nothing more than a few minutes’ time. As to the rest, let me know what your questions are.

Hi Dan,

I am beginning to understand how the solution works.
I need to contact my DNS service to see what solution they support.

Regards

Unfortunately, my DNS provider does not support the use of the DNS API.
I will continue to use my own local CA.

Thanks and Regards

I likewise use a dedicated firewall router. I am in the process of setting up nethserver and an OPNsense firewall for my daughter’s new law office.

In my own business I have always used a dedicated pfSense or OPNsense firewall and used it to be the OPNvpn server. And I use SME Server (Koozali) for the fileserver (will upgrade to Nethserver with new hardware soon - after 12 years it’s time). I always found running the VPN from the firewall more secure and less complicated. No special configuration was required to access the file server, intranet (local in house) email, or to remote into the other office computers.

But Nethserver has so much more functionality than my antique SME Server file server I was curious if there was an advantage to using the Nethserver box as the VPN server instead? It seems inherently more insecure. But is it harder to use the outward facing functions like nextcloud and collaboration software that I only want accessed locally or via the VPN anyways?

I want to get my daughter’s install right the first time. She will need to be accessing files and videos from the courtroom often.

@pauldiggsjazz

Hi Paul
And Welcome to the NethServer Community!

I’m using the combination OPNsense (hardware) + NethServer (VM) + Proxmox (Hypervisor) - and for some larger clients started using PBS Proxmox Backup Server.

All my clients only run virtualized servers, something I’d strongly suggest for you. You get so much more features - not all you might need, but the bottom line is much better availability. Features like Live Backups (NethServer does its Backups, Proxmox does its…), but also fast Snapshots (Nice before a critical upgrade)… Sensational fast disaster recovery! Proxmox is as free as NethServer & OPNsense.

Nowadays, most people suggest using VMs for server, and I can confirm this. No Hardware dependencies! And 5 years NO issues!

Among my clients there’s also a law office using the above setup - and a Windows “Member Server” for their law “software”…

Now to your original question:

OpenVPN on OPNsense or NethServer?

I’d suggest using OpenVPN on OPNsense! Mind you, during tests I have confirmed that NethServer’s OpenVPN implementation is rock solid, but as you, my clients and I prefer that running on the gateway / firewall, and my clients also want a dedicated box for this. Maybe Swiss mentality? But it works great!

NethServer profits from the - in my Opinion - best communities in OpenSource! Plenty of know-how and good will amassed here - enough to tackle almost ANY problem, not necessarily NethServer related!

And, as you, I also used SME for around 10+ years - before switching to NethServer! Never regretted the move!

I’d strongly suggest using LetsEncrypt for correct SSL, something which will give you much less headaches with Mail-Clients, but also NethServer / NextCloud. Almost anything web-available nowadays NEED SSL. Mail will often NOT work (Outlook!) with a custom certificate (Self generated incl. CA)…
Lets Encrypt is free and works well on NethServer (Or OPNsense).

My 2 cents
Andy

Thank you so much Andy,

Your prompt reply confirms all my inherent biases. :slight_smile: and assumptions. I’ve been using SME so long that I still have the dot matrix printed out Mitel Admin Guide in a binder. Likewise I have been following and testing Proxmox for ages but never found the need to implement it because my needs were so set and met with older hardware on hand and the advantage of separate appliances. Now that I am pushing 70 and preparing for retirement I want to promote the best opensource solution for my “kids” endeavors on a shoestring - and promote the inherent value of open source (FOSS). Frankly, virtualization is returning us to the days of the UNIX mainframe computer and “dumb terminals” with its ease of administration, but with the advantages of optimizing performance on modern hardware while containerizing and segregating vulnerabilities as much as can be done in software. Back to the future.

To your points:

  1. OPNvpn on OPNsense makes perfect sense for ease of configuration while minimizing vulnerabilities from software overlaps. Not a great candidate for virtualization.

  2. Proxmox as base for Nethserver. Agreed that makes a lot of sense. My only concern is administration by not tech savvy people who are running a business (law practice) and not interested in IT admin. I won’t be around to sort out their issues for long. Does it make sense for a self administered network of not tech savvy users? Simplicity and intuitive Gui is what I am striving for. (I will discuss file systems, raid levels, data redundancy, snapshots and back ups under that umbrella.)

  3. LetsEncrypt - Amen brother! Thank you for the pointers. Often overlooked but proper SSL is essential to just plain working.

Thanks for your 2 cents. Looking forward and grateful for your perspective.

Paul

@pauldiggsjazz

Hi Paul

  1. Virtualized OPNsense in Proxmox - not ideal, but doable, and astoundingly stable. A friend needed to do this because the old server died 2 days before his vacation, no time to order a replacement and set it up. So remote in to Proxmox with Anydesk on Mobile Hotspot, setup OPNsense in Proxmox, and did the rest via VPN… A reboot of Proxmox drops your Internet connection, but is available in 3-4 Minutes with VPN back up and running!

I still prefer a dedicated box, and I always have a spare at home, as “jumper”, which I can use at any of my 30 clients…

  2. Proxmox…

I’ve been a VMWare user since before the millennium, even as beta tester before Workstation 1.0. I used VMWare ESXi until about 2015, when I started switching to Proxmox.
There are so many advantages, like live backups for almost ANY OS. For Windows and Linux, that includes full disaster recovery, but also comfortable GUI based restore of folders or files.
I’ve moved all my clients to Proxmox, the only ESXi still running is at a client who still has Novell Netware running. It’s only there for archive reasons, but as bookkeeper, with our strict Swiss laws, he needs to keep stuff available for 10 years. And there’s no way Novell Netware will run on Proxmox. Even the E1000, an often used driver for Netware, works on ESXi, but crashes Netware (ABEND) on Proxmox.
The clue? ESXi is running inside Proxmox, as Nested virtualization. Inside are Netware 6.0 and 6.5 servers… :slight_smile:
Almost anything is nowadays administratable via WebGUI on Proxmox… :slight_smile:

It’s that rock solid!


I also use Zabbix to monitor all of my clients. Here are a few samples:

My Home LAN:

A client (State institute)

A doctors practice:

Another doctors practice:

A financial company (Treuhand):

Some special “Features”:

  • All clients use a Raspberry PI as dedicated NUT Server for UPS.
  • All clients have their “Off Site Backup” at home, on a NAS, via VPN from the Office. This NAS is usually identical as the one in the office, and can double as a last drop emergency…
  • All clients use NethServer as AD, File, Print, Mail, NextCloud, Zabbix Monitoring and more.
  • Windows “Servers” are only “member” servers in AD.

Most of my clients use a PCengines apu4d4 box for OPNsense, some have much more powerful hardware, like the IPU882 from NRG-Systems in Germany. All run OPNsense…

If you need any assistance, or specific questions, send me a PM, and I’ll be glad to help.

My 2 cents
Andy

…and now you can even integrate Proxmox with your single sign-on infrastructure, doing things like this:
image


3 Likes

I have a few different setups and requirements for controlling access including some with separated campuses/offices on different LANs.

My go to solution is ZeroTier.

I either add the ZeroTier interface direct to the NethServer and manage there or setup OPNSense or a Raspberry PI to route/masq as required.

I also setup my own controller in some cases: https://key-networks.com/ztncui/

I would love to see ZeroTier and Controller integrated into NethServer :slight_smile:

Klaus

2 Likes