I dove into the VPN waters with the Quick Set PPTP tunnel, but read about how it isn’t very secure and how the NSA has cracked PPTP (plus it is open to anyone on the internet to try accessing via a username/password combo). So I then moved on to SSTP, generated certificates, and uploaded the CA to my local Windows 10 machine, and was able to connect just fine (also using username/password), but I thought having the certificate was an added security measure. I was shocked/dismayed to find out I could connect via SSTP from my Android phone without having a secret certificate, just username/password. I tried turning on verify client-certificate, but that made the Windows 10 connection no longer work. So while the tunnel itself may be more secure than PPTP, the access control is still open to any hacker on the WWW to try username/password combos. I’m used to setting up OpenVPN tunnels with shared keys, so that only users with the shared key can access. A 2FA tunnel would be nice, but I doubt that exists. Additionally, I’d like to have a way to not have ports open to the WWW, but maybe the only way to get around that is through port knocking?
So looking for suggestions on what VPN I should try next (and tutorial/how-to), and then suggestions on how to secure any ports that need to be open (firewall rules, port knocking, or other suggestions).
My overall goal is to access a password vault I am hosting on my local server when I am outside of my home. So I don’t want to leave this vault wide open to hacker attacks if possible, while also making it available for me in emergencies.
Is the web interface of your password vault also TLS/SSL or plain HTTP?
If TLS/SSL you could even discard the VPN and simply use a port-knocking construction to allow you access to your password vault.
I don’t use a VPN but have a port-knocking construct for accessing basically 2 (secured) services from the outside.
If your Vault is only HTTP then there is no encryption at all … port-knock on its own is not optimal obviously.
With solely port-knock you leave no external service open.
The chance of somebody “guessing” the knock sequence exists, but in my case it would be about 1 out of 2,62 billion in theory. Of course, making a few failed attempts will put you on a block list for a week anyway to cool off.
Thanks for the replies. Update: I followed one tutorial online for an OpenVPN setup, and had a little embarrassing trouble with the config (I worked on a config file, imported it, then kept working on the original config file instead of the imported file, so it took me an hour to figure out why my changes weren’t doing anything), but once I cleared all the errors, I got this one: TCP: connect to [AF_INET]xx.xx.xx.xx:1149 failed: Unknown error. I then added a firewall rule to open port 1149 in the Mikrotik, and still no change. I then started logging my dropped packets and saw a MAC address for some Cisco device trying many different source IP/port combinations being blocked, so yeah, someone is actively trying to hack me right now, great.
My service is set up with self signed HTTPS, but I really don’t know enough about encryption and certificates to know whether that is good enough to prevent snooping. Do you have a rule example or tutorial link for a port knocking example?
I’m a little intimidated by IPsec/IKE stuff, mainly because I use these at work but have always let another department set them up. So maybe it isn’t that hard to do, but I’d really like a good tutorial recommendation. I randomly picked an OpenVPN tutorial last night, and having it not work at the end of the night isn’t fun. Maybe I should try to figure out why that isn’t working before going on to the next thing?
Another option would just be to run OpenVPN on a server, not the Mikrotik. I tried running an OpenVPN Docker image last week and couldn’t get it to work, so I gave up.
Even with self-signed the confidentiality part is OK; anyone that would be intercepting cannot read it/reverse it.
For the port-knock the idea is some “multistage” approach.
Knock on a 1st TCP or UDP port … put that on a temporary intermediate ACL for a short period of time (eg. 30 seconds) (ACL “Portknock_Stage1”).
Within 30 seconds, that same public IP you just placed on that “intermediate ACL list” [Portknock_Stage1] must hit another TCP or UDP port, and then that same public IP will be placed on a 2nd stage temporary ACL (eg. “Portknock_Stage2”), again for 30 seconds.
Finally, a last hit on a specific TCP or UDP port from any public IP(s) that made it to the 2nd intermediate ACL “Portknock_Stage2” places them on a final ACL (eg. “Portknock_ServiceX”), and you can give them eg. 4 hours of access time.
It is THAT last ACL “Portknock_ServiceX” that you will be using in your DNAT statement to allow DNAT straight into your network for ServiceX IF coming from the “3rd stage” ACL “Portknock_ServiceX” within a 4-hour timeframe.
This is the basic concept. You can enhance it by reducing the timers between port-knock sequences (eg. only 5 seconds)
FOLLOWED by the Portknock rules I also have rules to “add” TCP & UDP scanners to some “Portscanner” list to immediately drop them in the future for a week or so, BUT I made the list like that so it does not count for those public IPs if you already made it to Portknock_Stage2.
For that I use the fields as you can find them on the Mikrotik.
(search the forum for these, they are well explained how to use them)
Weight Threshold
Delay Threshold
Low Port Weight
High Port Weight
The actual filter “Drop Portscanners” is the very first on my “input chain”, but you could also put it in the “raw” chain. I’m running only a home environment and my RB3011 CPU is not really challenged…
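A RouterOS rule set that implements the three-stage sequence and the scanner exception described above, as an added example and not the poster’s own configuration; the knock ports 1111/2222/3333, the vault address 192.168.88.10:443 and the interface list name “WAN” are assumed.

```routeros
# Added example (assumed values): three-stage port knock on RouterOS with a
# port-scanner block list. Knock ports 1111 -> 2222 -> 3333 (TCP), vault on
# HTTPS at 192.168.88.10:443 on the LAN, WAN interface list named "WAN".
/ip firewall filter
# 1. Known scanners are dropped outright; this stays first in the input chain
add chain=input in-interface-list=WAN src-address-list=Portscanner \
    action=drop comment="Drop Portscanners"
# 2. Tag port scanners for a week. psd = WeightThreshold,DelayThreshold,
#    LowPortWeight,HighPortWeight. Hosts already at Stage2 are exempt so a
#    fast knock sequence is not mistaken for a scan.
add chain=input in-interface-list=WAN protocol=tcp psd=21,3s,3,1 \
    src-address-list=!Portknock_Stage2 action=add-src-to-address-list \
    address-list=Portscanner address-list-timeout=1w comment="Tag scanners"
add chain=input in-interface-list=WAN connection-state=established,related \
    action=accept
# 3. Stage 1: any WAN host hitting the first knock port is remembered for 30s
add chain=input in-interface-list=WAN protocol=tcp dst-port=1111 \
    action=add-src-to-address-list address-list=Portknock_Stage1 \
    address-list-timeout=30s comment="Knock 1"
# 4. Stage 2: only hosts still on Stage1 may advance, again for 30s
add chain=input in-interface-list=WAN protocol=tcp dst-port=2222 \
    src-address-list=Portknock_Stage1 action=add-src-to-address-list \
    address-list=Portknock_Stage2 address-list-timeout=30s comment="Knock 2"
# 5. Stage 3: hosts from Stage2 get 4h on the final list used by the DNAT
add chain=input in-interface-list=WAN protocol=tcp dst-port=3333 \
    src-address-list=Portknock_Stage2 action=add-src-to-address-list \
    address-list=Portknock_ServiceX address-list-timeout=4h comment="Knock 3"
# 6. Nothing else from the WAN reaches the router; the knock ports are never
#    answered, so a scan shows no open service
add chain=input in-interface-list=WAN action=drop comment="Drop WAN input"
# 7. Let the knocked DNAT connection through the forward chain (keep this
#    above any forward-chain drop rule already present)
add chain=forward in-interface-list=WAN connection-nat-state=dstnat \
    src-address-list=Portknock_ServiceX action=accept comment="Vault via knock"

/ip firewall nat
# 8. DNAT to the vault only for sources that completed all three knocks
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    src-address-list=Portknock_ServiceX action=dst-nat \
    to-addresses=192.168.88.10 to-ports=443 comment="ServiceX: vault HTTPS"
```

The lists under /ip firewall address-list show which stage a source has reached and how long it has left, which is the quickest way to check a knock that did not open the service.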