Tinc and firewall

Oliver Freyermuth o.freyermuth at googlemail.com
Tue Apr 23 21:25:12 CEST 2019 

Hallo,

Am 23.04.19 um 19:48 schrieb Julien dupont:
> Hello,
> 
> Early this year I got help here to setup tinc tunnels between users and a company LAN. Now I would like to try something different for a home usage and I have a question regarding security.
> 
> The setup would look like as follows:
> 
> - My home LAN has a classical topology where my ISP router is doing NAT and is blocking all incoming connection. I'm planning to enable port forwarding on the router: port 655 (tinc) and 656 (ssh) to a Raspberry Pi running Raspbian. It would have a static IP.
> - The ssh daemon listening on port 656 on the Rapsberry Pi will be hardened (only one user can login, strong password, protocol 2 only, fail2ban installed, etc.).
> - Tinc daemon will be listening on port 655.
> - I would use a DDNS service to find the current public IP of my router.
> 
> The goal is to be able to establish a Tinc tunnel from a laptop outside the LAN to the Raspberry Pi and access all computers behind my router from that point on. Thanks to the previous help I know how to setup Tinc and the routing rules to achieve that.
> 
> Now I'm wondering if and why I would need to implement any additional precaution, like a firewall on the Raspberry Pi with that specific setup. I'm assuming that:
> 
> - It is impossible to reach any other port than 655 and 656 from the outside as only those two are forwarded.
> - It is impossible to directly reach any other computer than the Raspberry Pi so they don't need to be protected.
> - It is impossible, or very hard, to defeat ssh and tinc daemons security.
> - It is thus impossible to access the Raspberry Pi otherwise than through a tinc tunnel or a SSH connection so no firewall is needed.
> 
> Am I right there?

Yes. I'd additionally recommend to use
PasswordAuthentication no
for ssh if you can, since a (long) keypair is significantly harder to "guess" and also harder to steal than a password, especially if protected by a passphrase. 
Of course that only works if you only need ssh access from devices on which you have the key available, but it protects you from some common attack paths
(like USB hardware keygrabbers, a camera or person watching you type your password etc.). 
Of course, also disable direct root login via ssh, and - just in case - set a password for root and check your sudoers (at least on Raspbian the default "pi" user can run "sudo" without typing a password). 

Also, even if your network is not reachable from outside (protected by the routers' firewall), you should still be careful about attacks "from the inside",
for example XSS attacks via web browsers or webcam hardware with cloud functionality (which may do UDP hole punching, open ports in your router via UPNP [which you should disable if your router allows so!]
or other uglinesses). 

But these are just general recommendations of things which are often missed. 

Cheers,
	Oliver

> 
> Thanks,
> Julien
> 
> 
> 
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
>

More information about the tinc mailing list