
Network security with an AREDN node on the LAN

KS1O
Network security with an AREDN node on the LAN

How secure is the tunnel between AREDN nodes over the internet? If I put WAN of an AREDN node on my LAN and tunnel to another node, how at risk is my LAN from being accessed via the tunnel itself?

w6bi
Firewall rules

The AREDN code has a pretty good set of built-in firewall rules to keep that from happening.  You can see devices with IP addresses from your AREDN DHCP server, but you can choose not to advertise them.

AE6XE
Home Lan network risk

KS1O, do not advertise your AREDN node as an internet gateway across the AREDN mesh network, and it is not possible for the tunnel traffic or other AREDN mesh traffic to access your home network and onto the internet. There are no route definitions created across the AREDN network that would route traffic to your home network to be able to reach it. Note, however, any devices on the AREDN node's LAN do have a route path to your home network (on the node's WAN interface).

Joe AE6XE

KS1O
Clarification

I was speaking more of a hacker exploiting the tunnel rather than a fellow HAM surfing through AREDN. Could the tunnel between nodes across the internet be easily exploited or compromised?

AE6XE
protecting tunnels across the internet

The number one thing you can do to protect the tunnel across the internet is to choose a good password. Here's an article, with a few touch ups, I wrote through my day job that is applicable.

Joe AE6XE

-------------------
Too many of us choose passwords that are chosen poorly and readily compromised. Read on to see if you are at risk.
 
A threat actor starts by capturing an encrypted password. Encrypted passwords are cached by the browser and the operating system (single-sign-on, etc.).  Network traffic can be captured to find the exchange of encrypted passwords.   The encrypted password can be taken offsite and run through cracking programs, with potentially any high end hardware horse-power the threat actor applies. 
 
Why are our passwords easily compromised?  The way we choose our passwords is predictable, which significantly lowers the brute force guesses these cracking programs use. A widely used and poorly chosen password  is of the form:

1 upper case letter followed by several lower case letters and ending with a number and/or symbol.
 
Do you choose dictionary words and substitute specific characters? The hacking programs are set up to try the common substitutions listed below:
 

  • ‘0’ for an ‘o’
  • ‘@’ for an ‘a’
  • ‘3’ for an ‘e’
  • ‘$’ for an ‘s’
  • ‘1’ for an ‘i’
  • … and more

 
Attached is an updated table from Hive Systems which shows how long it takes a hacker to crack a carefully chosen password. If a common password pattern is used, time to crack a password can be significantly faster.

Next time you update your password, consider increasing the password length. Doing so can make a big difference. As important, be UNPREDICTABLE in choosing your password.
 

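An added example, not part of the original post or of AREDN: a small Python check that flags the password habits the article above describes (the upper-case-first shape and the listed character substitutions). The word list, the 12-character minimum and the function names are assumptions made for illustration.

```python
import re

# Substitutions listed in the article, mapped back to the letter they replace.
LEET = str.maketrans({"0": "o", "@": "a", "3": "e", "$": "s", "1": "i"})

# Constructed sample word list (assumption); a real audit would load a full dictionary.
SAMPLE_WORDS = {"password", "tunnel", "mesh", "radio", "summer", "welcome"}

# The shape the article calls out: one upper-case letter, several lower-case
# letters, then trailing digits and/or symbols.
COMMON_SHAPE = re.compile(r"^[A-Z][a-z]{2,}[\d\W_]+$")


def candidates(password):
    """Return the plain words this password may be a decorated form of."""
    low = password.lower()
    # Drop digit/symbol padding at either end first, so "Tunnel2024!" -> "tunnel".
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    # Then undo the substitutions, so "p@$$w0rd" -> "password".
    return {low.translate(LEET), stripped.translate(LEET)}


def find_weaknesses(password, words=SAMPLE_WORDS, min_length=12):
    """Return the reasons a password is predictable (empty list if none found).

    min_length is an assumed threshold, not a figure from the article.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("short")
    if COMMON_SHAPE.match(password):
        reasons.append("common-shape")
    if candidates(password) & set(words):
        reasons.append("dictionary-word")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords, for demonstration only.
    for pw in ["Tunnel2024!", "P@$$w0rd!", "Summer2024!!!", "vK7#qLm2Zr9!xTpe"]:
        print(f"{pw!r}: {find_weaknesses(pw) or 'no predictable pattern found'}")
```

An empty result only means none of these three habits was detected; it is not a measure of how long the password would resist guessing.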
nc8q
how at risk is my LAN from being accessed via the tunnel itself?

"how at risk is my LAN from being accessed via the tunnel?"

Is your end of the tunnel a client or server?

If client, your end should be protected by your home router due to the blocking of all unknown inbound packets.
i.e., only established and related inbound port:5525 packets are accepted.
How vulnerable is your home router?
Is its firmware current?

If your end of the tunnel is a server, then you have port:5525 redirected to your tunneled node.
I then assume the security is limited to the vulnerability of vtun.

Beyond this, I plead ignorance.

73, Chuck
