Subscriber Discussion

Simple And Cheap VPN Setups Against Hacking

Undisclosed #1
Oct 07, 2017

Today I had some home networking chores to do, my old router's wifi had broken so I had to reconfigure a new one (well, another old one actually).

While working on that I thought that since I had some tiny gear around, I'd try to whip up a bare-bones, but effective example of a super cheap (and super simple) VPN that could be used for administration and connecting to DVRs etc.

This is an absolutely minimal PoC just to discuss these things, but still (if correctly configured) much more secure than exposing the devices directly with port forwards.

I wanted it to be as compact and tidy as possible, so I used a Raspberry Pi Zero W, which costs about $10, has built-in wireless and just needs a phone charger to operate. It can also handle this task just fine. Any other RPi or an old PC works just as well, so money isn't really an issue here. Here's a picture of it all in operation (excl. router):



So, you just take any computer you trust and set it up. In the case of the RPi I had to:

  • Install Raspbian: just copy image to SD card and configure the system (network, language etc.)
  • Install PiVPN: run installer and mostly just press enter, add clients and get config files (*.ovpn)
  • Configure port forward: someport -> pivpn:1194 (tweaked also VPN config to only route some nets)
  • Import config files to clients (Android required just a bit of tweaking with regard to key format)

Done!

After that, the configured clients could access a camera subnet where I had an old Axis (that only supports 8-char passwords...), securely over the VPN. I tested it with Ubuntu and Android over 4G.



That's it, basically. Initially there's of course some settings to set, but even if it takes an hour in a simple case, the nice thing is that the SD card is simple to backup and copy for redundancy after the most important configuration is in place.

The biggest hurdle I see here is a lack of consistent manufacturer support for this stuff so that in a typical scenario you could just expect to press at most one button to mean "do it, give me the key", with no extra cost. At home a simple DIY thing like this might be just fine though if you can get along with Linux or want to learn.

I noticed that in the Dahua wiki there are also some instructions on how to set up VPNs with DD-WRT routers; that's kind of nice.

Edit: Quick start guides should maybe be something like this:

Mock-up

(6)
Brian Karas
Oct 10, 2017
IPVM

If I understand this right, the Pi is acting as a VPN server, providing a VPN tunnel to the camera that is behind it? From a client, you connect to the Pi's VPN service, which then gives you access to the camera network?

Undisclosed #1
Oct 10, 2017

Yes, it's just a VPN server. It goes like: Internet -> Router:someport -> PiVPN:1194 -> camera/LAN. Since it's the only device exposed via the router, someone needs to break OpenVPN first (or, the router) before they get to the camera.

(2)
Brian Karas
Oct 10, 2017
IPVM

It is a neat hack. Any idea how much throughput the Pi Zero can sustain?

Undisclosed #1
Oct 10, 2017

I haven't really tried yet, but quickly googling you might expect around 30Mbit/s or thereabouts.

The device draws about 130mA when streaming a camera, ~45mA idle.

John Honovich
Oct 10, 2017
IPVM

How can one productize this so that it requires minimal knowledge / time to use? I believe the product components are inexpensive but the concern could be the troubleshooting or errors for an inexperienced tech setting this up. Thoughts?

(2)
Undisclosed #1
Oct 10, 2017

In my mind, it would minimally require just a nice, durable case and a user-friendly setup procedure and that should be it. Then the tech should just remember to take along "the admin dongle" when they're installing something, and plug it in somewhere before they leave the site. The device could have a little screen that says whether it's working or not. For example, if it was plugged into the wrong port it could inform the user that the connection is not working.

Of course, the details of each site may make things much more complex, and generally it's a good idea to have someone knowledgeable set it all up. This was just an example of something that might work as a "no-brainer" solution for small sites with just a typical router on default settings. Then all the installer would need to do is set up a port forward (could this be an actual valid scenario to use UPnP...?).

I almost started writing simple bootstrap scripts to accompany a semi-configured image, so all you'd need to do is copy the image, start it up, tell it what you want in some menu and then never touch it again, unless you need to revoke keys or plug it in at some other location. But I didn't do that for now, since I've way too much to do anyway, and who would trust some simple hack by an unknown person ;) Some company should offer such basic security solutions with support.

(1)
Undisclosed End User #2
Oct 10, 2017

I think you would need a USB hub to accommodate 2 USB Ethernet adapters, one to the camera (or camera network), the other to the router.

Pi Zero W could theoretically connect to router via Wi-Fi, so in that case only one USB Ethernet adapter would be needed.

Also, if router connects to internet with DHCP, may need to incorporate DDNS, either on router or Pi.

Undisclosed End User #2
Oct 10, 2017

Correction/retraction:

I am so used to having OpenVPN running on my routers that I was probably incorrect in thinking that two interfaces would be needed. Though I am still a little fuzzy picturing this working with only one interface, I suppose one could use an IP alias to accomplish this?

Undisclosed #1
Oct 10, 2017

It does work in this simple scenario at least. With a traditional RPi you would just connect the network cable + power (or even a pricey PoE hat). The VPN clients live in their own subnet, reachable only by access to the VPN server. The server in turn routes requests to things beyond that (local LAN) for the clients, if it's configured to do that. Any fine-grained VPN configuration that might be required is another issue, but in what I imagine to be a typical small installation, there's no such complexity.

In my case, since I was just messing at home with this, I told my router to give the camera an IP from another range, then told PiVPN to route that network too. This wasn't necessary, but I just wanted to verify it works as I expected.

(1)
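Putting the first post's steps (PiVPN server, a port forward to 1194, and a VPN config "tweaked to only route some nets") together with the single-interface routing described just above, here is an added example; it is not code from the original post or from the PiVPN project. It assumes PiVPN's default client pool of 10.8.0.0/24, tun0 as the tunnel interface, wlan0 as the Pi Zero W's uplink and 192.168.50.0/24 as the camera subnet; none of those values appear on the page. It derives the server.conf lines that push only the camera route to clients, plus the netfilter rules that let a connected client reach the camera subnet and nothing else on the LAN:

```shell
#!/bin/sh
# Added example (not from the original post or from PiVPN): generate the
# OpenVPN server-side lines and the forwarding rules that make the
# "VPN clients may only reach the camera subnet" setup explicit.
#
# Assumed values (not stated on the page); adjust for the real site.
TUN_IF="tun0"                 # OpenVPN tunnel interface
LAN_IF="wlan0"                # Pi Zero W uplink towards the router/LAN
VPN_POOL="10.8.0.0/24"        # PiVPN's default client address pool (assumed)
CAMERA_NET="192.168.50.0/24"  # the only LAN network clients should see

# prefix_to_mask 24 -> 255.255.255.0
# OpenVPN's "server" and "route" directives want dotted netmasks, not CIDR.
prefix_to_mask() {
    p="$1"
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || return 1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$p" -ge 8 ]; then
            octet=255; p=$((p - 8))
        else
            octet=$(( (255 << (8 - p)) & 255 )); p=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    printf '%s' "$mask"
}

# push_route 192.168.50.0/24 -> push "route 192.168.50.0 255.255.255.0"
push_route() {
    net="${1%/*}"; prefix="${1#*/}"
    printf 'push "route %s %s"\n' "$net" "$(prefix_to_mask "$prefix")"
}

# Lines for /etc/openvpn/server.conf: the client pool, and a route for the
# camera subnet only. No redirect-gateway is pushed, so a client's own
# default route (and the rest of the site LAN) stays out of the tunnel.
server_config_lines() {
    printf 'server %s %s\n' "${VPN_POOL%/*}" "$(prefix_to_mask "${VPN_POOL#*/}")"
    push_route "$CAMERA_NET"
}

# Forwarding policy on the Pi: default DROP, VPN clients may only open
# connections into the camera subnet, replies flow back, and clients are
# masqueraded so cameras never need a route back to the VPN pool.
forward_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -s $VPN_POOL -d $CAMERA_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $TUN_IF -s $CAMERA_NET -d $VPN_POOL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_POOL -o $LAN_IF -d $CAMERA_NET -j MASQUERADE
EOF
}

# Print both fragments so they can be pasted into the config and firewall script.
server_config_lines
forward_rules
```

The `server` and `push` lines belong in /etc/openvpn/server.conf (PiVPN writes its own file, so diff against it rather than overwriting), and the iptables lines in whatever firewall script runs at boot. Because only the camera route is pushed, a client's normal traffic is untouched, and the FORWARD policy of DROP means that even a compromised VPN client cannot pivot from tun0 to anything on the LAN other than the camera subnet, which is the "only the VPN server is exposed" property the thread is relying on.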
Undisclosed End User #2
Oct 10, 2017

Great stuff! So you did have this up and running?

Another application could be remote connectivity (RDP, SSH, HTTP, etc.) for service, commissioning, etc. Almost like a "roll your own" Domotz, TeamViewer, etc.

Undisclosed #1
Oct 10, 2017

Yeah, it's been running ever since I set it up, maybe I'll turn it off if I need my phone charger for something else :) After connecting with the VPN, I can of course utilize the RPi as the linux server it is, log in with an SSH key and do whatever from there, it's quite versatile.

Surely one wouldn't even need to configure OpenVPN for this, and instead just use a good SSH setup to achieve the same. Using a VPN has its merits though, SSH tunneling with mobile for example isn't as convenient, app-wise.

Undisclosed End User #2
Oct 10, 2017

In addition to the Pi itself, my interest would be gaining remote access to Windows hosts, camera and NVR web GUIs and any other IP device needed for commissioning on the same subnet that PiVPN would/could route me to.

Undisclosed #1
Oct 10, 2017

One way to do it, other than tunneling as needed: install "tightvncserver" and "rdesktop" packages on the RPi, then VNC to it after VPN has connected. Now you can run the RDP client from the VNC desktop, and the VNC server will happily hold your session if you get disconnected from the site etc., (likely) keeping your RDP connection intact.

Undisclosed #1
Oct 10, 2017

For Ethernet, with the Raspberry hardware you'd need to rely on USB, yes (and it's not considered the most reliable of things on the RPi, I think). There don't seem to be many miniature, super cheap embedded boards with dual, preferably gigabit, Ethernet available. If there's a desire to do the job at peanut cost, repurposing an old router should work.

There's some Banana Pi BPI-R1 with even 4 ports, but it's "expensive".

Lee Brown
Oct 11, 2017

I use an RPI3 with a PIA VPN account for streaming video from on-line media sources. I can testify that the solution is workable if you don't mind rebooting the RPI3 at least once a week. The ODROID-XU4, while twice the price, is far better suited for this purpose. For stable, good-performing VPN access I use the free and open source Tinc VPN software and have a $5.00 per month virtual private server that runs Tinc and acts like a TURN/STUN gateway for video surveillance devices across many different networks. Tinc is described as auto mesh network routing. It can run on RPIs, Linux desktops, servers, Windows and Mac desktop computers easily. Running it on Android is significantly more complex and requires a rooted phone.

(2)
Brian Karas
Oct 21, 2017
IPVM

Hak5 just released a device they are calling PacketSquirrel, which among other things can be used to create a simple in-line VPN similar to what is described here.

(4)
Undisclosed #1
Oct 21, 2017

Neat!

Undisclosed End User #2
Nov 19, 2017

That's exactly what I have been looking for, thanks! Though since it uses terminology like "man in the middle", it may be difficult to get permission from clients to put it on their network.

I would use the VPN Payload.

Undisclosed End User #2
Nov 19, 2017

Sad thing about this info era:

Shortly after clicking the link in Brian's post above to Hak5's website, Facebook is now giving me ads for this exact device on a different computer and a different web browser, so FB got my metadata from IPVM or Firefox.

I certainly hope IPVM isn't selling my metadata since this is a premium pay site....

Undisclosed #1
Nov 19, 2017

If you use Facebook, it's already game over.

(1)
(1)
Undisclosed End User #2
Nov 19, 2017

To be fair to IPVM, I am fairly certain this was cookies on Hak5's web site.

Brian Karas
Nov 19, 2017
IPVM

We are not selling your metadata, browsing info, etc.

It was most likely a retargeting ad that originated with the Hak5 site. Facebook is particularly good at tracking you across devices/browsers.

Not directly related, but here is an interesting piece on how Facebook's friend recommendations work, it touches a little bit on ad cookies at the end.


Joe Mirolli
Oct 24, 2017
IPVMU Certified

Check out DD-WRT.com, open source Linux router software. It works on most SOHO routers old and new and is a complete OS replacement for them. It turns every port and every Wi-Fi band into a programmable, routable interface. It supports VPN, VLAN, and so much more than a typical SOHO router that you will only be limited by the hardware it's installed on. It is browser based and just as easy as any SOHO router to program.

(2)
(1)
Dennis Ruban
Oct 24, 2017

I use a Ubiquiti ER-X router, which is around $50. When I tested the router performance over the VPN, it gave around 45-50 Mbps. Good enough even for a medium install.

(1)