Truism: Doing security right, is subtle and full of snags for the clueless.
Concern: I haven’t ever set up a connection between 2 computers using RSA/SSH keys or certificates, in my life. Realistically, I’m very aware of the theory, and I’ve read most of the steps piecemeal in security writeups, but for practical purposes, I’m still one of the clueless (for now).
Conclusion: Step by step help appreciated, so I do my Wireguard setup right, and also begin to learn “properly” and gain confidence for future connections (whether they are certificate or key based – SSH, 802.1X, web HTTPS certs, etc).
I’ve tried to follow the principle that what I can’don’t know enough to do reasonably safely, I at least try to avoid and not do insecurely.
LAN gateway – runs OPNSense FreeBSD soft router (fork of pfSense running on HardenedBSD, a hardened derivative of FreeBSD, so I can use pfSense analogies and find the same functionality on mine if needed). There’s separate NICs for wired and wireless LAN. Almost all wireless traffic is blocked from the LAN, so I’d open a port for “trusted device” traffic and then limit its access according to minimum needs (no help sought on that).
Wifi AP – The router’s wifi NIC is connected by ethernet to an OpenWRT Wifi router. Because it’s got virtually zero access to the LAN (ping router NIC and reach one dumb isolated printer server IP/port) and can only reach the WAN, there’s actually no security on this at all at the moment (I don’t have a problem running an open wifi network where I am; I’m also running a public tor exit node on one IP on the LAN).
Network services – DHCP4 and Unbound (resolver) on the router. No AD/directory services. No certificates/CA/RSA in use currently except automatically created ones for router/file server WebUI etc. Password based logins (ugh! Hope to learn + fix that someday!).
Mobile phone – Runs LineageOS 16 (Android Pie) with MicroG (FOSS Google services package replacement). Would like to move to 802.1X but again, lack knowhow of the certificate or key setup process done right.
VPN software – Wireguard seems quite well suited to my situation – I use public transport a lot, and theres a lot of intermittent disconnection and short lived reconnects, so a FOSS VPN that needs less config, auto uses decent tunneling setup, seems well reputed, and is designed for quick reconnects, seems better for me than, say, OpenVPN, although I’m sure both would work.
VPN endpoint/IPs – The VPN terminates on the OPNSense router so the open Wifi device isn’t an issue. The LAN uses 192.168.0.0/16, with 192.168.0.1/20 allocated for router, static, DHCP, and all non-VPN devices. So I can use 192.168.32.0/24 for any VPN-connected devices.
Broadcast domain – I’d like to have level 2 OSI broadcast not just switching, I * think * this is typical with VPN but not sure? I don’t expect broadcasts to flood the network 🙂
- SSH/FTP/SMB/RDP/ADB-over-TCPIP and perhaps media streaming between phone and LAN devices. Moving 20-40 GB dirs between phone and file server will become much quicker if I can use Wifi (when available) instead of waiting till home and using USB/SDCard.
- VPN tunnel to route all phone network traffic via LAN when away from home when using unknown wifi networks
- Moving some functionality from phone to LAN (Example: calendar/notes/feed via a LAN-based web server rather than locally as phone apps).
- Once more confident, doing similar for laptop, to allow remote working from laptop via VPN to LAN via RDP.
VPN security choices
A large part of any key/cert setup is about “how secure/hardened do you want to make it?” To make this simple, assume “hard enough that I probably don’t have to worry for 15 years”, other than deal with any publicly identified vuls (which I’ll leave to the software writers to fix). Assume plenty of CPU power for more rigorous at both phone+LAN ends, and roughly, enterprise level rather than home LAN style security for the VPN aspect. Meaning, I’d like to begin learning to do it right, even if patchwork/piecemeal at first (I’d like to avoid “no point in doing much, as more serious vuls exist”).
So I’m happy to use RSA 4096 rather than 2048, or more processor intense but secure algorithms; if a cert is needed, I’d rather have steps that create an intermediate CA so I can keep my top level CA totally offline. If there’s additional hardening options that a conscientious security pro would choose for say, CEO/CFO of a SME size business, that’d be about my kind of level.
Mobile phone – overall I’d treat it as trustworthy. AFAIK I haven’t ever had a security issue with it, or an unsafe app, and in a way it’s unavoidable that I need to trust it somewhat. I can also set rules to block all but limited usage, either in the router or in my main servers, so that it’s got limited capacity for usage/harm and no root access to any device even if exploited. But that’s separate.
Connectivity/tunnels – I don’t feel comfortable just with WPA2/PSK. I’d like to ensure its the actual expected device, via some form of mutual authentication, if there’s a way to do it. Hence even where I can trust the network, at home, I’d like not to just connect via WPA2, but only via VPN, even if I’m going to access the LAN from my phone while at home, using my home router.
Own ignorance of correct setup+security processes/good practices for this – See below. I think this, and threats arising from it, are the main risk. I’m especially thinking, if I open the LAN to one device, I’ve potentially opened it to all, so I need to make sure I do only open it to that one device, as best I can, and not to others. I think that’s the biggest risk, and the motive for the question.
SUMMARY WHAT I AM HOPING FOR
I’m worried about my “Unknown unknowns”.
I don’t know what keys/certs I might need, nor how to correctly generate them. There are writeups but not a good start-to-end walkthrough I feel comfortable with. Basically, what recommended software+commands to use? What is good practice for the settings/CLI options/config used to generate them? What .conf settings should I also consider setting in Wireguard’s server/client?
I also don’t know which if any keys/files to generate on a “known safe” machine, and which if any files generated, should be stored airgapped/offline. I think it’s pretty much that simple.
So what I’m hoping for is a step by step recipe for my 1st time. A bit like this –
“Use package X or Y on BSD. These are the important switches/config choices. Use (or don’t use) a password. These are the commands to run on package X, or these commands on package Y. 3 files/keys will be generated. Put this one here and that one there. Hide this one on an airgapped system or USB stick. Configure Wireguard server/client .conf with these extra options. Done.”
I’d like to use CLI packages such as OpenSSL (already installed) rather than the router’s built-in GUI functionality, to generate any keys/certs, as this will help me be more competent in future.
Hopefully if I get this right, I’ll also learn quite a lot of what I need, to do other (certificate|priv+public key) based connections like 802.1X and SSH properly, both between the mobile devices and the OpenWRT bridge, and between LAN devices, and also be well on my way to getting RADIUS or other AAA running at some time to harden the LAN a bit more internally.