OP25 Security Warning for OP25 Users

krutzy

Let me see if this is right - usually if I know what is supposed to happen, then I can work from there.

I should change my rx.py to not use 0.0.0.0. I should make that IP the local fixed IP address of the Pi. Then if I want to access it away from home, I only need to port forward the VPN connection port. There is no need to define any other port forward, correct? Is that how it should work?

I can take it from there if that is true. It is when you get me trying to figure out subnets, how and where, that I get lost (I know what they do, though).
 

lwvmobile

> I should change my rx.py to not use 0.0.0.0. I should make that IP the local fixed IP address of the Pi.

Well, whatever the fixed IP address of the Pi is, just change the last number from the static IP address to 0. That SHOULD specify the entire subnet of your local area network, assuming you don't have multiple subnets, so you can access your Pi from anywhere in your local area network, but the httpd service won't allow anything trying to connect from an outside IP address. Theoretically, if you have that port closed on your router, that should be good enough, but for security's sake, it is best practice to eliminate all vectors if at all possible.

For example:
Raspberry Pi is 192.168.7.5
Use subnet 192.168.7.0
That way, you can connect from all home devices that have an IP address of 192.168.7.X.
Then test it and see if it works; if not, then you may need to specify the exact address of the Pi.
Really depends on how OP25 works in this regard; not sure if we are setting the interface to listen on, or which addresses we want to allow to connect. So, if the first option doesn't work, try the second.
 

KA1RBI

> ... how OP25 works in this regard, not sure if we are setting the interface to listen on, or which addresses we want to allow to connect.

The IP address/port specified in the "-l" option is for binding purposes; it's not a network address nor a range of addresses.

It must match the IP of one of the network interfaces assigned to the machine, or the "zero" address. Typically the machine only has a single external network connection and its IP address is something like 10.x.x.x or 192.168.x.x. Accordingly, in such a case there are three legal addresses that could be specified via "-l": 192.168.x.x (or 10.x.x.x), 127.0.0.1, or 0.0.0.0.

Max
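An added example (not code from this thread or from the OP25 project) that demonstrates the bind-address rule Max describes on whatever Linux host it runs on: a TCP socket can be bound to 127.0.0.1, to 0.0.0.0, or to an address one of the machine's interfaces actually owns, while a network address such as the "subnet" suggested earlier is rejected by the kernel with EADDRNOTAVAIL. The probe address 192.0.2.0 is a constructed stand-in from the RFC 5737 documentation range, chosen precisely because no real interface carries it; the function and class names are my own, not OP25's.

```python
"""Bind-address semantics: which addresses a listening socket can actually be bound to.

Added illustration for the thread above; it does not touch OP25 or its port.
"""
from __future__ import annotations

import errno
import socket
from dataclasses import dataclass


@dataclass
class BindResult:
    address: str
    ok: bool
    detail: str


def try_bind(address: str, port: int = 0) -> BindResult:
    """Attempt to bind a TCP socket to (address, port) and report what the kernel said.

    port=0 asks for an ephemeral port, so the probe never collides with a
    service that is already listening (OP25's own port is left alone).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((address, port))
        host, bound_port = sock.getsockname()[:2]
        return BindResult(address, True, f"bound to {host}:{bound_port}")
    except OSError as exc:
        if exc.errno == errno.EADDRNOTAVAIL:
            # The address is not assigned to any local interface: this is what
            # happens when a network address like 192.168.7.0 is given as "-l".
            return BindResult(address, False, "EADDRNOTAVAIL: not an address of a local interface")
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return BindResult(address, False, f"{name}: {exc.strerror}")
    finally:
        sock.close()


def local_interface_addresses() -> set[str]:
    """IPv4 addresses this host owns: the only values (besides 0.0.0.0) a bind can use."""
    addrs = {"127.0.0.1"}  # loopback is always present
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass  # hostname does not resolve; loopback alone is still a valid answer
    return addrs


# Constructed candidates: loopback, the "zero" address, and a network address
# from the documentation range standing in for a "use the subnet" setting.
CANDIDATES = ["127.0.0.1", "0.0.0.0", "192.0.2.0"]

if __name__ == "__main__":
    print("local interface addresses:", sorted(local_interface_addresses()))
    for candidate in CANDIDATES:
        result = try_bind(candidate)
        print(f"{candidate:>12}  {'OK ' if result.ok else 'ERR'}  {result.detail}")
```

Running it shows the first two candidates succeed and the network address fails, which is the same failure krutzy saw with 10.0.0.0: the "-l" value selects an interface to listen on, it does not filter who may connect.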
 

krutzy

Max,
I figured it out. Tried 10.0.0.0; that didn't work. However, the Pi's fixed IP worked locally.
So next is the PiVPN setup itself. Just ran out of time last night. Trial and error is the way I figure things out.
 

belvdr

> Max,
> I figured it out. Tried 10.0.0.0; that didn't work. However, the Pi's fixed IP worked locally.
> So next is the PiVPN setup itself. Just ran out of time last night. Trial and error is the way I figure things out.
So everyone understands, if your machine only has one IP assigned, and you wish to access its services remotely, you can bind to 0.0.0.0 safely. Binding to its real IP address offers no additional security.
> Well, whatever the fixed IP address of the Pi is, just change the last number from the static IP address to 0. That SHOULD specify the entire subnet of your local area network, assuming you don't have multiple subnets, so you can access your Pi from anywhere in your local area network, but the httpd service won't allow anything trying to connect from an outside IP address. Theoretically, if you have that port closed on your router, that should be good enough, but for security's sake, it is best practice to eliminate all vectors if at all possible.
>
> For example:
> Raspberry Pi is 192.168.7.5
> Use subnet 192.168.7.0
> That way, you can connect from all home devices that have an IP address of 192.168.7.X.
> Then test it and see if it works; if not, then you may need to specify the exact address of the Pi.
> Really depends on how OP25 works in this regard; not sure if we are setting the interface to listen on, or which addresses we want to allow to connect. So, if the first option doesn't work, try the second.
I'm not aware of any software that works this way, other than firewall rules.
 

Outerdog

In all honesty, whether OP25 is running with a binding on 0.0.0.0 or some specific ip like 10.0.0.5 makes no difference in terms of security. Your VPN solution needs to be correct and robust enough when exposed to the open internet. Once the VPN is compromised, your entire network is exposed (unless network segmentation is used) and a Pi running OP25 will be the least of your concerns.

Opening your network up to the internet with a VPN is really an advanced topic beyond the scope of a hobby radio forum, in my opinion. Tread carefully. "Trial and error" is not a good plan when you're talking about opening your network up to the internet.
 

krutzy

Max et al,

The light bulb is lit. I finally figured out my mental roadblock - which it truly was. Seems so simple now.
Thank you all!
 

amusement

> In all honesty, whether OP25 is running with a binding on 0.0.0.0 or some specific ip like 10.0.0.5 makes no difference in terms of security. Your VPN solution needs to be correct and robust enough when exposed to the open internet. Once the VPN is compromised, your entire network is exposed (unless network segmentation is used) and a Pi running OP25 will be the least of your concerns.

It's great to see so many become interested in network security.

OpenVPN is the best open source client or server application.
Recommend purchasing a VPN service and setting up your HTTP server as a VPN client.
My VPN service provides a static address.
Setup includes an option so that if the VPN connection fails, the port is closed.
I have some older mature routers as a DMZ between the Internet router and a LAN router.
This is where my servers are. It's like an Internet security sandwich, hold the mayo.
Best servers are the ones that never existed: virtual machines.
Virtual machines can be isolated from the rest of the local area network via subnet or virtual LAN.

In summary, use a VPN client or server, or shut down the port. Never rely on just one security measure to hold back a script kiddie from crushing your dreams. Netgear and other routers have logs. Look at them and see what's going on. SYN-ACK attack? FIN-ACK attack? Those are two common ways to see if a router port will answer the "Are you home" and "Are you sure you are home" requests from a hacker.

Here's some software I use:
OpenVPN client and server, 128-bit encryption (256-bit is available)
Wireshark network packet analyzer
Oracle VirtualMachine

I use Private Internet Access as a service and domain name resolver (not sponsored). There are many out there; suggest shopping around.
 

bucket772

I took the advice from the group and changed the way I have my OP25 server set up.
Backstory: I host two separate feeds for my county and a neighboring county. They both feed to Broadcastify. The latency sometimes makes it a pain, so I would VLC into an open port (I know, I know) and listen in near real time remotely from work or phone.
I purchased a hardware firewall/VPN and set it up to move the OP25 server to its own VLAN and this is the only device on the VLAN.
Any network gurus have any advice if I'm doing this right?

Thanks

Dave
 

Outerdog

> I purchased a hardware firewall/VPN and set it up to move the OP25 server to its own VLAN and this is the only device on the VLAN.
> Any network gurus have any advice if I'm doing this right?

Without diving into the details, this is the correct approach.

Keep an eye on the access logs of your fw/vpn device. Look into white/blacklist access controls by IP address for the device. Regional IP restrictions are helpful, but not at all as robust as they once were.
 

belvdr

> Without diving into the details, this is the correct approach.
>
> Keep an eye on the access logs of your fw/vpn device. Look into white/blacklist access controls by IP address for the device. Regional IP restrictions are helpful, but not at all as robust as they once were.
Agreed, you should limit the access the OP25 machine has to the other VLAN (i.e. none).
 

bucket772

> Agreed, you should limit the access the OP25 machine has to the other VLAN (i.e. none).
That is what I have done. I think. So far I only have one VLAN setup and OP25 is the only device. I have rules preventing traffic to LAN. I can ping the server from LAN but
> Agreed, you should limit the access the OP25 machine has to the other VLAN (i.e. none).

Good grief. I really need to learn more Linux. I had the firewall rules set up to block traffic from VLAN to LAN. When enabled, I couldn't ping the LAN but I could ping 8.8.8.8. Figured all was well. I would reboot the server and the feed would go offline. Turn off the rule and reboot and the feed would work. Tried a ton of different settings, rules, routes, rain dances and other rituals. Turns out that I had the resolv.conf file still looking for the LAN address. Dummy me never changed it to the new subnet.
Hope it helps anyone else having any issues.
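The failure Dave describes is easy to reproduce and easy to miss: with a VLAN-to-LAN deny rule in place, ICMP to 8.8.8.8 works, but every hostname lookup dies because resolv.conf still names a resolver on the now-unreachable LAN. The check below is an added example, not code from the thread or from any firewall vendor: it parses resolv.conf text and flags nameservers that fall inside networks the isolation policy blocks (belvdr's "no access to the other VLAN"). The subnets 192.168.1.0/24 (LAN) and 192.168.50.0/24 (OP25 VLAN), the two resolv.conf samples, and all function names are constructed for the example.

```python
"""Check that an isolated host's DNS resolvers are reachable under its VLAN egress policy.

Added example for the resolv.conf pitfall described in the thread; the
network numbers and file contents below are constructed, not taken from it.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# Constructed isolation policy for the OP25 VLAN:
#   LAN_NETWORK  - the home LAN the OP25 box must not reach ("VLAN -> LAN: deny")
#   OP25_VLAN    - the VLAN the OP25 box lives on (its gateway may run a resolver)
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")
OP25_VLAN = ipaddress.ip_network("192.168.50.0/24")
BLOCKED_DESTINATIONS = [LAN_NETWORK]


def parse_nameservers(resolv_conf: str) -> list[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Return the nameserver entries from resolv.conf text.

    Comment lines ('#' or ';'), other directives (search, options, ...) and
    malformed addresses are skipped, the same way the resolver ignores them.
    """
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # not an IP literal; skip it
    return servers


def blocked_nameservers(servers: Iterable[ipaddress._BaseAddress],
                        blocked: Iterable[ipaddress._BaseNetwork]) -> list[str]:
    """Nameservers that sit inside a network the firewall policy denies."""
    # Membership across address families (v6 address in a v4 network) is simply False.
    return [str(s) for s in servers if any(s in net for net in blocked)]


def check_resolv_conf(resolv_conf: str,
                      blocked: Iterable[ipaddress._BaseNetwork] = BLOCKED_DESTINATIONS) -> dict:
    """Summarise the resolver configuration against the policy.

    ok is True only when at least one nameserver is configured and none of
    them is behind a denied network; otherwise name resolution will fail even
    though raw IP connectivity (ping 8.8.8.8) looks fine.
    """
    servers = parse_nameservers(resolv_conf)
    bad = blocked_nameservers(servers, list(blocked))
    return {
        "nameservers": [str(s) for s in servers],
        "blocked": bad,
        "ok": bool(servers) and not bad,
    }


# Constructed resolv.conf contents: the broken "before" state (resolver still on
# the old LAN address) and a fixed state pointing at the VLAN gateway and a public resolver.
BEFORE = """\
# left over from the old LAN setup
nameserver 192.168.1.1
search home.lan
"""
AFTER = """\
nameserver 192.168.50.1   # resolver on the OP25 VLAN's gateway
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_resolv_conf(text))
```

Pointing the check at the real file is a one-liner (`check_resolv_conf(open("/etc/resolv.conf").read())`); the same idea extends to any other hard-coded LAN dependency the moved host might still carry, such as an NTP server or a syslog destination.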
 

jets1961

So if I am using ip/port http:127.0.0.1:5000, does this point only to my internal network, so no worries, I just can't access it from outside of my network?
 