Thanks for the encouragement!
I should change my rx.py to not use 0.0.0.0; I should make that IP the local fixed IP address of the Pi.
... how OP25 works in this regard, not sure if we are setting the interface to listen on, or which addresses we want to allow to connect.
So everyone understands, if your machine only has one IP assigned, and you wish to access its services remotely, you can bind to 0.0.0.0 safely. Binding to its real IP address offers no additional security.
Max,
I figured it out. Tried 10.0.0.0; that didn't work. However, the Pi's fixed IP worked locally.
So next is the pivpn setup itself. Just ran out of time last night. Trial and error is the way I figure things out.
I'm not aware of any software that works this way, other than firewall rules.
Well, whatever the fixed IP address of the Pi is, just change the last number of the static IP address to 0. That SHOULD specify the entire subnet of your local area network, assuming you don't have multiple subnets, so you can access your Pi from anywhere in your local area network, but the httpd service won't allow anything trying to connect from an outside IP address. Theoretically, if you have that port closed on your router, that should be good enough, but for security's sake, best practice is to eliminate all vectors if at all possible.
For example:
Raspberry Pi is 192.168.7.5
Use subnet 192.168.7.0
That way, you can connect from all home devices that have an IP address of 192.168.7.X.
Then test it and see if it works, if not, then you may need to specify the exact address of the Pi.
Really depends on how OP25 works in this regard; not sure if we are setting the interface to listen on, or which addresses we want to allow to connect. So, if the first option doesn't work, try the second.
In all honesty, whether OP25 is running with a binding on 0.0.0.0 or some specific IP like 10.0.0.5 makes no difference in terms of security. Your VPN solution needs to be correct and robust enough when exposed to the open internet. Once the VPN is compromised, your entire network is exposed (unless network segmentation is used) and a Pi running OP25 will be the least of your concerns.
It's great to see so many become interested in network security.
OpenVPN is the best open source client or server application.
Recommend purchasing a VPN service and setting up your HTTP server as a VPN client.
My VPN service provides a static address.
Setup includes an option so that if the VPN connection fails, the port is closed.
I have some older, mature routers as a DMZ between the Internet router and a LAN router.
This is where my servers are. It's like an Internet security sandwich, hold the mayo.
Best servers are the ones that never existed, virtual machines.
Virtual machines can be isolated from the rest of the local area network via subnet or virtual lan.
In summary, use a VPN client or server, or shut down the port. Never rely on just one security measure to hold back a script kiddie from crushing your dreams. Netgear and other routers have logs. Look at them and see what's going on. SYN-ACK attack? FIN-ACK attack? Those are two common ways to see if a router port will answer the "Are you home" and "Are you sure you are home" requests from a hacker.
Here's some software I use:
OpenVPN client and server 128-bit encryption (256-bit is available)
Wireshark network packet analyzer
Oracle VirtualMachine
I use Private Internet Access as a service and domain name resolver (not sponsored). There are many out there; I suggest shopping around.
I purchased a hardware firewall/VPN and set it up to move the OP25 server to its own VLAN and this is the only device on the VLAN.
Any network gurus have any advice if I'm doing this right?
Agreed, you should limit the access the OP25 machine has to the other VLAN (i.e. none).
Without diving into the details, this is the correct approach.
Keep an eye on the access logs of your fw/vpn device. Look into whitelist/blacklist access controls by IP address for the device. Regional IP restrictions are helpful, but not at all as robust as they once were.
That is what I have done. I think. So far I only have one VLAN set up and OP25 is the only device. I have rules preventing traffic to the LAN. I can ping the server from the LAN but
Agreed, you should limit the access the OP25 machine has to the other VLAN (i.e. none).
Good grief. I really need to learn more Linux. I had the firewall rules set up to block traffic from the VLAN to the LAN. When enabled, I couldn't ping the LAN but I could ping 8.8.8.8. Figured all was well. I would reboot the server and the feed would go offline. Turn off the rule and reboot and the feed would work. Tried a ton of different settings, rules, routes, rain dances and other rituals. Turns out that I had the resolv.conf file still looking for the LAN address. Dummy me never changed it to the new subnet.
Agreed, you should limit the access the OP25 machine has to the other VLAN (i.e. none).
127.0.0.1 is the internal loopback port which never leaves the host machine.
So if I am using ip/port http://127.0.0.1:5000, does this point only to my internal network so no worries, I just can't access it from outside of my network?
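The thread keeps circling one question: does the address you give OP25 (0.0.0.0, the Pi's fixed IP, 192.168.7.0, 127.0.0.1) pick the interface to listen on, or the clients allowed to connect? This added example (not OP25's code or any poster's) demonstrates the answer with plain sockets: a bind address selects a local interface, a network address like 192.168.7.0 is not bindable at all (which is why 10.0.0.0 failed above), and "only my LAN may connect" has to be a check on the peer after accept() or a firewall rule. It assumes the thread's 192.168.7.0/24 as the home subnet and uses 192.0.2.0 (a reserved documentation address) as a constructed "not assigned on this host" value.

```python
import errno
import ipaddress
import socket

# Added example for this thread, not OP25 code. 192.168.7.0/24 is the subnet
# from the posts above; 192.0.2.0 is a constructed address that no real host
# has assigned, so binding to it fails on any machine.


def try_bind(addr, port=0):
    """Try to bind a TCP listener to a local address.

    Returns 'ok', or the errno name (e.g. EADDRNOTAVAIL) when the kernel
    refuses because addr is not an address of any local interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((addr, port))  # port 0 lets the kernel pick a free port
            return "ok"
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))


def loopback_roundtrip():
    """A listener bound to 127.0.0.1 is reachable only from the same host;
    connect to it locally and report the peer address accept() sees."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.create_connection(("127.0.0.1", port), timeout=2):
            conn, peer = srv.accept()
            conn.close()
            return peer[0]


def peer_allowed(peer_ip, allowed_net="192.168.7.0/24"):
    """The 'LAN only' rule the posters want is a check on the *peer* address
    (here, or in the firewall), never a property of the bind address."""
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(allowed_net)


if __name__ == "__main__":
    for a in ("0.0.0.0", "127.0.0.1", "192.168.7.0", "192.0.2.0"):
        print(f"bind {a:12} -> {try_bind(a)}")
    print("loopback peer seen by accept():", loopback_roundtrip())
    for p in ("192.168.7.42", "10.0.0.5", "203.0.113.9"):
        print(f"peer {p:14} allowed={peer_allowed(p)}")
```

Run on the Pi itself, the 192.168.7.0 line prints EADDRNOTAVAIL while the Pi's own address and 0.0.0.0 print ok, which is exactly the behaviour reported in the thread.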