Raspberry pi as a vpn router

WarHawk
Posts: 525
Joined: Thu Jul 20, 2017 7:55 am

Re: Raspberry pi as a vpn router

Post by WarHawk » Fri Sep 13, 2019 4:37 am

Just found this...maybe it will help

https://hackaday.io/project/2040-web-se ... everywhere

MichaIng
Site Admin
Posts: 1728
Joined: Sat Nov 18, 2017 5:21 pm

Re: Raspberry pi as a vpn router

Post by MichaIng » Fri Sep 13, 2019 5:33 pm

Generally the vulnerabilities are exactly the two software titles that you have installed: The WiFi hotspot and the VPN software.

The hotspot is implemented with hostapd, and supports WPA2 encryption by default. WPA2 is known to have some security leaks meanwhile, but it is still very widely used, e.g. by all common home routers. EAP has better security but requires a much more complicated setup (with host and user certificates and keys, so password is not sufficient to connect), e.g. used for the eduroam network and larger company networks and such.

The VPN is implemented either with OpenVPN or WireGuard. The first is very well known and probed, the second is a very new promising approach that allows much faster transfer rates and higher security etc, but it is new and did not yet reach official stable stage: https://www.wireguard.com/
In both cases, it is essential that you keep and transfer the private keys for server and client safe and secure. In case of OpenVPN this is true for the .ovpn file which contains the private key as well. This must never be readable by anyone other than the client software or the related user. If this is the case, then the software itself can be considered as secure (both, OpenVPN and WireGuard IMO).

Ensure that, as long as you only need to connect to the VPN remotely, only the related VPN port is forwarded to the RPi and no other port.

About logging, I am not 100% sure what is logged by default with hostapd, OpenVPN and WireGuard. But all persistent logs (stored on disk) can be found in /var/log. journalctl allows you to see all system logs, which includes user authentication and AFAIK some from those software titles as well, but the journal by default is not stored to disk but only held in RAM. It would be stored to disk automatically if you create the directory /var/log/journal.
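
The two checks described in the post above (key files readable only by their owner, and whether the journal is kept on disk) can be scripted. This is an added example, not part of the post and not DietPi's own code; the function names are hypothetical, and `/etc/openvpn` and `/etc/wireguard` in the usage comment are assumed locations for the key files.

```shell
#!/bin/sh
# Added example: audit helpers for VPN key permissions and journal persistence.
# Function names are hypothetical. Uses GNU find syntax (-perm /mode).
# Usage (assumed paths): find_loose_vpn_keys /etc/openvpn /etc/wireguard

# Print .ovpn/.key/.conf files that grant any permission to group or others.
# Returns 0 when every matching file is owner-only, 1 when any file is loose.
find_loose_vpn_keys() {
    loose=$(find "$@" -type f \
        \( -name '*.ovpn' -o -name '*.key' -o -name '*.conf' \) \
        -perm /077 2>/dev/null)
    if [ -z "$loose" ]; then
        return 0
    fi
    printf '%s\n' "$loose"
    return 1
}

# Restrict one key or profile file to read/write for its owner only.
lock_down() {
    chmod 600 "$1"
}

# The journal is written to disk only when this directory exists;
# otherwise it is held in RAM and lost on reboot.
journal_is_persistent() {
    [ -d "${1:-/var/log/journal}" ]
}
```
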

ghettopi
Posts: 37
Joined: Tue Jul 30, 2019 8:17 pm

Re: Raspberry pi as a vpn router

Post by ghettopi » Fri Sep 13, 2019 11:32 pm

All of your questions would:

1. Be better answered in your own thread, not in this one which is a completely different topic
2. Be better answered by an introductory video into computer security or netsec on YouTube

Short answer is:

Anything that you connect to the internet is vulnerable to being breached (hacked).

The only truly secure way to use your Diet-Pi is to keep it off the internet completely, and do not allow the device to be connected via WiFi. That is, make sure it's not possible for anyone to access it when connected to your network over WiFi (so don't use WiFi on the network the Diet-Pi is connected to). This means that someone would need physical access to the Diet-Pi to break into it.

Otherwise you should learn about subnets and network zones. You can put some network devices on a zone that's basically hidden and almost inaccessible from people outside your network.

As for logs. The Diet-Pi logs some basic things mostly for troubleshooting. However, passwords are stored encrypted except for in the main setup file, but if you were smart you would have changed the default password from dietpi to something else on the first setup.
