tuyop
Sep 15, 2006

Every second that we're not growing BASIL is a second wasted

Fun Shoe

PRADA SLUT posted:

I have 5-6 services running on a Synology NAS (ie, Calibre). If I want to access them from outside my network, what's the best way to do this? VPN?

yeah, a wireguard VPN or the synology vpn server.


Hadlock
Nov 9, 2004

Wireguard is going to be the long term global standard, but you might find more tutorials right now for how to integrate your services via OpenVPN. As far as I know there are no plans to make them interoperable but I haven't looked into it much.

PitViper
May 25, 2003

Welcome and thank you for shopping at Wal-Mart!
I love you!
I just run OpenVPN on my pfsense router, and use that to access everything on the LAN when I'm away. I might move to wireguard eventually, but for now it works just like I need it to.

BlankSystemDaemon
Mar 13, 2009



IPsec ESP with NAT-T and AES-GCM-256 with fallback to ChaCha20-Poly1305.

H110Hawk
Dec 28, 2006

BlankSystemDaemon posted:

IPsec ESP with NAT-T and AES-GCM-256 with fallback to ChaCha20-Poly1305.

Did you just tell me to go gently caress myself?

But seriously Wireguard is made to be idiot proof in its setup. Openvpn came around because ipsec is so hard to get right, and Wireguard is because openvpn can be a real pain as well. It's great.

Takes No Damage
Nov 20, 2004

The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents. We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far.


Grimey Drawer
Besides probably being easier to set up, is there any security benefit to using VPN for remote access versus an Nginx reverse proxy protected by a LetsEncrypt cert? I finally got all that going a while ago for an Ubooquity server on my NAS and being able to go to mydomain.duckdns.org and have it auto-forward me to HTTPS and use the auto-renewing LE cert is pretty sweet now that the initial Learning How To hump is over. At a certain point Nginx config files basically become programming code :techno:

tuyop
Sep 15, 2006

Every second that we're not growing BASIL is a second wasted

Fun Shoe

Takes No Damage posted:

Besides probably being easier to set up, is there any security benefit to using VPN for remote access versus an Nginx reverse proxy protected by a LetsEncrypt cert? I finally got all that going a while ago for an Ubooquity server on my NAS and being able to go to mydomain.duckdns.org and have it auto-forward me to HTTPS and use the auto-renewing LE cert is pretty sweet now that the initial Learning How To hump is over. At a certain point Nginx config files basically become programming code :techno:

Probably a stupid question, I only failed to set up a reverse proxy for a few hours one time. How is it protected from unauthorized access?

Paul MaudDib
May 3, 2006

TEAM NVIDIA:
FORUM POLICE

Takes No Damage posted:

Besides probably being easier to set up, is there any security benefit to using VPN for remote access versus an Nginx reverse proxy protected by a LetsEncrypt cert? I finally got all that going a while ago for an Ubooquity server on my NAS and being able to go to mydomain.duckdns.org and have it auto-forward me to HTTPS and use the auto-renewing LE cert is pretty sweet now that the initial Learning How To hump is over. At a certain point Nginx config files basically become programming code :techno:

with a reverse proxy you're putting all those services on the open net, which means you have to trust that none of them have an exploit ever.

with the VPN you only have the VPN as an attack surface, and it's a much smaller and more stable attack surface. attackers would have to get through the VPN before they could get to any other services.

(although if your vpn does have an exploit, without some further VLAN'ing or something, at that point they're basically inside your network - but odds are overwhelming they won't, whereas you're rolling the odds that none of your exposed services would ever have an exploit, there's a strong chance sooner or later at least one of them will.)

basically yes, VPNs are far stronger and far smaller an attack surface than putting a web service on the public internet

tuyop posted:

Probably a stupid question, I only failed to set up a reverse proxy for a few hours one time. How is it protected from unauthorized access?

you'd be protected by whatever username/password authentication is on the service. if there's an exploit that doesn't need authentication, or bypasses authentication, then you're boned.

Paul MaudDib fucked around with this message at 05:13 on Jun 7, 2021

H110Hawk
Dec 28, 2006

Takes No Damage posted:

Besides probably being easier to set up, is there any security benefit to using VPN for remote access versus an Nginx reverse proxy protected by a LetsEncrypt cert? I finally got all that going a while ago for an Ubooquity server on my NAS and being able to go to mydomain.duckdns.org and have it auto-forward me to HTTPS and use the auto-renewing LE cert is pretty sweet now that the initial Learning How To hump is over. At a certain point Nginx config files basically become programming code :techno:

A reverse proxy does not offer any protection over exposing the bare services to the internet. Standard TLS authentication like you are describing is authenticating the server to you, something your attacker doesn't care about and has disabled verification of. You could slap up a self-signed 512-bit RSA cert that's expired, uses a broken signature, and for the wrong common name, and your adversary wouldn't notice other than literally having library incompatibility issues. Same protection.

Now if you alternatively add *client*, alternatively known as mutual, authentication, now you're adding protection akin to a VPN. You issue your client computer a certificate signed by a private CA which your nginx proxy verifies. Fails? 403 Forbidden. Verifies? 200 OK. The problem is it's a pain in the butt compared to a VPN.

THF13
Sep 26, 2007

Keep an adversary in the dark about what you're capable of, and he has to assume the worst.
I use an nginx reverse proxy with basic auth to expose some services to the web. Basically you get a username/password prompt from nginx in your browser before you reach whatever service is behind it.

Reverse proxy means only 443/80 is exposed, so bots scanning IP:Ports only see an nginx server. It keeps your services from being indexed and added to shodan.io at least
I trust the authorization mechanisms of nginx more than whatever I'm exposing
Using the linuxserver/swag container (formerly linuxserver/letsencrypt) which includes fail2ban monitoring for basic auth logins.
That container is also nice because it handles renewing a letsencrypt cert, has most common security headers and things set up and their git page says when to update ssl, nginx, proxy, etc conf files.

I think the only thing I have exposed without basic auth is Emby just because it would break most apps.
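The fail2ban monitoring THF13 mentions boils down to counting rejected basic-auth attempts per client address in nginx's access log and acting once a threshold is crossed inside a time window. The script below is an added example of that detection logic, not code from the post, from fail2ban or from the linuxserver/swag container; the log lines are constructed in nginx's default "combined" format (addresses from the documentation ranges), and the `maxretry`/`findtime` parameter names are borrowed from fail2ban's vocabulary for readability only.

```python
"""Threshold detection of repeated HTTP basic-auth failures in nginx access
logs, in the spirit of fail2ban's auth filters. Added example; the sample
log lines are constructed and do not come from any real server."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_threshold_was_crossed} for every client that produced
    at least `maxretry` 401 responses inside a sliding window of `findtime`.

    nginx's auth_basic answers 401 when the Authorization header is missing or
    rejected, so 401s are the failures worth counting; lines are assumed to be
    in chronological order, as they are in a log file."""
    windows = defaultdict(deque)   # ip -> timestamps of recent 401s
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        recent = windows[rec["ip"]]
        recent.append(rec["time"])
        # drop failures that fell out of the window
        while recent and rec["time"] - recent[0] > findtime:
            recent.popleft()
        if len(recent) >= maxretry and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["time"]
    return flagged


# Constructed sample log: one client hammering the login, one legitimate user
# who mistypes twice and then succeeds, one slow client whose two failures are
# an hour apart, and one malformed line that must be skipped.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jun/2021:05:13:0%d +0000] "GET /ubooquity/ HTTP/1.1" 401 188 "-" "python-requests/2.25"' % i
    for i in range(1, 7)
] + [
    '198.51.100.2 - - [07/Jun/2021:05:14:00 +0000] "GET /ubooquity/ HTTP/1.1" 401 188 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [07/Jun/2021:05:14:05 +0000] "GET /ubooquity/ HTTP/1.1" 401 188 "-" "Mozilla/5.0"',
    '198.51.100.2 - alice [07/Jun/2021:05:14:20 +0000] "GET /ubooquity/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [07/Jun/2021:05:20:00 +0000] "GET / HTTP/1.1" 401 188 "-" "curl/7.68.0"',
    '192.0.2.9 - - [07/Jun/2021:06:30:00 +0000] "GET / HTTP/1.1" 401 188 "-" "curl/7.68.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for ip, when in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
```

With the defaults only 203.0.113.7 is reported; the user who mistypes twice and the client whose failures are an hour apart stay under the threshold, which is the same trade-off fail2ban's `maxretry` and `findtime` settings express.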

Hadlock
Nov 9, 2004

Using a reverse proxy is for running a public web server, that's it

Running a VPN is for everything else. Public web servers and VPN walled gardens should not live on the same privileged network.

Unless you're doing something like Google's Beyond Corp, but if you're asking this question that's not on your radar.

Paul MaudDib
May 3, 2006

TEAM NVIDIA:
FORUM POLICE
seriously op

Hadlock posted:

Using a reverse proxy is for running a public web server, that's it

edit:
don't do this

THF13 posted:

I use a nginx reverse proxy with basic auth to expose some services to the web. Basically you get a username/password prompt from nginx in your browser before you reach whatever service is behind it.

Reverse proxy means only 443/80 is exposed, so bots scanning IP:Ports only see an nginx server. It keeps your services from being indexed and added to shodan.io at least
I trust the authorization mechanisms of nginx more than whatever I'm exposing
Using the linuxserver/swag container (formerly linuxserver/letsencrypt) which includes fail2ban monitoring for basic auth logins.
That container is also nice because it handles renewing a letsencrypt cert, has most common security headers and things set up and their git page says when to update ssl, nginx, proxy, etc conf files.

I think the only thing I have exposed without basic auth is Emby just because it would break most apps.

BlankSystemDaemon
Mar 13, 2009



H110Hawk posted:

Did you just tell me to go gently caress myself?

But seriously Wireguard is made to be idiot proof in its setup. Openvpn came around because ipsec is so hard to get right, and Wireguard is because openvpn can be a real pain as well. It's great.
One of the things that makes Wireguard less attractive to me, is that there is as yet pretty poor support for it in various OS'.
To illustrate this, I have to describe how IPsec support works: With IPsec (which I admit isn't the simplest to configure, but it is learnable and if not there are solutions like algo), I can log into that without installing any third-party software, and more importantly, if I want other people to use it, they don't have to install something either. Instead, I can just send them a profile which their OS will know how to handle.
Further, each implementation is largely independent and made to a spec which has been through multiple iterations throughout an iterative process (the RFC process), rather than to the evolving code, documentation and thoughts of a single creator who we all hope doesn't intend to introduce breaking changes.

Now, you may rightly say, that this is something that WireGuard can get, and in principle I would agree - but Jason has unfortunately shown himself rather resistant to independent implementations, in three separate instances.
What happened with the NetBSD, OpenBSD, and FreeBSD differs in the details - but all three had enormous pushback from Jason and two out of three projects ended up getting abandoned by the original people involved and picked up to be finished by someone else.

Nitrousoxide
May 30, 2011

do not buy a oneplus phone



I do use a reverse proxy for nextcloud since its purpose is to be a google drive replacement, which means it needs to be able to share, and be accessed by, people outside of my network.

Keito
Jul 21, 2005

WHAT DO I CHOOSE ?

BlankSystemDaemon posted:

Now, you may rightly say, that this is something that WireGuard can get, and in principle I would agree - but Jason has unfortunately shown himself rather resistant to independent implementations, in three separate instances.
What happened with the NetBSD, OpenBSD, and FreeBSD differs in the details - but all three had enormous pushback from Jason and two out of three projects ended up getting abandoned by the original people involved and picked up to be finished by someone else.

I find it very interesting that you decide to blame Jason when it was Netgate's contractor pushing insecure, subpar code into FreeBSD that led to the whole shitstorm. Seems very insincere to me, but I guess pfSense must be defended at all costs as one of the last bastions of relevance for FreeBSD.

H110Hawk
Dec 28, 2006
Ipsec apologists/enthusiasts claim it's interoperable through sending a configuration, however the reality on the ground is that everyone and their brother implemented it slightly differently over the years. The only way to reliably "just send a profile" is if both ends of the tunnel are using the same devices, and even then it is a pain in the butt to troubleshoot. Algo helps with this certainly but ipsec's relevance is dwindling rapidly. Good riddance. It was a solution to a problem of the times. We now have much better options to actually get work done. They only support modern ciphers, methods, and have someone guarding quality zealously. (Right or wrong, I don't know enough, however I like that I can trust it for what I'm doing at an enterprise level.)

I cannot wait for the day it is merged out of mainline Linux in 2221 by cyborg Linus. :v:

KozmoNaut
Apr 23, 2008

Happiness is a warm
Turbo Plasma Rifle


There we go, that should keep everything reasonably cool.

H110Hawk
Dec 28, 2006

KozmoNaut posted:

There we go, that should keep everything reasonably cool.



Pro mounting.

KozmoNaut
Apr 23, 2008

Happiness is a warm
Turbo Plasma Rifle


Didn't even need to break out the duct tape :clint:

H110Hawk
Dec 28, 2006
I think my pro-est job was to wedge a fan between the new larger heat sink and an ISA (yes ISA) card above it. The corner of the card held it in snugly and only covered like 10% of the fan. The CPU went from burn-yourself-hot (its factory spec was a cpu-integrated heat sink and nothing else) to cold to the touch.

Daedalus1134
Sep 14, 2005

They see me rollin'


Hello storage thread,

I have 8 10TB drives sitting in a USB enclosure, set up as RAID 1, so 40TB usable, and about 80% full. While I don't plan on anything catching fire anytime soon, no one ever does. This is all long-term storage that isn't changing (20 years of digital photos) that I don't want to go up in flames if something bad happens. The people involved have another house, I was thinking of just grabbing another 4x10 drives, and leaving them in a safe place at the other location.

I was looking at Backblaze based on skimming through the thread, but the other issue is the network connection here is kind of worthless for upload (240 down, 10 up).
I could upload from my place with gigabit up, but it looks like that would require me bringing the computer over since Backblaze is tied to the device? It's not an impossible task, but I'm wondering if anyone has any other ideas I'm not thinking of. There are various services offering "lifetime" cloud storage that seem to pop on sale, but I have no idea if any of these are going to be around in 5 years.

BlankSystemDaemon
Mar 13, 2009



Keito posted:

I find it very interesting that you decide to blame Jason when it was Netgate's contractor pushing insecure, subpar code into FreeBSD that led to the whole shitstorm. Seems very insincere to me, but I guess pfSense must be defended at all costs as one of the last bastions of relevance for FreeBSD.
I have absolutely zero allegiance to any downstream consumer of FreeBSD (and not only have I been very public about preferring ipfw for over two decades, I've also made it quite plain in this very thread that I genuinely dislike appliance OS' like pfSense), so why would you automatically jump to the conclusion that I have anything at all to do with Netgate?

My critique of it was that there are some issues with the fact that the code is the specification, so it can change any time if he wants to.
NetBSD's implementation was an independent protocol implementation, not the ABIs or KBIs used for the Linux binaries - and in spite of this, Jason tried to have it reverted from NetBSD, so it seems like he thinks he owns everything to do with WireGuard?

Takes No Damage
Nov 20, 2004

The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents. We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far.


Grimey Drawer

tuyop posted:

Probably a stupid question, I only failed to set up a reverse proxy for a few hours one time. How is it protected from unauthorized access?

Well you see it's

Paul MaudDib posted:

you'd be protected by whatever username/password authentication is on the service. if there's an exploit that doesn't need authentication, or bypasses authentication, then you're boned.

ah, yes. In Ubooquity it's optional to define user accounts, so when I go to my URL I get a username/password input, and that's (I guess in this case the only thing) protected by the LetsEncrypt cert from being passed back and forth in the open. In my specific scenario I think it's probably still OK as Ubooquity is running in a jail with a read-only mount to my media, but I do agree with the counterarguments about <randomapp> very likely being less secure than almost any dedicated VPN software. At a minimum I'll look up the options for having authentication through Nginx itself, just for best practice if nothing else.

edit: OK this is actually easy, just use any hashing client to gin up an encrypted password (I used openssl since it was already installed), put it in a file and prepend the line with the desired username ( username:$apr1:$passwordhash ) and reference it in your nginx config with 'auth_basic' and 'auth_basic_user_file'. Now I have to log in twice with two different sets of credentials to read my mangas on the go :haibrow:

KozmoNaut posted:

Didn't even need to break out the duct tape :clint:

I was at my parent's house this weekend and one of their neighbors had 3 old Dells out on the curb for trash. They already took the RAM and drives but I did score some cheapy Core2 Duo CPUs and heat sinks, as well as a few case fans, one of which looks pretty similar to yours. I really need to remember to finger check my own LSI next time I'm over there. The NAS case is stuffed full of fans but I believe the LSI is still just passively cooled.

Daedalus1134 posted:

Hello storage thread,

I've asked similar questions in the past, and my understanding is that if you're looking to backup your entire NAS the only remotely economical/convenient way to do so is to just build another NAS of equal or greater size and send stuff over direct. Cheap cloud storage is going to be painfully slow when trying to move around terabytes of stuff, and any service faster than that becomes prohibitively expensive at those data sizes as well. What I've got out of the thread is that cloud backup is only a good idea if you can narrow down your backup footprint to a few TB of stuff you can't replace, your Plex movie library is :nono:

Takes No Damage fucked around with this message at 01:03 on Jun 8, 2021
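The password file Takes No Damage's edit describes (and the nginx basic auth THF13 uses) is a plain text file of `user:hash` lines, where the hash is the `$apr1$<salt>$<digest>` string that `openssl passwd -apr1` prints and that nginx's `auth_basic_user_file` directive reads. The script below is an added example, not code from the post or from nginx: it builds such an entry from the standard library alone and checks a login against it the way the server does, so the file format and the verification step can be seen end to end. The apr1 routine follows the public md5crypt construction with Apache's magic string; the function names and the constructed test credentials are this example's own.

```python
"""Build and verify htpasswd entries in the $apr1$ (Apache MD5) format used by
nginx's auth_basic_user_file. Added example; standard library only."""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, count):
    """md5crypt's custom base64: `count` chars, least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt):
    """Return '$apr1$<salt>$<22 chars>' for the password and an up-to-8-char salt."""
    pw = password.encode()
    salt = salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:              # mix in the alternate digest, 16 bytes per step
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)                    # the historic quirk: one byte per bit of len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):             # fixed 1000 rounds of stretching
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def htpasswd_line(user, password, salt=None):
    """One 'user:hash' line for auth_basic_user_file; the salt is random unless given."""
    if ":" in user:
        raise ValueError("username may not contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


def verify_login(htpasswd_text, user, password):
    """Check a username/password pair against the contents of an htpasswd file,
    recomputing the hash with the stored salt and comparing in constant time."""
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name != user:
            continue
        parts = stored.split("$")     # ['', 'apr1', salt, digest]
        if len(parts) != 4 or parts[1] != "apr1":
            return False              # other hash schemes are outside this example
        return hmac.compare_digest(apr1_hash(password, parts[2]), stored)
    return False


if __name__ == "__main__":
    # constructed credentials, not real ones
    entry = htpasswd_line("reader", "correct horse battery staple")
    print(entry)
    print(verify_login(entry, "reader", "correct horse battery staple"))
```

The file's only secret-protecting property is the slow, salted hash, so the file itself still needs restrictive permissions, and, as the posts above stress, the credentials only stay private on the wire because the proxy terminates TLS in front of the prompt.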

El Mero Mero
Oct 13, 2001

Takes No Damage posted:


I've asked similar questions in the past, and my understanding is that if you're looking to backup your entire NAS the only remotely economical/convenient way to do so is to just build another NAS of equal or greater size and send stuff over direct. Cheap cloud storage is going to be painfully slow when trying to move around terabytes of stuff, and any service faster than that becomes prohibitively expensive at those data sizes as well. What I've got out of the thread is that cloud backup is only a good idea if you can narrow down your backup footprint to a few TB of stuff you can't replace, your Plex movie library is :nono:

I mean there's gsuite business accounts that have unlimited cloud storage for like $10 a month. There are people running petabyte size Plex shares off of that poo poo.

I wouldn't treat it as a stable or permanent place to leave anything, but if you're just moving bits it would do well. You can even use rclone to move it over.

E: google says on the box that their gsuite business accounts require 5+ users and have 1tb space limits, but they don't actually enforce this and people have run with it.

El Mero Mero fucked around with this message at 04:45 on Jun 8, 2021

KozmoNaut
Apr 23, 2008

Happiness is a warm
Turbo Plasma Rifle


Takes No Damage posted:


I was at my parent's house this weekend and one of their neighbors had 3 old Dells out on the curb for trash. They already took the RAM and drives but I did score some cheapy Core2 Duo CPUs and heat sinks, as well as a few case fans, one of which looks pretty similar to yours. I really need to remember to finger check my own LSI next time I'm over there. The NAS case is stuffed full of fans but I believe the LSI is still just passively cooled.

It's a tiny little 40mm Noctua fan, I would be surprised if Dell used something so tiny as a case fan. It really doesn't move the amount of air required for that. But then again, Dell :v:

It's small and quiet, and I run it on a splitter with the rear case fan, controlled by the MB temperature sensor. It doesn't matter that much exactly how fast it spins, as long as it moves a little bit of air over the SATA controller.

As someone who's been building and tinkering with PCs for a long time, and gone through the whole spectrum of PC fans, from trying to keep overclocked Athlons and Celerons reasonably cool with salvaged PSU fans, over Delta, Papst, Sunon, case manufacturers' mediocre own-brand fans, I barely even look at anything other than Noctua and BeQuiet! these days. They're just so drat good.

And this cute little 40mm fan came with rubber mounts, a low noise adapter, extension and adapter cables, and even a little kit with plugs and 3M Scotchlok connectors, to adapt it to proprietary plugs in non-PC devices. It feels well thought out, and I appreciate that.

KozmoNaut fucked around with this message at 07:40 on Jun 8, 2021

Takes No Damage
Nov 20, 2004

The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents. We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far.


Grimey Drawer

El Mero Mero posted:

E: google says on the box that their gsuite business accounts require 5+ users and have 1tb space limits, but they don't actually enforce this and people have run with it.

That's one thing I have heard of, spoofing 5 Google accounts to get their 'bulk rate' service. Depending on what you're doing, 5x Google service fees can still be cheaper than the next alternative:

https://www.youtube.com/watch?v=y2F0wjoKEhg

KozmoNaut posted:

It's a tiny little 40mm Noctua fan, I would be surprised if Dell used something so tiny as a case fan. It really doesn't move the amount of air required for that. But then again, Dell :v:

The little fan wasn't one for the case, I think. Each case was a different proprietary format with weird hinges and different parts swinging around, good for keeping things compact but loses a lot of compatibility with aftermarket parts. But if my LSI is running :kimchi: then tying a dinky little fan that moves any amount of air would probably take care of things, my NAS doesn't see that much sustained traffic anyway.

Hadlock
Nov 9, 2004

If I never see that guy's face again, I'll be a happy man

sharkytm
Oct 9, 2003

Ba

By

Sharkytm doot doo do doot do doo


Fallen Rib

Hadlock posted:

If I never see that guy's face again, I'll be a happy man

Or hear his voice.

priznat
Jul 7, 2009

Let's get drunk and kiss each other all night.
Oh don't worry you will always have a friend or relative who watches his stuff and thinks he's a genius and is really keen to tell you about it.

El Mero Mero
Oct 13, 2001

Takes No Damage posted:

That's one thing I have heard of, spoofing 5 Google accounts to get their 'bulk rate' service. Depending on what you're doing, 5x Google service fees can still be cheaper than the next alternative:

https://www.youtube.com/watch?v=y2F0wjoKEhg


Yeah I don't want to click on that dude's face, but they don't even enforce the 5+ user fee requirement. You can literally do just the one user account under gsuite and run up the storage past the 1tb limit without consequence (at the moment and for the past few years.)

H110Hawk
Dec 28, 2006

El Mero Mero posted:

Yeah I don't want to click on that dude's face, but they don't even enforce the 5+ user fee requirement. You can literally do just the one user account under gsuite and run up the storage past the 1tb limit without consequence (at the moment and for the past few years.)

They've been sending emails about enforcement of that recently, maybe just for the more egregious users? I feel like I saw one recently*.

* Time has no meaning this could be years ago now.

Inept
Jul 8, 2003

H110Hawk posted:

They've been sending emails about enforcement of that recently, maybe just for the more egregious users? I feel like I saw one recently*.

* Time has no meaning this could be years ago now.

They're sunsetting unlimited storage for schools/higher ed and demanding more money now, so I wouldn't be surprised.

BlankSystemDaemon
Mar 13, 2009



You mean to tell me that something that seemed too good to be true turns out to be just that? :thunk:

Smashing Link
Jul 8, 2003

I'll keep chucking bombs at you til you fall off that ledge!
Grimey Drawer
Gsuite is a good value but it's only the 1 in my 3-2-1 strategy and can be replaced.

BobHoward
Feb 13, 2012

The only thing white people deserve is a bullet to their empty skull

BlankSystemDaemon posted:

I have absolutely zero allegiance to any downstream consumer of FreeBSD (and not only have I been very public about preferring ipfw for over two decades, I've also made it quite plain in this very thread that I genuinely dislike appliance OS' like pfSense), so why would you automatically jump to the conclusion that I have anything at all to do with Netgate?

My critique of it was that there are some issues with the fact that the code is the specification, so it can change any time if he wants to.
NetBSD's implementation was an independent protocol implementation, not the ABIs or KBIs used for the Linux binaries - and in spite of this, Jason tried to have it reverted from NetBSD, so it seems like he thinks he owns everything to do with WireGuard?

Can't speak for the other guy, but personally when I read your OP I also thought you were leaping in to defend the honor of *BSD against evil outsiders because you love BSD more than life itself. That's kind of your thing.

It seemed likely to be your response since the WG debacle did expose some pretty uncomfortable (for a *BSD zealot) problems with FreeBSD project governance. Namely, anyone with a commit bit can push rancid garbage right into the kernel and get it into production with little review.

As for Jason, it seems more like he's trying to fight hard to make sure that all implementations of WireGuard meet his standards, and he's nerd-clumsy about how he offers criticism. But he also volunteers to do a poo poo-ton of work on the code personally, and doesn't seem inherently toxic, just zealous about his baby. Like in this case, if you read the thread, he had the mistaken impression that the code being in git HEAD meant it was close to release, hence his overreaction of "OMG YOU SHOULD REVERT THIS", but actually in that project HEAD is dev, they branch off it to make release forks, and nobody on the project thought HEAD was ready for that any time soon.

I don't think it's true that the code is the specification. After all, he's documented the protocol well enough for people to independently reimplement endpoints that generate well formed WG traffic, as in this case. It's that Jason thinks it's Really Important that WG endpoints are internally architected The Right Way, not just that they conform to the wire protocol.

Which is appropriate for things like VPN. Your instinct that anyone should be able to just mechanically follow the spec and make a good implementation is wrong; secure cryptosystems are hard that way.

HalloKitty
Sep 30, 2005

Adjust the bass and let the Alpine blast

H110Hawk posted:

It bugs me that consumer stuff is still upside down. Flipping it over would help so much.

Blame whoever thought it was a good idea to flip PCI slots so boards could be loaded with both ISA (cool and correct way up) and PCI but have them overlap each other, so you could use either one and occupy the same external slot.

Although to be fair, that kind of made sense, it allowed more flexibility. But why the hell was the incorrect orientation kept for PCIe? That makes no sense

BlankSystemDaemon
Mar 13, 2009



BobHoward posted:

Can't speak for the other guy, but personally when I read your OP I also thought you were leaping in to defend the honor of *BSD against evil outsiders because you love BSD more than life itself. That's kind of your thing.

It seemed likely to be your response since the WG debacle did expose some pretty uncomfortable (for a *BSD zealot) problems with FreeBSD project governance. Namely, anyone with a commit bit can push rancid garbage right into the kernel and get it into production with little review.

As for Jason, it seems more like he's trying to fight hard to make sure that all implementations of WireGuard meet his standards, and he's nerd-clumsy about how he offers criticism. But he also volunteers to do a poo poo-ton of work on the code personally, and doesn't seem inherently toxic, just zealous about his baby. Like in this case, if you read the thread, he had the mistaken impression that the code being in git HEAD meant it was close to release, hence his overreaction of "OMG YOU SHOULD REVERT THIS", but actually in that project HEAD is dev, they branch off it to make release forks, and nobody on the project thought HEAD was ready for that any time soon.

I don't think it's true that the code is the specification. After all, he's documented the protocol well enough for people to independently reimplement endpoints that generate well formed WG traffic, as in this case. It's that Jason thinks it's Really Important that WG endpoints are internally architected The Right Way, not just that they conform to the wire protocol.

Which is appropriate for things like VPN. Your instinct that anyone should be able to just mechanically follow the spec and make a good implementation is wrong; secure cryptosystems are hard that way.
Do you just stalk me around every single thread to vaguely insult me?

brains
May 12, 2004

BlankSystemDaemon posted:

Do you just stalk me around every single thread to vaguely insult me?

turn on your monitor ?

BlankSystemDaemon
Mar 13, 2009



brains posted:

turn on your monitor ?
:chast2b:


BobHoward
Feb 13, 2012

The only thing white people deserve is a bullet to their empty skull

BlankSystemDaemon posted:

Do you just stalk me around every single thread to vaguely insult me?

no, I read the threads that I read, apparently we have some overlap, and sometimes you make goofy posts that are fun to dunk on a bit

Also I would like to clarify that this:

"Your instinct that anyone should be able to just mechanically follow the spec and make a good implementation is wrong; secure cryptosystems are hard that way."

was carelessly phrased on my part because now that I reread it, it does sound insulting, and that actually isn't what I intended. Your instinct is a perfectly good one most of the time, but in-kernel cryptography linked up to a deliberately layer-violating chunk of in-kernel network code is an exception to the rule. (tbh, everything done in-kernel deserves intense scrutiny)
