It’s a TP-Link AX5400. It doesn’t have IKEv2. According to that article, PPTP is no longer totally secure (maybe the NSA can get in) and L2TP/IPsec is slower. But those concerns sound overblown to me. I try to avoid anything that requires creating an account somewhere and/or installing an app, so the built-in VPNs appeal to me.
The article says that L2TP/IPsec might be blocked by some firewalls, and that concerns me. I might need to access my VPN in a public place like a restaurant or hotel where the wifi might be years out of date.
For what it’s worth, I do L2TP back to my home router from my phone, and I leave the VPN on, on my phone, 100% of the time. I have not experienced any blocking event.
Well it turns out the built-in Android VPN clients aren’t an option, and neither is the OpenVPN Android app. They all require a lock screen with a PIN and that is, for me, a total and absolute non-starter.
Looks like I just wasted a lot of time on VPNs. Is there ANY other reasonably secure alternative to Nabu Casa?
My router is running a StrongSwan VPN service.
StrongSwan is open source, based on Linux.
You could go with a StrongSwan service behind your router.
It still requires an app, but it’s also open source and provides features like app selection.
You might actually be able to find an image for a StrongSwan server and use that, but make sure that it is from a reliable source.
It seems every VPN client app requires a lock screen on the phone.
For now, I’ve set up port forwarding and I’m using TP-Link’s dynamic DNS which is built into my router. That works fine and I don’t need Duck DNS. I’d like to add SSL but that doesn’t seem dead simple. I’ve cancelled Nabu Casa for now - maybe I’ll try it again someday.
I understand at least some of the risk of port forwarding - what can I do to reduce it?
SSL secures part of your communication, especially the login parts.
Without SSL it can be easily read, if the network is open to this.
Typical WiFi networks would be open to this sort of sniffing, so avoid public WiFi networks in cafés, airports and the like, until you have SSL set up.
If you have port-forwarded port 8123, then you are already using a non-custom port.
It does not give much security, but some of the scanner scripts might miss that port, since they only check typical HTTP ports, like 80, 1080 and 8080.
If you can, then you might be able to limit the access a bit by using some of the restrictions in the router, like only allowing access to the port-forwarded port from certain IP addresses, like the range for your mobile service provider, or MAC addresses, like the MAC address of your phone. But this depends on the network setup, since NAT can prevent this, especially Carrier-Grade NAT at your ISP.
You also need to make sure that you have a tight control of all usernames and passwords for HA and have configured your own credentials for all addons and integrations where possible.
A reverse proxy with page control might be a good way to limit access to integrations and addons, but can be a bit tricky to set up too.
And of course have long and “gibberish” passwords, so dictionary attacks are prevented.
At least, even though you click “keep me logged in”, make sure you have a “very” strong password (long, with capitals, lowercase, numbers, and “special characters” if supported). As the “port forwarding” goes direct to your HA device, use that device only for HA and other simple tasks; have another device (laptop) for “household” tasks like mail/bank etc. (also with a strong password, and if Windows, a 6-digit PIN code login).
PS: if you are curious you could set up a “sniffer” on your HA device’s IP number, though most “unwanted” incoming traffic would be from “harmless” crawlers like e.g. Google, and you’ll notice traffic from China, Czech Republic (most likely spoofed Russian) … “curious” crawlers, who “initially” don’t know your login (name/password), and they don’t even try to look for other open ports etc. I.e. it’s search engines, though China tends to use whatever info they “initially” discover to “block” the domain name/IP for Chinese citizens; I’m sure RU has increased this “behavior” lately.
Yeah, it would be interesting to see all that port scanning activity directed at my forwarded port (and yes, I chose an odd port number and a strong password). I’ll get around to adding SSL at some point.
My HA is on an RPi which isn’t doing anything else. I have the perhaps-naïve belief that “Home Assistant OS” is at least something of a sandbox, hard to get out of.
Obviously a VPN would have been better, and I’m really annoyed that all the Android clients did a corporate suck-up by demanding the users have lock screens. That’s none of their business. Ironic that a system calling itself “Open” VPN won’t allow users to make their own decision on how to manage their phones.
I think it depends on which “Integrations/Add-Ons” you have, and as with any “webserver/app” they have to pass through “web-root first”, so your HA login/username is essential here (don’t use “jimh12345”); it’s too “exposed” in Google already.
Most likely a good “recommendation” and a “cover for their own brand” to minimize the risk of being sued, due to people claiming it’s not secured, which it per definition is NOT, if anyone can use your password-free phone.
Seems like the thing to do would be to restrict access to the forwarded port via an IP whitelist. I’m surprised my router doesn’t seem to have any such capability. It has ACLs for devices on the LAN.
In general, how does one restrict outside accesses at router level, by IP?
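As an added illustration of the source-IP restriction suggested earlier in the thread (limit the port-forwarded HA port to your mobile carrier’s range) and of the question just asked about doing that at router level: the script below is example code written for this edit, not anything posted in the thread or shipped by Home Assistant or TP-Link. It evaluates a handful of constructed inbound connection attempts against a CIDR allowlist and renders the equivalent nftables rules for a Linux router. The allowlist ranges are documentation addresses standing in for a real carrier range (which you would have to look up from the carrier’s WHOIS allocation), and the WAN interface name is an assumption.

```python
"""Source-IP allowlist for a port-forwarded Home Assistant port.

Added example, not part of the original thread. Ranges, interface name
and sample traffic are all constructed for illustration.
"""
import ipaddress

HA_PORT = 8123  # the port forwarded to the HA device in the thread

# Hypothetical allowlist. 203.0.113.0/24 (TEST-NET-3) stands in for a mobile
# carrier's allocation; 198.51.100.7 (TEST-NET-2) for one fixed address.
ALLOWED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed sample of inbound SYNs as a router firewall might log them:
# (source address, destination port)
SAMPLE_ATTEMPTS = [
    ("203.0.113.45", 8123),   # inside the carrier range -> accept
    ("198.51.100.7", 8123),   # allowlisted single host  -> accept
    ("192.0.2.10", 8123),     # scanner from elsewhere   -> drop
    ("203.0.113.45", 22),     # allowed source, wrong port -> drop
    ("2001:db8::1", 8123),    # IPv6 source, no v6 allowlist -> drop
]


def is_allowed(src, dport, nets=ALLOWED_NETS, port=HA_PORT):
    """True only for the forwarded port from an allowlisted source.

    ipaddress never matches a v6 address against a v4 network (or vice
    versa), so an unlisted address family is denied by default.
    """
    if dport != port:
        return False
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def evaluate(attempts, nets=ALLOWED_NETS, port=HA_PORT):
    """Label each (src, dport) attempt 'accept' or 'drop'."""
    return [
        (src, dport, "accept" if is_allowed(src, dport, nets, port) else "drop")
        for src, dport in attempts
    ]


def nft_rules(nets=ALLOWED_NETS, port=HA_PORT, wan="wan0"):
    """Render nftables rules implementing the same policy on a Linux router.

    Placed on the forward hook, which is where DNAT'd (port-forwarded) traffic
    passes. Note: after DNAT the chain sees the *internal* port, so if the
    router forwards an odd external port to 8123, match 8123 here. The WAN
    interface name is an assumption; check it with `ip link` on the router.
    """
    v4 = ", ".join(str(n) for n in nets if n.version == 4)
    v6 = ", ".join(str(n) for n in nets if n.version == 6)
    lines = [
        "table inet ha_fwd {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    if v4:
        lines.append(f'    iifname "{wan}" ip saddr {{ {v4} }} tcp dport {port} accept')
    if v6:
        lines.append(f'    iifname "{wan}" ip6 saddr {{ {v6} }} tcp dport {port} accept')
    # Everything else arriving from the WAN for that port is dropped, while
    # unrelated forwarded traffic (LAN clients going out) is untouched.
    lines.append(f'    iifname "{wan}" tcp dport {port} drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, dport, verdict in evaluate(SAMPLE_ATTEMPTS):
        print(f"{src:>16} -> :{dport}  {verdict}")
    print()
    print(nft_rules())
```

The practical caveat from the earlier post still applies: a carrier range is coarse (every customer of that carrier is inside it), and a phone behind Carrier-Grade NAT may appear from addresses outside the block you looked up, so verify what public address the phone actually presents (for example by hitting the HA log with and without the rule) before relying on the allowlist.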
Am curious - what kind of lock screen we are talking about? System lock screen? Or some lock screen from the VPN client? Or, are VPN clients enforcing system lock screen? What’s on the lock screen exactly?
And when the lock screen would popup? Is it something that would pop up in your face like every one hour?
Trying to understand why those lock screens are such a big problem, and what they are about.
I mean, I use VPN that is built-in as part of the Android OS, but can’t say I recall there is any lock screen step required. Is something else going on?
Programs can require a certain level of security on a device, and a VPN client would typically do that by default, but I wonder if it cannot be configured to accept another security level.