I got hacked

For more than 5 years they’ve been saying to turn off UPnP. Not just tech sites; even local news has stories about turning off UPnP.

If UPnP is on they have two problems.
First is that UPnP is on.
Second is that any router with UPnP on probably has a big exploit.

Too late to secure the network; need to just burn it down and start from scratch.


It’s not Home Assistant’s responsibility, but what about a check when HA installs to see if UPnP is enabled and tell the user to disable it? Just an idea.

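The “is UPnP on?” check suggested above, as an added example that is not Home Assistant’s code and not from the thread: it sends one SSDP M-SEARCH for an Internet Gateway Device (the UPnP profile routers use for port mapping) and reports any router that answers, which means UPnP is enabled and should be switched off in the router’s admin UI. The timeout and buffer size are assumptions; on a network with UPnP disabled the probe simply returns an empty list.

```python
# Added example (not Home Assistant code): the "is UPnP on?" check suggested
# above. Sends one SSDP M-SEARCH for an Internet Gateway Device and reports any
# router that answers; timeout and buffer size are assumptions.
import socket

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def build_msearch(target: str = IGD_TARGET, mx: int = 2) -> bytes:
    """SSDP discovery request: HTTP-over-UDP sent to the multicast group."""
    req = (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
           f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {target}\r\n\r\n')
    return req.encode("ascii")

def parse_ssdp_response(data: bytes) -> dict:
    """Parse an SSDP '200 OK' reply into a dict of lowercase header names."""
    head = data.decode("utf-8", errors="replace").partition("\r\n\r\n")[0]
    status, *lines = head.split("\r\n")
    headers = {"_status": status.strip()}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines instead of crashing on them
            headers[name.strip().lower()] = value.strip()
    return headers

def is_igd(headers: dict) -> bool:
    """True when the reply is a 200 from an Internet Gateway Device with a LOCATION."""
    return (headers.get("_status", "").startswith("HTTP/1.1 200")
            and "InternetGatewayDevice" in headers.get("st", "")
            and "location" in headers)

def discover_igd(timeout: float = 3.0) -> list:
    """Return (source IP, LOCATION URL) for every router that answers the probe."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:  # collect replies until the socket times out
                data, addr = sock.recvfrom(65507)
                hdrs = parse_ssdp_response(data)
                if is_igd(hdrs):
                    found.append((addr[0], hdrs["location"]))
        except socket.timeout:
            pass
    return found

if __name__ == "__main__":
    for ip, loc in discover_igd():
        print(f"UPnP gateway at {ip} ({loc}): disable UPnP in the router's admin UI")
```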

It sounds super complicated, in a good way, so I’d like a guide.
Whether I will be able to follow and implement it is another thing!

I’ve come across that too. I remember almost using it for some simple, err, syncing between PCs and NAS drives here. I think I used another solution (I think it was FreeFileSync) but I will look again at Syncthing.

It will take me some time but I’ll put together an end to end guide with some networking explanations.

What category in this forum should it go under?

Run a VPN as well, for the secure browsing reason. Occasionally I will use WiFi out and about instead of LTE; I run the OpenVPN client program on my phone, which will automatically start the tunnel if it sees a WiFi name that isn’t whitelisted. When WiFi goes down, the tunnel is torn down.


This would make your experience a little less seamless, but have you considered making the VPN 2FA? With Google Authenticator - it would add time to your ‘get connected time’, I might be a bit paranoid, but say I lost my phone, someone could get on my VPN if I didn’t use something like 2FA (something I have + something I know)

Unfortunately I probably wouldn’t use it; like before, I never used WiFi and just used LTE since it was easier. I guess it would solve the case where I lost my phone while unlocked. I have other ways to revoke the one device key or just turn off the VPN altogether.


I just had a look at this again and it is not clear to me how I would use it with hassio as every device needs to have it installed. I don’t want to divert this thread so unless the answer is trivial I am happy to let it hang for now and maybe I’ll raise a new post for it.

BUT:

The Syncthing website front page says:

“Syncthing doesn’t need IP addresses or advanced configuration: it just works…UPnP will do [my italics] if you don’t want to port forward or you don’t know how”

And there is the problem with network security. It’s so complex. Most on here talk about UPnP as though it is the spawn of the devil and yet Syncthing promotes it as a valid protocol.

UPnP = 66n6

Not sure if it has a practical purpose anymore, or even when it was first created, really. It is like a 5yr old child acting as security for a bank vault.

It’s worth noting that my router is a Cisco, that for the avoidance of doubt is a “We make the Internet work” Cisco router, and UPnP is on by default. It’s the stupid default in the Samba plugin that’s the real problem here. Whilst VPN tunnels and 2FA are a great idea (I use 2FA on all my business stuff every day), I don’t want that getting in the way of my family using the iPhone app, which should be fully trusted by HA, but the more I look at it, the more it looks like an HTML app. There should be a trust mechanism though, so that only authorised apps can access directly, and then require 2FA on the web interface.

What model# is the router?

Only the devices you want to sync with need it installed.

But the benefits?

  • You have multiple points of backup of your config.
  • Built in version control on every device you have connected to it.
  • You don’t need to expose it or allow it to use UPnP, and you do not need to forward any ports.
  • You edit your files LOCALLY on your device (desktop/laptop/etc) and not over SMB, and don’t even have to be on the same network to edit, if you wanted to make some changes while out travelling.

You can easily turn this off with a tick of a box.

Syncthing uses it in a VERY different way than what others are talking about here. In order to add a device to Syncthing, you are required to have a ‘device id’, and both ‘sides’ have to agree to the device addition.

Yes, but how does one get Syncthing on the Pi running hassio?
(I’m happy to take this elsewhere if it is diverging too much from the original topic.)

The 2FA etc. is only when accessing remotely via OpenVPN. Locally it just works like you’re on the LAN.

How much stuff do you do remotely? Or off-site

It was an add-on in hassio when I tried it last year.

Ah, ok.
But I just looked and I can’t see it on the official list of add-ons or the community add-ons.

It must have been pulled. Which is a shame.
Thanks anyway.

I’m pretty sure you can add repos

Yes, but how would you find out which one to add??

I love that you use 2FA and VPN; I personally use them together too, but not to access HA. It seems like the “hassle” kills the user experience.
This is what I’ve settled for:

  • Access something via VPN, e.g. VNC, SSH and other services (OpenVPN 2FA + fail2ban)
  • Access SSH externally (SSH 2FA + fail2ban + private key w. long passphrase, disabled password)
  • Access a webapp externally (reverse proxy + 2FA + the app’s login + fail2ban)
  • Access something via LAN: no VPN or 2FA.

This provides, for me, a level where I can use my services comfortably but securely. A couple of users have contacted me regarding setting up 2FA; you’re more than welcome to set up a guide that I can point at.
