Note: please move this thread to a different subforum if more appropriate.
Here’s a straightforward Home Assistant setup:
   ============
   | Internet |
   ============
        |
        |
|-------------|            |-------------------|
| OpenWRT on  |  Ethernet  | Home Assistant on |
| home router |------------| RasPi/SBC/MiniPC  |
|-------------|            |-------------------|
       :
       : WiFi
       :
|-------------------------|
| Misc. home WiFi devices |
|-------------------------|
In such a setup, an owner wanting secure remote access could run a Wireguard server on the router - or instead on the RasPi/SBC/MiniPC. But which of those two options is best?
I’m trying to puzzle that out. Here are some tentative pros/cons of each approach, albeit dependent on the specific hardware involved:
| Criterion | OpenWRT on home router | HA on RasPi/SBC/MiniPC |
|---|---|---|
| Low vulnerability to networked branch prediction attacks (NetSpectre, etc) | Y | N |
| Built-in hardware random number generator (HRNG) | N | Y |
| Flexibility to route VLANs via Wireguard | Y | N |
| Unlikely to impact network speed | N | Y |
Am I correct? What am I missing? What do you think are the pros/cons of each approach?
I guess the comments I have are based on the intent. And there are more options too.
Intent = most secure
This totally depends on the vulnerabilities in the router and the hardware behind the router. This can change daily/hourly or any interval.
Intent = ease of use
Not sure anyone has this answer. It depends on the individual user’s abilities.
As far as other options, I recently went from ESXi to Proxmox for my HA install. In playing with that, I also setup Wireguard in its own Proxmox LXC.
I also run Nginx Proxy Manager and Ad Guard Home in separate LXCs. I moved my DHCP from the router to my Ad Guard Home.
I left out a couple of intents above. There are also ‘fun’ and ‘learning’.
Am I more or less secure with this setup? I am thinking more secure. My thinking is: if I move things off of my router, and my router has zero-day hacks that are used by a bad actor, then they ONLY get into my router and need to identify the other hacks needed to get into my other systems.
Am I delusional? Maybe. Am I also fighting against a script kiddie that is going off of a fun or learning intent and just helping them? Maybe.
Did I install my LXCs using the tteck’s scripts? Did I use the defaults? Or did I build them manually? Did I use other base linux distros? Which is better?
WG is only used for ME to access my LAN from outside.
Remote HA in my setup is done using the NC service. I do use webrtc to pass video from Blue Iris to HA that can be accessed from outside and do not open any ports for BI.
I do have another test WG setup going outside that I have not integrated into anything else. Testing is still in progress.
I did not have WG previous to these recent changes. I used OpenVPN on the router to access my LAN from outside. I changed to WG while ‘remaking’ all of this. I get that WG is faster than OV, probably due to the smaller MAX key size (which bothers me). I may switch to OV. Not sure yet.
The move from OV on the router to WG on Proxmox does not seem to have changed anything for my usage in any way.
I think I hit all of your questions. Please reply if I missed anything.
I did miss adding that what I have done also has the possible issue of the bad actor getting through my router into Proxmox and all Proxmox systems being at risk. No idea yet.
Thanks again for your replies. Good for stimulating my grey cells in this area!
If anyone else reading this wants to chime in, that would be great too, to learn how other HA users solve the problem.
Doesn’t having both Nabu Casa and Wireguard increase your attack surface? Two points of entry instead of just one? If either is compromised, the attacker gets past your firewall.
Is your concern about post-quantum vulnerabilities of small asymmetric keys? Would enabling WG’s symmetric pre-shared key option alleviate your key-size concern?
Jason Donenfeld, WG’s founder, discussed that in 2021 - though he was wary of committing to a PQ solution, especially before the NIST PQCrypto standardisation competition ended in Aug 2024. Judging by this Reddit thread, I’m not the only person trying to figure out if WG has decided on a long-term PQ approach since August, or if WG intends to leave this to third-party extensions.
Yes, if an attacker e.g. escapes one of your LXCs as root, they can access and tamper with your other containers (DNS, HA, etc), your Proxmox host, and your LAN.
Maybe put HA, WG, and other externally-accessible servers on a separate box in a DMZ?
Rosenpass seems to be the best 3rd-party PQ Wireguard at the moment.
However:
It relies on liboqs, so only supports x86_64 and ARM architectures. That rules out any OpenWRT routers that use other architectures.
It has no official packages for mobile platforms. Jetbird, a FOSS Netbird mesh-VPN Android client, does support it, though. So will the official FOSS iOS Netbird client if this bug gets fixed.
So, stock WG with symmetric PSK is probably as good as it gets right now for users needing bug-free WG on: other OpenWRT archs; iOS; or Android without Netbird.
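To make the "symmetric PSK as a post-quantum hedge" point above concrete, here is an added example (not code from this thread, and not WireGuard's own implementation). It reproduces only WireGuard's HMAC-BLAKE2s key-derivation chain (Kdf1/Kdf2/Kdf3 from the whitepaper) and the order in which the four ECDH results and the PSK are folded into the chaining key; the handshake transcript hash, static-key encryption and timestamps of the full Noise_IKpsk2 handshake are left out. The four Diffie-Hellman outputs are constructed random bytes standing in for real Curve25519 results, and the "attacker" is modelled as someone who has recovered every ECDH output (what a large quantum computer could do from the captured public keys) but not the PSK. The `quantum_attacker_recovers_keys` helper and its scenario are this example's own constructs.

```python
"""
Toy model of how WireGuard mixes the optional PresharedKey into its handshake
key derivation. Added example; the ECDH outputs below are CONSTRUCTED random
bytes standing in for real Curve25519 results.
"""
import hashlib
import hmac
import os


def _hmac(key, msg):
    # WireGuard's Hmac() is HMAC keyed with BLAKE2s, 32-byte output.
    return hmac.new(key, msg, hashlib.blake2s).digest()


def kdf(key, inp, n):
    """Kdf_n from the WireGuard whitepaper (HKDF-style expansion):
    tau0 = Hmac(key, inp); tau_i = Hmac(tau0, tau_{i-1} || i)."""
    tau0 = _hmac(key, inp)
    out, prev = [], b""
    for i in range(1, n + 1):
        prev = _hmac(tau0, prev + bytes([i]))
        out.append(prev)
    return out


# When no PresharedKey is configured, WireGuard uses 32 zero bytes here, so the
# PSK mixing step still runs but adds no secret material.
ZERO_PSK = bytes(32)
CONSTRUCTION = b"Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"


def derive_transport_keys(dh_es, dh_ss, dh_ee, dh_se, psk):
    """Fold the four ECDH results and the PSK into the chaining key in the
    order WireGuard uses, then derive (T_send, T_recv) for the initiator.
    Kdf2 steps also yield a handshake-payload key kappa, dropped here."""
    c = hashlib.blake2s(CONSTRUCTION).digest()   # initial chaining key
    c, _kappa = kdf(c, dh_es, 2)                 # DH(ephemeral_i, static_r)
    c, _kappa = kdf(c, dh_ss, 2)                 # DH(static_i, static_r)
    (c,) = kdf(c, dh_ee, 1)                      # DH(ephemeral_r, ephemeral_i)
    (c,) = kdf(c, dh_se, 1)                      # DH(ephemeral_r, static_i)
    c, _tau, _kappa = kdf(c, psk, 3)             # PSK mixed in last
    t_send, t_recv = kdf(c, b"", 2)              # transport data keys
    return t_send, t_recv


def quantum_attacker_recovers_keys(psk_configured):
    """Scenario (constructed): the attacker knows every ECDH output but only
    the default all-zero PSK. Returns True if their derived transport keys
    equal the peers' keys, i.e. the session is recoverable."""
    dh = [os.urandom(32) for _ in range(4)]          # constructed DH outputs
    psk = os.urandom(32) if psk_configured else ZERO_PSK
    peers = derive_transport_keys(*dh, psk)
    attacker = derive_transport_keys(*dh, ZERO_PSK)  # missing the real PSK
    return peers == attacker


if __name__ == "__main__":
    print("no PSK, attacker has all DH outputs -> keys recovered:",
          quantum_attacker_recovers_keys(False))
    print("PSK set, attacker has all DH outputs -> keys recovered:",
          quantum_attacker_recovers_keys(True))
```

The point the model makes is that the PSK is mixed in after every Diffie-Hellman step, so recovering all four ECDH outputs is not enough to derive the transport keys; the caveat is that this only holds if the PSK itself was exchanged out of band and is never sent over the tunnel it protects.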
Sure it does. But there are always trade-offs depending on everyone’s unique situation.
WG is in case I need to get in to ‘fix’ something. It runs on a high non-standard port that bad actors don’t generally scan.
NC is for the wife factor.
Basically, yes. I’ll look into that. Thanks.
ETA: The bad actors are really not after MY network. My setup is just like my front door lock. It keeps the honest people honest. Someone really wanting in is going to get there.