Note: please move this thread to a different subforum if more appropriate.
Here’s a straightforward Home Assistant setup:
============
| Internet |
============
|
|-------------| |-------------------|
| OpenWRT on | Ethernet | Home Assistant on |
| home router |------------| RasPi/SBC/MiniPC |
|-------------| |-------------------|
:
: WiFi
:
|-------------------------|
| Misc. home WiFi devices |
|-------------------------|
In such a setup, an owner wanting secure remote access could run a Wireguard server on the router - or instead on the RasPi/SBC/MiniPC. But which of those two options is best?
I’m trying to puzzle that out, Here are some tentative pros/cons of each approach, albeit dependent on the specific hardware involved:
Criterion
OpenWRT on home router
HA on RasPi/ SBC/MiniPC
Low vulnerability to networked branch prediction attacks (NetSpectre, etc)
Y
N
Built-in hardware random number generator (HRNG)
N
Y
Flexibility to route VLANs via Wireguard
Y
N
Unlikely to impact network speed
N
Y
Am I correct? What am I missing? What do you think are the pros/cons of each approach?
I guess the comments I have are based on the intent. And there are more options too.
Intent = most secure
This totally depends on the vulnerabilities in the router and the hardware behind the router. This can change daily/hourly or any interval.
Intent = ease of use
Not sure anyone has this answer. It depends on the individual user’s abilites.
As far as other options, I recently went from ESXi to Proxmox for my HA install. In playing with that, I also setup Wireguard in its own Proxmox LXC.
I also run Nginx Proxy Manager and Ad Guard Home in separate LXCs. I moved my DHCP from the router to my Ad Guard Home.
I left out a couple of intents above. There are also ‘fun’ and ‘learning’.
Am I more or less secure with this setup? I am thinking more secure. My thinking is moving things off of my router and my router has zero day hacks that are used by a bad actor then they ONLY get into my router and need to identify the other hacks needed to get into my other systems.
Am I delusional? Maybe. Am I also fighting against a script kiddie that is going off of a fun or learning intent and just helping them? Maybe.
Did I install my LXCs using the tteck’s scripts? Did I use the defaults? Or did I build them manually? Did I use other base linux distros? Which is better?
WG is only used for ME to access my LAN from outside.
Remote HA in my setup is done using the NC service. I do use webrtc to pass video from Blue Iris to HA that can be accessed from outside and do not open any ports for BI.
I do have another test WG setup going outside that I have not integrated into anything else. Testing is still in progress.
I did not have WG previous to these recent changes. I used OpenVPN on the router to access my LAN from outside. I changed to WG while ‘remaking’ all of this. I get that WG is faster than OV probably due the smaller MAX key size (which bothers me). I may switch to OV. Not sure yet.
The move from OV on the router to WG on Proxmox does not seem to have changed anything for my usage in any way.
I think I hit all of your questions. Please reply if I missed anything.
I did miss adding that what I have done also has the possible issue of the bad actor getting through my router into Proxmox and all Proxmox systems being at risk. No idea yet.
Thanks again for your replies. Good for stimulating my grey cells in this area!
If anyone else reading this wants to chime in, that would be great too, to learn how other HA users solve the problem.
Doesn’t having both Nabu Casa and Wireguard increase your attack surface? Two points of entry instead of just one? If either is compromised, the attacker gets past your firewall.
Is your concern about post-quantum vulnerabilities of small asymmetric keys? Would enabling WG’s symmetric pre-shared key option alleviate your key-size concern?
Jason Donenfeld, WG’s founder, discussed that in 2021 - though he was wary of committing to a PQ solution, especially before the NIST PQCrypto standardisation competition ended in Aug 2024. Judging by this Reddit thread, I’m not the only person trying to figure out if WG has decided on a long-term PQ approach since August, or if WG intends to leave this to third-party extensions.
Yes, if an attacker e.g. escapes one of your LXCs as root, they can access and tamper with your other containers (DNS, HA, etc), your Proxmox host, and your LAN.
Maybe put HA, WG, and other externally-accessible servers on a separate box in a DMZ?
Rosenpass seems to be the best 3rd-party PQ Wireguard at the moment.
However:
It relies on liboqs, so only supports x86_64 and ARM architectures. That rules out any OpenWRT routers that use other architectures.
It has no official packages for mobile platforms. Jetbird, a FOSS Netbird mesh-VPN Android client, does support it, though. So will the official FOSS iOS Netbird client if this bug gets fixed.
So, stock WG with symmetric PSK is probably as good as it gets right now for users needing bug-free WG on: other OpenWRT archs; iOS; or Android without Netbird.
Sure it does. But there are always trade-offs depending on everyone’s unique situation.
WG is in case I need to get in to ‘fix’ something. It runs on a high non-standard port that bad actors don’t generally scan.
NC is for the wife factor.
Basically, yes. I’ll look into that. Thanks.
ETA: The bad actors are really not after MY network. My setup is just like my front door lock. It keeps the honest people honest. Someone really wanting in is going to get there.
Thanks. I think we agree on everything about this except maybe security fatalism :)
If Brian Krebs taught us anything, it’s that cybercriminals are after your network - and mine, and any they might recruit into a botnet or target with ransomware.
If whistleblowers like Snowden and Mudge taught us anything, it’s that APTs are likewise after our networks, both for surveillance (“collect it all”) and to establish headlands for cyberwar.
And if Ross Anderson taught us anything, it’s that we should avoid binary thinking about security, and also that we - users, developers, hardware manufacturers - can and should deploy every available cheap improvement that will make attacks expensive.
Measures like Wireguard are cheap to deploy (zero money, little time), and help to keep out not only honest people, but also a big chunk of the spectrum of dishonest people.
You have the choice between a router accepting WG and HA.
So I’ld choose the router unless it does not have enough performance.
It also makes maintenance and configuration easier. HA needs to restart regularly for updates and reconfiguration, your routeur does not and restarts faster.
Upgrading this “dedicated” device is also easier.
OpenWRT probably lets you configure more of WG in the UI.
I use OPNsense, a possible upgrade path for you
OPNsense proposes a UI to manage WG.
If you’re using Proxmox on a device with to ethernet ports, you can also run OPNsense there and assign one of the ports directory to OPNsense as the WAN port. Use the other port for the local network and attach you HA VM to that network.
You’ld “need” a manageable switch (with OpenWrt I think you can do that as well).
I have OPNsense on a dedicated PC with that can handle high speed internet, block lists, etc.
I agree that we ‘mostly’ agree on all of this and I have really enjoyed this discussion.
When I say the bad actors are really not after MY network, I mean they are not trying to get ‘inside’ my network.
The botnet actors are looking for many vulnerable routers. Not the services I am running inside. Because they are easier. Again, what keeps ‘honest’ people honest is the easiest attack.
I am not saying I disagree with SOME of what you said. But that thread was a complete turn off and probably got you blocked by many smart folks that are active here.
Your craziness in that thread most certainly limited the interaction in this one.
Thank you for your questions here and all of the insights along with the links provided!
Mirai, BASHLITE, Linux.Darlloz, and various other botnets intentionally infected devices behind routers/firewalls. For zombie-masters, the more bots per network, the merrier: more trouble for homeowners or sysadmins to eradicate, and more scope for DDoS/spam/crypto-mining/lolz/whatever.
The more I think on this, the more I reckon @le_top and @buz above have the right idea: better to avoid port-forwarding if possible. Failing that, I guess DMZ. And harden the LAN and its devices regardless: segmentation, VLANs, on-device firewalls.
Microsoft is one of many companies that would love Free Software to disappear. For most of my life, BillG and Ballmer waged war against software freedom. The only difference since then is an opportunistic pivot from hard to soft power. If Nadella had a button that would kill open source, he’d push it now. MSFT share price would skyrocket.
Proprietary software is dystopia. How many times has your data, or mine, been collected without consent by unethical software and sold to data brokers? Or stolen in a breach because a business or hospital or government department caved in to lobbying or marketing and ran Windows or Office365 instead of something fully auditable, controllable, affordable, and securable? How many times have working hardware, or perfectly good files in old formats, been left unusable because a company withdrew support? And why was smart home tech routinely overpriced or incompatible until projects like Home Assistant emerged?
If not for a few “batshit-crazy” folks since the 1980s publishing the GPL and the GNU userland and toolchain, and founding the FSF, and more people fighting the good fight alongside them, we might live in a world with no real alternatives to proprietary software, and certainly no Home Assistant or Open Home Foundation. I don’t take that for granted. GitHub lock-in is still proprietary lock-in, which is the opposite of what the OHF claims to stand for.
Me too.