VPN security / setup

Constantin

Vampire Pig
Hi everyone,

The ransomware blog got me wondering if I recently made a wrong VPN choice. Specifically, I had to get two networks with EdgeRouters to connect - both featuring a dynamic IP address and a Ubiquiti EdgeRouter. While EdgeRouters support all sorts of VPNs as long as you are willing to put varying degrees of work into setting them up, I settled on IPSEC since EdgeRouters feature a basic IPSEC GUI setup window and IPSEC hardware offload support to speed up throughput.

Even so, getting IPSEC to work was really challenging. The initial example with a pre-shared secret is not suitable for use with dynamic DNS. The FQDN setup suggests dynamic DNS compatibility, but it doesn't work either out of the box. The VPN link may show as UP, but no traffic moves from one network to another. Various blogs promise relief, but nothing worked until I found these instructions over in the UI forums detailing how to modify the firewall for IPSEC. Given my level of expertise and no OOB access to both routers at once, it's hence likely not surprising that this process took a few weeks.

So, I'd like to keep this setup, if possible, since it took so long to set up in the first place. Yet, the ransomware blog mentions OpenVPN as the VPN of choice to help avert issues. None of the research I've read online so far suggests that IPSEC is inferior to OpenVPN, but I wonder if there is something I may have missed? Also, does the above approach using an IPSEC VPN with FQDNs and a modified firewall pass the laugh test?

I presume it would be a good idea to only expose a limited set of IP addresses on either end of the VPN tunnel (i.e. a /30 subnet) and/or restrict traffic to SSH for ZFS send?

Also, I wonder to what extent even a TrueNAS system can protect against all forms of ransomware if "high-profile targets are compromised and analyzed months in advance before a ransomware attack". But that's a discussion for a different thread.
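One concrete way to act on the "restrict traffic to SSH for ZFS send" idea on the receiving TrueNAS side, added here as an example and not code from the thread, TrueNAS or Ubiquiti: a forced-command wrapper so the sender's SSH key can only run zfs receive into one dataset subtree. Assumed names: dataset tank/backup, wrapper path /usr/local/bin/zfs-recv-only, and 10.255.0.2 as the peer's tunnel-side address.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for the receiving
# side of "zfs send ... | ssh ... zfs receive" over the VPN tunnel.
# Assumed names: dataset "tank/backup", wrapper path /usr/local/bin/zfs-recv-only.
ALLOWED_DATASET="tank/backup"

# Returns 0 only if $1 is "zfs receive|recv [flags] <dataset under ALLOWED_DATASET>".
# -F is deliberately not allowed: it lets the sender roll back or destroy snapshots
# on the receiver, which defeats the point of keeping snapshots out of reach.
check_zfs_cmd() {
    cmd=$1
    [ -n "$cmd" ] || return 1
    # character whitelist: no shell metacharacters, globs, quotes or backslashes
    if printf '%s' "$cmd" | grep -Eq '[^A-Za-z0-9_./@: -]'; then return 1; fi
    set -f                      # no globbing while word-splitting
    set -- $cmd
    set +f
    [ $# -ge 3 ] || return 1
    [ "$1" = zfs ] || return 1
    case "$2" in receive|recv) ;; *) return 1 ;; esac
    shift 2
    while [ $# -gt 1 ]; do      # every word before the last must be an allowed flag
        case "$1" in -u|-s) shift ;; *) return 1 ;; esac
    done
    case "$1" in
        "$ALLOWED_DATASET"|"$ALLOWED_DATASET"/*|"$ALLOWED_DATASET"@*) return 0 ;;
        *) return 1 ;;
    esac
}

# authorized_keys entry for the sender's public key ($2), pinned to its tunnel-side
# address ($1), with no pty/forwarding and the wrapper as the forced command.
authorized_keys_line() {
    printf 'from="%s",command="/usr/local/bin/zfs-recv-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Entry point when sshd runs the wrapper: the client's requested command arrives
# in SSH_ORIGINAL_COMMAND; anything that fails the check is logged and refused.
zfs_recv_only() {
    if check_zfs_cmd "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; set +f   # already validated above
        exec "$@"
    fi
    logger -t zfs-recv-only "refused: ${SSH_ORIGINAL_COMMAND:-<none>}"
    printf 'command not permitted\n' >&2
    exit 1
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then zfs_recv_only; fi
```

Combined with a firewall rule that only passes TCP/22 between the two tunnel endpoints, a compromised sending host can then push snapshots but cannot run anything else on the receiver or discard what is already there.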

NugentS

MVP
IPSEC is generally considered harder to set up than, say, OpenVPN. If it's up and working (and secure) then don't worry about it.

TrueNAS is just storage and cannot in itself prevent ransomware. It can however help mitigate against ransomware:
1. Snapshots - Ransomware won't touch these unless it can get access to the actual disks by compromising TrueNAS itself
2. Backups
3. Good security practice

Constantin

Vampire Pig
OpenVPN and WireGuard certainly are explained to be superior in many ways - from fewer ports to open to better performance in some instances. Too bad the Edgerouter hardware is optimized for IPSec. It was quite frustrating to see the link as "UP" but no traffic passing even though I had followed all the instructions set forth by UBNT.

You're also getting to my main issue with the ransomware blog - TrueNAS is but a cog in a much larger machine needed to stay resistant against ransomware and other threats. For example, SMB does not (yet?) incorporate 2FA and like measures - that's delegated to the firewall / VPN. So once a user is authorized yet compromised, the mayhem can begin.

To me, pointing out the failings of rival systems re: ransomware due to built-in system compromises of one kind or the other is also risky. To some extent, the underpinnings of TrueNAS (FreeBSD) make the system different enough to keep script kiddies from cutting and pasting themselves to victory. However, even that minor speedbump (via security through obscurity) will vanish as TrueNAS SCALE (and its Linux underpinnings) takes over.

I hope to explore going 2FA on the GUI this coming week. It's a really neat feature and something I want to enable.