Saturday, December 2, 2017

How To: Make your home Internet connection more secure and private

It has been a while since I have written anything on my blog. Perhaps bit too long ago, but this does not mean that I wasn't busy with creating something to help my readers or anyone other for that matter.
Although I am working as a Lead Information Security Officer and overseeing a Security Team with Security Analysts, I am still a techy in my heart. Therefore, in May 2017 I bought a Raspberry Pi. Pretty much just for the purpose of tinkering with it. A good friend of mine uses it for RC-automation and home-automation, but I have found another purpose.

I wanted to create a device that makes my home Internet connection more secure, and more private. And these features needed also to be utilizable while not at home. I thought that I have set a nice goal with that and started working on it.

When buying a Raspberry Pi you soon are going to install the Debian-based distro called Raspbian Stretch (previous release was Jessie). And with the objective I had set to myself one will be installing Pi-hole also. But I wanted to go further, which I did.

This is the feature set I aimed at and which are now included in the guide.
  • Pi-hole for blocking (malicious) ad-services and malware infected sites.
  • DNSSEC to validate DNS-responses for integrity.
  • DHCP to make sure that every device gets the proper internal DNS-server.
  • VPN (OpenVPN by PiVPN) to enable the possibility to have the same level of security and privacy with any of family’s devices when not at home.

That are the functional requirements in a sense. I have also some other requirements.
  • DNS requests needs to be forwarded to Quad9 DNS-servers.
  • Internal DNS capability.
  • The VPN must behave the same as the internal LAN without any DNS-leaking.
  • Modern encryption for the VPN-tunnel using TLS 1.2 with a strong key.
  • The setup must be reasonable hardened.
  • Important system events needs to be emailed to my email-address.
  • Blocking brute-force login attempts with fail2ban.
  • Fire-walling with iptables in a block everything and white-list specific ports manner.
  • Disabling non-used hardware that enables wireless connectivity (WLAN and Bluetooth).
  • IPv6 wherever possible (for the moment, not the VPN-tunnel).
  • All vulnerabilities fixed that are found with a scan by Nessus Vulnerability Scanner, when the needed fix can be applied by myself (succeeded in that!).
  • The entire setup needs to be updated automatically on at least a weekly basis.

I also have set some constraints to keep the project feasible.
  • Apart from OpenVPN, there is nothing that can be reached from the outside world. I always assume that there is a network-firewall present between the Internet, and the actual Pi.
  • The networking-services this device delivers are meant to enhance security of other network-connected devices in a non-intrusive manner.
  • And although this device delivers services in a (reasonable) secure way, it is not meant to be a device that delivers security services by it self, such as network-scanning and vulnerability scans.
  • It is meant for home or small-office use. Larger companies or institutions should look at other solutions to protect their people.

My wishlist consists of the following. Although not sure at the moment if all can be done.
  • Full IPv6 VPN-tunneling.
  • Implement either DNSCrypt or DNS-over-TLS.
  • Two-factor authentication on the VPN-tunnel.

The hardware I used is listed below.
  • Raspberry Pi 3 Model B 1GB
  • SDHC card - 16GB
  • Pi-Blox Case for Raspberry Pi – Black
  • Costs: roughly € 70

The base image that is used to build this guide is the following:
  • Image with desktop based on Debian Stretch
  • Version: November 2017
  • Release date: 2017-11-29
  • Kernel version: 4.9

This guide was created using Debian Jessie first, but it is now adjusted to also work for Stretch.
It took a while though to get where I am now. I even needed to start over, but that was not an issue. I then met Debian Stretch so the restart had its use. Why o why did I do a “sudo apt-get remove python”….?

I have documented it using GitHub, so hop over to there to see more.

A special word of thanks goes to Jacob Salmela with his up-to-date manual (PDF). This guide is inspired on his, although I go a step further in terms of features. Nevertheless, his contribution to (not only) this guide is worth my sincere gratitude. Thanks!

Any questions, remarks or suggestions? Please let me know!

Share:  

2 comments:

  1. Nice , have a similamr project over here.
    Not a pi, but Ubuntu vm. 512mb ram only.
    Pihole, upstream DNS opendns family security with personal filtering settings.
    VPN from Home to internet cliënt to site.

    ReplyDelete
    Replies
    1. Thanks for your share and comment! Using Ubuntu as base OS certainly possible also! Did you do additional hardening too?

      Delete