7. That is a pretty robust setup as far as I can tell from the info provided. Good on you!
The BananaPi R3 is definitely going to be a bottleneck as far as performance goes. I recommend OPNsense installed on a dedicated firewall over just a router with OpenWRT.
OpenWRT uses the Linux kernel, is really more for WiFi and access points, and lags behind OPNsense, which uses FreeBSD and is much more powerful.
But I digress, since OPNsense won't fly on a BananaPi R3.
Also, WireGuard is faster and leaner and definitely the way to go for most people and in most use cases, but it has a significant limitation as far as privacy and obfuscation goes... it's UDP only.
Fun fact: This is why Mullvad VPN is well known for getting blocked by many sites as well as not being a good option for streaming, or circumventing geographical blocking and censorship by oppressive governments.
Wireguard also forces you to use ChaCha20 encryption and Poly1305 which is definitely more modern, but not as battle tested as other algorithms.
OpenVPN, while being code heavy and slower, can also use ChaCha20 in addition to other well established encryption protocols. They also have a complete zero logs policy and do not store user IP addresses on the VPN server, whereas WireGuard requires the user's IP address to be stored on the server until the server reboots. Good on Mullvad for making their servers RAM only!
WireGuard uses UDP and doesn't support use over TCP, so it can't use TCP port 443, which makes the fact you are using a VPN trivial to detect and block. The creator of WireGuard has emphasized that the protocol doesn't focus on obfuscation and that deep packet inspection is a known limitation.
In contrast, OpenVPN is better out of the box at evading censorship and deep packet inspection since it can use both UDP and TCP, and also supports traffic packet obfuscation through features like Scramble.
If you're going to run Mullvad/Wireguard, check out ProxyGuard. It's a good balance between simplicity and level of obfuscation.
---
"Proxy UDP connections over HTTP(s). The main use case is to proxy WireGuard packets.
It does this by doing a HTTP upgrade request similar to how websockets work.
This means we can tunnel the protocol behind a reverse proxy."
https://www.eduvpn.org/running-wireguard-over-tcp-a-solution-for-udp-blocking-issues/
https://codeberg.org/eduVPN/proxyguard
---
A couple of other things to note:
Did you spoof its MAC address before plugging it into your ISP modem? Otherwise your ISP will have a record of that device attached to your IP/identity. This may be considered extreme for many threat models, but it's easy to do, so why not?
Also, I'm sure you know this, but it's generally better to not have remote access to your server. Opening it up to the internet/leaving SSH access on etc opens you up to being hacked, so you will need to be diligent with good OPSEC setting up and maintaining.
Also, check out Wazuh if you want an awesome SIEM. Installing the agent plugin on the Protectli firewall (posted above) running OPNsense and the manager on your server is good stuff for network security.
https://wazuh.com/
Although there is no Wazuh agent that can be installed on an OpenWRT Pi, Wazuh does provide agentless monitoring.
https://documentation.wazuh.com/current/user-manual/capabilities/agentless-monitoring/index.html
Hope you (and anyone else reading) find this note useful :)
#cybersecgirl
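As an added illustration of the ProxyGuard idea quoted in the post above (this is constructed example code, not the post's own code and not the eduVPN project's code), the toy below models both sides of "UDP over an HTTP upgrade": the client sends an ordinary HTTP/1.1 request asking to upgrade, the server answers 101, and from then on each UDP datagram is carried inside the TCP stream with a length prefix, because TCP does not preserve message boundaries the way UDP does. The upgrade token, the path and the 2-byte length framing are my assumptions for illustration and are not ProxyGuard's real wire format. From a defender's point of view it shows what a DPI box sees once a tunnel like this is in use: a plain HTTP upgrade followed by an opaque byte stream, so detection has to key on the upgrade handshake or traffic shape rather than on a UDP fingerprint.

```python
# Added example (not from the post, not ProxyGuard's code): a toy model of
# carrying UDP datagrams inside a TCP connection after an HTTP upgrade.
# The token, path and 2-byte length framing are assumptions for illustration.
import struct

UPGRADE_TOKEN = "udp-tunnel"   # assumed upgrade token name
TUNNEL_PATH = "/tunnel"        # assumed path on the reverse proxy
MAX_DATAGRAM = 65535           # largest payload the 2-byte prefix can describe


def build_upgrade_request(host: str) -> bytes:
    """Client side: an ordinary-looking HTTP/1.1 request asking to upgrade."""
    return (
        f"GET {TUNNEL_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: Upgrade\r\n"
        f"Upgrade: {UPGRADE_TOKEN}\r\n"
        "\r\n"
    ).encode("ascii")


def handle_upgrade_request(raw: bytes) -> tuple[bytes, bytes]:
    """Server side: validate the request and return (response, leftover bytes).

    Leftover matters because a client may start sending framed datagrams
    in the same TCP segment as the request itself.
    """
    head, sep, leftover = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request")
    lines = head.decode("ascii").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ok = (
        request_line == f"GET {TUNNEL_PATH} HTTP/1.1"
        and "upgrade" in headers.get("connection", "").lower()
        and headers.get("upgrade", "").lower() == UPGRADE_TOKEN
    )
    if not ok:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n", b""
    response = (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Connection: Upgrade\r\n"
        f"Upgrade: {UPGRADE_TOKEN}\r\n"
        "\r\n"
    ).encode("ascii")
    return response, leftover


def frame_datagram(payload: bytes) -> bytes:
    """UDP keeps message boundaries, TCP does not, so each datagram gets a
    2-byte big-endian length prefix before it enters the stream."""
    if len(payload) > MAX_DATAGRAM:
        raise ValueError("datagram too large for the length prefix")
    return struct.pack("!H", len(payload)) + payload


def unframe_stream(buf: bytes) -> tuple[list[bytes], bytes]:
    """Pull every complete datagram out of a stream buffer.

    Returns (datagrams, remainder); the remainder is a partial frame that
    must be kept until the next TCP read arrives.
    """
    out = []
    pos = 0
    while len(buf) - pos >= 2:
        (length,) = struct.unpack_from("!H", buf, pos)
        if len(buf) - pos - 2 < length:
            break  # frame not yet complete, wait for more bytes
        out.append(buf[pos + 2:pos + 2 + length])
        pos += 2 + length
    return out, buf[pos:]


def simulate_exchange(datagrams: list[bytes], chunk: int = 7) -> list[bytes]:
    """Run both sides in memory: the client upgrades, then sends datagrams;
    the server reads the TCP stream in small, arbitrary-sized chunks."""
    stream = build_upgrade_request("vpn.example.net")
    stream += b"".join(frame_datagram(d) for d in datagrams)

    # Server: parse the request plus whatever else arrived in the first read.
    response, leftover = handle_upgrade_request(stream)
    if not response.startswith(b"HTTP/1.1 101"):
        raise RuntimeError("upgrade refused")

    # Feed the rest of the stream chunk by chunk, reassembling split frames.
    recovered, pending = [], b""
    for i in range(0, len(leftover), chunk):
        pending += leftover[i:i + chunk]
        done, pending = unframe_stream(pending)
        recovered.extend(done)
    if pending:
        raise RuntimeError("stream ended inside a frame")
    return recovered


if __name__ == "__main__":
    # Constructed sample "WireGuard" datagrams (just opaque bytes here).
    sample = [b"\x01" * 20, b"\x04" + b"\xaa" * 31, b""]
    print(simulate_exchange(sample) == sample)
```

The chunked read in `simulate_exchange` is the part worth studying: a datagram that arrives split across two TCP segments is only released once its full length has been buffered, which is exactly the reassembly step any UDP-over-TCP tunnel (or any sensor inspecting one) has to get right.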