Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
== Why OpenVPN? Why do I need this? ==

Because opening ports for personal use is a bad idea!

'''''“but louis, every website & hosting provider opens ports!”'''''

Webhosts and datacenters open ports so that millions of people can access their services. You’re opening ports to access a porn server in your closet. You’re not the same.

<span id="listing-the-ports-wed-have-to-open."></span>
=== Listing the ports we’d have to open. ===

Each one of these things needs its own open port on your router. That’s like having a house with 15 different doors, each one made of cardboard with a cutout in the middle that lets anyone see in. No, we’re not doing that.

* '''Immich''' to do machine learning on your photos, because your self-image isn’t ''[https://imgur.com/a/HVr6oAz bad enough as it is]''.
* '''Home Assistant''' to pretend you’re Tony Stark.
* '''Syncthing''' because [https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html screw Google].
* '''MailCow''' because you think you can run email better than Google (if you’re reading this guide, you probably can’t).
* '''Frigate''' to catch your neighbor stealing your packages.
* '''OnlyOffice''' because you’re too cheap for Microsoft 365.
* '''FreePBX''' because… actually, I don’t know why you’d torture yourself with that. [https://www.youtube.com/watch?v=vWrkDOt_IfM&pp=ygUNbGVubnkgZnJlZXBieA%3D%3D Lenny] makes it worth it. Maybe.

<span id="why-opening-every-port-is-dumber-than-an-820-2330-macbooks-hinge-design"></span>
=== Why Opening Every Port is Dumber Than an [https://rossmanngroup.com/unibody-macbook-pro-display-assembly-repair-replacement-service/ ''820-2330 Macbook’s hinge design''] ===

Here’s why exposing all of this directly is a terrible idea:

'''You’re Advertising What You’re Running''': Any script kid with a port scanner can see exactly what you’re running.

'''Your Software is Probably Full of Holes''': These projects are great, but they have 10,000 users, 5 of which believe they are entitled to 25 years of updates & bugfixes after a $3 donation, and they are maintained by [https://www.explainxkcd.com/wiki/index.php/2347:_Dependency one person in their spare time], whose users are assholes that think [https://www.reddit.com/r/immich/comments/1codh0p/comment/l5rfpu7/ feeding yourself off of your work is too much to ask for].

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_37a2ee92.png
</gallery>
</div>

If I were smart (and evil), I could make a list of:

* Every IP address
* What software they ran
* What version they ran

Then, I’d keep up with exploits/vulnerabilities that are announced in the news. I’d go back to my list, double check who’s running that software, and see if the exploits work. At best, you become part of a botnet and waste some electricity mining my crypto. At worst, I’ve stolen all of your data & use it to blackmail you.

I like these programs; they’re fun software! But, similar to my taste in relationships, it isn’t about '''who I''' '''''like'''''. It’s about '''who I''' '''''trust'''''. The software I have the most '''fun''' with isn’t who I’d trust with banking credentials (or my future children). Maybe I got that the wrong way around…

<span id="openvpn-only-1-port-to-open-with-better-security"></span>
=== OpenVPN: Only 1 Port to open, with better security: ===

'''One Port to Worry About''': Instead of 15 points of failure, we have one potential point of failure.

<blockquote>'''NOTE:''' OpenVPN uses a single port for all traffic, which is usually port 1194 UDP. Most OpenVPN servers will default to port 1194. Make sure your ISP didn’t block this. Bad ISPs will block ports commonly used for running servers so you pay 5x as much for the same internet unless you buy a “business” (extortion) plan. I paid $409.99/mo for 10 Mbps upstream when I had a store in New York; hint: you’re not paying extra for better internet.</blockquote>

'''Stealth Mode''': To the outside world, you’re just running OpenVPN. They can’t see your unpatched version of [https://github.com/pjenvey/hellanzb hellanzb] from 2007. ''(shout out to pjenvey if he’s reading this today!)''

<span id="openvpn-security-in-four-pictures"></span>
=== OpenVPN security in four pictures: ===

Here is what it’s like opening ports to a bunch of random open source projects people make in their spare time:

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image55.jpg
</gallery>
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image56.jpg
</gallery>

Here is what it’s like only opening a port for OpenVPN:

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image57.jpg
</gallery>
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image58.jpg
</gallery>

When you use OpenVPN, you are opening one port to get access to your network, with a door that many commercial interests have a stake in keeping strong. When you open ports for random crap, you have windows people can look through, and doors that look like… Well… Yeah. And 2 guys watching them.

<span id="decreasing-attack-surface-with-openvpn-is-a-best-practice"></span>
=== Decreasing Attack Surface with OpenVPN is a best practice ===

OpenVPN isn’t a hobby project coded by your cousin’s methhead roommate. This is used by everyone, from companies with more money than sense to just about anyone who doesn’t want their data plastered all over the internet:

* Having '''''ONE''''' service open to the public rather than 10 means a smaller attack surface.
* Having one service
* OpenVPN is designed with one purpose in mind: a secure connection.
* It is over 20 years old.
* Commercial interests (aka people actually paying money for software that they rely on for their infrastructure, not ''[https://www.reddit.com/r/immich/comments/1codh0p/comment/l5rfpu7/ this guy]'') use & rely on it.
* There are more eyes on the code of OpenVPN than on <code>hellanzb</code>.

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_f3e2603c.png
</gallery>

'''Marketing wankery? …Kind of, but they’re not lying here.'''

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxaty_tmp_29f791ff.png
</gallery>

'''Is this 100% accurate? No.''' Are more people, for whom millions of dollars ride on the security of their software, using OpenVPN than hellanzb? Yes!

Having a home server is cool. But the programs we’re talking about are used by [https://wiki.futo.org/index.php/FUTO:General_disclaimer 0.0001% of 0.000001%] of the world. OpenVPN can still have vulnerabilities; it isn’t perfect! But remember, in the world of network security, '''nothing is perfect!''' This isn’t about being perfect. It’s about controlling what we can control, and minimizing risk & attack surface every chance we get. A UFC fighter makes a better bodyguard than a mall cop, regardless of the fact that they’re equally useless against a bomb or a comet.

This guide walks you through the process of setting up OpenVPN on '''pfSense'''. OpenVPN allows you to access your home network as if you were there. All of the services we want to use require access to the network we are placing our server on, from anywhere. This setup will make sure that all traffic from the phone is routed through the VPN with no DNS leaks, which will be important for our adblocking-via-router section that comes after.

<span id="setting-up-openvpn-within-pfsense-for-secure-access"></span>
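The attack-surface argument above (one public door versus fifteen cardboard ones) is something you can actually measure on your own router. The script below is an added example, not code from this guide or from the pfSense project: it parses port-forward rules in the shape pfSense writes them into <code>config.xml</code> (the <code>&lt;nat&gt;&lt;rule&gt;</code> element names and the <code>&lt;disabled/&gt;</code> marker are my assumptions about that layout; compare against your own export) and reports every (protocol, port) pair reachable from the WAN, flagging anything that isn’t the single OpenVPN forward. The sample config, addresses and service list are constructed for the example.

```python
"""Attack-surface audit for pfSense-style port forwards.

Added example, not code from the FUTO guide or from pfSense. The XML below is a
constructed stand-in for the <nat><rule> entries of a pfSense config.xml export;
the element names (<destination><port>, <protocol>, <target>, <descr>,
<disabled/>) follow pfSense's layout as an ASSUMPTION: check them against a real
export before trusting the numbers.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "cardboard doors" setup the guide argues against, plus
# the one OpenVPN forward we actually want. Ports are the projects' usual
# defaults; the 192.168.1.x targets are made up.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule><protocol>udp</protocol><destination><network>wanip</network><port>1194</port></destination>
          <target>192.168.1.2</target><local-port>1194</local-port><descr>OpenVPN</descr></rule>
    <rule><protocol>tcp</protocol><destination><network>wanip</network><port>2283</port></destination>
          <target>192.168.1.10</target><local-port>2283</local-port><descr>Immich</descr></rule>
    <rule><protocol>tcp</protocol><destination><network>wanip</network><port>8123</port></destination>
          <target>192.168.1.11</target><local-port>8123</local-port><descr>Home Assistant</descr></rule>
    <rule><protocol>tcp/udp</protocol><destination><network>wanip</network><port>22000</port></destination>
          <target>192.168.1.12</target><local-port>22000</local-port><descr>Syncthing</descr></rule>
    <rule><protocol>tcp</protocol><destination><network>wanip</network><port>25</port></destination>
          <target>192.168.1.13</target><local-port>25</local-port><descr>MailCow SMTP</descr></rule>
    <rule><disabled/><protocol>tcp</protocol><destination><network>wanip</network><port>5000</port></destination>
          <target>192.168.1.14</target><local-port>5000</local-port><descr>Frigate</descr></rule>
  </nat>
</pfsense>"""

# The only public door we intend to have: OpenVPN on its default UDP port.
ALLOWED = {("udp", 1194)}


def port_span(port_field: str) -> tuple[int, int]:
    """Return (low, high) for a port field, which may be '1194' or a range '8000-8010'."""
    low, _, high = port_field.partition("-")
    low_n = int(low)
    return (low_n, int(high) if high else low_n)


def parse_port_forwards(xml_text: str) -> list[dict]:
    """Extract inbound forwards from the <nat> section, keeping disabled ones flagged."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("./nat/rule"):
        dest = rule.find("destination")
        port_field = dest.findtext("port") if dest is not None else None
        if port_field is None:
            continue  # no destination port: not an inbound forward we can assess
        rules.append({
            "protocol": (rule.findtext("protocol") or "tcp").lower(),
            "ports": port_span(port_field),
            "target": rule.findtext("target") or "",
            "descr": rule.findtext("descr") or "",
            # assumption: pfSense marks a disabled rule with an empty <disabled/> element
            "disabled": rule.find("disabled") is not None,
        })
    return rules


def audit_exposure(rules: list[dict], allowed=ALLOWED) -> dict:
    """Count WAN-reachable (protocol, port) pairs and list forwards outside the allow-list."""
    exposed = 0
    violations = []
    for r in rules:
        if r["disabled"]:
            continue  # a disabled rule is not a door, so it is not counted
        low, high = r["ports"]
        protos = r["protocol"].split("/")  # pfSense writes "tcp/udp" for both protocols
        exposed += (high - low + 1) * len(protos)
        permitted = all((p, n) in allowed for p in protos for n in range(low, high + 1))
        if not permitted:
            violations.append(r["descr"] or f"{r['protocol']}/{low}-{high}")
    return {"exposed": exposed, "violations": violations, "ok": not violations}


if __name__ == "__main__":
    result = audit_exposure(parse_port_forwards(SAMPLE_CONFIG))
    print(f"WAN-reachable protocol/port pairs: {result['exposed']}")
    for name in result["violations"]:
        print(f"  exposed directly, should sit behind the VPN: {name}")
    print("OK: only the VPN port is open" if result["ok"] else "NOT OK: close the extra doors")
```

Running it against the constructed sample reports six reachable protocol/port pairs and four forwards (Immich, Home Assistant, Syncthing, MailCow) that should be behind the VPN instead; the disabled Frigate rule is ignored. Once your own config only forwards UDP 1194, the audit reports <code>ok</code>, which is the state the rest of this guide is working toward.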