Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
= Why Build Your Own Router? =

<span id="regular-security-updates-openvpn"></span>
=== Regular Security Updates & OpenVPN ===

Let’s start at the very beginning with OpenVPN. We are not opening ports to the internet for ANYTHING, except for receiving self-hosted mail. We’re running a bunch of different open source services that less than 0.1% of the population (if I’m being generous) actually use. I '''LIKE''' <code>Immich</code>, <code>Home Assistant</code>, <code>Syncthing</code>, <code>FreePBX</code>, <code>OnlyOffice</code>, <code>Nextcloud</code>, <code>Mailcow</code>, <code>Frigate</code>. But I don’t want them just open to the internet. They’re nice software, but they’re [https://wiki.futo.org/index.php/FUTO:General_disclaimer used by 0.0001%] of the population. Further, even if they WERE secure, by opening ports to the internet I am letting every Tom, Dick & Harry who wants to peek in see what I am running on my IP address.

OpenVPN is used by companies in the S&P 500, banks, and governments; it’s everywhere! The beauty of OpenVPN is that if there’s ever a security breach, it’s going to get found and fixed because there are tens of millions of eyes on it at any given moment. There is too much ''investment'' in OpenVPN for it to wither on the vine and become fundamentally insecure. OpenVPN is as secure as it gets, and while it’s not ''perfect'', we massively reduce our ''RISK'' of being hacked & exploited by using OpenVPN to get into our home network instead of opening ports willy-nilly to 10 different pieces of software. I don’t want people to be able to see that these services are all running on my server. Exposing each service on its own port means four, six, eight, or 15 different points of failure. I’d rather have one point of failure that’s managed properly. That’s what a VPN is for: a way to create a secure, encrypted tunnel between your phone and your server.

<span id="why-cant-i-buy-a-30-router-at-walmart"></span>
== Why can’t I buy a $30 router at Walmart? ==

<span id="short-lifespan-for-firmware-updates"></span>
=== Short lifespan for firmware updates ===

Consumer routers you find in stores may offer features like OpenVPN, but the problem is that many [https://www.bleepingcomputer.com/news/security/netgear-leaves-vulnerabilities-unpatched-in-nighthawk-router/ stop receiving updates shortly after you buy them].

<span id="buggy"></span>
=== Buggy ===

Many of the lower-end store routers are buggy and can cause problems with what I am showing you how to set up. Certain TP-Link routers have randomly messed with SIP traffic in the middle of a call, and the routers that Spectrum and Verizon provide have <code>SIP ALG</code> turned on by default, which will mess with our phone system. They don’t let you turn it off in the configuration settings either!

Back to my point: using a router where you are at the mercy of the manufacturer to provide you with updated firmware leaves you vulnerable to security risks as new exploits are discovered. For example, three years down the line there might be a very important update for OpenVPN, but your router’s manufacturer might have stopped supporting your model after just six months. Now you’re screwed.

<span id="increased-likelihood-of-getting-hacked-over-time"></span>
=== Increased likelihood of getting hacked over time ===

You’re making it harder for yourself by using a router that will become vulnerable to exploits in OpenVPN. OpenVPN is exceptional software: these holes get plugged, and they get plugged fast… if the manufacturer actually updates the firmware. They often don’t. Think about it:

# You already paid for the router.
# Providing you with updated firmware costs them money & time.
# But they already have your money.
# So they don’t care.
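Added example (not from the wiki page and not OpenVPN’s own tooling): a small Python check for the “can I still update?” problem above. It reads the first line of <code>openvpn --version</code> output, which begins with <code>OpenVPN &lt;version&gt;</code>, and compares that version against the minimum patched release for its branch. The minimum releases 2.6.10 and 2.5.10 are the ones named for the March 2024 advisories in the next section; the <code>MIN_FIXED</code> table, the decision to treat any other branch as unsupported, and the sample output lines are this example’s own assumptions.

```python
"""Check whether an OpenVPN build is at or past the fixed release for its branch.

Added example, not part of the original wiki page. It parses the first line of
`openvpn --version` output (which starts with "OpenVPN <version>") and compares
the version against the minimum patched release for that minor branch.
"""
import re
import subprocess
from typing import Optional

# Minimum patched release per (major, minor) branch for the March 2024 advisories
# (2.6.10 and 2.5.10). Assumption for this example: a branch not listed here
# (e.g. 2.4) no longer receives fixes and is therefore reported as unsupported.
MIN_FIXED = {
    (2, 6): (2, 6, 10),
    (2, 5): (2, 5, 10),
}

# The first line of `openvpn --version` starts with "OpenVPN " and the version.
_VERSION_RE = re.compile(r"^OpenVPN\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(first_line: str) -> Optional[tuple[int, int, int]]:
    """Return (major, minor, patch) from a version line, or None if it does not parse."""
    m = _VERSION_RE.match(first_line.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(version: tuple[int, int, int]) -> str:
    """Classify a version: 'ok', 'vulnerable' (older than its branch fix) or 'unsupported'."""
    branch = version[:2]
    if branch not in MIN_FIXED:
        return "unsupported"
    # Tuple comparison gives a correct numeric compare (2.6.8 < 2.6.10).
    return "ok" if version >= MIN_FIXED[branch] else "vulnerable"


def check_output_line(first_line: str) -> str:
    """Parse and classify one `openvpn --version` first line; 'unknown' if unparsable."""
    v = parse_version(first_line)
    if v is None:
        return "unknown"
    return assess(v)


def check_local_install() -> str:
    """Run the real binary if present; 'unknown' when openvpn is not installed."""
    try:
        out = subprocess.run(["openvpn", "--version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    first = out.stdout.splitlines()[0] if out.stdout else ""
    return check_output_line(first)


# Constructed sample lines in the shape of `openvpn --version` first lines;
# they are not captured from real devices.
SAMPLES = {
    "router-a": "OpenVPN 2.6.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]",
    "router-b": "OpenVPN 2.5.10 amd64-portbld-freebsd14.0 [SSL (OpenSSL)]",
    "router-c": "OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)]",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name}: {check_output_line(line)}")
    print(f"this machine: {check_local_install()}")
```

Run it on the router itself (or paste the router’s version line into <code>SAMPLES</code>); a result of <code>vulnerable</code> or <code>unsupported</code> on a device whose vendor no longer ships firmware is exactly the situation the section above warns about.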
'''You might think I’m being bombastic; what’s so bad about using an older version of OpenVPN?'''

<span id="openvpn-exploits"></span>
=== OpenVPN exploits: ===

A '''CVE''' is a common vulnerability & exploit - aka, a way to hack into something. These are a small number of the ones that have occurred over the years. Finding CVEs isn’t a bad thing; every piece of software ever created is going to have security vulnerabilities. It is only bad if you are running hardware that you cannot update once a fix has been released.

<span id="cve-2024-27459-cve-2024-24974-cve-2024-27903-cve-2024-1305"></span>
==== 1. CVE-2024-27459, CVE-2024-24974, CVE-2024-27903, CVE-2024-1305 ====

* '''Discovered''': March 2024
* '''Description''': Multiple vulnerabilities were found, mainly affecting OpenVPN’s client side on Windows, Android, iOS, macOS, and BSD. These included a stack overflow, unauthorized access, & plugin flaws leading to potential remote code execution (RCE) and local privilege escalation (LPE). Users were advised to update to OpenVPN version 2.6.10 or 2.5.10 to mitigate the risks. ''You can only update OpenVPN if your router lets you.''

<blockquote>'''Terminology note:''' “client-side” means the part of the software that runs on your device (like a computer or smartphone), as opposed to “server-side”, which would be the part running on a remote server (Apple/Google’s server). “Remote Code Execution (RCE)” is a vulnerability that lets a hacker run code of their choosing on your device. “Local Privilege Escalation (LPE)” is a vulnerability that lets a hacker get higher permissions (i.e. becoming an admin rather than a regular user), allowing them to do things they shouldn’t or gain full control over your system.
</blockquote>

* '''Sources''':
** [https://cybersecuritynews.com/openvpn-vulnerabilities-rce-attack/ Cybersecurity News]
** [https://openvpn.net/security-advisories/ OpenVPN Security Advisory]
** [https://campustechnology.com/Articles/2024/08/16/Report-Increasing-Number-of-Vulnerabilities-in-OpenVPN.aspx Campus Technology]

<span id="code-signing-key-intrusion-openvpn-2.5.8"></span>
==== 2. '''Code Signing Key Intrusion (OpenVPN 2.5.8)''' ====

* '''Discovered''': December 2022
* '''Description''': An intrusion was detected involving OpenVPN version 2.5.8. There’s no evidence suggesting the key was misused, & OpenVPN proactively re-released the software signed with a new key for security. This is why updates matter.
* '''Sources''': [https://openvpn.net/security-advisories/ OpenVPN Security Advisory]

<span id="cve-2022-0547"></span>
==== 3. '''CVE-2022-0547''' ====

* '''Discovered''': February 2022
* '''Description''': An authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, '''''which allows an external user to be granted access with only partially correct credentials.''''' aka, I can have a sawed-off copy of your house key & still get in.
* '''Sources''': [https://community.openvpn.net/openvpn/wiki/CVE-2022-0547 OpenVPN Community]

<span id="cve-2020-15077-cve-2020-36382"></span>
==== 4. '''CVE-2020-15077, CVE-2020-36382''' ====

* '''Discovered''': 2020
* '''Description''': These vulnerabilities affected OpenVPN Access Server, with risks of information leakage and potential denial-of-service (DoS). Patches were released fast to address these security issues; benefiting from them requires a router that lets you keep updating it after the manufacturer has given you the middle finger & told you to buy a new one.
* '''Sources''': [https://openvpn.net/security-advisory/access-server-security-update-cve-2020-15077-cve-2020-36382/ OpenVPN Security Advisory]

<span id="cve-2018-9334"></span>
==== 5. '''CVE-2018-9334''' ====

* '''Discovered''': 2018
* '''Description''': A denial-of-service vulnerability in OpenVPN’s handling of authentication processes, which could allow attackers to disrupt service, was patched.
* '''Sources''': [https://openvpn.net/security-advisories/ OpenVPN CVE List]

<span id="cve-2017-7521"></span>
==== 6. CVE-2017-7521 ====

* '''Discovered''': 2017
* '''Description''': A memory exhaustion flaw was found where an attacker could exploit OpenVPN’s message handling to cause service disruption.
* '''Sources''': [https://openvpn.net/security-advisories/ OpenVPN CVE List]

<span id="guaranteed-long-term-compatibility-updates"></span>
== Guaranteed long term compatibility & updates ==

Even a cheap 10-year-old desktop PC can be a good router for the next ten years, as long as it has a good network interface card. If it runs out of RAM or new network technologies come out, you won’t throw it away; you’ll buy a new network card for $40 or more RAM at a yard sale. Ten years from now, going from 2 GB of RAM to 8 will probably cost less than $10.

Using a standard x86 PC as a router, with known-good network interface cards, means you are less likely to encounter compatibility or longevity issues with any of these open source router systems. It gives you more control, and if you’re reading this, you probably have an old desktop PC in the garage or closet you’re not using anyway. Get it two good network interface cards and get it back in commission!

<span id="what-about-openwrt"></span>
== What about OpenWRT? ==

There are open source packages like [https://openwrt.org/ OpenWRT] doing the lord’s work to keep these routers going. This is a good project, run by good people. I do not want to denigrate them in any way; what I am about to say is in no way their fault.

They do their best to keep routers running with their firmware for as long as possible, but eventually it becomes too difficult or untenable to provide updates for older chipsets & hardware, and they [https://openwrt.org/toh/start fall off the list]. Those old routers will only work with older versions of OpenWRT (especially the [https://openwrt.org/supported_devices/openwrt_on_432_devices 4/32 devices]). It’s a lot of work to support hundreds of different makes & models, all using their own specific hardware.

When we build a router using a standard computer, we can install router software like '''pfSense''' or <code>OPNsense</code>, which means the chance of our hardware not getting updates or not being supported shrinks to almost nothing. These open source projects do not have to support a gazillion different hardware configurations. They support x86, and if you have x86 (most normal desktop computers are x86), you’re good. That makes them easier to maintain at scale & to provide ''regular'' updates for. The likelihood of your “hardware not being supported” by an open source router distribution, when it is a desktop PC with a good network card, shrinks to near 0.

By building your own router using '''pfSense''', an open-source firewall, and cheap, dedicated hardware, you guarantee long-term support and control over your setup. With '''pfSense''', you can get regular updates, customize your network settings, and even block ads across all devices using '''pfBlockerNG'''.

<span id="building-our-own-router"></span>
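The “one door in” policy from the top of the page (nothing reachable from the internet except the VPN and inbound mail, every other service reached only through the tunnel) written out as a pf ruleset, since pfSense runs pf underneath its web GUI. This is an added illustration, not text from the page and not a ruleset pfSense generates; pfSense builds its rules from the GUI, and the interface names <code>em0</code>/<code>em1</code>, the OpenVPN port 1194 (OpenVPN’s default) and the LAN mail host address are assumptions for the example.

```pf
# Added example: a minimal pf ruleset for the "one managed entry point" policy.
# Assumptions: WAN is em0, LAN is em1, OpenVPN listens on UDP 1194 (the OpenVPN
# default), and inbound mail is forwarded to a LAN mail host at 192.168.1.25.
ext_if   = "em0"
int_if   = "em1"
vpn_port = "1194"
mail_host = "192.168.1.25"

# Inbound mail is the only service published directly; redirect it to the LAN host.
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $mail_host port 25

# Default deny on WAN, logged: nothing else on the LAN is visible from outside,
# so a port scan of the public IP shows only the VPN and mail, not the service list.
block in log on $ext_if all

# The one managed entry point: OpenVPN.
pass in on $ext_if proto udp from any to ($ext_if) port $vpn_port keep state

# The one exception the page makes: self-hosted mail (matched after the rdr).
pass in on $ext_if proto tcp from any to $mail_host port 25 flags S/SA keep state

# Immich, Home Assistant, Syncthing, FreePBX and the rest get no WAN rule at all;
# they are reached only after the client is inside the tunnel.
pass out on $ext_if all keep state
pass on $int_if all keep state
```

The point to check after applying a ruleset like this is the same one the section above makes: an outside scan of the WAN address should show exactly two listening services, and updating OpenVPN on the x86 box is a package update rather than a wait for vendor firmware.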