Eddie 2.5 and INTRAnet security

iwih2gk
Just trying to square this away. I am reviewing the iptables mode for Linux under the network lock feature. I would have posted in that FAQ thread but it's locked to staff. I understand why.

From what I see the 2.5 client has enabled the "Eddie machine" to communicate within the local LAN network, probably so that the machine can find the router. Linux will ARP to the router before the firewall rules anyway.

My concern is that I like my Air-tunneled machine to be invisible to other devices on the local network. There are numerous devices on the LAN: family with smartphones, satellite TV, etc. I really don't want any exposure where a communication can occur between other devices and my encrypted payload leaving this machine.

Does Eddie 2.5 with the network lock feature enabled keep the connected machine isolated from intra-network devices? It appears not to. Tomorrow I will be able to experiment with a wireless printer vs Eddie. I literally don't want my machine to even have network printer access. It doesn't now because I have UFW still running in tandem, using tun0-only rules. UFW is enabled after tunnel access is made by the client. I don't need LAN credentials at that point because I am already connected.

Hello!

No, it is explicitly designed to allow communications within your local network. You should add rules to prevent that. However, remember that you will anyway need to allow communications with your router and with your DHCP server, if any.

Kind regards

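To make the staff reply concrete, here is an added example (not code from the thread, from Eddie or from AirVPN) that prints the ufw commands for a "tun0 only" policy like the one described above, plus the optional exceptions staff mention for the router and DHCP server and the one a later reply suggests for reaching the VPN server on the physical interface. The interface names (eth0, tun0), the router address and the VPN endpoint are illustrative assumptions; nothing is applied, the commands are only printed for review.

```shell
#!/bin/sh
# Added example for this thread; not code from the page, from Eddie or from
# AirVPN. Prints ufw commands for a "tunnel only" host policy and the
# deliberate exceptions a LAN-facing interface may need. Interface names
# and addresses below are illustrative assumptions.

# Baseline policy: deny both directions, then allow only the tunnel device.
# ufw's built-in rules already allow loopback and RELATED,ESTABLISHED
# traffic, which is why a tunnel that is already up keeps working after
# these rules are enabled.
gen_tun0_only_rules() {
    tun="${1:-tun0}"
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default deny outgoing" \
        "ufw allow in on $tun" \
        "ufw allow out on $tun"
}

# Each exception below deliberately widens LAN exposure on the physical
# interface; add only the ones you actually need.
allow_router() {         # allow_router eth0 192.168.1.1
    printf 'ufw allow out on %s to %s\n' "$1" "$2"
}
allow_dhcp() {           # allow_dhcp eth0 (DISCOVER/REQUEST go to broadcast, 67/udp)
    printf 'ufw allow out on %s to 255.255.255.255 port 67 proto udp\n' "$1"
}
allow_vpn_endpoint() {   # allow_vpn_endpoint eth0 203.0.113.10 443 udp
    printf 'ufw allow out on %s to %s port %s proto %s\n' "$1" "$2" "$3" "$4"
}

# Full ruleset for the case where the client must (re)connect through eth0
# while ufw is already enabled, instead of enabling ufw after connecting.
gen_ruleset_with_endpoint() {
    gen_tun0_only_rules tun0
    allow_router eth0 192.168.1.1
    allow_dhcp eth0
    allow_vpn_endpoint eth0 203.0.113.10 443 udp
    printf '%s\n' "ufw enable"
}

# Stand-alone use: print the commands for review; never pipe them into a
# root shell without reading them first.
gen_ruleset_with_endpoint
```

Without the endpoint exception, the ruleset matches the poster's workflow: connect first, then enable ufw, and the existing tunnel survives only because of ufw's ESTABLISHED rule. A reconnect to a different server would then be blocked until ufw is disabled again, which is the trade-off the later replies discuss.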
In my case I connect/tunnel the host OS using the 2.5 client, and THEN immediately enable UFW (via terminal) with tun0-only rules. At that point anything outside of tun0 doesn't leave or come into this machine. This forms the host OS obfuscated bridge for my subsequent VMs to run through. I realize my circumstances may be different from many here, but I need this machine isolated even from my other devices on the LAN.

It's working flawlessly and the new client is slick!!

Staff,

FYI

Just adding to this thread in case others here have any intranet concerns. I know many might not.

The network lock feature works flawlessly for "outside" internet security. However, it rewrites the iptables rules and grants quite a bit of intra-LAN (inside the LAN) access.

In my case I accidentally left UFW enabled during shutdown. I then booted my Linux host later in the day. Prior to installing Eddie 2.5 and enabling the new network lock feature, the AirVPN client would NOT have been able to connect due to my restrictive UFW ruleset. However, the redo of the iptables rules allowed Eddie 2.5 to connect around my UFW (tun0) rules. Surprising!!

I immediately started examining this event. By disabling the network lock feature and then rebooting the machine with UFW still enabled, my machine could not connect to Air via the client. That is what I want, because it signifies that NO handshake with the LAN is allowed and only tun0 traffic. When Linux boots it will still ARP to the router before ANY rules, so a connection is performed regardless of any rules.

It appears that to remain unavailable to other LAN devices I will need to simply enable UFW (tun0 only) after connecting with the client. It takes a couple of seconds to type "sudo ufw enable" in a terminal.

If there are other steps you want me to experiment with let me know. There are too many other devices coming and going on one of the networks I use.

Is there anything I am missing?

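The post above reports that network lock rewrites iptables and opens the LAN side, and the staff reply earlier confirms that is by design. Rather than guessing from a port scanner, the ruleset itself can be checked. The following is an added example (not from the thread and not Eddie's own ruleset) that audits an iptables-save dump and lists every ACCEPT rule that lets the host talk to LAN peers on an interface other than loopback or the tunnel. The dump embedded in it is constructed to resemble a network-lock style ruleset and the addresses are made up; run it against the live firewall with `sudo iptables-save | lan_permissive_rules tun0`.

```shell
#!/bin/sh
# Added example, not from the thread or from Eddie: audit an iptables-save
# dump for ACCEPT rules that let the host exchange traffic with LAN peers on
# an interface other than loopback or the tunnel. The dump below is
# constructed to resemble a network-lock style ruleset; it was not captured
# from a real Eddie install.

# Prints every INPUT/OUTPUT ACCEPT rule whose interface is neither lo nor
# the tunnel device and whose peer address is unrestricted or in an
# RFC 1918 range. Reads an iptables-save dump on stdin.
lan_permissive_rules() {
    tun="${1:-tun0}"
    awk -v tun="$tun" '
        /^-A (INPUT|OUTPUT) / && /-j ACCEPT/ {
            iface = ""; addr = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i" || $i == "-o") iface = $(i + 1)
                if ($i == "-s" || $i == "-d") addr = $(i + 1)
            }
            if (iface == "lo" || iface == tun) next
            if (addr == "" || addr ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) print
        }'
}

# Constructed sample: tunnel allowed, the VPN server reachable on eth0, and
# three rules that open the LAN side (subnet in, subnet out, DHCP to anywhere).
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 67 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -o eth0 -p udp -m udp --dport 443 -j ACCEPT
COMMIT'

# Number of LAN-permissive rules in the sample; 0 means "tunnel only".
count_lan_permissive() {
    printf '%s\n' "$SAMPLE_DUMP" | lan_permissive_rules tun0 | wc -l | tr -d ' '
}

# Stand-alone use: list the offending rules from the constructed sample.
# Against the live ruleset:  sudo iptables-save | lan_permissive_rules tun0
printf '%s\n' "$SAMPLE_DUMP" | lan_permissive_rules tun0
```

The rule allowing the VPN server's public address on eth0 is not reported, because it is exactly the exception the earlier reply asks for; the three LAN rules are, and the router/DHCP allowances staff mention would show up the same way, which is the point: every line this prints is LAN exposure you have chosen to accept.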
Sounds like you just need to make a rule allowing connectivity on eth0 to the AirVPN IP in your restrictive UFW ruleset.

 

 

At one time I was using specific allowed IPs in UFW to do exactly what you mentioned. The client allows me to use any of the 55 servers and I use quite a few from different countries. I really don't want a list of dozens of allowed IPs in my UFW set. So, rather than doing that, I simply connect to the desired server for the session and THEN enable UFW, locking to the then-established tun0.

Thank you for taking the time to make the suggestion. I appreciate how we all try to help each other around here. Air has some great members.

Makes sense, on one of my machines I do close to the same thing. I'm still kinda old school though and use openvpn n files etc. But I like the direction the client is heading. It's making it easier to do all this correctly and safely.

If you wanted to test/experiment a bit more you could always nmap yourself, either from another machine with a crossover cable or from the box itself. It would at least verify what's open with different settings etc.

-gl m8

We are on the same page. I came back here to post some confirmation/findings. Just to set the stage: I am currently using Eddie 2.5 WITHOUT the network lock because in my circumstance I want ZERO LAN participation between this machine and any other devices (router excluded). My reading (confirmed by staff in this forum) is that the iptables rules are set with the network lock to protect from tunnel disconnections and internet outside of the tunnel. It works flawlessly for that.

This Eddie 2.5 client is doing exactly what Air designed it to do. My application needs are outside of their paradigm, but the solution for me was easy.

My research is on the INTRAnet for my needs. There may be others that have special intranet security needs, and if so you would do well to consider what I have done, since the solution is easy. I have been using Angry IP (aka ipscan) to experiment. Using Eddie 2.5 with no UFW enabled on my end, Angry IP quickly finds and shows the 7 other devices on the network. I can confirm them by observation and by logging into the router admin panel via another machine. So while my internet tunnel is secure, this machine can still see all 7 devices that share its LAN. That doesn't work for me because I don't control some of those devices. I have this machine using encrypted payloads, but still I prefer for it to disappear in essence from those devices and vice versa. Solution: after connecting with 2.5 I enable UFW with one simple rule. tun0 is the only allowed entry and/or exit. After turning on UFW I run Angry IP and the only device seen is the router, with all other devices now gone from sight. Obviously they are still on the network, but since they don't exist in tun0 they don't exist to my machine.

I know I am a cautious user but I just feel better having my tunnel machine completely isolated. Is it overkill? Since it's so easy to do I say why not. My two cents.
