
Internet tunnel to home network... For playing Minecraft with the kids

T-Nuts

I know I can set up my laptop to connect to a VPN but how do I set up the other end at home to either access my NAS, home computer or...*cough* play Minecraft with my kids who are using the Xbox... 


You could check if your router/modem supports it. I know that e.g. FritzBox! should have built-in VPN server capabilities.


It does not. I looked. It's a run of the mill free modem from Telus


11 minutes ago, T-Nuts said:

It does not. I looked. It's a run of the mill free modem from Telus

In that case you would need to set up a VPN server in your home network and open/forward the port(s) for the type of VPN it supports, so that you can connect to it from the outside.

 

Here's a starting point: https://www.howtogeek.com/221001/how-to-set-up-your-own-home-vpn-server/


24 minutes ago, Eigenvektor said:

In that case you would need to set up a VPN server in your home network and open/forward the port(s) for the type of VPN it supports, so that you can connect to it from the outside.

 

Here's a starting point: https://www.howtogeek.com/221001/how-to-set-up-your-own-home-vpn-server/

Only works if you actually get an IPv4 from your provider and you don't get a tunnel like me.


I guess I could get a book shelf PC and set that up as a VPN server...


Unless you have your own Minecraft server (which may honestly be an easier solution), you will need to configure OpenVPN to use a TAP interface, that allows you to be on the same subnet as clients at the house. Minecraft, like most non-internet multiplayer games, uses broadcast packets to establish the connection. Broadcast packets will not (by default) cross from the LAN subnet to the VPN subnet if you use the default TUN style connection.

 

If Minecraft is the main game you are playing together, I would really look into the idea of hosting your own server. It's pretty easy and will allow you to connect across the internet (assuming you set up port forwarding). VPN is a little more complicated to set up, and once working, could still be problematic.


8 hours ago, Noah0302 said:

Only works if you actually get an IPv4 from your provider and you don't get a tunnel like me.

Yes, CGN is becoming more and more of a problem. There are a few ways around it, but most involve a service you have to pay for. You might ask your ISP if they have an option to give you a real IP address (probably extra cost).

 

The other option is that if they offer IPv6 (more and more ISPs do) you could look into using that. I would never suggest IPv6 for something you intend to publish, too many corporate networks don't allow it. For some kind of home project, if you have IPv6 on both ends, you may as well use it.


I wouldn't recommend opening up UDP ports for inbound VPN connections into your home network unless you have DDoS protection, a physical router that supports it or are pushing your packets through port 443. Either way, a better idea would be to get a VPS and set up OpenVPN on there as a peer network so whoever connects to that VPN server can play Minecraft together.


2 hours ago, stevecat said:

I wouldn't recommend opening up UDP ports for inbound VPN connections into your home network unless you have DDoS protection, a physical router that supports it or are pushing your packets through port 443. Either way, a better idea would be to get a VPS and set up OpenVPN on there as a peer network so whoever connects to that VPN server can play Minecraft together.

Could you explain the attack vector you are concerned about? As a network professional, your first sentence does not make sense to me. Running a service on a router vs a computer makes no difference to the risk of a DDoS attack. You mention port 443 (I assume you mean SSL), but that doesn't help either; if anything, SSL puts you at a higher risk of DDoS due to the CPU time used by encapsulation.

 

A DDoS attack is not going to affect a home user the same way as a business. I don't see why it would, unless you are a somewhat notable person like a streamer. But let's say it does, then what, your internet is slow for a few hours? Worst case, maybe you waste time calling tech support because you think it is an ISP issue. Not exactly a huge issue.

 

Maybe you just used the term DDoS without meaning to. In that case, yes, you need to be careful when opening ports, but opening ports is not a "never do" kind of thing, just make sure you understand what you are doing. Other than the router perhaps being a little more dummy proof, it is not more safe than a properly configured host providing the same service; in fact, it probably has fewer security features, such as brute-force protection. Starting the OpenVPN service on your router causes it to open a port to itself; it's the same thing, you just don't see it happening.


I don't want to make a Minecraft server because that kinda shoehorns you into one thing. I prefer flexibility... The more I dig into this, the more I think I should just pay the $10/month for a realm... Yuck...


  • 2 weeks later...
On 11/22/2019 at 6:19 PM, sphbecker said:

Could you explain the attack vector you are concerned about? As a network professional, your first sentence does not make sense to me. Running a service on a router vs a computer makes no difference to the risk of a DDoS attack. You mention port 443 (I assume you mean SSL), but that doesn't help either; if anything, SSL puts you at a higher risk of DDoS due to the CPU time used by encapsulation.

 

A DDoS attack is not going to affect a home user the same way as a business. I don't see why it would, unless you are a somewhat notable person like a streamer. But let's say it does, then what, your internet is slow for a few hours? Worst case, maybe you waste time calling tech support because you think it is an ISP issue. Not exactly a huge issue.

 

Maybe you just used the term DDoS without meaning to. In that case, yes, you need to be careful when opening ports, but opening ports is not a "never do" kind of thing, just make sure you understand what you are doing. Other than the router perhaps being a little more dummy proof, it is not more safe than a properly configured host providing the same service; in fact, it probably has fewer security features, such as brute-force protection. Starting the OpenVPN service on your router causes it to open a port to itself; it's the same thing, you just don't see it happening.

You can get hit with slow UDP type attacks that knock you off the grid every once in a while, leaving you open for sniffing attacks. Even if your bandwidth is high enough for those packets to reach your firewall and not flood your switch, then it will still crush your firewall. Best thing would be to use a proxy server to conceal your IP with DDoS scrubbers if you are planning to have more than a few people on there because of resentment, i.e. an admin thinks he had been falsely demoted decides to DDoS the server. The computer has insufficient LAN power to power packets within itself and even a small DDoS attack can crush that. Hardware routers have more power and can sustain even IPv6 DOS attacks. Also opening up certain ports will leave you susceptible to a variety of vulnerabilities, i.e. smurf packets. With a properly configured firewall, however, certain attacks can be mitigated.


You can use pfSense on an old computer and set up an OpenVPN server on it and point it to the local network


Depending on how much you want to spend there are many different self-hosted VPN options. If you don't want to leave one of your computers online all the time my best advice would be to pick up a 1GB Raspberry Pi 4 (full gigabit ports) and set it up as your VPN. Just make sure you have it set to DENY everything except for a single account with a strong username/password or, better yet, use a certificate-based authentication system.

 

A quick google can get you all the steps needed to do this including forwarding the ports (which you can use a non-traditional port for more security by obscurity).
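
An added example, not part of any post in this thread: a small Python check of an OpenVPN server config for three points raised above, TUN versus TAP for LAN broadcast discovery, certificate-based client authentication, and exposure of the forwarded UDP port. Both sample configs, the file paths in them and the finding labels are constructed for illustration; the OS-level bridge a TAP setup also needs is outside what the config file shows.

```python
import shlex

# Constructed sample: routed TUN, password-only login, no HMAC key.
WEAK = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
verify-client-cert none
auth-user-pass-verify /etc/openvpn/check.sh via-env
"""

# Constructed sample: TAP device for a bridged setup, client certs required.
BRIDGED = """\
port 1194
proto udp
dev tap0
server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.220
remote-cert-tls client
tls-crypt ta.key   # shared key; packets without a valid HMAC are dropped
"""

def parse(text):
    """Return {directive: [args]}, skipping blank lines and #/; comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            words = shlex.split(line, comments=True)
            opts[words[0]] = words[1:]
    return opts

def audit(text):
    """Flag settings that bear on LAN discovery, client auth and UDP exposure."""
    o = parse(text)
    findings = []
    # dev-type, when present, states the device type explicitly.
    dev = (o.get("dev-type") or o.get("dev") or [""])[0]
    if not dev.startswith("tap"):
        findings.append("routed-tun: LAN broadcasts will not reach VPN clients")
    # verify-client-cert defaults to "require"; the older spelling disables it.
    mode = (o.get("verify-client-cert") or ["require"])[0]
    if mode != "require" or "client-cert-not-required" in o:
        findings.append("no-client-cert: login rests on username/password alone")
    if "tls-auth" not in o and "tls-crypt" not in o:
        findings.append("no-hmac-key: any host can start a TLS handshake")
    return findings
```

Calling `audit(WEAK)` returns all three findings, while `audit(BRIDGED)` returns an empty list.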

 


1 hour ago, AngryBeaver said:

Depending on how much you want to spend there are many different self-hosted VPN options. If you don't want to leave one of your computers online all the time my best advice would be to pick up a 1GB Raspberry Pi 4 (full gigabit ports) and set it up as your VPN. Just make sure you have it set to DENY everything except for a single account with a strong username/password or, better yet, use a certificate-based authentication system.

 

A quick google can get you all the steps needed to do this including forwarding the ports (which you can use a non-traditional port for more security by obscurity).

 

rpis are good but how well do they handle a heavy payload and encryption with low latency on the fly? I bet it would definitely need some decent active cooling for it to do well


9 minutes ago, cole0622 said:

rpis are good but how well do they handle a heavy payload and encryption with low latency on the fly? I bet it would definitely need some decent active cooling for it to do well

I mean it might not be able to handle it at full gigabit speeds, but chances are it can handle it faster than the upload limitations on his network (my guess) at least.

 

Found 

looks like 200mbps or so is the average speed depending on which encryption method you use.  Still 200mbps is more than enough for what Op needs.

 

 


for the vpn I don't like using less than aes-256-gcm but that's me which 189.81Mbps is the max I'm curious as to the average and also latency


49 minutes ago, cole0622 said:

for the vpn I don't like using less than aes-256-gcm but that's me which 189.81Mbps is the max I'm curious as to the average and also latency

I doubt there is much of a latency impact. As for average I would expect it to be close to the max. Then again if you only have 50 or 100 mbps of upload that is all irrelevant.


3 minutes ago, AngryBeaver said:

I doubt there is much of a latency impact. As for average I would expect it to be close to the max. Then again if you only have 50 or 100 mbps of upload that is all irrelevant.

true, have you done this? what does it need for cooling for extended periods?


13 hours ago, cole0622 said:

true, have you done this? what does it need for cooling for extended periods?

I have one with an active fan... so depending on the fan it can be loud or quiet lol

 

To add on to this they also have cases like the flirc case which have a metal body that contacts the cpu and acts as a passive cooler. I am probably going to move towards that more. The one I am using stays nice and cool with the fan, but I have one that is mostly quiet and another one that is loud as hell. It is a shame since they are the same fan and case.

 

Then again I have actual servers at home I can put this stuff on if needed... I just use the Pis since they are fun to play with. I will say though Pi-hole is a must and if you are savvy enough with a 4GB Pi 4 you can put some IDS/IPS systems in place too provided you have a way to get the information to it (like a SPAN port).

 

*more talking*

Me being me though I am currently working to deploy my own SIEM at home using ELK and if I can make it correlate correctly I want to place a Pi IDS before and after my router. If I can find a way to set up some type of MX sandbox I will also have it checking various emails that come in. Will just need to make sure Gmails are routing into O365 and then coming in that way.

 

Do I need that much security at home? Nah, but it makes for fun projects and with a teenager it is ALMOST needed.
