
Any networking guys here?


Stickey


I'm looking to enhance my smart home setup and in order to really do that it requires me to open ports. I've done this before for the xbox, but I haven't done this for a PC. I have an Ubuntu install housing my home automation (homeassistant), Plex server, and I was also looking into setting up a VPN (Link to video). So what can happen when opening a few (3?) ports to this PC? I understand encrypting the information being sent in and out, but does leaving these ports open leave the rest of my network at risk? If you have any warnings or tips to help secure things better I'd love to hear them. Thanks all!

 


You're looking to host your own VPN? I would not use anything inside your network to host the VPN. Ideally, the VPN would be hosted outside your network in a DMZ. Those open ports would be open to the Internet, so there is an inherent risk there. It would be the same if you were hosting your own website. You need to keep that website hosted in a DMZ outside of your internal LAN. From there, you can poke some holes in the firewall separating the DMZ computer from your internal LAN to allow computer/s VPNing in to actually be able to access internal resources.

 

The end result would look something like this...

Computer > Internet > External Firewall > DMZ (VPN Host) > Internal Firewall > LAN


Jesus, why the fuck are people making this look easy? The VPN would just be for myself if that makes any difference, even then I was questioning if I really needed it. So would I need, or you recommend I still have the same setup just to open a few ports?


Only open ports as needed and keep whatever uses those ports updated, other than that don't worry too much about it. It's not so much the open ports that's the issue, it's what's listening on the open port. There's some risk just in using the internet but the more internet facing servers you're running the greater the chance that one of them has an unpatched vulnerability that can be exploited. So running a webserver that you don't bother installing security updates for with a no longer supported version of WordPress or Joomla would be a bad idea.

 

If the router is a decent firewall it'll protect better but some filtering features can potentially slow your internet down. I wouldn't expect a consumer router to have anything like that though. Basically keep everything patched and make sure you have the latest firmware for the router (keep an eye open for any news about vulnerabilities for that brand of router). Use a good password for the VPN and consider changing it periodically. If you decide you no longer need it (whether permanently or if you know you definitely won't use it for say a month), disable the VPN and any servers you're no longer using.

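An added example, not part of any post in this thread: the reply above says the risk is in what is listening, so this sketch parses `ss -H -tuln` output from the Ubuntu host and separates listeners bound beyond loopback into those you meant to expose and those that need review. The sample output is constructed, and the allowlist ports (Home Assistant 8123, Plex 32400, WireGuard 51820/udp as the VPN) are assumed defaults to adjust for your setup.

```python
import ipaddress

# Constructed sample in the column layout of `ss -H -tuln` (not real output).
SAMPLE_SS = """\
tcp   LISTEN 0 128  0.0.0.0:8123      0.0.0.0:*
tcp   LISTEN 0 128  *:32400           *:*
udp   UNCONN 0 0    0.0.0.0:51820     0.0.0.0:*
tcp   LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
tcp   LISTEN 0 128  [::]:22           [::]:*
tcp   LISTEN 0 80   127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0 5    0.0.0.0:5900      0.0.0.0:*
"""

# Hypothetical allowlist: the services you intend to forward on the router.
INTENDED = {("tcp", 8123): "Home Assistant", ("tcp", 32400): "Plex",
            ("udp", 51820): "VPN (WireGuard assumed)"}

def parse_listeners(ss_output):
    """Yield (proto, address, port) for each tcp/udp socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        yield fields[0], addr, int(port)

def is_loopback(addr):
    """'*' means all interfaces; anything else is checked as an IP address."""
    return addr != "*" and ipaddress.ip_address(addr).is_loopback

def audit(ss_output, intended=INTENDED):
    """Return (expected, unexpected) lists of listeners reachable off-host."""
    expected, unexpected = [], []
    for proto, addr, port in parse_listeners(ss_output):
        if is_loopback(addr):
            continue  # only reachable from the machine itself
        bucket = expected if (proto, port) in intended else unexpected
        bucket.append((proto, addr, port))
    return expected, unexpected

if __name__ == "__main__":
    ok, extra = audit(SAMPLE_SS)
    for proto, addr, port in ok:
        print(f"expected  {proto}/{port} on {addr} ({INTENDED[(proto, port)]})")
    for proto, addr, port in extra:
        print(f"REVIEW    {proto}/{port} on {addr}: not in allowlist")
```

Listeners flagged for review are reachable from the LAN, and from the Internet only if the router forwards that port, so the fix is either to bind the service to 127.0.0.1, stop it, or confirm it is never forwarded.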

Regular stuff won't be affected within the network. Regular stuff over the VPN will be encrypted but check whatever encryption you use to make sure it isn't obsolete. Keep your software updated, use a good password for VPN access and don't worry about it. You'll technically be at greater risk but if you take those precautions it's not worth worrying about. Do keep an eye out for news about zero day vulnerabilities for your software. If something comes up consider temporarily disabling the VPN until it gets patched.
