VPN, bridge, router or firewall?

1

Please help me figure out which implementation path to take for the following task:

I have a black-box device that acts as a web server (I can connect to it locally by typing its IP address into the browser's address field). The box does not implement any security measures except a simple user name and password. This is certainly fine when the server is on an isolated network, but I wish to have access to it from the internet, that is, from anywhere in the world. With this, I wish to use TLS for data encryption.

Having a Raspberry Pi available (and OpenVPN software), I thought it would fit this application. There are many different tutorials on how to implement a VPN, bridge, router and firewall using a Raspberry Pi, but I cannot figure out which one of the four functionalities is suitable for my application. The conceptual diagram is shown below:

[image: conceptual diagram]

The Raspberry Pi will have two network interfaces for internet access: one through ground Ethernet (eth0), the other using cellular internet (eth1), whichever is available, favoring the ground internet connection. The IP addresses of both interfaces will be known. The third Ethernet interface (eth2) will be connected to the local network through the switch. The server will also be connected to the switch. I have no control over the server (it's a black box); I only know its IP address.

The idea is to have the Raspberry Pi act as a middleman between me and the server, so I could securely connect to its web application using my web browser. But which functionality must the Raspberry Pi implement: a VPN, router, bridge or firewall?

EDIT:

The task that I stated above was too steep for me (lack of competence) and I decided to simplify the setup to start with. I did not want to remove the top part of the question just in case someone finds it and its corresponding answers useful. Instead, my new (simplified) setup would look as follows:

[image: simplified setup diagram]

The RPi would be connected to the cellular internet through the ppp0 interface and route all traffic to the eth0 interface, which would be directly connected to the server:

  1. dynamic ppp0 IP address (given by cell service provider)
  2. static eth0 IP address (assigned by me)
  3. non-secure internet connection
  4. RP is connected to the server directly (no switch needed)

I found several solutions like this and this, but they do not clearly explain why things are done that way. They also provide command-line directives which I will not know how to undo. Instead, I wish someone would reference the actual system/config files, which I could edit and revert if needed.

Currently, when I connect the RPi to the web server, I can browse it from the web browser. The goal is to be able to access the web server from the internet through the RPi. Could someone provide an educational tutorial on how to properly set up routing, taking into consideration that the ppp0 interface would go UP and DOWN depending on cellular connectivity, and that its IP address would be different and unknown every time?

Nazar

Posted 2018-06-08T23:43:11.537

Reputation: 113

What's the use-case? How do you see yourself connecting remotely to the web server? What's the "cellular" device? What are its capabilities? – Robear – 2018-06-09T00:36:48.440
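The simplified setup in the edit (ppp0 with a dynamic address, eth0 cabled straight to the box) can be done entirely from files rather than from one-off commands. The script below is an added example written for this page; it is not code from the question or from any answer. It assumes, since the question does not say, that the black box is 192.168.10.2 on the Pi's eth0 (192.168.10.1/24) and that only its HTTP port 80 is exposed. It lives in /etc/ppp/ip-up.d/, where pppd runs it every time ppp0 comes up, so the carrier's address never has to be known in advance; it also checks whether that address is in a carrier-grade NAT range, in which case no inbound forwarding can work and a VPN or outbound tunnel is needed instead.

```shell
#!/bin/sh
# /etc/ppp/ip-up.d/10-forward-to-webserver
# Added example for this thread, not code from the question or the answers.
#
# pppd runs every executable in /etc/ppp/ip-up.d when a ppp link comes up,
# passing:  $1 interface  $2 tty  $3 speed  $4 local IP  $5 remote IP  $6 ipparam
# The firewall rules match "ppp+" (any ppp interface) and never contain the
# dynamic address, so the same file works no matter what the carrier assigns.
#
# Assumed addresses (not given in the question): black box 192.168.10.2 on
# eth0, which is the Pi's 192.168.10.1/24 side.

SERVER_IP="${SERVER_IP:-192.168.10.2}"
LAN_IF="${LAN_IF:-eth0}"
PUBLIC_PORT="${PUBLIC_PORT:-80}"   # port exposed on the cellular side
SERVER_PORT="${SERVER_PORT:-80}"   # port the black box listens on

# Emit the rules in iptables-restore format. A text file you can read, diff
# and reapply replaces the long list of iptables commands the tutorials give;
# `iptables-restore < file` swaps the tables in atomically and is idempotent.
build_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# only the one forwarded port may cross from the cellular side to the server
-A FORWARD -i ppp+ -o $LAN_IF -d $SERVER_IP -p tcp --dport $SERVER_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o ppp+ -s $SERVER_IP -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# inbound connections on any ppp interface are redirected to the black box
-A PREROUTING -i ppp+ -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $SERVER_IP:$SERVER_PORT
# source-NAT so the box answers to the Pi even if its default gateway is not the Pi
-A POSTROUTING -o $LAN_IF -d $SERVER_IP -j MASQUERADE
COMMIT
EOF
}

# Dotted quad -> integer, so address ranges can be compared numerically.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_range <int> <first-ip> <last-ip>
in_range() {
    [ "$1" -ge "$(ip_to_int "$2")" ] && [ "$1" -le "$(ip_to_int "$3")" ]
}

# 0 (true) if the address is one the internet cannot route to us:
# RFC 6598 100.64.0.0/10 (carrier-grade NAT, common on cellular) or RFC 1918.
is_unroutable() {
    n=$(ip_to_int "$1")
    in_range "$n" 100.64.0.0 100.127.255.255 || in_range "$n" 10.0.0.0 10.255.255.255 ||
        in_range "$n" 172.16.0.0 172.31.255.255 || in_range "$n" 192.168.0.0 192.168.255.255
}

apply() {
    # forwarding for this boot; the permanent form is the line
    # net.ipv4.ip_forward=1 in /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules | iptables-restore
    logger -t ppp-forward "forwarding :$PUBLIC_PORT on $1 ($4) to $SERVER_IP:$SERVER_PORT"
    if is_unroutable "$4"; then
        logger -t ppp-forward "WARNING: $4 is a CGNAT/private address; nothing from the internet can reach it. Use a VPN or an outbound tunnel instead."
    fi
}

# Act only when pppd calls us with its arguments; running the file by hand
# or sourcing it for the functions leaves the firewall untouched.
if [ "$#" -ge 5 ]; then
    apply "$@"
fi
```

To revert, delete the file and run `iptables -F; iptables -t nat -F` (or reboot); with the Raspbian package iptables-persistent installed, the same text saved as /etc/iptables/rules.v4 is restored at boot. Nothing has to be removed when ppp0 drops, because the rules only match ppp interfaces and are replaced wholesale on the next ip-up. Note what this does and does not give you: the box's plain-HTTP login form, with only a username and password in front of it, is now reachable from the whole internet. That is the starting point the edit asks for, not an end state; putting TLS and a client certificate in front of it on the Pi is the next step.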

Answers

3

TL;DR

You need a firewall to secure your web server, and your router probably already provides this functionality.

DETAILS

All you really need is a firewall & SSL to secure your web server. If your home router already provides this, then the Raspberry Pi isn't going to give you any more security.

You should use SSL to secure communication to your web server. You could potentially use the Raspberry Pi as a reverse proxy to provide SSL functionality, but reverse proxies exist because SSL encryption is compute-heavy and the proxy takes the SSL load off of the web server. The Pi probably has far less compute than your web server, though. But if you're looking for a Pi project, that could be fun.

A common misconception is that VPN is "more secure" than without. A VPN is simply encryption + tunneling. Tunneling is what lets both networks believe they're on the same network. Unless you're trying to "marry" two networks, you don't need VPN. SSL + firewall should be fine.


Robear

Posted 2018-06-08T23:43:11.537

Reputation: 186

1

The "ideal scenario" will not work because, as Nazar said, the web server is a black box; he has no control over it. And... a VPN could be safer (IMHO) if the router and "cellular net" look closed from the internet, except for the VPN port. I think so because a VPN can authenticate users with certificates, while the web server can use only a username/password... What do you think? – None – 2018-06-09T00:20:43.793

Thanks, that's a very good point - I overlooked the "black box" comment. SSL out of the web server is not an option then. VPN and SSL are both single ports and both require authentication, so I see them as the same surface area. I tend to see VPNs as less secure, just my opinion, because a compromised VPN gives you access to the entire backbone, whereas SSL just gives you access to the web server. VPN also adds complexity and compute overhead. If the Pi serves VPN, the router / cellular would need to be set up as bridges OR have really good NAT (cheap NAT doesn't play well with VPN). – Robear – 2018-06-09T00:31:21.373

That being said, if the router / cellular can bridge OR the NAT for both has good VPN support, a VPN is just as viable an option. I would personally go with the reverse proxy, though. I just feel like it's simpler (like, you don't need a client VPN connection to reach the web server remotely. Just type in the address and go). – Robear – 2018-06-09T00:36:05.270

Thank you for the detailed answer. I tried to set up OpenVPN, but never had it working - I need to spend more time researching and learning, which I cannot afford at this point. Would you have an implementation suggestion for the second part of my question? Maybe I should make it a separate question? – Nazar – 2018-06-22T12:12:26.840

@Nazar I would make it another question. Essentially you'd need to set up routing. If you create a new post with your use case AND specific, exact IP addresses on Network Engineering, I'd bet someone would give you the exact solution. – Robear – 2018-06-28T15:53:13.270

@Nazar To answer some of your other questions, unfortunately there's no configuration file which you can edit to change the routing - it all happens via commands. I'd recommend reading up on IPv4 routing and then Linux iptables. Playing with it is half the fun, so if you have a multicore CPU you can install CentOS or Ubuntu in VMs on a virtual network and play with their IPs and routing in a sandbox. You could also use machines on Amazon's Free Tier. – Robear – 2018-06-28T16:00:33.023

1

The simplest solution would be to configure your Pi as a router/firewall device, i.e. you would firewall requests to the web server so that they only traverse the Pi if they come through the VPN interface which terminates on it, but this will not isolate the Pi from other devices on your LAN. This means it will only work if all Internet connections are forced through the Pi as per your diagram. If another device on the LAN is compromised, access to the web server can be acquired through it.

(If you are after a simple and moderately secure solution, you can ignore everything below.)

There are more complex and expensive scenarios which you could use instead. Instead of using a regular switch, you could use a managed switch and configure the web server on its own VLAN which is only visible to the Pi (i.e. the Pi will talk on multiple VLANs). You would also put the web server on its own IP address, thereby allowing other devices in the LAN to talk to it, but only through the Pi.

You can further expand on the switch idea above by firewalling the VLAN that the web server is on such that only packets originating on the VLAN interface of the Pi can talk on port 80. You can then add a reverse proxy (for example using Apache) to the Pi which answers on port 443 and then fetches requests from the web server on port 80. By using a client-side certificate as well as a regular one, you can ensure that only people who can get access to the router and who have a client certificate will be able to connect.

davidgo

Posted 2018-06-08T23:43:11.537

Reputation: 49 152

I edited my answer. Do I still need to use VPN with my current setup? – Nazar – 2018-06-22T00:32:37.663

That depends on the IP address provided to the Pi over the PPP link. If it's a regular, routed IP address then no, you don't need a VPN. That is a big IF, though, because most cellular connections are behind carrier-grade NAT. What are the first 2 octets of the IP address associated with ppp0? – davidgo – 2018-06-22T00:39:08.117

I will take a look at what IP Ting gives me, but the setup is intended to be used in Europe, and I do not know yet what it is going to be. – Nazar – 2018-06-22T12:09:00.000

If in doubt, use a VPN – davidgo – 2018-06-22T19:49:03.067
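Robear's reverse-proxy suggestion and davidgo's client-certificate variant of it come down to the same small build: a proxy on the Pi that terminates TLS, refuses anyone who cannot present a certificate from your own CA, and only then talks plain HTTP to the black box. The script below is an added example written for this page, not code from either answer; it uses nginx rather than Apache, and it assumes the box is 192.168.10.2 on eth0, that the name typed into the browser is pi.example, and that nginx is installed from the Raspbian repository (all of which are assumptions, not facts from the thread). Every artifact it produces is a file under /etc/nginx that can be read, edited or deleted to revert.

```shell
#!/bin/sh
# Added example for this thread, not code from the answers: an nginx reverse
# proxy on the Pi that terminates TLS on 443, demands a client certificate
# from a private CA, and only then fetches pages from the black box on
# plain HTTP. Assumed: the box is 192.168.10.2 (eth0), the hostname typed in
# the browser is pi.example, and nginx is installed from the Raspbian repo.

TLS_DIR="${TLS_DIR:-/etc/nginx/tls}"
PROXY_HOST="${PROXY_HOST:-pi.example}"

# Private CA + server cert + one client cert, bundled as .p12 for the browser.
# Run once as root; P12_PASS protects the bundle while it is copied around.
make_certs() {
    dir="$1"; client="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Pi proxy CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt"
    # server certificate; browsers insist on a subjectAltName, not just the CN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$PROXY_HOST" \
        -keyout "$dir/server.key" -out "$dir/server.csr"
    printf 'subjectAltName=DNS:%s\n' "$PROXY_HOST" > "$dir/server.ext"
    openssl x509 -req -days 825 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt"
    # one client certificate per person; if a device is lost, reissue the CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$client" \
        -keyout "$dir/$client.key" -out "$dir/$client.csr"
    openssl x509 -req -days 365 -in "$dir/$client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/$client.crt"
    openssl pkcs12 -export -inkey "$dir/$client.key" -in "$dir/$client.crt" \
        -certfile "$dir/ca.crt" -out "$dir/$client.p12" -passout "pass:${P12_PASS:?set P12_PASS}"
    chmod 600 "$dir"/*.key "$dir"/*.p12
}

# nginx site: no plain-HTTP listener at all, TLS 1.2+, client cert mandatory.
# Without a valid client certificate the TLS handshake fails, so no HTTP
# request (and no attempt at the box's password prompt) ever gets through.
nginx_conf() {
    server_ip="$1"
    cat <<EOF
server {
    listen 443 ssl;
    server_name $PROXY_HOST;
    ssl_certificate        $TLS_DIR/server.crt;
    ssl_certificate_key    $TLS_DIR/server.key;
    ssl_protocols          TLSv1.2 TLSv1.3;
    ssl_client_certificate $TLS_DIR/ca.crt;
    ssl_verify_client      on;
    location / {
        proxy_pass         http://$server_ip:80;
        proxy_set_header   Host \$host;
        proxy_set_header   X-Forwarded-For \$remote_addr;
    }
}
EOF
}

# Debian/Raspbian layout: sites-available holds the file, sites-enabled the link.
install_proxy() {
    make_certs "$TLS_DIR" "$1"
    nginx_conf "$2" > /etc/nginx/sites-available/blackbox
    ln -sf /etc/nginx/sites-available/blackbox /etc/nginx/sites-enabled/blackbox
    rm -f /etc/nginx/sites-enabled/default     # do not serve anything on :80
    nginx -t && systemctl reload nginx
}

# usage: ./proxy.sh <client-name> <server-ip>   e.g.  ./proxy.sh nazar 192.168.10.2
if [ "$#" -eq 2 ]; then
    install_proxy "$1" "$2"
fi
```

Import the generated .p12 into the browser and add ca.crt to its trusted roots; anyone without a certificate gets a handshake failure, so the box's username/password form is never on the internet at all. If the Pi was previously port-forwarding port 80 straight to the box, that rule has to go; the only thing open on the cellular side should be 443 to the Pi itself. The hop from the Pi to the box is still cleartext HTTP, which is acceptable on a direct cable and is the reason davidgo's VLAN variant exists for the shared-switch case. This does not help with the carrier-grade NAT problem raised in the comments: if ppp0 gets a 100.64.0.0/10 address, nothing inbound reaches the Pi regardless of what listens on it.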