Secure Remote Access With DD-WRT
I am not a security expert or network engineer. I have been progressing toward providing myself the ability to remotely access my home network. With each step I grow more aware of the security risks.
With no need for remote access, security is straightforward — disable all WAN side access.
When I do not need the remote access I can keep all WAN services disabled. When remote access is needed, the less that is open on the WAN side the better.
Remote GUI access to my router was convenient during testing, but I no longer need it. I do not need to keep port forwarding enabled as long as I have SSH access to the router. Likewise with any VPN access.
One approach is to SSH into the router and use the command line to toggle desired features. With DD-WRT this is done using the nvram command. Eventually I will add some shell scripts stored in /jffs.
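As an added example (not the author's script and not DD-WRT's own code), a toggle script of the kind described above could wrap nvram so that only whitelisted variables can be changed, values are validated, and each change is read back after the commit. The variable name remote_management and the file name /jffs/wan-toggle.sh are assumptions; confirm the variable on your build with nvram show before relying on it.

```shell
#!/bin/sh
# Added example: /jffs/wan-toggle.sh (hypothetical name), run from an SSH session.
# ASSUMPTION: remote_management is the variable behind the remote Web GUI
# setting on this build; check with: nvram show | grep remote_
ALLOWED="remote_management"   # only variables listed here may be changed

wan_get() {
    nvram get "$1"
}

wan_set() {   # usage: wan_set <variable> <0|1>
    var=$1; val=$2
    case " $ALLOWED " in
        *" $var "*) ;;
        *) echo "refusing: $var is not whitelisted" >&2; return 2 ;;
    esac
    case "$val" in
        0|1) ;;
        *) echo "value must be 0 or 1" >&2; return 2 ;;
    esac
    # Already in the desired state: skip the write to spare flash wear.
    [ "$(wan_get "$var")" = "$val" ] && return 0
    nvram set "$var=$val" || return 1
    nvram commit || return 1
    # Read the value back so a failed write is reported, not assumed.
    [ "$(wan_get "$var")" = "$val" ]
}

main() {
    case "$1" in
        status) echo "remote_management=$(wan_get remote_management)" ;;
        on)     wan_set remote_management 1 ;;
        off)    wan_set remote_management 0 ;;
        *)      echo "usage: $0 status|on|off" >&2; return 2 ;;
    esac
}

# Only act when called with an argument, so the file can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

nvram only stores the value; the setting takes effect once the affected service is restarted or the router reboots.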
When I do not need remote access, the single-port SSH access to the router provides a secure tunnel and a SOCKS5 proxy port to surf the web when using unsecured open access points.
Keeping only one WAN side port open seems saner and safer than allowing a slew of ports.
I configured the remote access with SSH keys, and the private key is passphrase protected. Should I lose my laptop, I need not worry about the keys being useful. Upon returning home I would replace all key pairs throughout my LAN.
Other than some music files I do not store data or personal files on the laptop. That is one reason I wanted secure remote access — to access those files when away from home. Thus, any thief would not find anything useful on the laptop. Even if compromised, I do not store personal information such as credit card or bank account numbers on the server.
One WAN port only, Vasily.