It's been some time since I've made a post, but I do have a new favorite router: pfSense. For a Linux/Unix guy like me, running a firewall on my own hardware is fun, not a hassle. So I bought a used server-room pull from eBay, put in an inexpensive SSD from MicroCenter, and had it up and running in less than an hour.
Setting up a killswitch for your VPN provider under Ubuntu
Run these commands to let your Ubuntu machine connect over the VPN but deny all other traffic, so that if the VPN goes down the machine only allows local-subnet access (SSH, so you can fix it) instead of silently falling back to the bare Internet connection.
#Allow UDP traffic on the OpenVPN ports so that the VPN can be established.
ufw allow out 1194/udp
ufw allow out 1198/udp
#Allow DNS queries. This permits DNS on every interface, so lookups can still leave outside the tunnel while it is down; add "to <resolver>" if that matters to you.
ufw allow out 53/udp
Allow outbound HTTP/HTTPS over all interfaces for Ubuntu updates (mirror addresses change over time, so check them before copying):
ufw allow out proto tcp to 23.246.0.0/18 port 80
ufw allow out proto tcp to 23.246.0.0/18 port 443
ufw allow out proto tcp to 54.239.54.0/23 port 80
ufw allow out proto tcp to 54.239.54.0/23 port 443
ufw allow out proto tcp to 54.239.13.128/25 port 80
ufw allow out proto tcp to 54.239.13.128/25 port 443
for x in 54.239.122.0 54.239.126.128; do for y in 80 443; do ufw allow out proto tcp to ${x}/25 port ${y}; done; done
ufw allow out proto tcp to 64.15.0.0/16 port 80
ufw allow out proto tcp to 64.15.0.0/16 port 443
for x in 54.239.145.0/24 64.15.119.0/24 91.189.91.23 91.189.91.26 91.189.88.149 91.189.88.152 91.189.88.162 91.189.88.161; do for y in 80 443; do ufw allow out proto tcp to ${x} port ${y}; done; done
#Get the interface addresses and allow traffic to and from the local subnet(s).
#ip replaces the deprecated ifconfig and reports the real prefix length, so we don't have to assume /24; only RFC1918 addresses are kept.
for y in $(ip -4 -o addr show scope global | awk '$4 ~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/ {print $4}'); do ufw allow out to ${y}; ufw allow in from ${y}; done
#Get the IP addresses of the VPN servers, in this case privateinternetaccess.com, and allow traffic in from them.
#Keep only A records: a failed lookup or an AAAA record would otherwise put junk like "3(NXDOMAIN)" into a rule. Re-run this when the provider's addresses change.
for z in $(for x in ca ca-toronto sweden swiss france germany israel; do host -t A ${x}.privateinternetaccess.com; done | awk '/ has address / {print $NF}' | sort -u); do ufw allow in from ${z} to any; done
#allow traffic on tun0, the VPN interface.
ufw allow in on tun0 from any to any
ufw allow out on tun0 from any to any
#Deny connections by default
ufw default deny incoming
ufw default deny outgoing
#Enable the firewall (--force skips the interactive prompt about disrupting existing SSH connections)
ufw --force enable
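The same killswitch as an added example script (not from the original post): a print mode so you can see every ufw command before it runs, parsers that handle the cases the one-liners get wrong (a non-/24 subnet, the tunnel interface already being up when the script runs, a failed or IPv6 lookup from host), and a check that the result is actually fail-closed. The provider hostnames and ports are taken from the post; the print/apply arguments and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): the ufw VPN killswitch as a
# script with a dry-run mode, input parsers that handle edge cases, and a
# fail-closed check. Assumes the provider hostnames and ports from the post;
# ip, host and ufw are only needed in print/apply mode.

VPN_PORTS="1194/udp 1198/udp"
VPN_HOSTS="ca ca-toronto sweden swiss france germany israel"
VPN_DOMAIN="privateinternetaccess.com"   # assumption: same provider as the post

# Print the command in dry-run mode, execute it when KILLSWITCH_APPLY=1.
run() {
    if [ "${KILLSWITCH_APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Canonicalise host/prefix (192.168.1.5/24) to network/prefix (192.168.1.0/24)
# with plain arithmetic, so the rule is the same whatever address the box has.
to_network() {
    echo "$1" | awk -F'[./]' '{
        ip = (($1 * 256 + $2) * 256 + $3) * 256 + $4
        size = 2 ^ (32 - $5)            # number of addresses in the subnet
        net = int(ip / size) * size     # clear the host bits
        printf "%d.%d.%d.%d/%d\n", int(net / 16777216) % 256, int(net / 65536) % 256, int(net / 256) % 256, net % 256, $5
    }'
}

# Read `ip -4 -o addr show` output on stdin and print each RFC1918 network.
# Keeps the real prefix length instead of assuming /24, skips loopback and
# public addresses, and skips tun0 itself in case the VPN is up right now.
local_subnets() {
    awk '$2 != "tun0" && $3 == "inet" && $4 ~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/ {print $4}' |
    while read -r cidr; do to_network "$cidr"; done
}

# Read `host` output on stdin and keep only A records. Taking the last field of
# every line, as the one-liner did, also captures "3(NXDOMAIN)" from a failed
# lookup or the IPv6 address of an AAAA record.
vpn_server_ips() {
    awk '/ has address / {print $NF}' | sort -u
}

# Emit (or apply) the rule set. $1: space-separated local networks,
# $2: space-separated VPN server addresses.
build_rules() {
    for p in $VPN_PORTS; do run ufw allow out "$p"; done
    # DNS on every interface: lookups can leave outside the tunnel while it is
    # down; add "to <resolver>" here if that matters to you.
    run ufw allow out 53/udp
    for net in $1; do run ufw allow out to "$net"; run ufw allow in from "$net"; done
    for addr in $2; do run ufw allow in from "$addr" to any; done
    run ufw allow in on tun0 from any to any
    run ufw allow out on tun0 from any to any
    run ufw default deny incoming
    run ufw default deny outgoing
    run ufw --force enable    # --force skips the "may disrupt ssh" prompt
}

# Fail-closed check: read `ufw status verbose` on stdin and succeed only if the
# firewall is active, both default policies are deny and tun0 is open both ways.
check_killswitch() {
    status=$(cat)
    rc=0
    echo "$status" | grep -q '^Status: active' || { echo "firewall is not active"; rc=1; }
    echo "$status" | grep -q '^Default: deny (incoming), deny (outgoing)' || { echo "default policy is not deny/deny"; rc=1; }
    echo "$status" | grep -q 'tun0.*ALLOW IN' || { echo "no ALLOW IN rule on tun0"; rc=1; }
    echo "$status" | grep -q 'tun0.*ALLOW OUT' || { echo "no ALLOW OUT rule on tun0"; rc=1; }
    return $rc
}

# Usage: sh killswitch.sh print        (show the commands)
#        sudo sh killswitch.sh apply   (run them, then verify the result)
case "${1:-}" in
    print|apply)
        if [ "$1" = "apply" ]; then KILLSWITCH_APPLY=1; fi
        nets=$(ip -4 -o addr show | local_subnets | tr '\n' ' ')
        addrs=$(for h in $VPN_HOSTS; do host -t A "$h.$VPN_DOMAIN"; done | vpn_server_ips | tr '\n' ' ')
        build_rules "$nets" "$addrs"
        if [ "$1" = "apply" ]; then ufw status verbose | check_killswitch; fi
        ;;
esac
```

Run it in print mode first and read the output; nothing touches the firewall until you pass apply. The check at the end is the part worth keeping around: run `ufw status verbose | sh -c '. ./killswitch.sh; check_killswitch'` from cron or after any ufw change and you will hear about it if a later rule edit quietly turned the default outgoing policy back to allow.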
My Favorite Router for the Home
I’ve been a longtime OpenWRT user. I still use it, however, I have finally found a router suitable for the home which made it worth my while to use in its stead: the Ubiquiti Edgerouter X. I listened to Steve Gibson of GRC sing its praises on the Security Now podcast and discovered, to my delight, that his praise was well-earned. The ease of use, throughput, feature set, and amazingly low price combine to make it a nearly ideal home router. For $50, you get five gigabit ports, and the router is capable of providing nearly that amount in throughput. For people who work from home, the ability to have multiple WAN connections for failover is a godsend. It allows you to set up your own OpenVPN server as well. Some might consider the lack of wifi to be a negative. I am not among that number. Decoupling wireless access from the actual Internet allows for much more flexibility and much lower cost.
Get a UPS (or several)
Given the reasonable prices, a home uninterruptible power supply (UPS) is a good idea for computer enthusiasts. It can save a hard drive as well as reduce wear and tear on your equipment. If you own your own DVR, I'd suggest getting one for it as well. While I do not live in an area prone to frequent extended outages, I get power fluctuations and brownouts on occasion, and having a UPS has saved me a bunch of hassle. Also, since I have an enterprise network switch, it keeps my network from going down when those fluctuations occur. The switch takes about a minute to reboot, and I'd be offline the entire time. And if there are several power events over a short time, the repeated reboots would take me down for even longer, in addition to the stress on the equipment. Amazon has a good selection of them, and I've had good experiences with APC.
Bizarre issue using the xfinitywifi hotspot (solved)
OpenVPN over UDP is broken. I get a connection, but rarely pass traffic, and never make an https connection. When I switch to TCP port 443 on my server, everything works.