Internet facing logon platform to your SoHo

SecCon

Member
May 26, 2022
There are a number of ways you can expose your desktops, servers, routers or monitoring systems to the internet and thus be able to access them from anywhere.
Among those I know of and have used in the past, the simplest is probably RDP on a custom port with some additional security like a VPN tunnel and/or MFA, like Duo. Many NAS units have built-in options to access them from outside your network, and probably most routers and monitoring systems have ways of doing this with some additional configuration, plugins and what not.

My question is whether there is a way to tie a few or all resources/devices together, granting you access to everything in your network behind a secure logon? As if you were on your home desktop, through which you manage it all anyway? I guess you could just RDP to that desktop and problem solved, of course, but what if you wanted it accessible and presented via a web interface on a subdomain of a site you own? Kind of a SoHo portal to your LAN?

Does it make any sense?

Stephan

Active Member
Apr 21, 2017
Germany
RDP on a custom port is useless; scanners like Shodan will find it anyway, fast. It will only keep away the stupid. The last time that worked was 2005.

I recommend setting up internal DNS correctly and then just using OpenVPN into your LAN, with DNS going over it entirely or per xy.local.yourdomain.com via your DNS, so you can browse everything and it will just work.

Never open up any ports other than VPN without also configuring fail2ban.

If you want to avoid VPN, stuff like nginx reverse-proxying is possible, but very tricky to set up correctly, without holes. It will also expose your containers or whatever to the internet directly. Not recommended, ever. In 2022 it is all about reducing attack surface.

I once implemented and improved upon a custom solution based on a separate username/password scheme, some special sauce in OpenResty, which is nginx+Lua, and a script which presents a login interface. Only if you enter correct credentials will it give you a temporary cookie that allows you to even reach a service inside. No cookie, back to that login page, no exceptions, and the internal service is shielded from any access whatsoever. The thing is, I never published it. It is raw, and I have too little time to even answer questions about it.

gb00s

Active Member
Jul 25, 2018
Poland
On top of the above: you don't need to expose anything to the public at all with a simple mesh, via Tailscale for example, or with a centralized solution like NetMaker/Nebula/ZeroTier.

acquacow

Well-Known Member
Feb 15, 2017
I use sshuttle on Linux to basically VPN in over SSH, and I can hit all my internal IPs' ports just fine remotely once the connection is established.
