Hello,

Early this year I got help here to set up tinc tunnels between users and a company LAN. Now I would like to try something different for home usage and I have a question regarding security.
The setup would look as follows:

- My home LAN has a classical topology where my ISP router is doing NAT and is blocking all incoming connections. I'm planning to enable port forwarding on the router: port 655 (tinc) and 656 (ssh) to a Raspberry Pi running Raspbian. It would have a static IP.
- The ssh daemon listening on port 656 on the Raspberry Pi will be hardened (only one user can log in, strong password, protocol 2 only, fail2ban installed, etc.).
- The tinc daemon will be listening on port 655.
- I would use a DDNS service to find the current public IP of my router.

The goal is to be able to establish a tinc tunnel from a laptop outside the LAN to the Raspberry Pi and access all computers behind my router from that point on. Thanks to the previous help I know how to set up tinc and the routing rules to achieve that.

Now I'm wondering if and why I would need to implement any additional precaution, like a firewall on the Raspberry Pi, with that specific setup. I'm assuming that:

- It is impossible to reach any other port than 655 and 656 from the outside, as only those two are forwarded.
- It is impossible to directly reach any other computer than the Raspberry Pi, so they don't need to be protected.
- It is impossible, or very hard, to defeat the ssh and tinc daemons' security.
- It is thus impossible to access the Raspberry Pi otherwise than through a tinc tunnel or an SSH connection, so no firewall is needed.

Am I right there?

Thanks,
Julien
_______________________________________________ tinc mailing list [email protected] https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
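As an added example (not part of the post above, and not tinc's or Raspbian's own code), here is a host firewall for the Raspberry Pi that makes the post's assumptions hold on the Pi itself rather than relying only on the router's port forwarding: inbound from the LAN side, only tcp/udp 655 (tinc uses TCP for its meta connection and UDP for tunnelled data) and tcp 656 (the hardened sshd) are accepted, new ssh connections are rate limited per source, and the only traffic the Pi will route is what arrives through the tunnel and is addressed to the LAN. The interface names `tinc0` and `eth0`, the LAN prefix `192.168.1.0/24` and the table name `pi_fw` are assumptions chosen for the example; nothing is applied unless the script is run with `--apply` as root on a box with nftables.

```shell
#!/bin/sh
# Added example: host firewall for the tinc/ssh gateway Pi described in the post.
# Assumptions (not from the post): tinc interface "tinc0", LAN interface "eth0",
# LAN prefix 192.168.1.0/24. Override via environment variables if needed.
TINC_IF="${TINC_IF:-tinc0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
TINC_PORT=655   # forwarded by the router, as in the post
SSH_PORT=656    # forwarded by the router, as in the post

# Print an nftables ruleset to stdout. Nothing is applied by this function.
build_nft_ruleset() {
    cat <<EOF
flush ruleset
table inet pi_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # tinc: meta connection over TCP, tunnel data over UDP, both on $TINC_PORT
        iif "$LAN_IF" tcp dport $TINC_PORT accept
        iif "$LAN_IF" udp dport $TINC_PORT accept
        # hardened sshd; new connections rate limited so brute force is slowed
        # even before fail2ban reacts
        iif "$LAN_IF" tcp dport $SSH_PORT ct state new limit rate 6/minute accept
        # traffic that already came through the authenticated tunnel
        iif "$TINC_IF" accept
        # ICMP/ICMPv6 for path MTU discovery and neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # laptop -> LAN hosts only via the tunnel; nothing else is routed
        iif "$TINC_IF" oif "$LAN_IF" ip daddr $LAN_NET accept
    }
}
EOF
}

# List the destination ports the ruleset opens on the LAN-facing interface,
# one per line, sorted and unique. Useful to confirm only 655 and 656 are exposed.
exposed_ports() {
    build_nft_ruleset | grep "iif \"$LAN_IF\"" | grep -o 'dport [0-9]*' \
        | awk '{print $2}' | sort -un
}

# Syntax-check the ruleset with nft, then load it. Requires root and nftables.
apply_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    build_nft_ruleset | nft -c -f - || { echo "ruleset failed syntax check" >&2; return 1; }
    build_nft_ruleset | nft -f -
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
elif [ "${1:-}" = "--show" ]; then
    build_nft_ruleset
    echo "# exposed ports on $LAN_IF: $(exposed_ports | tr '\n' ' ')"
fi
```

Run it with `--show` first to review the generated ruleset and the list of exposed ports; persist it with `nft list ruleset > /etc/nftables.conf` once applied. The forward chain is what gives the Pi its gateway role without becoming a general router: a compromised host elsewhere on the LAN cannot use the Pi to reach anything beyond the established tunnel flows.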
