Yes.

On Tue, Apr 23, 2019, 1:49 PM Julien dupont <marcelvier...@gmail.com> wrote:
> Hello,
>
> Early this year I got help here to set up tinc tunnels between users and a company LAN. Now I would like to try something different for home usage and I have a question regarding security.
>
> The setup would look as follows:
>
> - My home LAN has a classical topology where my ISP router is doing NAT and is blocking all incoming connections. I'm planning to enable port forwarding on the router: port 655 (tinc) and 656 (ssh) to a Raspberry Pi running Raspbian. It would have a static IP.
> - The ssh daemon listening on port 656 on the Raspberry Pi will be hardened (only one user can log in, strong password, protocol 2 only, fail2ban installed, etc.).
> - The tinc daemon will be listening on port 655.
> - I would use a DDNS service to find the current public IP of my router.
>
> The goal is to be able to establish a tinc tunnel from a laptop outside the LAN to the Raspberry Pi and access all computers behind my router from that point on. Thanks to the previous help I know how to set up tinc and the routing rules to achieve that.
>
> Now I'm wondering if and why I would need to implement any additional precaution, like a firewall on the Raspberry Pi, with that specific setup. I'm assuming that:
>
> - It is impossible to reach any other port than 655 and 656 from the outside as only those two are forwarded.
> - It is impossible to directly reach any other computer than the Raspberry Pi so they don't need to be protected.
> - It is impossible, or very hard, to defeat ssh and tinc daemons security.
> - It is thus impossible to access the Raspberry Pi otherwise than through a tinc tunnel or a SSH connection so no firewall is needed.
>
> Am I right there?
>
> Thanks,
> Julien
>
>
> _______________________________________________
> tinc mailing list
> tinc@tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
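An added example, not from the thread or from the tinc project: the question rests on the Pi exposing nothing but port 655 (tinc) and 656 (ssh) to the forwarded traffic. The script below makes that explicit in two ways. `pi_nft_ruleset` prints an nftables ruleset for the Pi that admits only those two ports (TCP and UDP for tinc, which uses both), loopback, ICMP and replies to established connections, with a default drop. `unexpected_listeners` reads `ss -tulnH` style output and reports any non-loopback listener outside that allow-list, so the "only 655 and 656 are reachable" assumption can be re-checked after every package install. The listening-socket sample `SAMPLE_SS` is constructed for the demo; the port numbers are the ones from the question.

```shell
#!/bin/sh
# Added example (not from the tinc list thread). Assumes a Raspbian host that
# runs sshd on 656 and tincd on 655, exactly as in the question. SAMPLE_SS is
# a constructed `ss -tulnH` listing used only for the demo below.

TINC_PORT=655
SSH_PORT=656

# Emit an nftables ruleset for the Pi: loopback, established replies, ICMP,
# tcp/udp 655 (tinc) and tcp 656 (sshd) are accepted; everything else
# inbound is dropped by the chain policy.
pi_nft_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport { $TINC_PORT, $SSH_PORT } accept
        udp dport $TINC_PORT accept
    }
}
EOF
}

# Read `ss -tulnH` output on stdin (Netid State Recv-Q Send-Q Local Peer ...)
# and print "proto local-address" for every listener that is bound to a
# non-loopback address and whose port is not in the space-separated
# allow-list given as $1. Returns 1 if any such listener was found, else 0.
unexpected_listeners() {
    allowed=" $1 "          # padded so " 656 " cannot match " 6560 "
    found=0
    while read -r proto state recvq sendq laddr peer rest; do
        [ -n "$proto" ] || continue
        addr=${laddr%:*}
        port=${laddr##*:}
        case "$addr" in
            127.*|'[::1]') continue ;;   # loopback-only: not reachable from outside
        esac
        case "$allowed" in
            *" $port "*) ;;              # expected listener (tinc or sshd)
            *) printf '%s %s\n' "$proto" "$laddr"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample listing: tinc on udp/tcp 655, sshd on 656 (v4 and v6),
# a loopback-only MTA on 25, and a stray web service on 8080.
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:655   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:656   0.0.0.0:*
tcp   LISTEN 0 128 [::]:656      [::]:*
tcp   LISTEN 0 128 127.0.0.1:25  0.0.0.0:*
tcp   LISTEN 0 5   0.0.0.0:8080  0.0.0.0:*'

# Demo: prints "tcp 0.0.0.0:8080" and reports the non-zero status.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$TINC_PORT $SSH_PORT" \
    || echo "unexpected listener(s) found"
```

On the Pi itself the check is `ss -tulnH | unexpected_listeners "655 656"`, and the ruleset can be written to /etc/nftables.conf and loaded with `nft -f`. The ruleset does not change what the router already does (only the two forwarded ports arrive at the Pi); it makes the same policy hold on the host even if the port-forwarding entries are later edited, and the listener check catches a service that starts binding 0.0.0.0 after an update.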