G+_Happy Macer Posted July 30, 2015

Hi everyone, seeking a bit of guidance please. My family want to be away from home and able to connect home and connect to their NAS, but nobody else's. So say son wants to connect, he would be automatically linked to his NAS. Let's assume he wants to back up his photos or something similar.

I thought I could use my DDWrt tplink WDR3600 as the router. (Just started playing with it so a bit of a noob!) I understand I could use ssh tunnels, or OpenVPN, or port forwarding. Which is the best way to go? Where do I start to set it up? NAS first, then port forwarding, then tunnel?

I've read the DDWrt tutorials and while they are handy, they are typically a recipe rather than an explanation of what you're doing. Am currently digging around the net to see what I can find. Is the DDWrt router "powerful" enough? I would appreciate any thoughts, thanks in advance.

G+_Travis Hershberger Posted July 30, 2015

OpenVPN is probably the easiest way to go. Once configured properly it makes the network think you are at home no matter where you are connecting from. You can do the same sort of thing with ssh tunnels, but lots of how-tos and guides are around for OpenVPN while not very many good tutorials are around about how to accomplish the same thing via ssh tunnels (which won't work natively in Windows anyway. It's built into UNIX/Linux/BSD.)

G+_Happy Macer Posted July 30, 2015

Thanks Travis, I will go look for some OpenVPN how-tos.

G+_Ben Reese Posted July 31, 2015

It's considered less secure, but I've had good success with PPTP on DD-WRT - even able to connect from the native Android VPN client.

G+_Ben Tyger Posted July 31, 2015

What about something like ownCloud? Depending on the user's skill, that may be easier to use than a VPN.

G+_Happy Macer Posted July 31, 2015

Thanks Ben, if I fail to get OpenVPN working I will try PPTP. I'm looking at the DDWrt tutorial for OpenVPN and it looks fairly easy to follow, and I've found I can set the destination addresses (routed), so I'll fiddle with that a while and see what I can achieve.

G+_Happy Macer Posted August 1, 2015

Thanks Ben, I did a quick look at ownCloud but as I understand it, it runs everyone's cloud on 1 NAS, and as I already have the NAS boxes I decided not to go this route.

G+_Ben Tyger Posted August 1, 2015

Happy Macer, just so you know, PPTP is completely broken in terms of security. It can be snooped regardless of configuration.

G+_Happy Macer Posted August 1, 2015

Thanks for the update Ben! I'll persevere with OpenVPN in that case.

G+_Ben Reese Posted August 2, 2015

I've heard that PPTP is broken, but haven't really seen anything explaining how it's so bad. Only thing I could find is somewhere in the initial key exchange a very persistent MITM could intercept then decrypt the keys. Anyone have more information on the flaws?

G+_Happy Macer Posted August 2, 2015

Now that I think about it, I have heard Steve Gibson on TWiT (Security Now podcast) talk about the problems with PPTP, and if I recall right he said it uses 56 bits for encryption. I remember him saying "It's better than nothing". Steve transcribes his podcast so if you have time maybe search for it?

G+_Ben Tyger Posted August 2, 2015

Happy Macer, you are correct, Steve Gibson did talk about it. PPTP is okay in a few cases but none of them are because of security. If you're just using PPTP to avoid geo-blocking, traffic shaping, or possibly P2P, PPTP is fine. If you are planning on using it to access sensitive documents, PPTP is broken.

Both PPTP authentication and packet transport are broken. MSCHAPv2 (the strongest non-PKI authentication protocol) was broken over a year ago. You can use EAP-LEAP safely, but setting up a PKI is a PITA and many PPTP clients don't support that mode of authentication. While there is RC4 encryption for the traffic once authentication is done, there is no message digesting. While RC4 is still strong, it seems very hard to implement correctly. This makes it impossible to detect MITM attacks/listening.