Access your in-home IoT devices securely, using your own VPN.
BUILD TIME: 3 Hours
DIFFICULTY RATING: Advanced
A major issue that makers face with IoT technology is how to securely access their in-home devices remotely. You probably don’t want to go opening up your webcam to the broader internet just so you can check your home-brew while you’re on the train home.
For a variety of reasons, you may not want to use a cloud service to overcome that hurdle, especially true if you want to remote view your Raspberry Pi, or some other bandwidth critical function.
So what is there to do? Build your own Firewall!
WARNING: While all care is taken, no responsibility is taken for the implementation of this guide as a security measure. All systems (yes - all systems) are capable of hack and data breach, even if the method isn’t currently known. Regular security patching, complex passwords and general diligence will go a long way, but ultimately anything is hackable. This system will probably be more secure than an off-the-shelf router however, or at least as-secure with more configurable options.
THE BROAD OVERVIEW
Sure, your average internet router has some firewall functionality, but they’re often lacking features or can have poor security or reliability. In this guide, we’ll explore solutions that are suitable for a home network to gain access to your devices in a secure way. We will achieve this by building a firewall and using a VPN connection to connect.
One of the best secure methods to route through a firewall is by using a VPN (virtual private network). A VPN allows you to leave things secure, but still gain access to your local network remotely when you need to. The technology is robust, with low overhead and high functionality.
VPN: A virtual private network (VPN) is just as it sounds. It creates a tunnel through the firewall so your computer can act as though it’s inside the local network, when in fact it can be anywhere in the world.
FIREWALL: A firewall blocks unwanted traffic from entering your local network, which could potentially gain access to systems, computers, and create absolute havoc. A good firewall has a host of configurable options for what is allowed to come in and out, based on what you need. It also monitors all network traffic (almost a byproduct of allowing and disallowing).
How do they work together?
While a firewall looks at all traffic for malicious/unwanted traffic, a VPN only provides security for the traffic that is being transmitted through the VPN itself. It provides no protection for any other traffic that might be received by the Firewall (and in fact, could be used as a door to then perform malicious acts). Once a VPN connection is established, all access that would be given if you were physically connected via Ethernet to the internal network, is available to you remotely, while still maintaining absolute security.
Many modern home routers have simple firewalls built in but only provide basic protection and can lack advanced features. For this reason, we will create our own firewall.
Choosing Firewall Software
There are many great and free software based firewalls to choose from. Some popular choices:
We’ve selected pfSense for this tutorial. Not only can it be configured as a firewall, it also supports OpenVPN out of the box. A close runner-up for us was the ClearOS Community Edition.
pfSense is an open source software distribution based on the FreeBSD operating system.
what will you need?
- An Internet connection with modem/router (AKA gateway)
- 2 × Ethernet cables
- A spare computer with capacity for two ethernet connections
You could use a spare computer you have laying around. It doesn’t need to have the latest and greatest hardware, however, you will be limited by its Network Interface Card (NIC) capacity, so it is recommended that you have a NIC/s with at least two ethernet ports; one for the internet connected side of the firewall, and one for the local/internal side of the firewall (that is, your local network). Ideally, they should support gigabit transfer speeds (though not critical, your internet performance may suffer). It also needs to be compatible with the FreeBSD operating system, which supports a large range of cards/motherboards. To learn more, visit: https://www.freebsd.org/releases/11.1R/hardware.html
- CPU: 500MHz
- RAM: 512MB
- CPU: 1GHz
- RAM: 1GB
For details on hardware considerations, visit: https://www.netgate.com/docs/pfsense/install/installing-pfsense.html
In theory, it’s possible to run this firewall with a single ethernet port via a computer virtualisation. You could create two virtual NIC cards.
SETUP COULD LOOK LIKE THIS: Ubuntu machine running a virtual pfSense machine through software such as VirtualBox and then directing traffic from your router through the pfSense instance. However, this is beyond the scope of this article and not the best security practice.
Download pfSense software
To download the software head over to: https://www.pfsense.org/download/
We’re using Version 2.4.3 (64-Bit). You can download this as a USB Memstick installer img file or an iso file if you’d prefer to burn onto a CD/DVD or set up on a virtual machine.
Select the USB Memstick installer with VGA option so that we can initially use pfSense with a monitor and keyboard. Once downloaded write the img file to a USB flash drive. We recommend using Etcher for this: https://etcher.io/
Configure your home router
CAUTION: Please do your own research on your particular router and Internet Service Provider (ISP) before making changes to your router to ensure you don’t break your connection, potentially resulting in ISP fees to restore. Proceed with caution.
pfSense works best when the router is set to bridge mode, which allows pfSense to manage all traffic between the ISP and Local Area Network (LAN). This basically turns the router into a simple modem that just passes all data onto our firewall to handle. The idea is that we want to pass our WAN IP address directly to the firewall instead of the router's IP. Our firewall will also manage authentication, routing rules, port forwarding and DHCP.
A disadvantage of not running in bridge mode, for instance, is that port forwarding would need to be configured in both pfSense and the router. We will explain port forwarding in more detail later in this article.
Consult your router’s documentation to learn how to set up in bridge mode as steps vary across different vendors/models. The model can usually be found at the back or base of the router.
Our internet connection uses the PPPoE protocol to authenticate, so we had to make sure to set PPPoE Bridged type. If the connection uses IPoE then you would need to use IP Bridge Type instead.
There are some things to be aware of when using bridge mode:
- If your router has VoIP (Voice over IP) integration, you could potentially lose VoIP functionally if not configured correctly or the router doesn’t have a dedicated VoIP port.
- You will lose internet access until the firewall setup is complete.
- On some routers, you may lose access to manage the router via the admin interface. In these circumstances, the only way to gain access again is to reset the router (holding the reset pin). This will restore the router to its factory default settings, in which case you need to set it up again with your ISP username and password.Some routers will keep a default IP address such as 192.168.0.1 however you will need to set up a custom route to reach this.
- If your internet connection uses the PPPoE protocol to authenticate then take note of your username and password. We will need these details for pfSense.
Setup firewall computer
Once your firewall computer is assembled and ready, attach a monitor and keyboard.
WAN INTERFACE: Connect an ethernet cable from one of the firewall’s ethernet ports to a LAN port (usually LAN 1) on your router.
LAN INTERFACE: Connect a second ethernet cable from a remaining ethernet port on the firewall computer to your main computer. We will use the main computer later to configure and test the firewall.
Now we’re ready to install pfSense onto our firewall computer.
Plug in the bootable USB flash drive and turn the computer on. Please note that installing pfSense will erase all the data from this hard drive.
Next, boot the system from the USB drive. Usually your computer will already be configured to look for a bootable USB drive and will prompt you to press Enter. If not, look out for a message such as “Press F12 to select a boot device”. Failing that, you may need to enter your BIOS settings and change the boot order to look for USB first.
Once booted from the USB, you should be presented with the following screen. Press Enter to Accept.
Select Install then OK.
Select the keyboard layout for your region.
Next, we recommend using ZFS partitioning here. ZFS partitioning is more resilient to UFS especially when it comes to data corruption, UFS can become corrupt on power losses rendering the firewall unusable. ZFS is more memory intensive then UFS, around 2GB of RAM should be sufficient.
Select Install to accept the default ZFS configuration.
Seeing that this is our home network, it isn't "mission critical" to setup raid redundancy. We’re just going to proceed with no redundancy.
Press space to select the hard drive to install on, then select OK.
Select YES to destroy the contents on the disk.
Select No to manual modifications.
Finally select Reboot.
Ensure to remove the USB Drive before the computer restarts, otherwise you will be prompted with the installation process again.
Now, when your computer boots it should load into pfSense.
From here we can manage our pfSense firewall and configure our network interfaces. Now let's assign our WAN and LAN interfaces.
Once the system has finished initialising you should be presented with the following screen. If you do not see this screen you may have to press 1 for Assign Interfaces.
Type n for the VLAN question, as we will not be creating any VLAN’s.
You should be able to see your NIC interfaces listed. It can be trial and error depending on how many ports you have to determine which is what port. A helpful method is to have them all unplugged then plug in your modem/router, the link state should change and inform us which interface name it’s using.
Enter your WAN interface name. This will be your internet port (router).
Now select your LAN interface name.
Next, confirm the details are correct then press y.
Great, now your firewall should be running. Take note of the IP address assigned to the LAN interface, in our case it’s 192.168.1.1. This will be the gateway to access our pfSense admin from a web browser.
Head over to your main computer that should be connected to the LAN port of your firewall.
Open a web browser and navigate to your pfSense admin (for example https://192.168.1.1).
Default login details are:
You will be welcomed with a setup wizard, which will walk you through completing the setup process. Click Next.
Now configure your WAN interface. These settings may vary depending on your ISP so you may want to confirm with them the connection type for the SelectType field. If PPPoE, enter your username and password provided by your ISP.
For the General Information section, enter your preferred DNS providers, we will use Google’s DNS 220.127.116.11 and 18.104.22.168
Now continue with the remaining steps and choose a password to login to the pfSense admin.
Great, now your pfSense firewall should be up and running! By default pfSense comes with security enabled which is great. It does not allow ports through until you create rules to specify which ports you would like opened. pfSense also takes care of the DHCP for the LAN range that you’ve set. Of course, these things are fully customisable. There’s a lot you can do with pfSense.
We can now extend our LAN by removing the computer from the LAN interface of our firewall and connecting a switch. The computer can then connect through this switch.
Next, we will explore setting up a VPN.
A static IP from your ISP will make life easier. A static IP address does not change so you will know exactly which IP to connect to. The average home user though will not have a static IP address. You can usually request a fixed IP address from your ISP, but this will come at an additional cost.
No static IP? No worries! If you’d prefer to use a dynamically assigned IP address, there are DNS services you can use as a workaround. We will discuss this later in the article.
OpenVPN comes installed with pfSense, we just need to configure it.
There’s an optional package we can install that makes setting up our VPN even easier.
From the pfsense admin click on System › Package Manager. Next, click available packages and search for openvpn.
Install the openvpn-client-export package.
The openvpn-client-export provides us with pre-configured downloadable bundles which contain the configuration and certificates used to connect and authenticate with our VPN Server. This is especially helpful when its time to set up our VPN clients saving us from manually entering these settings.
Before our clients can connect, we need to set up our VPN server.
Setup VPN Server
To set up the VPN server, click on VPN › OpenVPN, then click on Wizards.
Select Local User Access and click Next.
Create a CA Certificate by filling your details then click Add new CA.
Now fill out your details to create the server certificate then click Create new Certificate.
For the next part, we can leave most fields as default, but we will need to type in a description and enter the tunnel network IP. We are using 192.168.100.0/24. This IP subnet range will be assigned to the remote device connecting through the VPN, ensure to use a range that’s not already in use on your network.
We will give this remote connection access to our local network. Under Local Network enter your LAN range, i.e.: 192.168.1.0/24. Lastly, enter your preferred DNS server. Again we will use Google’s 22.214.171.124 for DNS Server 1, then click Next.
For the last step ensure both checkboxes are checked to auto-generate the rules then click Next.
That’s it for our VPN Server, click Finish!
Create VPN User
Next, we need to create a user to give access to our VPN.
Click on System › User Manager.
Click add and fill out the user’s details.
Under Certificate Check “Click to create a user certificate”. If you prefer, you can turn this extra layer of security off in VPN settings if you want simple user authentication.
We’re almost there! Now that we have a VPN Server and a user, next we just need to set up the VPN client on our remote computer/device.
Since we installed the openvpn-client-export package earlier we can now benefit from the simple export options. The OpenVPN Client Export package automatically creates a Windows installer to download, or it can generate configuration files for OSX, Android and iOS clients, and others.
Navigate back over to VPN › OpenVPN then click Client export.
Scroll down to OpenVPN Clients. From here can find the client installation files and config bundles for your OS.
For iOS/Android, download the configuration file. Then, you will need to install the OpenVPN Connect App or similar. Once installed you can import the configuration file.
If you're using Windows, you can simply download the Windows Installer package. This comes with the VPN client software (OpenVPN). The software also comes pre-configured with your VPN server configuration and certificate.
We will only cover Windows setup instruction in the guide, please refer to the online documentation if using a different operating system located at https://www.netgate.com/docs/pfsense/vpn/openvpn/using-the-openvpn-client-export-package.html
Download the Windows installer bundle and run. Use the default installation settings.
Once installed, run the OpenVPN shortcut from your desktop. This will start the service and you should now have an OpenVPN icon in the system tray. Right-click this icon and select Connect.
We should now be connected. To confirm, open a command prompt and ping your firewall's LAN IP.
You should receive a reply:
You can also check the pfSense admin to see if the connection was made by adding the OpenVPN widget to the dashboard.
If you are having trouble connecting, check your Windows firewall settings. If you still cannot connect, there is a known bug in the VPN server creation wizard which can cause the issue. To fix, from the pfSense admin go to Firewall › Rules › WAN. Edit the VPN connection and change protocol to TCP/UDP then click Save.
Dynamic IP Address
Please note that if you do not have a statically assigned IP address from your ISP then you must use a service in order to connect to your VPN server. Since dynamic IP addresses change frequently we need a way to track these changes so that our VPN client knows where to find your server.
For this solution, it is required that your router is in bridged mode, as our pfSense firewall needs to see the public IP address assigned on the WAN interface.
We will walk through setting this up with No-IP. Create a free No-IP account at: https://www.noip.com/sign-up
The limitation of a free No-IP account is that you will need to confirm every 30 days that you still require the hostname otherwise the hostname will be released. You will receive an email warning prior to the hostname being released.
Choose a preferred hostname. We will use diyodelab.ddns.net then complete the signup process.
After you've confirmed your No-IP account via email confirmation link go to the No-IP account page and create a username which pfSense will use to authenticate.
That's all the configuration we need for No-IP. Now, head back over to the pfSense admin and navigate to Services › Dynamic DNS. Then, under Dynamic DNS Clients click Add.
Under Service Type select No-IP (free). Select WAN for Interface then add your No-IP hostname, username and password and Save.
That’s it. Your firewall will now send an update to No-IP informing the service everytime that your IP address changes.
Now you can edit your VPN client configuration settings and enter your No-IP hostname.
If you don’t need the security that a VPN provides then a simple solution would be to enable Port Forwarding through Network Address Translation (NAT) for a particular IoT device, such as a Raspberry Pi running a HTTP web server.
Note: Be mindful that this exposes our device to the open Internet.
If your Pi is running Node-RED you can configure authentication for the admin portal to provide better protection. However, if someone manages to gain access to the Node-RED admin they could potentially write a program to access other devices on your LAN. You can improve security by having these shared devices on a separate subnet of your network with firewall rules in place that prevents access to your trusted LAN.
If your device is just running a simple web server to serve weather station data then maybe you don’t care who sees. The risk is (albeit low) if someone gains access to the device rather than its HTTP server.
Port forwarding can be set up on most routers without using a firewall but we prefer to have the added layer of security when opening parts of our network to the outside world.
First, you want to configure your IoT device with a static IP address. Next, open the pfSense admin and navigate to Firewall › NAT then click the Port Forwarding tab and Add a New Rule.
From here we will create a rule on the WAN interface that redirects TCP traffic from port 1880 (Node-RED’s default port) to our local device on port 1880.
After applying the new rule you should be able to navigate to your public IP with selected port or if you're using a dynamic DNS service like us, that should also work. For example: diyodelab.ddns.net:1880/ui
Where to from here?
IoT devices can attack your network from within, especially those cheap IoT devices or even a guest coming over with their own possibly infected devices. Should we really have our high tech coffee machine or toaster sharing the same network as our computers or servers? Perhaps not.
Network separation is a good idea here. We can restrict devices to their own IP range and only allow them to access the internet and not our trusted network. pfSense makes this easy to implement.
Other improvements achievable using pfSense:
- Add WiFi, either by connecting a WiFi network card into your firewall computer and creating a new WLAN interface in pfSense or connecting a WiFi access point to the existing LAN interface
- Add a content filter to keep the internet safe for your family, by blocking inappropriate or malicious sites
- Setup website caching: speed up browsing of regularly visited sites using the Squid package
- Implement an intrusion detection and prevention system (IDS / IPS) using Snort
Computer hardware, ISP providers and routers differ. Some further troubleshooting may be required. If you run into issues consult the pfSense community.