Pfsense router behind a backdoor'd modem?

Discussion in 'privacy technology' started by Palancar, Mar 14, 2014.

Thread Status:
Not open for further replies.
  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    Security thread on maintaining privacy online:

    I have been considering using my own home-built pfsense router. After playing with this software for a week or so I am impressed as hell with it. I have to confess that I have been reading around on "dark" issues with respect to the NSA and their overreach. In addition to missing cool control features, I am somewhat convinced that retail home routers have "weaknesses" built into them to facilitate exploit. That hopefully won't be the debate of this thread. This project is also important as throughput can be exceptional on pfsense router systems.

    Spring boarding on the assumption of the above being correct, another question comes to mind:

    My commercial ISP requires everyone in the area to use their supplied modem, which is a Motorola, and they don't charge for it (publicly anyway). It's fast and can easily supply 75 meg all day long. If I were to construct a solid pfsense router with flawless security, but the modem itself is compromised, how would you recommend dealing with that? First off, I sleep well at night; this is not some tin-foil-hat lose-sleep thing. If I use pfsense and configure it to lock down 100% to a specific VPN and only their dns, wouldn't that cover me even if the modem attempted to "sell me out"? If the answer to that question is YES, then how is pfsense better than my current setup? My wireless laptop is currently locked down to only one starting VPN connection and its exclusive dns. Anything else is totally blocked. How could a compromised router do anything with a 100% encrypted wireless payload?

    Strictly from a security standpoint, based upon your knowledge of my wireless protocol, what would a pfsense router benefit me over an every day retail home router? I do know how to secure and lockdown the router. My limits are based upon the software they use and of course any "unknown" weaknesses.

    One concern I have is that should someone come into my home, a well constructed pfsense router clearly makes a person stand out as something other than a "normal" user. Whereas my current scenario is all stealth from a physical hardware standpoint. I know pfsense is completely legal and makes perfect sense to use. The fact is that normal home systems just don't really use such a setup.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Given your setup, with a wireless laptop, running your VPN client in a pfSense router would be less secure. That's because the VPN tunnel would end at the router, and you'd have just WiFi security between it and your laptop.

    On the other hand, with the VPN client in a router, multiple devices could use the VPN tunnel. And with enough NICs, or using VLANs with a smart switch, you could have two LANs, one straight through your ISP, and the other via the VPN tunnel.

    However, any device using the VPN-connected LAN could determine which VPN service and exit IP that you were using.

    It might be possible to run the VPN client in a pfSense router, and to also run an OpenVPN server to secure traffic with wireless devices.

    None of that would appear even vaguely normal, however.
     
  3. root_my_face

    root_my_face Registered Member

    Joined:
    Feb 11, 2014
    Posts:
    10
    I have set something like this up in the past.

    I'm pretty sure you'd be able to get rid of the backdoored router as well though. Normally you just need your ISP's config settings.

    My pfsense setup looked something like:

    secure lan -> pfsense hardware/vpn --|
                                         |-----> ISP router
    insecure WiFi / lan -----------------|

    where the router and insecure lan were dmz'd / blocked from accessing pfsense and the secure lan, and with pfsense as a VPN client to a secure openVPN server

    I think the main benefit to this kind of setup is pfsense is a great firewall (and can also act as an IDS with snort) so you have better separation / security (e.g. blocking all outbound except VPN, and blocking all inbound) than just going laptop --> router.

    Also this might just be excessive paranoia, but I wouldn't use WiFi for anything secure.
     
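One way to check the lockdown described in the post above (block all outbound except the VPN, block all inbound), as an added example that is neither root_my_face's setup nor pfSense's own code: a first-match model of the rule set, run over constructed flows. The interface names `wan`/`ovpn`, the addresses and the OpenVPN port are assumptions.

```python
"""Added example, not from the thread: a first-match model of the 'block all
outbound except the VPN, block all inbound' policy, checked on constructed flows."""
from ipaddress import ip_address, ip_network

VPN_SERVER = ip_address("198.51.100.10")  # assumed VPN endpoint (documentation range)
VPN_DNS = ip_address("10.8.0.1")          # assumed resolver inside the tunnel
ANY = ip_network("0.0.0.0/0")

def host(ip):
    return ip_network(f"{ip}/32")

# Rules as (iface, direction, proto, dst_net, dst_port, action).
# First match wins, the same way pfSense's default 'quick' rules are applied.
RULES = [
    ("wan",  "in",  "any", ANY,              None, "block"),  # nothing unsolicited from the modem side
    ("wan",  "out", "udp", host(VPN_SERVER), 1194, "pass"),   # the only traffic allowed out in the clear
    ("wan",  "out", "any", ANY,              None, "block"),  # kill switch: tunnel down means no traffic
    ("ovpn", "out", "udp", host(VPN_DNS),    53,   "pass"),   # DNS only to the VPN's own resolver
    ("ovpn", "out", "any", ANY,              53,   "block"),  # no other resolver, even inside the tunnel
    ("ovpn", "out", "any", ANY,              None, "pass"),   # everything else rides the tunnel
]

def evaluate(iface, direction, proto, dst, dport, rules=RULES):
    """Return 'pass' or 'block' for one flow; unmatched flows are blocked (default deny)."""
    dst = ip_address(dst)
    for r_iface, r_dir, r_proto, r_net, r_port, action in rules:
        if (r_iface, r_dir) != (iface, direction) or r_proto not in ("any", proto):
            continue
        if dst not in r_net or (r_port is not None and r_port != dport):
            continue
        return action
    return "block"

# Constructed flows paired with the decision the lockdown requires for each.
EXPECTED = {
    ("wan",  "out", "udp", "198.51.100.10", 1194): "pass",   # OpenVPN handshake
    ("wan",  "out", "udp", "203.0.113.53",  53):   "block",  # DNS straight to the ISP would leak
    ("wan",  "out", "tcp", "203.0.113.80",  443):  "block",  # web traffic while the tunnel is down
    ("wan",  "in",  "tcp", "192.168.1.20",  22):   "block",  # inbound from the modem
    ("ovpn", "out", "udp", "10.8.0.1",      53):   "pass",   # DNS to the VPN resolver
    ("ovpn", "out", "udp", "203.0.113.2",   53):   "block",  # some other resolver through the tunnel
    ("ovpn", "out", "tcp", "203.0.113.80",  443):  "pass",   # web traffic inside the tunnel
}

def policy_violations(expected=EXPECTED):
    """Return the flows whose decision differs from what the lockdown requires."""
    return [flow for flow, want in expected.items() if evaluate(*flow) != want]
```

An empty list from `policy_violations()` means every constructed flow is handled the way the post describes; any flow it returns is a leak in the rule ordering.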
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    Thanks for the responses. You have pointed out exactly what I was thinking. While pfsense is amazing, my use of a vpn'd router would end the tunnel short of my laptop. That is the ONLY machine that I use from my home network that matters in this scenario. All the other "family" machines are normal home use applications. I employ normal firewall configs and various security settings to connect to my bank and personal email accounts on those. Connections happen outside of any tunnels, but are all done inside confirmed ssl.

    So back to the security question of this thread. A retail router and retail modem might contain "designed backdoor access". If that is the case but my wireless laptop is securely tunneled to exclusively one particular dns/vpn as my first hop, would those "designed backdoors" (if they exist) be of addressable concern? In any scenario my ISP will always see the first hop. The payload is encrypted so the content will be hidden but the connection (entry IP) cannot be masked. Assuming "designed access" is real, they still only see the entry IP, which is what they would see without "designed access". All the subsequent hops would be concealed in the obfuscated bridge formed between my laptop and the first hop, so those are of no additional concern.

    In my case does the notion of "designed access" change anything that I should try and address? Please feel free to express any thoughts.

    Once I resolve this thread in my mind, I am going back to my other thread here. Securing this laptop via castrated 7 host - pfsense VM - linux VM, OR pure linux all the way (linux host + all linux VMs). I think I am going to at least attempt the concept that Mr. Brian suggested and see how I like it. Can I REALLY shut down 7's ability to talk and yet use its ability to connect the pfsense VM? We'll see!!
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I don't think that it changes anything substantively.

    Even without a backdoored router, adversaries with access to your ISP could mess with your routing to the VPN server, attempt MitM attacks, and so on. But OpenVPN, if configured properly, should not be susceptible.

    Both server and client have the provider's CA (but not the key) and each has a certificate signed by that CA. They won't set up a VPN tunnel unless the signatures are good. A MitM could also have the provider's CA and a client certificate signed by that CA. And it could establish a connection to the VPN server. But I don't see how it could merge with your connection, because (if for no other reason) the session keys would be different. Authentication with a username and password would also accomplish that, I think.

    If a MitM compromised your VPN provider's access server, it could create a clone, and force your connection to use it. And that, of course, would destroy anonymity. But that's an independent attack, and doesn't depend on compromising your router.
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    Mirimir,

    And to add to your thoughts; the security compromise aspect becomes quite a bit more difficult because my VPN carrier utilizes PFS to boot. Even if they were to grab a decryption key and somehow pull off breaking down my tunnel, it would become ineffective a few minutes later when PFS changed it all again.

    You sort of get a better picture of how the "handshake" works when you connect via Linux. I think the windows client does pretty much the same thing but somehow it appears more transparent when you set up the linux handshake.

    I think I am going to springboard back to the other thread where the discussion will still debate pfsense on a windows OR linux host. You remember, the compromise over windows being hidden and linux while not hidden is likely more secure (common assumption without proof).
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    PFS is always good, and essential for the innermost VPN.

    I don't know the guts of OpenVPN well enough to have an opinion about sniffing plaintext from a tunnel. We probably want to understand that risk better. But in any case, partitioning trust reduces the risk.

    As I recall, running "openvpn.exe foo.ovpn" in a Windows terminal shows essentially the same information as running "openvpn foo.conf" in a Linux terminal. There are differences because Windows clients set up tap interfaces, whereas Linux clients set up tun interfaces. Increasing N in "verb N" provides more detail, but going above 5 provides too much information ;) It's hard to see much detail running clients in Linux Network Manager, and there may be similar limitations in some Windows clients.

    Yes, I do :)
     
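As an added example, not from the thread or from OpenVPN itself, a small check of a client config for the points raised in mirimir's two replies above: whether the server is verified beyond "signed by the provider's CA" (the case of a MitM holding a CA-signed client certificate), whether the session is periodically re-keyed, whether the control channel is authenticated, and whether "verb" is within the useful range. The config text and its file names are constructed.

```python
"""Added example (not from the thread): audit a constructed OpenVPN client
config for the verification and re-keying points discussed above."""
import re

# Constructed client config; file names are placeholders. It is missing
# remote-cert-tls and has re-keying switched off on purpose.
SAMPLE_CONF = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
reneg-sec 0
verb 6
"""

def parse_conf(text):
    """Map each directive to its argument list; a repeated directive keeps its last value."""
    conf = {}
    for line in text.splitlines():
        line = re.sub(r"[#;].*", "", line).strip()  # drop comments and blank lines
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def audit(text):
    """Return (severity, message) findings; an empty list means no issues found."""
    c = parse_conf(text)
    findings = []
    if "ca" not in c:
        findings.append(("high", "no 'ca': the server certificate cannot be verified at all"))
    # A CA check alone accepts any cert the provider's CA signed, including another
    # client's, as the server: the MitM case raised above. This directive closes it.
    if c.get("remote-cert-tls") != ["server"] and c.get("ns-cert-type") != ["server"]:
        findings.append(("high", "add 'remote-cert-tls server' so a client cert cannot pose as the server"))
    if "cert" not in c and "auth-user-pass" not in c:
        findings.append(("high", "no client credential: neither cert/key nor auth-user-pass"))
    if "tls-auth" not in c and "tls-crypt" not in c:
        findings.append(("medium", "no tls-auth/tls-crypt: control channel packets are not authenticated"))
    if c.get("reneg-sec", ["3600"])[0] == "0":
        findings.append(("medium", "reneg-sec 0: no periodic re-key, one session key lasts the whole connection"))
    verb = int(c.get("verb", ["1"])[0])
    if verb > 5:
        findings.append(("info", f"verb {verb}: more output than is useful for routine inspection"))
    return findings
```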