Securing Node-Red

I'm using Untangle as my router, so I have the luxury of a nicely designed firewall and a choice between IPSec and OpenVPN (I know which choice I make!)

I am not with you here. Imagine I am in a coffee shop which uses addresses 192.168.1.x. When I connect to the wifi (using Ubuntu but the principles are the same with any client I think) it connects over the interface wlan0 and the PC is given an ip address such as 192.168.1.100 on the coffee shop network. If I then start up the vpn a virtual interface such as tun0 is created and the vpn gives it an address possibly 10.8.0.4 for example.
Now I can still access devices on the 192.168.1.x network via wlan0 but I can also access devices on my home network via tun0. This does not mean that anyone on the coffee network can access my home network, or vice versa.

1 Like

That shouldn't happen. Because if malware gets onto your PC, it would now have access to both networks - bridging them together. Since the most likely infection would come from the WiFi network, an insecure network now leaves your home network open to attack via the malware.

When done deliberately, this is called "split tunnelling". It does have a place but is not to be undertaken lightly.

For example, we use split tunnelling corporately to give lower latency access to Skype for Business because the default traffic routing for our corporate devices when on untrusted networks is down the VPN into the datacentre, through the centralised security infrastructure then out to the Internet. However, since SfB only uses secured connections that already meet our security requirements and because it has its own security and audit infrastructure, we don't need it to go through ours. But the default route for all other traffic is down the VPN, once the VPN is active, there is NO ACCESS at all to the local, untrusted network.

It is these things that make VPN's sometimes a less than ideal solution to problems.

I don't understand the logic of that. If I am in the coffee shop and I don't have the VPN running and malware gets onto my laptop from the wifi network, then I take my laptop home the malware has access to the home network anyway.
Similarly, even if I did not have access to the local network when the VPN is active, I might pick up the malware before activating the VPN and then again the malware would have access to the local network.
Of course I do configure the VPN to route internet traffic through the VPN.
I am using openvpn in 'tun' mode (a routed IP tunnel) and I can't immediately see a setting that would prevent access to the local network.

Ah, found it, redirect-gateway block-local.
I remain to be convinced that it fulfils a useful purpose though.

I suspect that this forum is not the place to explain further and we may have reached a natural break point. This is all about assessing risks at the end of the day.

Happy to take this to a different forum or PM if needed.

All I'll say to finish is that if you create an unauthorised split tunnel on a corporate network and someone discovers it, you will get a serious wrist slap at best. After all the risks run both ways if you connect two networks together of differing trust and security levels. This is serious stuff at the corporate level - I know, I was deeply embroiled in dealing with the Wannacry outbreak in the NHS. The reason that Wannacry unexpectedly spread so far through the NHS was largely due to some network misconfigurations that should never have been allowed. Our own network had zero infections.

No corporate networks are involved, I retired 12 years ago :slight_smile:
I am off to google Split Tunnelling to see if I can understand the risks and benefits.
I can see I may need to adjust the settings in my vpn setup blog. One thing that does surprise me is that in all the tutorials and guides that I looked at when building mine and writing the blog I don't remember any suggesting setting block-local.

And we wonder why we still get so many infected machines and networks.

1 Like

I have secured node-RED in the settings.js file and changed my port number. I have my login page when I try to access node-RED, as seen here:
image

I would like to get rid of this: image after I log in or visit my dashboard.

I just purchased this from my DDNS provider (no-ip.com), and it is asking for me to generate a certificate signing request. It gives me server type options, but I do not know what to select and complete adding SSL to my node-RED server. Can anybody help me?

Hi, this new blog post may help.

2 Likes

I like the post, but I am lost due to the fact that I purchased a certificate that was not in your example. I do not understand how to create a certificate signing request via my node red server.

There are plenty of articles on this as it doesn't relate to Node-RED. Some examples:

https://support.rackspace.com/how-to/generate-a-csr/

For local cert generation, I use mkcert GitHub - FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates with any names you'd like..

The article "How to secure Node-RED" How to secure Node-RED | Much Ado About IT is 5 years old, are there updated tutorials?

Fyi, I am a beginner, so please recommend better ways than mkcert

My blog not seen much love recently! Best to use the security FAQ here on the forum.

1 Like