Make iot device the only accessible device from the internet

ashold7 · March 31, 2021, 8:14pm

Hello,
I want to communicate with an iot device over the Internet when I am on vacation. However in order to minimize the risks I want to make sure that this device is the only accessible device and that a potential attacker would be only able to access this device and no other device or the internet if the password is hacked.

How can I achieve this? I think I should probably use a VPN, but which? If you have any recommendations i'd like to hear them.

vgaetera · March 31, 2021, 8:32pm

Yep, set up a VPN, preferably WireGuard:

ashold7 · April 6, 2021, 9:17pm

Thank you for your advice. I was able to successfully setup a WireGuard VPN. However I have a ds-lite connection, therefore I need a portmapper or a similar service to reach my VPN from ipv4. In Germany we have the following service: https://www.feste-ip.net. It roughly costs 5$ per year. However it only supports TCP. Are there any similar cheap services for UDP (because WireGuard works with UDP) or do I need to switch to OpenVPN?

vgaetera · April 6, 2021, 9:45pm

If the client side ISP supports IPv6, then you don't even need IPv4 to establish the tunnel.
Otherwise, OpenVPN over TCP or something like ZeroTier should work too.

ashold7 · April 7, 2021, 7:28pm

I tried installing OpenVPN over TCP. The VPN connection is working flawlessly through LAN. However if I want to connect through ipv6 over the internet it is not working (i have not checked ipv4 yet).

This is my server config:

user nobody
group nogroup
dev tun
port 1802
proto tcp
server 172.16.0.0 255.255.255.0
server-ipv6 2001:db8:f00:bebe::/64
push "route-ipv6 ::/0"
push "route-metric 2000"
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "route 192.168.178.0 255.255.255.0"
push "dhcp-option DNS 192.168.178.1"
push "dhcp-option DOMAIN 192.168.178.1"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
***
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
***
-----END OpenVPN Static key V1-----
</tls-crypt>
<key>
-----BEGIN PRIVATE KEY-----
***
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
</ca>

This is the firewall-rule I have created.

Do you have an idea?

vgaetera · April 11, 2021, 12:09pm

The important parts are listed here:

If OpenWrt creates a route for the entire prefix, you can skip the sourcefilter option.
Also skip the ip6class option since it's for the client side.
Specify your domain instead of IP:

And remove that:

ashold7 · April 11, 2021, 11:26am

Thanks for your help again. It is now working perfectly.