OpenWrt Security Challenge from professional pen tester

Hello!

A month ago I set up OpenWrt on my new router. I told my brother about it who is a Pen tester for a big multinational company. He says he is VERY confident that he can cause some damage to my setup.

So now he will be coming over sometime in next few days to try to find security weaknesses and cause as much harm as possible. Here are the restrictions I put on him:

  • He cannot try to come through internet/WAN as that would be more of a pen test for the devices
  • At first, he will not be given any access to WiFi password or Ethernet and has to attempt to do whatever he can with that
  • Then, he connects to my WiFi by either getting into my WiFi if he can or else I'll just give him the Wifi password, and then he attempts to do whatever he can with that
  • Lastly, he will be allowed to plug in his device via Ethernet to the router and then again he attempts to do whatever he can with that
  • (I might even let him come through internet/WAN if he's not able to do anything locally)

So now the question: what all can I do to reduce his chances of being able to do anything to my network. Sacrifices to convenience and usability are acceptable. I hope this will also be of help to OpenWrt as he is basically doing a free extensive security audit of the maximally secure configuration of OpenWrt.
(Free for y'all, I'll have to pay him $50 for each thing he is able to do :disappointed_relieved:)

My setup is as follows:

  • Router WAN port connected to ISP modem
  • 1x Router LAN port connected to a self-hosted server
  • 2.5G WiFi AP point enabled with SSID "okayokay"
  • 5G WiFi AP point enabled with SSID "fastfast"
  • Up to date secure devices connected via Ethernet and Wifi.

(Isolate clients checkbox is checked/enabled for both AP)

I mostly have a default out-of-box config (only changed root password and set up WiFi APs through the web interface only). My router has enough RAM, Flash, and CPU power for mostly anything and is on latest OpenWrt 24.

I really appreciate any inputs.
Thank you in advance!!

Then this really is not OpenWrt

Make him work on WPA3 only; WPA2 has been cracked and only long passwords protect it now.

That is not a test: that is letting a bull loose in a China shop.
Again not really OpenWrt.

And again:
If you get penetrated it is because you removed all the protections.

OpenWrt is not intended to secure your local network:
OpenWrt is a firewall that routes traffic, safely, to your lan and some other perks added along the way.

I'm not sure how your brother thinks anything different.
I have a pretty good idea how he is paying for his dinner tonight.

8 Likes

Thanks for your response!

I think it is a test of OpenWrt. I am basically simulating if a malicious person gets onto my network, or if one of my devices becomes compromised, what all can they do? As a network should be set up in a way to prevent harm even if one gets on the network. For instance, isolating clients is a feature of OpenWrt and if OpenWrt fails at it then it is a problem in OpenWrt.

Yeah, my WiFi APs are WPA3 only

They will do everything because you let them in; in the ways I pointed out.

Donate $50.00 to OpenWrt and tell your brother we told you he is playing a nomenclature game with you and you do not appreciate it.

7 Likes

What "everything" implies isn't clear, you did not point out specific things.

And it certainly isn't everything as, again, for instance one client cannot affect another on the same WiFi AP as "Isolate clients" checkbox is checked/enabled.

Edit:

I already plan donating $200 if he is not able to affect anything.

I'll play this game one round:

I get a Pi and a USB dongle, spoof your WiFi, make all your devices connect to the internet through my Wi-Fi.

Same SSID and you gave me the password.
Suddenly your clients are no longer 'isolated'.

That's it; one round.

This is not OpenWrt related.

5 Likes

What if I connect all clients to OpenWrt via WireGuard with pre-shared key with lockdown/kill switch. Now you can't spoof my WiFi.

Round one mitigated, in your terms.

Thus I say it is OpenWrt related.
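Both ends of the tunnel the post above proposes, as an added example (not configuration from this thread or from the OpenWrt documentation): the router's UCI peer entry carries a pre-shared key, and the laptop's wg-quick config routes everything through the tunnel and uses the kill-switch rule from wg-quick(8) so nothing leaves in clear if the tunnel is down. All keys, the 10.99.0.0/24 addresses and the 'laptop' peer are placeholders; the router is assumed to keep the default LAN address 192.168.1.1 and the client is assumed to run Linux with iptables.

```conf
# --- Router side: /etc/config/network on OpenWrt (placeholder keys) ---
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'ROUTER_PRIVATE_KEY_PLACEHOLDER'
        option listen_port '51820'
        list addresses '10.99.0.1/24'

config wireguard_wg0
        option description 'laptop'
        option public_key 'LAPTOP_PUBLIC_KEY_PLACEHOLDER'
        # Symmetric secret layered on top of the Curve25519 handshake;
        # the identical value goes into PresharedKey on the client.
        option preshared_key 'PSK_PLACEHOLDER'
        list allowed_ips '10.99.0.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# --- Client side: /etc/wireguard/wg0.conf for wg-quick on the laptop ---
[Interface]
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER
Address = 10.99.0.2/24
# Resolve only through the router, inside the tunnel.
DNS = 10.99.0.1
# Kill switch from wg-quick(8): reject any packet leaving on a non-tunnel
# interface unless it carries the WireGuard fwmark (the encrypted tunnel
# traffic itself) or is addressed to this host.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PSK_PLACEHOLDER
# The real router's LAN address. A cloned AP can hand out the same address,
# but without the router's private key and the PSK the handshake never
# completes, and the REJECT rule above leaves the laptop with no other path.
Endpoint = 192.168.1.1:51820
# Default route via the tunnel; wg-quick sets the fwmark the rule relies on
# only when AllowedIPs contains a default route.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

On the router, `wg0` still has to be added to a firewall zone (for instance `list network 'wg0'` in the lan zone) before tunnel traffic is forwarded.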

You owe me $50.00.

4 Likes

For? I mitigated your attack.

I had to point it out.

Is this what your brother can expect?

$50.00

2 Likes

If he does anything then he will get $50 for each thing because at that time the setup is secure against what I described in original post.

Right now I don't claim it to be secure and that is what I am here to seek help for.

You, already, have a workload to mitigate a security issue.

Get to work.

1 Like

What security issue? I already mitigated the WiFi spoofing right?

Then you should isolate all the clients, wired and wireless, and implement IEEE 802.1X. Otherwise, this is like pretending that your reinforced front door is going to prevent your invited guests from opening the fridge.

6 Likes

Go implement that.
It should take you a day to figure out how to stop a spoofed Wi-Fi AP in every way.

So basically follow the following guide and set up WPA3 Enterprise? https://openwrt.org/docs/guide-user/network/wifi/freeradius

On it. Do you think what @eduperez mentioned would be sufficient to prevent spoofing?

I would really appreciate if you are able to point me to any docs/guides
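As an added illustration of the WPA3-Enterprise move discussed above (example configuration, not taken from the thread or from the linked FreeRADIUS guide): the WPA3-Personal entry for the 5 GHz SSID next to the same SSID switched to 802.1X/EAP against a FreeRADIUS instance on the router. The radio name, the RADIUS secret and the loopback RADIUS address are assumptions; wired 802.1X and switch-port isolation are not shown.

```conf
# /etc/config/wireless on OpenWrt (constructed example)

# Before: WPA3-Personal (SAE) with one shared passphrase. Anyone who holds
# the passphrase can bring up an AP with the same SSID and the same key,
# and clients have no way to tell it from the real one.
config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option network 'lan'
        option ssid 'fastfast'
        option encryption 'sae'
        option key 'SHARED_PASSPHRASE_PLACEHOLDER'
        option isolate '1'

# After: WPA3-Enterprise. The AP stores no passphrase; each client presents
# its own credential to FreeRADIUS over EAP, and a client profile that
# validates the RADIUS server certificate refuses an AP that cannot present
# it, so knowing "the Wi-Fi password" no longer lets anyone clone the SSID.
config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option network 'lan'
        option ssid 'fastfast'
        # 'wpa3' selects WPA3-Enterprise (EAP); 'sae' above was WPA3-Personal.
        option encryption 'wpa3'
        # Management frame protection required (deauth frames must be signed).
        option ieee80211w '2'
        # FreeRADIUS listening on the router itself; secret is a placeholder.
        option auth_server '127.0.0.1'
        option auth_port '1812'
        option auth_secret 'RADIUS_SECRET_PLACEHOLDER'
        # Keep client-to-client isolation on the AP.
        option isolate '1'
```

The protection against a cloned SSID only holds if every client profile is configured to validate the RADIUS server certificate against a pinned CA; a supplicant that accepts any certificate will still join an impostor.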

Do you see his credentials compared to mine?

You could not be fixing these issues IRT.
So you appear to be more interested in listings than solutions. I'd be re-scheduling and re-negotiating with my brother right now if I'd started your thread.

Honestly, I miswrote earlier:
I have a pretty good idea how your brother is going to pay rent this month; if you really have a brother that would mislead you in this way.

1 Like

I didn't understand.

What do you mean by listings?

Not a problem, this is something I want to genuinely learn. Worst case having to send my brother a couple grand is no big deal. If talking only about my bet and relations is all you want to do rather than discussing the main topic constructively, please do not reply any further. I do really appreciate you pointing out the spoofing attack though.