Which transmission setup is better with respect to security?

the image above is my current setup

router #1 & router #2 are both currently on openwrt's latest builds, and i'm using the raspberry pi that can be seen on the side to download torrents using transmission. router #1 is a wifi-client that gives internet to router #2. all other devices like phones/smart tv/laptop are connected to router #2

i am considering, leaving router #1 on the latest openwrt with a cloudflare warp wireguard and a kill switch for that wireguard using the firewall

since router #2 does not run well with extroot/transmission on the latest openwrt builds, i was thinking of using the openwrt 21.02.3 build, which works well for extroot/transmission

considering router #1 will be the bottleneck router, with the latest openwrt build running, with a wireguard profile and killswitch, would it be better to use router #2 on openwrt 21.02.3 so i can use transmission to download on it?
or is it better to use my current setup, where the pi is used to download using transmission?

thanks

Define secure?

Hard to understand the intent. Do you want data to not leak without going through your VPN?

Are you worried about attacks from your public facing IP addresses?
Are you worried about attacks from your internal network?

i.e. what's the "threat model"?

Use a UPS? Pick a different file system? Repartition/multiple partitions?

1 Like

thats not an issue

yes, since once i am downloading torrents my cloudflare warp ip will be seen by anyone/potential attacker

no

yup, am looking at using the pi with overlay filesystem enabled, but it seems like a pain, a ups is just a lot of juice just to download a couple of torrents once in a while

thanks for replying

hahaha no worries. Depends on what sort of UPS you want.
I run telecom UPSes with DC-DC converters which have no interface with the equipment. Just sized the battery so it could outlast any reasonable outage. Given we're talking raspberry pi a 5v "lithium ion battery bank" which can charge at the same time could be sufficient here... =P

Also given we're talking raspberry pi here. Simple GPIO and shutdown script would get you there in terms of power outage shutdown or "sync the FS" and stop torrenting?

OK so no experience with cloudflare warp ip specifically. But i'll try to work the problem in a generic fashion.

So what happens if an attacker sees your cloudflare warp IP?
What happens when they try to connect on the different ports?
Are you going to be authenticating remotely to that IP address?
What happens if there's an issue with the torrent client and then the raspberry pi gets compromised?
What else is on the network that the raspberry pi is on? What could it jump to next? Is there PII on the raspberry pi if it is compromised?
Will the warp ip actually hide your ip address/PII under all circumstances?
Are you monitoring the authentication logs on the raspberry pi or other things on its network for example?

1 Like

i use the official pi power supply as it does not give me low voltage errors, ive tried other solutions with no joy

so the ups would have to be like one of those that power up a pc or have a plug point, another cost

will read up on the GPIO graceful shutdown script, to be honest i did not know about this

at the moment, im using the sd card on the pi, only for the os, and transmission is writing to a usb pendrive you can see in the image, so in the event of worst case, ill just flash a backup image on the sd card and the downloaded stuff will remain intact

it exposes your real ip to websites you visit but not when you're downloading torrents, as far as i know, websites have headers to find your real ip

they have to hack through the cloudflare network to get to the router and if they try to get through router #1 it will be difficult as it will be on openwrt's latest build, i'm hoping, this is the current logic lol

nothing's open on router #1 not even ports for transmission, transmission just downloads without any ports open, dont ask, i dont even know how

no

nothing on the pi is of any value, but if they use it to hop on to my other devices, is the fear, maybe

laptop/mobiles/smart tv and if its not the pi and the other router #2 older firmware of openwrt router, same fear if they get through router #1, router #2 will be a piece of cake, so will the pi, i guess

no

no, i just use a firewall and allow only local access to samba / ssh

thanks

Yeah so then we're worried about authentication to router #1? make sure the firewall is configured correctly? Don't allow auth on the network that the raspberry pi is connected to. SSH keys only?

Well that's NAT and how the firewall / masquerading at work yeah?

OK I need to read the OP again to figure out the topology. A block diagram would be nice rather than photo.... I need to understand the topology better.

But basically you're talking secure router #1, and then make sure if raspberry pi is compromised you're not leaking your public ip address in that instance either?

1 Like

firewall is perfectly configured! wireguard drops and internet is down, no leaks

no clue, you lost me at NAT :frowning:

yeah, sorry about that
i want to either use router #2, which will be on an older openwrt build (probably not secure), to download torrents
or use the pi, which will be updated regularly, to download torrents
but if router #1's security is sufficient, my choice would be to use router #2 instead of the pi, due to the power cuts

thanks

Check what CVEs are out against the code?
I would say older openwrt build but still supported and on latest patch level should be fine? That gets into areas which are compromise. But also in the case of if there is an issue and no patches available, what then? Turn it off and then go raspberry pi?

I think it's more about mitigation strategies regardless. Worst case is you lose data / wipe it? Or worst case they figure out your public IP then what? How far down the rabbit hole do you want to go?

Similarly if it's appropriately sandboxed/mitigations are in place an older device / older code shouldn't be a problem?

1 Like

Yeah more about how much hold up time your various power supplies have. But yeah like with a small UPS or even super capacitors etc.... Like if your power supply had a hold up time of 80ms, can you detect source failure, sync and shutdown in that time?

1 Like

21.02.3 is EOF, afaik, it seems vulnerable based on what this person said: "Pause all torrents in transmission-daemon on reboot/power cycle - #17 by slh"
the pi is currently in play, with both router #1 and router #2 on the latest openwrt build
but previously, before that person said that, and i shat myself, i was using router #1 with wireguard and firewall and router #2 with older firmware
hence the question of which setup would be more secure? since ideally both work fine, but the power cuts are the problem as well

not too far down, the phone and the pc have separate proton vpn's running with kill switches enabled, but that's not the point, if i run transmission on router #2 with old openwrt firmware, how bad can things get, considering they'd have to get through cloudflare's network

i really dont know, thats why i asked, here , in the openwrt forum, its mainly for the setup without the pi, that i want to know, how secure ill be

ah, gotcha, pi is a lot of maintenance, that way, lol, she needs so much attention

IDK about "get through" cloudflare's network. I mean by definition your torrent program has to get a connection to a remote untrusted source (i.e. another torrent client, or DHT or tracker.....) and interpret what it receives from them....

1 Like

hmm, question then is, what all can get through, does transmission open up a can of worms and is best to leave a dedicated pi for those worms to roam in, and leave the rest of the network all pretty
as opposed to let the can of worms in the router thats connected to all the devices
btw, in this current setup, the pi has wireguard with a killswitch, so thats something
i guess it'll be smart to add a wireguard with a killswitch on router #2

sometimes i just think, no one is coming man, i'm overthinking this lol, like this is my home network lol

appreciate your time and helping me think through this

No worries.

Is the first two things I found regarding exploits in transmission itself.

So yeah what we want to add to threat model is as follows:
What happens if the cloudflare VPN thing fails and someone can get the other way down the tunnel.
Or the cloudflare VPN daemon itself is compromised etc.
Or what happens when they get your public IP address and then they start attacking that threat surface? (Given your ISP/government shouldn't be hacking you in the first place? But what happens if cloudflare gives your details to government / ISP =P ) Rabbit hole =P

And the other thing separate to cloudflare related issues: what happens if the transmission client itself is compromised. Is transmission running as root for example, does that "own" the whole device if that happens?

And the third thing which you seem to have already handled with VPN killswitch is what happens if the VPN tunnel itself fails.

this is some end of days stuff, but yeah

no way man, not root, but a user hmm,

lol, thats like too deep

interesting though, in openwrt, does transmission affect other modules, i.e. its running as a different user on openwrt as well, interesting

the original question then, still stands

the pi for transmission

or

the openwrt router with older firmware

Personally my architecture would be as follows:

Primary router (#1) <-> raspberry pi as hypervisor/container host (depends on what version of raspberry pi?) <-> virtualised/containerised vpn client <-> virtualised/containerised transmission server.

But if dedicated hardware only:
Primary router (#1) <-> vpn router (#2) <-> raspberry pi (transmission client).

Can put vpn and transmission on same server as long as you are confident they can't break out of their own user? (as in you need to trust kernel and your configuration?)

Then appropriate firewalling / security controls on everything.

1 Like

yes, this would be ideal, isolated from the rest of the network, but will still need local access, which would give anyone that same local access if it is compromised, but yes, in an isolated system, the damage would be minimal, this would be ideal for an institution (if i'm understanding you correctly)

yup, current setup

the pi is updated daily, and putting a vpn will help if things go sideways, natural normal things, but there can always be a worst case for basic good practice, it works

100%

thanks for sharing, i think i'll stick to this config for now, was hoping to hear from an openwrt expert as well but i guess they'll have similar views

thank you :slight_smile:

I don't understand the local access statement?

hypervisor by ssh? then can connect to the "serial" or "tty" of container/virtual machine? You have veth interface between vpn container and transmission container?

IMO, if you're concerned at all about security...

Do not do this. Use only up-to-date and supported versions of OpenWrt. That means 23.05.5 right now.

If that means that you cannot run transmission smoothly because your hardware is limited, buy new hardware.

Next...

If you're concerned about security, don't run transmission. Seems that the whole point of this question is how you can run transmission smoothly and 'safely' -- well, the files you get through this method may or may not be safe. But, that notwithstanding...

If you're going to run transmission, run it on an isolated VLAN so that at least the device itself is unlikely to be able to compromise your other devices. However, keep in mind that the files themselves could potentially be compromised, so when you transfer them to your computer, you are opening a potential threat vector.

Put your VPN on the primary router, and setup the isolated VLAN for the transmission client device on that router as well. From there, it's all about the firewall configuration (and possibly also policy based routing).

2 Likes
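The isolation recommended in the post above (transmission device in its own zone, VPN on the primary router, the firewall doing the rest) can be checked mechanically against `/etc/config/firewall`. The following is an added example, not code from the thread or from OpenWrt; the zone names `torrent` and `vpn` and both config excerpts are constructed assumptions.

```python
import re
# Constructed /etc/config/firewall excerpts; zone names are assumptions.
WEAK = """
config zone
    option name 'torrent'
    option input 'ACCEPT'
config forwarding
    option src 'torrent'
    option dest 'wan'
config forwarding
    option src 'torrent'
    option dest 'lan'
"""

ISOLATED = """
config zone
    option name 'torrent'
    option input 'REJECT'
config forwarding
    option src 'torrent'
    option dest 'vpn'
config forwarding
    option src 'lan'
    option dest 'torrent'
"""

def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI text."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"\s*option\s+(\S+)\s+'?([^']*)'?\s*$", line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def audit(text, zone="torrent", tunnel="vpn"):
    """List what lets the torrent zone reach the router or a non-tunnel zone."""
    findings = []
    for kind, opts in parse_uci(text):
        if kind == "zone" and opts.get("name") == zone:
            if opts.get("input", "").upper() == "ACCEPT":
                findings.append(f"zone {zone}: input is ACCEPT")
        if kind == "forwarding" and opts.get("src") == zone:
            if opts.get("dest") != tunnel:  # wan = leak, lan = pivot path
                findings.append(f"forwarding {zone} -> {opts.get('dest')}")
    return findings

if __name__ == "__main__":
    print(audit(WEAK), audit(ISOLATED))
```

With `input` set to `REJECT` on the zone, the device still needs explicit rules for DHCP and DNS to the router; the `lan` to `torrent` forwarding is what keeps the downloaded files reachable from the LAN without giving the torrent box a path back.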

Local Area Network access to the files downloaded,

im lost, but ill try to read up on this

1 Like