I would like to host my teddycloud instance on a public server.
The web interface (ports 80, 8443) will only be exposed via wireguard.
I plan however to expose port 443 to the public internet.
Now my understanding is that the server has the Toniebox’s public key.
My question is: will the server only respond to Tonieboxes which hold the correct private key?
Assuming I switched off the option “Allow new boxes”.
Is there an analogy to wireguard, where a server would basically drop all packets which are not encrypted with a previously known key?
Or would I completely expose teddycloud and it would be an open house for everyone on the internet?
I already read through the forum: Access Boxine outside home network
But to be honest my knowledge about encryption and server stacks is lacking. Hence the simplified question.
We are currently unable to validate that the provided certificates of the connected client are under the Boxine CA, as we are missing the intermediate certificates.
We are only checking the provided client certificate for its MAC in the CN and for holding Boxine in its name.
If an attacker would guess the MAC of your Box, he may brute force for content.
In theory, he could also try to attack the server itself, but most overflow etc. attacks should be mitigated due to libsana.
So this is the solution which I came up with.
I only sometimes want to access my Teddycloud from outside my Home LAN. For instance on vacation.
Generally the port 443 can only be accessed from my home LAN.
If I traveled to another LAN, I would run the following script on my server:
This checks from which IP I connected using SSH (most likely I will be using my smartphone), it then makes a NAT port forward rule to the Teddycloud server port 443, but only allows the single IP it queried.
So assuming my smartphone is connected to the same WLAN as my Toniebox: the Toniebox will now be able to connect to the Teddycloud.
I use my custom domain, which is flashed to the Toniebox, so I have control over that.
The risk of rogue clients accessing my server from outside will probably be next to nothing, as there is always only a single IP which is allowed from the internet.
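As an added example (not the poster's script, which is not shown in the thread), a POSIX sh sketch of the procedure described above: read the source address of the current SSH session, validate it, and generate nftables rules that forward TCP/443 to Teddycloud only from that one address. The table and chain names and the Teddycloud LAN address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: open TCP/443 to the address the
# current SSH session came from, and nothing else.
# Assumptions: nftables with existing "ip nat"/"ip filter" tables and
# prerouting/forward chains; Teddycloud at TEDDYCLOUD_IP (placeholder).
set -eu

TEDDYCLOUD_IP="${TEDDYCLOUD_IP:-192.0.2.10}"   # placeholder LAN address

# First field of SSH_CONNECTION ("client_ip client_port server_ip server_port").
client_ip_from() {
    set -- $1
    printf '%s\n' "$1"
}

# Accept only a plain dotted-quad IPv4 literal so nothing unexpected from the
# environment can end up inside a firewall rule.
is_ipv4() {
    case "$1" in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit the nft commands: DNAT to Teddycloud and accept the forwarded flow,
# both restricted to the single source address.
allow_rules_for() {
    printf 'nft add rule ip nat prerouting ip saddr %s tcp dport 443 dnat to %s\n' "$1" "$TEDDYCLOUD_IP"
    printf 'nft add rule ip filter forward ip saddr %s ip daddr %s tcp dport 443 accept\n' "$1" "$TEDDYCLOUD_IP"
}

main() {
    ip=$(client_ip_from "${SSH_CONNECTION:?run this from an SSH session}")
    is_ipv4 "$ip" || { echo "refusing non-IPv4 source: $ip" >&2; exit 1; }
    allow_rules_for "$ip" | sh -ex      # apply the generated rules (needs root)
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as `./allow443.sh --apply` from the SSH session whose network should be admitted; without `--apply` nothing is changed, and the rules are not removed again, so drop them when the trip is over.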