ELK M1 - Can't connect from Outside of LAN using M1toGo or Elk RP2

On simple home routers, when you open a port, it is open for everyone.  There are plenty of people who do port scans, and they scan every port on every IP that is Internet accessible.  So someone somewhere in the world has probably already seen that the port you used is open and has already tried to access it.  Depending on how you authenticate and how complex it is, they may already have accessed it.  A VPN would allow you to access it but not others, since a port is not readily open the way it is now.
 
At my place, while I have port forwarding, it is locked down, either to certain networks on the Internet or on a geo-location basis, like USA only.  I also have logging and alerting, so I know when someone tries to get in, along with an IPS, and too many tries will trigger the IPS to start dropping that traffic.  Someone who stumbles across the open port sometimes is not too sneaky and just tries a brute force attempt at a high rate.  I have my home automation on the Internet; it sits behind an IPS and a WAF.  I also use geo-location blocking.  I also have 2FA set up, and you get two tries before that IP gets banned.  I also don't allow things like TOR exit points or open proxies to access it either.
 
So it is all up to you how secure you want to make something.
 
As a side note, you also have people who port scan the Internet for research purposes.  They collect the data and then make money off of it.  Here is an example:
https://www.shodan.io
Some of this research can also cause issues, since someone looking to infiltrate whatever they can, can use those research results to find their targets, since the port scanning was already done.  I block these research scans, and some will even allow you to request that your address be put on their do-not-scan list.  I have contacted, and have been removed from, about two dozen "research" scanning projects.
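The "two tries and the IP gets banned" rule, the network/geo allowlist and the Tor-exit/open-proxy blocklist described above can be checked against an auth log with a few lines of code.  The following is an added example, not code from the poster or from the ELK/M1toGo software: the log lines, the log format, the allowlisted and blocklisted ranges and the threshold are all constructed for illustration (the RFC 5737 documentation ranges stand in for "USA only" and for a Tor exit list).

```python
"""Added example: ban-after-N-failures logic over constructed auth log lines,
with a CIDR allowlist standing in for geo-location filtering and a CIDR
blocklist standing in for a Tor-exit / open-proxy list.  Nothing here is
from the original thread; the log format and ranges are assumptions."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical syslog-like format, not real logs).
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth: login failed user=admin src=203.0.113.10
2024-05-01T10:00:02 auth: login failed user=admin src=203.0.113.10
2024-05-01T10:00:03 auth: login failed user=root src=203.0.113.10
2024-05-01T10:00:05 auth: login ok user=alice src=198.51.100.7
2024-05-01T10:00:06 auth: login failed user=alice src=198.51.100.7
2024-05-01T10:00:07 auth: login failed user=admin src=192.0.2.44
2024-05-01T10:00:08 auth: login failed user=admin src=192.0.2.44
"""

LINE_RE = re.compile(r"auth: login (?P<result>ok|failed) user=\S+ src=(?P<src>\S+)")

# Assumed policy: ALLOWED_NETS plays the role of a geo-location allowlist
# ("USA only"), BLOCKED_NETS the role of a Tor exit / open proxy list.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
BLOCKED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
MAX_FAILURES = 2  # "you get two tries before that IP gets banned"


def classify(src):
    """Static policy check on a source address, before counting attempts."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in BLOCKED_NETS):
        return "blocked"
    if not any(ip in net for net in ALLOWED_NETS):
        return "outside_allowlist"
    return "allowed"


def evaluate(log_text, max_failures=MAX_FAILURES):
    """Walk the log in order and return (decision per source, failure counts).

    A source outside the allowlist or on the blocklist is dropped outright.
    An allowed source is banned once it reaches max_failures consecutive
    failed logins; a successful login resets its counter.  Lines from a
    banned source are ignored (the IPS would already be dropping them).
    """
    failures = defaultdict(int)
    decisions = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        src, result = m["src"], m["result"]
        policy = classify(src)
        if policy != "allowed":
            decisions[src] = "drop:" + policy
            continue
        if decisions.get(src) == "banned":
            continue
        if result == "failed":
            failures[src] += 1
            if failures[src] >= max_failures:
                decisions[src] = "banned"
            else:
                decisions.setdefault(src, "allowed")
        else:
            failures[src] = 0
            decisions[src] = "allowed"
    return dict(decisions), dict(failures)


if __name__ == "__main__":
    decisions, failures = evaluate(SAMPLE_LOG)
    for src, decision in sorted(decisions.items()):
        print(f"{src:16} {decision:22} failures={failures.get(src, 0)}")
```

In the constructed log, 203.0.113.10 is banned on its second failure and its third attempt is ignored, 198.51.100.7 stays allowed with one failure after a good login, and 192.0.2.44 never gets to count attempts because it is on the blocklist.  In a real deployment the allowlist would come from a GeoIP feed and the blocklist from a published exit-node list, and the "banned" decision would be pushed to the firewall or IPS rather than kept in a dictionary.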
 
First, it is important to understand that there are two common ways VPNs are used.  First, people use VPNs in an effort to obscure their internet traffic and/or hide their location (perhaps in an effort to use services like Netflix in a country that doesn't support it, etc.).  This is NOT the use case we are speaking of.  However, if you google "VPN", this first type of VPN use is probably what is going to come up in the search results.  This first use case requires that you sign up for and (generally) pay for a VPN service that you connect to.  Connecting to this service then obscures your internet traffic.
 
The second type of VPN service is what we are suggesting.  This is when you create a VPN host on your local network.  This is generally done on your router/firewall.  Again, not every router supports this functionality, but many do.  The service runs 24/7 on the router and is set up to accept outside connections.  This VPN service is the only thing that your router should be exposing to the internet.  The major advantage to this system is that with this service you create an encryption key that must be used by devices trying to access the network.  Without a valid encryption key, devices are denied access to the network.  For devices that have the correct encryption key, their connections are allowed, and those devices will actually appear on the network as local devices with a local IP address instead of devices connecting from an outside network with an outside IP address.
 
These self-hosted VPN connections are free.  Of course it takes a little work to set it up initially, but then the system works silently behind the scenes, and there really isn't any ongoing maintenance that needs to be done.  You just have to provide the encryption key to each device you want to allow to connect to the network while remote.  It is simple to download the encryption key on devices when they are at your home on the local network.  (You don't want to email it to yourself, at least not without encrypting the email, because that would be insecure and could expose your key.)  You will then use client VPN software, which will use the key and have all the other connection details saved in it.  You simply open that piece of software on your device and use it to connect to your network.  It creates the VPN connection to your home network, and then all data is routed through your home network.  So if you connect to your home via the VPN, your data is going to your home first, and then out to the internet as needed.  Therefore you aren't going to use the connection all the time (because that would be wasteful and add latency), but only when you need to connect to your home network for some reason (like trying to access the ELK software).
 
Again, this second type of VPN connection does not obscure your data on the internet.  If you are accessing your local network from a phone on the AT&T network from across the country, AT&T can still monitor your network traffic, as will your home internet provider (because the data goes through their system as well).  But this does allow you a secure method of accessing your home network while providing the best method to prevent other people from accessing your home network.
 
Hopefully that helps explain things.  I know when I was first looking into VPN, I had to wrap my mind around the two different VPN use cases and learn to focus my efforts on the second use case.  Personally I have no need for the first use case, as I don't need to obscure my internet traffic or hide my location.
 
As far as where to start, I would probably recommend that you do a Google search using your router's name and model number and VPN.  So "Netgear ASB5454 VPN" for example.  It will likely bring up a bunch of results that should tell you if your device supports hosting a VPN service and how to set it up if it does.
 
Thorough explanation by sic0048.  I believe VPN is the way to go: no open/forwarded ports.  It allows access to all of your network devices as if you were connected locally.  There is also an additional advantage if you use public access points when out and about: if you turn on the VPN and route through your house, I believe you're protected from any lurkers snooping at the public access point.  Depending on your home internet service, this may or may not slow your traffic a bit.
 
Thanks sbwright and sic0048 for taking the time to explain this.
 
I have done a search for VPN for the Bell Home Hub 3000 which is supplied by my ISP (Bell).
 
So far the only discussions I can see are users wanting to access a VPN server that is behind the Home Hub 3000 and in the local network.
 
As yet I haven't found any blogs or communities that discuss having a VPN host.
 
I don't see anything for Windows Firewall that looks to be what I need.
 
I will keep looking and let you know what I find.
 
Thanks again!!
 
Yeah, you will have to use your own router that supports a VPN server and get the Bell hub changed to bridge mode, or use something like pfSense or OPNsense as a router running on a PC.  A router is likely the most cost-effective route.  For security reasons alone, I wouldn't be allowing my ISP to own/operate the firewall to my home.
 
sbwright said:
Yeah, you will have to use your own router that supports a VPN server and get the Bell hub changed to bridge mode, or use something like pfSense or OPNsense as a router running on a PC.  A router is likely the most cost-effective route.  For security reasons alone, I wouldn't be allowing my ISP to own/operate the firewall to my home.
Thanks again sbwright.
I have an old D-Link DIR-615 router that I was going to flash with DD-WRT, but the B2 version of the router is not supported.
Now looking for a new router.
 
Appreciate everyone's input and suggestions.
 