Hi, so been working on this for a week but not really happy with the solutions I find as they seem to be done by induviduals who rely heavily on ai. I got wireguard easy going and can remotly connect which is great but id love to be able to route any internet traffic to and from the wireguard clients to go though another server while filtering my local onsite services. Felt that if i can crack this i dont need to rely on tailscale. The end goal is to have no reliance on tailscale as i am preparing for the eventual enshitification.
Come on, this is not true and you know it. Finding a counterexample was easy:
https://www.anavem.com/en/news/cybersecurity/tp-link-patches-critical-router-flaws-enabling-rce
Auth bypass + auth rce flaw. Literal remote code execution, instant own.
The problem with network appliances/routers is that they all have web ui’s, and management api’s or something of the sort. Web UI’s are extremely complex services, with lots of difficult to secure attack surface. In a router, that attack surface is now running as root (because it has to be, to manage linux (or freebsd, routers are usually based on one of the two) kernel routing and networking.
So literally every single network appliance and router has had it’s own critical vulnerabilities, even open source ones like openwrt.
The real solution here is to recognize that web interfaces are a security nightmare, and to either disable them or lock them behind ssh.
(Open)ssh, is known for having extremely few vulnerabilities, only 2.5 critical ones over it’s 25+ years of existence. That’s a big difference compared to some of these network appliances/routers which have 2+ critical vulns every quarter.
Yeah only if you enable their cloud api and dont randomise your web interface port. Both of which i do. I have also pen tested my router remotley. Also i have a router not a router wifi combo. Its not an isp or consumer router. Router splits to poe switcher and a wifi ap puck.
Randomized interface ports change nothing except for stopping automated scanners. They don’t really help. Just lock it behind ssh, physical access or similar, and then never worry about it again.
No, all of the local web interfaces have had problems too. Literally every router or network appliance has had similar issues.
ISP, consumer, and enterprise routers have all the same issues due to the same architecture. All of them.
Me too. But it’s just not about my router being secure today, it’s about it being secure tomorrow. I want to be able to rest easy knowing that if a new vulnerability appears in xyz component then I don’t have to worry about it.
Without knowing my infrastructure your making some really impreasive assumptions buddy. If this is your day job i recommend a career change
Im very much aware of the cves out on tplink and the one you showed i patched months ago and hardened to recommendation to the rest. Nothings perfect but when you look at security flaws beyween cisco ubiquity and tplink ill go for tp link even tho they are missing some useful features. Im not corperate fan girl but how dead set some ubiquity users are it makes me a bit weary. If i was doing it all again and not buying on a budget id setup my own pfsense.