VPN Routers

[orion242]

https://www.peplink.com/technology/firmware-8-1-1/

More improvements to the OpenVPN client mode.

[MaxBurn]

https://www.peplink.com/technology/firmware-8-1-1/

More improvements to the OpenVPN client mode.

Did you read they changed it somewhere? Way I read it this is just the release version of the beta firmware we tried already.

[orion242]

Looks like marketing may have got me. From the email they sent

Other new features such as Wi-Fi Mesh compatibility and OpenVPN support to enable network extension

Looking at the release notes, yea looks like the same crap from a few weeks back. This did catch my eye though.

23867 [OpenVPN WAN]​ Fixed an issue where the OpenVPN WAN accepted routes from the server. All Models(Except ​FusionHub)

[nocomply65]

We've used contemporary controls' EIPR paired with a Verizon USB dongle before...I hated it. The dongle had to be set up for "manual connect" and when the signal would bounce, sometimes it wouldn't be able to reconnect requiring a reboot. Contemporary Controls' support seemed either incompetent to support the product, or it is inherently flawed. It was also really clunky and burdensome to configure, as you have to push files into and out of both the router itself, then the cloud account...lots of opportunities to FUBAR the thing, which happened every time I tried to make changes. Again...not a fan.

For clients without a security concern, we now use a static IP assigned to a SIM card, and use a Pepwave. We also use these for temporary remote access on new projects. You can also keep the SIM card DHCP, then use a windows VPN if you prefer that. Easy peasy.

[MaxBurn]

Ubiquiti is having some stock shortages right now.

Just looked into this router and results look pretty positive, it just worked with the BMS VPN article I wrote up.
https://smile.amazon.com/dp/B073TSK26W

• $27.90
• OpenWRT
• Very easy to configure
• Not hard to flatten the ovpn file and keys to one file that can be uploaded to the web UI
• It even has it's own cloud manager at us.goodcloud.xyz
• Can get into GUI or SSH webshell through that cloud manager
• Physically very small
• Does not include power supply; USB

No idea what level of china is up in this thing.

[MaxBurn]

Also looked at MikroTik, RouterOS is next level complex. I had to search to find the config menu item to even add OpenVPN, only to find you can't just upload a file. You have to define the connection in the UI much the same as you do in pfSense.

https://support.safervpn.com/hc/en-u...ikrotik-Router

[orion242]

Ubiquiti is having some stock shortages right now.

Shoot Amazon doesn't even have this in stock.

It even has it's own cloud manager at us.goodcloud.xyz

goodcloud.zyx? That just sent shivers down my spine.

[FreezerGeezer]

We're using Cisco Meraki at the moment, fwiw. I don't know much about them I'm afraid, as they're set up by another dept. The guys do say that setting them up is pretty easy.

[Pascone10]

Shoot Amazon doesn't even have this in stock.



goodcloud.zyx? That just sent shivers down my spine.

I have been experimenting with the Slate WiFi router that GLinet makes. It is a really nice router and works well. The WiFi range is surprisingly long.

I have no idea on the security obviously. I did look into the Goodcloud and you need (1) router to be the “Master” with a port open to get it to work. Then Goodcloud will use that router to set up a s2s for the other routers you add in the group. It worked great in my testing. I have not used it other than playing around.

I can only hope (doubtful i know) that Goodcloud just pushes the settings needed for the routers to communicate and thats that. The company itself seems very well known and a popular product. Being based out of China I still have my reservations. The more I use their routers, for the price I am considering using them for temporary access to an isolated controller on a 4G router.

[MaxBurn]

We're using Cisco Meraki at the moment, fwiw. I don't know much about them I'm afraid, as they're set up by another dept. The guys do say that setting them up is pretty easy.

Cisco says computer chip shortage to last six months
https://www.bbc.com/news/technology-56847518

There has been a lot of news of cisco default passwords getting purged in years past. Haven't seen much on that lately though. Not a fan of their support policy, no paid support no firmware update files. Does that hold for Meraki?

[MaxBurn]

I have been experimenting with the Slate WiFi router that GLinet makes. It is a really nice router and works well. The WiFi range is surprisingly long.

I have no idea on the security obviously. I did look into the Goodcloud and you need (1) router to be the “Master” with a port open to get it to work. Then Goodcloud will use that router to set up a s2s for the other routers you add in the group. It worked great in my testing. I have not used it other than playing around.

I can only hope (doubtful i know) that Goodcloud just pushes the settings needed for the routers to communicate and thats that. The company itself seems very well known and a popular product. Being based out of China I still have my reservations. The more I use their routers, for the price I am considering using them for temporary access to an isolated controller on a 4G router.

I didn't have to open anything to get the cloud portion connected. They seem to be checking the boxes on the cloud portion, 2fa necessary and device access required to get it connected.

It just checks all the suspicious boxes, works well, price is very low. We never saw anything positive on Huawei that I saw, other than the pattern very low price for something that works well to drive adoption. Some DFARS papers crossed my desk recently and they do call out a bunch of china vendors like that.


More shortages;
Apple Expecting iPad and Mac Supply Shortages in Second Half of 2021
https://www.macrumors.com/2021/04/28...ply-shortages/

[s2sam]

<snip>

More shortages;
Apple Expecting iPad and Mac Supply Shortages in Second Half of 2021
https://www.macrumors.com/2021/04/28...ply-shortages/

Good day All,

Chip shortages are wide spread and will affect a ton of industries and products. In fact if there are electronic devices/products that you need for yourself or for your projects, I would buy them ASAP as the availability of these items are going to be pushed back big time. Just In Time (JIT) inventory is not working well these days... As an example a number of microprocessors that I use that are/were typically stock or with a 2- week lead time are now being quoted with 52 week lead times... so delivery is not expected until Q2 of 2022. I was hearing rumblings of component shortages late last year and so I started to stock up on parts that I regularly used... This is one time that being a semi controlled hoarder came in handy.

Cheers,

Sam

[amigo]

I didn't have to open anything to get the cloud portion connected. They seem to be checking the boxes on the cloud portion, 2fa necessary and device access required to get it connected.

It just checks all the suspicious boxes, works well, price is very low. We never saw anything positive on Huawei that I saw, other than the pattern very low price for something that works well to drive adoption. Some DFARS papers crossed my desk recently and they do call out a bunch of china vendors like that.

I tried the goodcloud in the past and it works pretty slick, but like you say it is impossible to know what they are sniffing in the background, so i opted out for now.

[orion242]

Sniffing? Hell its probably backing up your openvpn keys for you as well. Its a two'fer!

Whois privacy on the domain, nice touch. That thing is bound to raise some eyebrows just about anywhere that has an IT guy with heartbeat.

At some point the cost of the device really makes me wonder. <$30 on Amazon? So after they take there cut, boy... "non-traditional" profit model maybe? Kinda like ad supported web, but with a twist.

Do they ever even bother to update the firmware on these?

Have to tap out on playing with this one.

[MaxBurn]

Given it’s based on WRT I was wondering if there is an alternate image out there for it? They also give you root login. If there’s something shady with it something will come to light eventually.

Meh, we got a line on 20 edgerouters so I think I’m good for a while at least. If we get owned through these my nobody get fired for buying IBM defense gets a test.

[orion242]

If we get owned through these my nobody get fired for buying IBM defense gets a test.

Lol

Would think if you can get the kind of PR Fazio did over the Wally world fiasco, you'll be trying to scrub your employment history at that outfit everywhere. Not that it had anything to do with BMS, but these days its going to be pretty easy to get attention if just about anything cyber happens in the automation space.

[MaxBurn]

Ubiquiti stock is trickling back in now, got 20 more. Bonus; these finally have the new firmware that doesn't require bootloader updates, 1.10.11 I think it is.

[MaxBurn]

Do they ever even bother to update the firmware on these?

Actually, yes they do. Forums are active too, so there's people that have caught on to these out there.

https://forum.gl-inet.com/t/firmware...rade-q-a/15620


And then there's this banner on top of the forum;

:mega:We have just released the BETA test of our new remote access tool #AstroRelay!

Supporting different services like HTTP to HTTPS, remote SSH, remote desktop with the highest encryption, especially for 4G LTE networks.

TRY NOW :arrow_right: https://astrorelay.com/

[BetterDuck]

The chip shortage someone brought up is real. However some companies play conservative in their business and maintain significant stock of components.

All Loytec controllers have OpenVPN server/client. The LTE adapters can be added. I see customers setting things up on their own, using open VPN cloud or significantly more scalable solutions with Palo Alto that cost much less than a currently popular box with hard keys that seem like a security risk to me.

It's a good idea whatever is implemented gives thought to scalability.

[MaxBurn]

Supply chain sucks and now need to seriously consider something other than Ubiquit. Or at least delay until we can get them again.

Picked up some random but supported by OpenWRT TPlink. Little difficulty with Tftpd, but got through it. Loaded the OpenVPN apps in GUI, converted my client config to inline and uploaded in GUI, just plain worked with no errors. I’m impressed so far, the GUI support for OpenVPN alone is something our current Ubiquiti doesn’t do. I can even assign a LED for the VPN tunnel and blink it on activity. On a major down side there is no nice remote management solution like UISP.

To do;
LAN facing firewall; block everything except BMS protocols.
Roll my own management/monitoring server. Thinking non routed OpenVPN for connectivity and basic ping via Zabbix agent UserParameter. Might even get fancy and add a Zabbix proxy to the management server and reach out to the routers and collect stats, I see people talking about OpenWRT Zabbix data collection.