Does using VPN make my network more exposed (/vulnerable)?

Inspired by the following post

I ran a series of tests on the devices on my network at:

https://www.grc.com/shieldsup

All these devices (a GNU/Linux system, a Windows machine and an Android phone) are connected to the Internet through a router with a built-in firewall and support for OpenVPN.

I ran the test with the following three configurations:

  1. connecting to the net with firewall enabled and no VPN

  2. connecting to the net with firewall enabled and VPN configured in the router.

  3. connecting to the net with firewall enabled and using the dedicated VPN app in Windows and Android and using NetworkManager in Linux.

Only in the first case did I get a green light for all the ports on all the platforms. The ports were shown as stealth and thus invisible from the outside.

In the second and third tests, three ports (and always the same three on all devices), though marked as closed, were visible from the outside and responding to the port scan.

I am afraid I am not in a proper position to interpret the results of these tests, but I wonder if the use of a VPN makes my connected devices potentially more exposed. I would appreciate your comments and insights. If you need more info, please let me know.

It depends on vulnerable to what / who…
What attack vector do you expect for your network?

How are you configuring your local firewall?

I block all traffic in and out of all connections, then only open the ports required to make a VPN connection externally (i.e. UDP 1195/1197/1198). I then allow access to and from any local network devices inside my network via the ethernet connection using specific local IP addresses.

Once connected to a VPN server you have a tun virtual adapter. I block all access internally for this tun adapter (using the local IP address range) and allow (i.e. force) all other traffic through it.

This setup means internet access is only available through a VPN, which also acts as a bulletproof kill switch.

Assume nothing, use a firewall to block access to everything initially, then only open up what you need access to.

2 Likes

To be honest, I am not sure what this all means in practice. But the mere fact that those three ports were visible when using the VPN triggered me to ask if this could "potentially" make the network more exposed.

Well, I mean like…

For example, if your main priority is to hide from the local government, using Whonix / Tor without a VPN is a must, in my opinion. Putting additional trust in a VPN is not a good idea for that.

If it’s for general privacy and closing off access to all unwanted stuff, @otherbarry's recommendation is good 🙂

1 Like

Thanks @otherbarry for the reply!
Frankly, I need to read up and learn more on making use of the firewall. As of now I have only switched on the firewall in the router with no further modification. And I have ufw enabled on the Linux system.

I guess this is what I have on my mind for now before maybe moving to a more sealed off system.

1 Like

Something like this is a decent starting template for ufw…

#!/bin/bash
set -e

# Clear firewall settings back to default (this also disables ufw)
sudo ufw --force reset

# Set the default policies first, so nothing is allowed out before the rules below exist
sudo ufw default deny outgoing
sudo ufw default deny incoming

# Allow access to/from local network devices locally (repeat for each device)
sudo ufw allow out on net to 192.168. ...
sudo ufw allow in on net from 192.168. ...

# Deny access to the local network from the VPN (use the network address of the range, not a host address)
sudo ufw deny out on tun0 to 192.168.0.0/24
sudo ufw deny in on tun0 from 192.168.0.0/24

# Allow the VPN to connect at startup (OpenVPN UDP ports)
sudo ufw allow out 1198/udp
sudo ufw allow out 1197/udp

# Allow all traffic over tun0 (ufw matches rules in order, so the tun0 deny rules above win for LAN addresses)
sudo ufw allow out on tun0 from any to any
sudo ufw allow in on tun0 from any to any

# Enable UFW with the rules and defaults in place
sudo ufw enable
sudo ufw status verbose

net is your local network adapter; substitute either your ethernet or wireless adapter name (i.e. lo / enp3s0 / etc.).

** Double-check the syntax first, this is off the top of my head.

1 Like
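The two posts above describe one policy: deny everything by default, allow the LAN only on the physical interface, let the OpenVPN handshake out on its UDP ports, then force everything else through tun0 while denying tun0 any path back into the LAN. The script below is an added example for this thread, not code posted by anyone here. It generates that rule set as an ordered list of ufw commands (printed, not executed, so it can be reviewed first) and guards the two details that are easy to get wrong by hand: the default policies are emitted before any allow rule and before `ufw enable`, and the LAN prefix is normalised to its network address (192.168.0.1/24 becomes 192.168.0.0/24). The interface names enp3s0 and tun0, the 192.168.0.0/24 prefix and the UDP ports 1197/1198 are assumed values taken from the thread; adjust them to your own setup. One deliberate departure from the posted template: inbound traffic on tun0 is not allowed unless you ask for it, since a VPN exit that forwards ports would otherwise reach your machine.

```python
#!/usr/bin/env python3
"""Emit ufw commands for a VPN-only ("kill switch") host firewall.

Added example for the thread, not any poster's code. Interface names,
prefix and ports used in __main__ are assumptions taken from the thread.
"""
import ipaddress
from typing import Iterable, List, Optional, Sequence


def lan_network(cidr: str) -> str:
    """Normalise a prefix to its network address: 192.168.0.1/24 -> 192.168.0.0/24."""
    return str(ipaddress.ip_network(cidr, strict=False))


def killswitch_rules(
    lan_if: str,
    lan_cidr: str,
    tun_if: str,
    vpn_ports: Sequence[int],
    lan_hosts: Iterable[str] = (),
    allow_inbound_on_tun: bool = False,
) -> List[str]:
    """Return ufw commands, in the order they must be run, for a VPN-only host."""
    lan = lan_network(lan_cidr)
    lan_net = ipaddress.ip_network(lan)

    rules = [
        "ufw --force reset",
        # Defaults first: ufw's stock default is 'allow outgoing', so setting
        # these before any allow rule and before 'enable' avoids a leaky window.
        "ufw default deny incoming",
        "ufw default deny outgoing",
    ]

    # LAN traffic is only permitted on the physical interface. Either specific
    # hosts (as otherbarry does) or, if none are given, the whole prefix.
    peers = list(lan_hosts) or [lan]
    for peer in peers:
        if not ipaddress.ip_network(peer, strict=False).subnet_of(lan_net):
            raise ValueError(f"{peer} is not inside {lan}")
        rules.append(f"ufw allow out on {lan_if} to {peer}")
        rules.append(f"ufw allow in on {lan_if} from {peer}")

    # The OpenVPN handshake has to leave on the physical interface: tun0 does
    # not exist until the tunnel is up.
    for port in vpn_ports:
        rules.append(f"ufw allow out on {lan_if} to any port {port} proto udp")

    # ufw evaluates rules in insertion order, so the LAN deny on the tunnel
    # must be added before the allow-any on the tunnel.
    rules.append(f"ufw deny out on {tun_if} to {lan}")
    rules.append(f"ufw deny in on {tun_if} from {lan}")
    rules.append(f"ufw allow out on {tun_if} from any to any")
    if allow_inbound_on_tun:
        rules.append(f"ufw allow in on {tun_if} from any to any")

    rules.append("ufw enable")
    return rules


def verify_killswitch(rules: Sequence[str], tun_if: str, lan: str) -> bool:
    """Check the ordering properties that make the rule set a kill switch."""
    def first(prefix: str) -> Optional[int]:
        return next((i for i, r in enumerate(rules) if r.startswith(prefix)), None)

    enable_idx = first("ufw enable")
    if enable_idx is None or enable_idx != len(rules) - 1:
        return False  # enabling must be the last step
    for policy in ("incoming", "outgoing"):
        idx = first(f"ufw default deny {policy}")
        if idx is None or idx > enable_idx:
            return False  # both default policies set before enable
    deny_idx = first(f"ufw deny out on {tun_if} to {lan}")
    allow_idx = first(f"ufw allow out on {tun_if}")
    return deny_idx is not None and allow_idx is not None and deny_idx < allow_idx


if __name__ == "__main__":
    # Assumed values from the thread; change to your interfaces, prefix and ports.
    rules = killswitch_rules("enp3s0", "192.168.0.1/24", "tun0", [1197, 1198])
    if not verify_killswitch(rules, "tun0", lan_network("192.168.0.1/24")):
        raise SystemExit("generated rule set is not a kill switch")
    print("\n".join("sudo " + r for r in rules))
```

Run it, read the output, then paste the commands into a root shell. If the VPN host is given as a DNS name, the client still needs a way to resolve it before tun0 exists, so either allow UDP 53 out on the physical interface to your resolver or configure the client with the server's IP address.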

That’s great, thanks! I’ll be trying it to see if I can make it work.
I’ll take this as a project in learning "firewalling" in Linux.

1 Like

Also keep in mind that ShieldsUp will be scanning the VPN endpoint, which has to have open ports for you to be able to connect to it.

2 Likes

A local firewall is a great idea and something I strongly recommend. That being said, a local firewall probably won’t help very much with test #3. The VPN in theory will be tunneling through the firewall.

I think the fundamental problem here is understanding what ShieldsUp is telling you. It is letting you know which ports are open on whatever it is scanning. It is not true that no open ports makes you secure and open ports make you insecure. As @jonathon points out, anything which offers a service will have open ports. What you should be doing with that information is making sure you understand what is actually being scanned and whether those open ports represent a risk to you.

3 Likes

@jonathon, @dalto

Thank you both for your input and for sharing your insights. Now I know a bit more about what to look for, and hopefully I will find where. It feels like I am back to square one and it’s time to start reading up on the subject.

@keybreak and @otherbarry

The same goes for you as well. I truly appreciate your replies pointing me to the direction of a better understanding of the subject.

See you later on!

5 Likes