130 replies to this topic

[kermith]

OH, ok. Thanks. The problem was that I never got in to the box through telnet. I reinstalled everything and now closed all ports

Will install SSH from you tip or OpenVPN before I open a the stream interface again. FTP, Telnet and WBIf I'll have closed all the time

[WanWizard]

For those still in doubt: your box may already be listed: http://iptvsatlinks....p-accounts.html and if you want to find a lot more: https://www.exploit-db.com/ghdb/4343/

 

DO NOT OPEN UP YOUR BOX TO THE INTERNET. NEVER!

[kermith]

Super thanks! Will check these links. Damn low lifes. Have closed my ports.

WOW, the second link says it all...

Edited by kermith, 9 December 2016 - 16:59.

[kermith]

Haha, never knew this stuff existed. Have been checking through IPTV links. Most are really non viewable with so many freezes. Does anyone use that at all.

[kermith]

Throwing in another question. Have been looking around of Enigma2 has support for Firewall/IPTables. 

Am I correct that it's not supported? 

[WanWizard]

Correct. But OE in itself supports it, so you might be able to create your own build with the required modules.

 

We believe that an STB is not a security device, and therefore doesn't need a network layer firewall. And that is problem number two. A network layer firewall doesn't protect you against the threats, they just open or close a port. The threats however are not on layer 3, they are on higher layers, so you would need an L4-7 application firewall to do something useful.

 

For the same reason it is not wise to use port forwarding on a security device such as a home router and/or firewall, as it suffers from the same problem.

 

In layman's terms: it is not a discussion of whether a door is open or closed, it is a discussion of what comes through that door. And if you can't check that, you shouldn't open the door at all.

[Pippin]

Some related info:

http://hardwear.io/w...-by-Sofiane.pdf
https://www.ekoparty...V_Receivers.pdf

[kermith]

@WanWizard, can't stress the factor of how much I appreciate the help as well as the juicy explanations and information you guys take your time to post here. I learn something every day. You are correct that I should keep the door (router/firewall) closed and sealed, and then throw away the key

 

I could of course use my TV providers service by streaming it from my tablet at my country house. I have all the channels available I have at home so I could definitely skip the streaming to my box altogether. BUT all this new stuff to stream is a hassle for a guy like me as well as my wife since we want ONE box for watching TV, and we are TV savvy people J

 

I have looked at using google cast to stream my channels which works very well, I stream my HBO Nordic that way. Also, some other Android boxes that could work with some tweaking and KODI.

 

But NOTHING comes close to the easiness and flexibility of an Enigma2 box, really NOTHING. It’s basically Plug and Play, no tweaking or whatnot. That’s why I will be stuck with my Enigma2 box for a good while J , and preferably OpenPli image, which to me is far the best image out there (my opinion, so don’t get in to that discussion). And I just bought an UNO 4K, works great with my CI+ card and I can even now stream HD channels J Now just a big “long” wait for an OpenPli image for that box now!

 

Regarding the main question. Well, why I asked about the IPTables is that I read a little bit about it and there’s a possibility to only allow connections from a specific country, to the box. From what I have seen and noticed, 100% of the intrusions have come from countries outside of Sweden, mainly Turkey, Morocco, Greece, Spain, Italy and even Iran, in that order.

 

Being able to only allow connections from my country, Sweden, would in this case solve all my problems for now.

 

I have found some information on Firewall/IPTables on different forums. But my knowledge to compile it myself is next to none. Is there anyone that could help me out for my new UNO 4K, bus as well for my 2 months old VU+ Solo SE Version 2 and if it’s ok for my ancient DM800SE.

 

If not, please point me to some information where I could study how to do it J

[daveraver]

could anyone guide to a manual link to configure openvpn? SpaceRat made an explanation/guide to configure ssh tunel to streaming. I have several guides and no have idea where to start on.

[SpaceRat]

I suspended writing the tutorial because it would contain a lot of steps to perform.
I hoped that I could get assistance with writing a plugin instead, which would do the dirty work ... menu guided.

However, there is an absolute lack of interest in making things easier for the users:
https://forums.openp...openvpn-needed/
http://www.world-of-...gin-Development
plus threads inside internal forum sections (OpenATV).

So effectively I have given up.

[littlesat]

A plug-in will not really work as the most difficult part is generating the keys an lysences files

[SpaceRat]

As said in the linked thread: Let that be my problem.

Of course the E2 box is capable of generating all the necessary files (Diffie-Hellman parameters, CA cert, server key, server cert, client key, client cert) on its own.
It could even spit out ready-to-use profiles for OpenVPN Connect, Tunnelblick, whatever.

All I asked for was some help with the E2 GUI part which isn't my world/strength, but that seems to be asked too much ...

[littlesat]

Do you have a link to usable sources to create a Keyset?

[SpaceRat]

Basically you could just use easy-rsa.

[WanWizard]

Generating self signed keys is a few lines of openssl commands, I think that's the least of the problems.

 

You first have the question whether you're setting up a server or a client. Both need a different config.

 

If it's a server, you need to deal with certificate generation, and give the user an option to download a config and the certificates so they can be installed in the client. If it is a client, it may need a username/password, it may need the option to upload certificates, or both (because it is the server that dictates that). Then you may have problems with some server setups that only deliver pkcs12 certificates, and/or deliver password prototected certificates.

 

In short, it isn't that simple to make a one-size-fits-all, it requires quite a bit of thinking, and quite complicated plugin code...

[SpaceRat]

For a plugin, there would be a Pythonic alternative.

OWIF already issues and self-signs certificates for https, the same methods should be usable to sign them using an existing CA.

[SpaceRat]

In short, it isn't that simple to make a one-size-fits-all, it requires quite a bit of thinking, and quite complicated plugin code...

I somehow like this OpenPLi'ish approach to things:
Just talk about how complicated it is, that saves the hassle to really do the work.

I got the finished plugin right in front of my eyes, the user simply has to answer some guided questions and ends up with some QR code for profile download.
That profile might not fit 120% of all use cases, but 99.5% (For box = server scenarios).

The current OpenVPN plugin for Open* covers ZERO % of all use cases.

[WanWizard]

I'm afraid you misunderstood me.

 

I'm not saying it shouldn't be done, I'm saying that because it is a complicated business with lots of options, you need to think before you code. So that you end up with a solid product instead of a bunch of spaghetti code because you forgot half which needed to be bolted on later.

 

For example: for now all the talking has been about certificate generation, which is only relevant for OpenVPN-server, and not for OpenVPN-client. While the client functionality is the most used/requested option for an STB. I understand that you focus on this because you have other use-cases as well that are not related to OpenVPN.

 

That only makes it more important to think the requirements and the approach through before you start coding. That has nothing to do with OpenPLi, but all with common sense application development.

 

All you have to do is to look at the majority of the plugins and most of the Enigma code to see what happens if you don't do that.

[SpaceRat]

For example: for now all the talking has been about certificate generation, which is only relevant for OpenVPN-server, and not for OpenVPN-client.

For some simple reasons:
1. When we aren't talking about the box as a server, setting up OpenVPN is as easy as dropping the .ovpn file into /etc/openvpn

I'm intentionally talking about an .ovpn file rather than a .conf file, as I've planned to use
ln -s blah.ovpn blah.conf
to enable or
rm blah.conf
to disable a profile (Until we finally get systemd and can use systemctl enable|disable openvpn@profile)

Besides that, there isn't much to do to simplify client setups ... scanning all removable media for profiles and offering to import them.

 

While the client functionality is the most used/requested option for an STB.

Looking through the threads of the last weeks, the opposite is true.
It might be caused by taking the rifle out of the users hands and forcing VPN usage for OWIF access from outside or just because setting up OpenVPN as a server in E2 is that freaking hard for normal users while clients setups are rather easy (See above).

 

That only makes it more important to think the requirements and the approach through before you start coding. That has nothing to do with OpenPLi, but all with common sense application development.
 
All you have to do is to look at the majority of the plugins and most of the Enigma code to see what happens if you don't do that.

Alle sagten: Das geht nicht. Dann kam einer, der wusste das nicht und hat's gemacht.
Everybody said: That's not going to work. Then someone came who didn't know this and just did it.

The starting point is quite clear:
We need a plugin which shows all existing profiles in /etc/openvpn and offers to enable/disable each one of them seperately.

Edited by SpaceRat, 12 January 2017 - 16:45.

[WanWizard]

1. When we aren't talking about the box as a server, setting up OpenVPN is as easy as dropping the .ovpn file into /etc/openvpn

 

Eh, no.

 

That is only the case when you have a server that uses username/password (which will be hardcoded in the config file). That will not be the case when certificates are involved (which is with every OpenVPN server admin that is worth his salt). So you need certificate setups into account, and you have quite a few posibilities (with/without intermediate certs, pem of pcks12 format, password protected or not, etc) that you all have to deal with.

 

Besides that, most people don't have a clue how to create an openvpn configuration, so if they are in a situation where a ready one isn't provided, they are out of luck and your plugin isn't going to help them.

 

So don't assume your use case is the only valid use-case.

 

The OpenPLi team is of the opinion that converting the STB into a security device is a bad idea, as the box is inherently insecure. It is like giving the user a gun and tell them to shout in their own foot. But if they want that, be our guest, we're not babysitters.

 

For your last quote: you still need to learn to read before your reply. Nor I, nor anyone else of our team has said it is not going to work, and you should not do it. All I said was "think before you start". Your approach is a bit like wanting to build a house, deciding you don't need an architect, and just start stacking bricks and see where you will end up. Which is a very bad idea.

 

If you don't take clients into account, we'll either end up with no solution for people needing a VPN client, or two different solutions, or someone forking your plugin and bolting it on. What good does that serve?

 

And if you want to use quotes, I've got one too: "There is never time to do it right, but there is always time to do it over and over again".