by xoa 897 days ago
Personally I've essentially given up on depending on WiFi auth for anything important. For general access, segmenting various users, IoT etc. for performance, monitoring and light privacy, WPA-EAP and PPSKs with VLANs work fine as an initial first layer, in a simple, reliable way that works with everything. It's a low pass filter.

But for all sensitive access I use internal Wireguard now. WiFi auth gets a client onto a restricted VLAN in the first place, but from there only a VPN will get to management webguis, sensitive services, or unrestricted internet access. Regrettably the design process for WPA3 was the same old mediocre industry affair. It's not worth trying to put many bandaids on vs just moving things to a higher level. As a practical matter WiFi also just isn't that fast vs high performance clients, it's not like WG has to handle tens of gigabits, so there isn't even any downside in performance.

WiFi auth at this point kinda feels like a polite lock on the screen door. Not useless at all, but anything really important should have other layers in front that are more secure by design from the ground up.


What is your threat model to warrant this effort at home? Are your work-related machines not networking through an encrypted tunnel in some other way (that would be a serious oversight!)? What government are you living under that is routinely compromising WPA3 from mobile vans? Are friends/guests so untrustworthy that you can allow them into your home but can’t trust the VLAN implementation of your network equipment to protect you from them accessing your network admin plane?

I’m asking incredulous and probing questions because I used to live life the way you are currently, and it’s frankly unhealthy for the human brain. If “home” feels like such an unsafe place to warrant your current measures, you need to either make serious changes to where home is, or your mental state. Neither is easy but at least one is necessary.

> What government are you living under that is routinely compromising WPA3 from mobile vans?

I imagine living in any decent sized downtown area would have your network being scanned by thousands of machines daily. Especially if near important infrastructure, law enforcement, etc.

That is not enough for a threat actor to modify the network control plane with WPA3. There are tight timings involved. It is only enough to be able to passively capture packets that can be retroactively decrypted, and even then, if there isn’t TLS working on those packets, you already screwed up worse anyway.

That's the wrong question to ask. Instead, we should be asking ourselves, why is it after all these years that we still don't have secure and easy to use multi-account WiFi networks with per-account configurable security policies in our homes? It's the current state of things that's unhealthy, not the people demanding better.

Security measures should be evaluated based on their own merits, not by appealing to friendship or any other relationships. We can lock our front doors and have a healthy relationship with our neighbors! These two things aren't mutually exclusive. Though I will add that trusting government authorities not to routinely abuse their powers is a hard ask given their track record all across the globe, even in democratic countries.

WiFi is ubiquitous and is used to exchange sensitive information 24/7. Its compromise can result in financial, reputational, or even physical risk. Considering that raw signals can be intercepted outside of our homes, devices on the network should at the very least be mutually authenticated and their connections encrypted.

Also, let's not forget about the devices too. Say you trust the people you let into your home. Can you also trust their devices and the software that runs on it? Do you trust your work laptop and its "security" software to respect your privacy? Do you even fully trust your own devices? Do you have faith in current commercial hardware and software to respect boundaries, or even comprehend the concept of user ownership? Because the answer to all these questions increasingly sounds like a "no."

> we should be asking ourselves, why is it after all these years that we still don't have secure and easy to use multi-account WiFi network

But that’s exactly what we do have! Any old router/AP combo you buy at the store or get from your ISP will let you set up a normal network and an isolated Guest network. All with a nice UI/UX that involves checking one box and choosing a password. Considering WPA3 to be insecure is just not rational or based in reality. Exploits against it are really complicated and just don’t happen all that much.

I don’t have to trust all the junk IOT devices that end up in my house because I just throw them on the guest network and call it a day. Nothing bad is going to happen to me as a result of this practice.

When I wrote "multi-account WiFi networks with per-account configurable security policies," I meant WPA Enterprise style networks. Having 2 SSIDs and 2 passwords is a horribly insufficient setup which doesn't fit my description. That feels just as secure as running a Tor exit node right in my home, since there's no separation in the primary network and the password is bound to leak the more you share it to people.

> unhealthy for the human brain

Fortunately, wired networking continues to work reliably, unlike frequently "New and Improved" wireless increments.

Honestly, wired networking can be less secure, depending on your threat model. Not everyone lives in some kind of a physical fortress; breaking into someone's house is usually a simple matter of some lock picks that you can buy off the Internet, then compromising the wired network just requires installing an interceptor, not to mention stuff like hardware keyloggers. The truly paranoid user needs to check all their wired connections before each and every use, which few people do. They will need to seal the cases of each of their machines with some kind of tamper-evident seal, with transparent cases to ensure that nothing has been added internally with countermeasures taken against the tamper-evident seal, including the cases on the video cameras that they have set up to try and catch would-be intruders.

The point remains, people either generally feel safe in their homes, or they don't. If you do, then honestly a lot of these security measures are just overkill. If you don't, then you should deal with the root cause instead of its symptoms.

> generally feel safe in their homes

The human occupants of homes and businesses may be surprised by IEEE 802.11bf through-wall imaging of human activity by WiFi 7 Sensing, including keystrokes, breathing, motion and location in rooms.

Should the sale of new wireless imaging powers come with vendor responsibility and liability to secure those powers, or should that be delegated to the feelings of customers?

Will an enterprise VPN be sufficient to protect corporate assets which rely on the integrity of devices located in WFH employee homes, with walls transparent to WiFi 7 Sensing?

You might be right, but this person might just be really intuitively good at network config and this is their hobby.

Thank god for shitty wifi ranges!

> What is your threat model to warrant this effort at home?

Same normal one as everyone else in a connected world? I find this interesting and do the same stuff for both home and work. You make a lot of mistakes and wrong assumptions, but a big one is failing at all to consider cost amortization. You're assuming this is a burden, but that's backwards. I need/want a decent network anyway. I want to use open source for core areas to avoid actual problems I've had (not theoretical) with lock-in going wrong anyway. There is absolutely real work and cost in setting that up, same as a good NAS, virtualization (or home k8s clusters some people do or whatever else), etc. But once you do, the marginal cost of doing more stuff with it is tiny, which of course is some part of the whole value in doing it in the first place. It's absolutely wise to pick where one spends their time and resources with care, and I have zero issues with leaning on COTS and other professional in plenty of areas. Self-hosting is both something I enjoy, something I think is important/valuable, and of professional interest.

>I’m asking incredulous and probing questions because I used to live life the way you are currently, and it’s frankly unhealthy for the human brain. If “home” feels like such an unsafe place to warrant your current measures, you need to either make serious changes to where home is, or your mental state. Neither is easy but at least one is necessary.

This is a lot of projection and confusion on your part I'm afraid. None of this has anything to do with "feeling unsafe" beyond the basic ways perhaps we should given the state of smart home devices, cloud service dependencies etc, and how valuable our digital lives and monitoring of them now are. As far as security you've literally got it backwards though: moving to an open, less complex, higher layer is simpler, more practical, more reliable, and thus it reduces vs adds mental burden. I don't need to think as much about whether some new aggressive smart home thing is trying to scan my network and what issues it might have (they are, they do, and no I do not get total veto on what comes in vs family desires/needs), about making use of still good but now old and never updated kit, about issues in the network hardware itself (like when some UniFi gear was leaking traffic between VLANs [0]), about new surprises in WPA, ever more automated attacks, and on and on. A minute to set up a tunnel once and a lot of that evaporates for years at a time. It significantly reduces the surface area of stuff that is critical to stay on top of vs "eh, check on updates once in a while".

None of this comes from the strange state you describe yourself as in, but from curiosity, interest, and reasonable respect for the amount of risk against both my own limitations and positive features that I want to take advantage of in my life. Indeed if I didn't consider my home, office, and other work spaces fundamentally physically safe that would undermine the foundation of self-hosting! But physically safe with great neighbors and so on is separate from the connection to the entire rest of the planet, and the various black box objects we bring into said safe home made by profit seeking multinationals capable of communicating without our approval over said connection to the entire rest of the planet right? I hope you're making progress though!

----

0: https://community.ui.com/questions/BUG-NanoHDor-broadcast-an...

Would love to hear more about how you provision wireguard. I have a simple VLAN setup where I can open a tunnel from my "guest/home" network to my "lab" network (i.e. Docker hosts, desktop PCs that I use for development, etc) and a second tunnel from the lab network to the network that can access mgmt interfaces, however it's all mostly manual (i.e. sudo wg-quick up in a terminal).

Somewhat related -- with the project I work on, https://github.com/spr-networks/super, we do support wireguard peers (and also support combining that wireguard identity with a wifi peer identity as well).

Devices are provisioned by assigning or generating a wireguard keypair in the API.

Next the peers are routed together by policy and by default can't access one another. There's support for bidirectional network groups or one-way firewall rules with NAT.

One area of improvement is multicast support with wireguard, it's doable, just not ready yet.

Tailscale. It's Wireguard under the hood but with a company doing good UX on top.

I’m familiar with Tailscale but could you provide more detail on how to use it as an authentication method?

The two ways I see:

On my home server, only allow incoming connections from the Tailnet. However, this seems lockout prone.

Or I could create a VLAN and put all hardwired devices in it. All running Tailscale. But this wouldn’t cover securing my laptop (has to be on WiFi in my situation). This still seems lockout prone?

Additionally, the router is still exposed “normally” and can be compromised without requiring VPN access

Sorry if this post is a bit of a mess. Thanks.

Maybe they expose the WireGuard port through the firewall and VPN into a flat management network.

For most stuff I've been comfortable with having my OPNsense gateways be trusted points, which has struck a reasonable balance for me between convenience, security, and compatibility. So I Wireguard into that, and from there it's normal firewall and routing in one place, with the ability to lean on hardwired subnets or VLANs so that the universe of old sensitive appliance things (like UPS interfaces) can still be reached. I have site to site wg tunnels between gateways as well. For LAN usage going through a central point has generally not been a significant performance burden; the only thing I have personally that is both very demanding and secure is iSCSI, and there I've gone to the trouble of just physically isolating it. Going through a point also means there isn't much in the way of provisioning to do: each client just needs the single WG to the gateway for all (or most) traffic and that's it. Most stuff can be provisioned with Ansible; for a few mobile clients though I just use QR codes manually. I should really try to figure out if Wireguard can be provisioned on iOS/Android with MDM but that's been a backburner so far.

I've started to play around with having some things go exclusively into a Nebula mesh with OPNsense only running a lighthouse, but it's more work and rougher. And unlike WG to the gateway and leaning on VLANs for some older kit, really putting everything behind a virtual network they don't natively support requires sticking a translator between them and the rest of the network. Fun to play with a little and the potential is cool, but I don't think there are any prebaked options as smooth and cheap as would be ideal for that, and I suspect the ROI there at my level is getting pretty dang low. IPMI access is the main place I think might be worth it since that's just so sensitive yet simultaneously so useful in resolving issues all while having extremely mediocre security on its own.

Whereas WG to the gateway does leave the gateway as a point of failure, but I'm depending on that to a significant degree for now anyway. And it is fast, simple, reliable, easy to manage/reason about, and eliminates layer 2 auth from the picture entirely. Don't have to worry about someone plugging into some open ethernet port either, for example, and any necessary effort to secure those, not just WiFi. Threats may evolve but hopefully the options we have to combat them evolve in concert to some degree. Lots of other HNers are vastly more experienced in this than me, and I'm not unaware of some of the potential failure points, but it's hard sometimes to figure out how to balance risk vs resources we have to spend on them (not just money but time).

Also there are other good gateway/firewall options like VyOS, or just working directly off your favorite flavor of Linux or OpenBSD or whatever, that might fit your needs/preferences/tooling better than OPNsense. I don't mean to suggest that it is the best choice, it's just what I've settled in on as a good balance of other values.
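A provisioning helper in the style of the "single tunnel to the gateway" setup described above, added here as an example; it is not code from the thread, from OPNsense or from the WireGuard project. It shows the two security-relevant choices: on the gateway, cryptokey routing pins each peer's public key to its own /32, and on the client only the gateway plus the subnets for that peer's role are routed into the tunnel, with the private key generated on the device and never handled by the provisioner. The endpoint, tunnel subnet, role subnets, role names and all keys are constructed placeholders.

```python
import base64, binascii, ipaddress

# Constructed values: the endpoint, tunnel subnet and gateway key are placeholders.
GATEWAY = {"endpoint": "gw.example.invalid:51820",
           "pubkey": base64.b64encode(b"\x01" * 32).decode(),  # dummy, not a real key
           "tunnel_net": ipaddress.ip_network("10.200.0.0/24")}
# Internal subnets each (hypothetical) role may route into the tunnel.
ROLE_SUBNETS = {"lab": ["10.10.0.0/24"], "mgmt": ["10.10.0.0/24", "10.99.0.0/24"]}

def check_pubkey(key):
    """A WireGuard public key is 32 bytes, base64 encoded; reject anything else."""
    try:
        raw = base64.b64decode(key, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not base64: {key!r}") from exc
    if len(raw) != 32:
        raise ValueError(f"public key must be 32 bytes, got {len(raw)}")
    return key

def allocate(peers):
    """Gateway takes the first host, each peer its own /32; bad keys, duplicate keys and unknown roles are refused."""
    hosts = GATEWAY["tunnel_net"].hosts()
    gw_addr, seen, out = next(hosts), set(), []
    for p in peers:
        if p["role"] not in ROLE_SUBNETS:
            raise ValueError(f"unknown role {p['role']!r} for {p['name']}")
        if check_pubkey(p["pubkey"]) in seen:
            raise ValueError(f"duplicate public key for {p['name']}")
        seen.add(p["pubkey"])
        out.append({**p, "addr": next(hosts)})
    return gw_addr, out

def gateway_config(gw_addr, peers):
    """Gateway side: cryptokey routing pins each key to one /32, so no peer can source traffic as another."""
    lines = ["[Interface]", f"Address = {gw_addr}/{GATEWAY['tunnel_net'].prefixlen}",
             "ListenPort = 51820", "PrivateKey = <gateway key, stays on the gateway>"]
    for p in peers:
        lines += ["", f"# {p['name']} ({p['role']})", "[Peer]",
                  f"PublicKey = {p['pubkey']}", f"AllowedIPs = {p['addr']}/32"]
    return "\n".join(lines)

def client_config(gw_addr, peer):
    """Client side: route only the gateway and the role's subnets; the private key is made on the device."""
    allowed = [f"{gw_addr}/32"] + ROLE_SUBNETS[peer["role"]]
    return "\n".join(["[Interface]", f"Address = {peer['addr']}/32",
                      "PrivateKey = <generated on the device with wg genkey>", "",
                      "[Peer]", f"PublicKey = {GATEWAY['pubkey']}",
                      f"Endpoint = {GATEWAY['endpoint']}", f"AllowedIPs = {', '.join(allowed)}"])

def provision(peers):
    gw_addr, allocated = allocate(peers)
    return {"gateway": gateway_config(gw_addr, allocated),
            "clients": {p["name"]: client_config(gw_addr, p) for p in allocated}}

# Constructed sample peers with dummy public keys.
SAMPLE_PEERS = [{"name": "laptop", "role": "mgmt", "pubkey": base64.b64encode(b"\x02" * 32).decode()},
                {"name": "desktop", "role": "lab", "pubkey": base64.b64encode(b"\x03" * 32).decode()}]
```

The per-peer client text is what would go into a wg-quick file or a QR code, once the device fills in its own PrivateKey line.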

And here I just deployed 802.1X wireless and wired across our four hospitals. Maybe you’re not doing something right.

That's a good attitude. All the essential stuff should be end to end encrypted at this point. For example, if you use the web, all your connections are over SSL. Depending on how that is set up, your connections might leak some information about domains you are talking to. But beyond that it's just unreadable garbage for any man in the middle. So, how much does it matter if you use a public wifi in a hotel, airport, or some mobile phone network, etc.? Answer: it mostly doesn't matter. Unless you are a network security expert, you should treat your home network with the same level of distrust as you would treat any other public network. You can't assume it to be 100% secure. No matter how many acronyms your router supports.

If you feel strongly about it use a VPN. Wireguard is nice for this indeed. And indeed some IoT has pretty shit network security so you might want to care about securing that in your home or office network. But beyond that, your exposure should be pretty minimal even if you don't use a VPN.

And reality check: most people aren't network security experts. I'm certainly not one even though I've been active as a developer for a few decades and kind of know what I'm doing.

So, IMHO WPA3 is a waste of time. I don't care about it. It might be more secure by some unknowable degree. But since it is unknowable (for me), I can't be bothered to care. I'd on principle treat it as just as insecure as WPA 1 & 2. Or no network security at all. Which is good enough for me to run my SSL connections over them. And even if it is super duper secure, I don't necessarily trust the Chinese manufacturers supplying the router chips and firmware to do the right thing. In my experience, the vast majority of routers run years out of date firmware supplied via a very shady chain of suppliers for chips and software that I definitely don't trust.

So, WPA 3 is a security blanket. A false sense of security. If you have reasons to be paranoid, go for it. It probably helps. Just like tin foil hats, Faraday cages, and all the rest. I don't use those either. But for the rest of us who aren't network security experts with operator supplied routers at home and working in office environments as well as on the go with random third parties maybe taking care about network security a little bit in the networks we connect to, I treat all networks equally: 100% untrusted. I don't care about what acronym soup applies to the network or how shit-hot the graybeard that manages it is. I just blindly assume network security is mediocre at best and connect anyway. For me network security is about being able to use my laptop safely in a completely untrusted network. Because that's where I use it all of the time.


We already have .1x which supports various auth methods such as certificate auth and can use policies to assign clients to VLANs.