Secure access to home network


TerryE

This subject has many layers, like how can I use HTTPS inside my home network, but the one that I am facing at the moment is that I would like to open up some limited access to my home network:

  • Public key, no password SSH to a non-standard port
  • HTTPS to a small web hierarchy on one web service provided by the same server.

The first part of this was easy for me. My ISP allows my home router to have a fixed IP and I have full control of my personal domain's DNS records, so I can (and have) set up one of my sub-domains to point to this IP. This gives me the SSH functionality and HTTP to a gateway server using my router's NAT configuration. Job done -- apart from the fact that I don't want to allow inbound HTTP, just HTTPS.

I also used certbot to validate a free Let's Encrypt certificate for this, so I thought that this would now just be connect the dots -- except that my test session barfed on Chrome and Firefox with a certification error (certificate is unsigned and not valid for the name ph.ellisons.org.uk). After lots of head scratching I also tried a wget and this was more specific: certificate common name ‘ZyXELcert’ doesn't match requested host name ‘my.subdomain.org.uk’. The ZyXELcert was the give-away as my ISP provided a ZyXEL VDSL router. My router is not just passing the HTTPS through; it is actually doing an inbound HTTPS proxy and substituting its own unsigned certificate. Uaaarrgg!! The certification check was throwing up a valid man-in-the-middle attack from my Chinese router!

Time for a new VDSL router, I think.

Has anyone else had similar fun?

Can anyone recommend a good specialist forum where I can research / bounce options?

(My son-in-law says just to set up my own VPN service and have done with it.)


Well, I just realised the answer to my problem as I was posting this. My router can't be monitoring all ports for a putative HTTPS proxy. It must have been filtering the NAT tables for use of a 443 port on either side of the translation, so I've just switched to another port using the same non-standard port for inbound and outbound address translation: http://subdomain.ellisons.org.uk:4444/test.php. (This isn't a valid link BTW, as the port and subdomain name are changed to prevent a scraper finding a target). So all is working!!

9 minutes ago, JSHarris said:

What about an off-the-shelf solution, like setting up an Own Cloud server?


Jeremy, the issue wasn't configuring a secure service on a webserver; it was stopping my bloody router snooping on the inbound HTTPS sessions.

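A quick way to confirm that no device on the path is substituting its own certificate, as the ZyXEL router in this thread did: compare the SHA-256 fingerprint of the certificate the public port presents with the fingerprint of the certificate file the server actually holds (certbot's cert.pem). This is an added example, not code from anyone in the thread; the host name, port and certificate path on the command line are assumptions, and it is meant to be run from outside the home network.

```python
"""Compare the certificate a public host:port presents with the server's own
certificate, so a device on the path substituting its own (as the router above
did) shows up as a fingerprint mismatch. Added example; paths/hosts assumed."""
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def sha256_fingerprint(der_bytes: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as `openssl x509 -fingerprint -sha256` prints it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first certificate in a PEM file (certbot's cert.pem, or fullchain.pem)."""
    start = pem_text.index(PEM_BEGIN)
    stop = pem_text.index(PEM_END, start) + len(PEM_END)
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text[start:stop]))

def presented_der(host: str, port: int, server_name: str) -> bytes:
    """DER certificate presented at host:port. Verification is deliberately off:
    a substituted self-signed certificate would otherwise abort the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)

def verdict(expected_fp: str, presented_fp: str) -> str:
    """Human-readable comparison of the expected and presented fingerprints."""
    if expected_fp == presented_fp:
        return "OK: the outside world sees the server's own certificate"
    return "MISMATCH: something on the path is presenting a different certificate"

if __name__ == "__main__":
    # Run from OUTSIDE the home network, against the public name and port, e.g.
    #   python check_cert_path.py my.example.org 4444 /etc/letsencrypt/live/<name>/cert.pem
    name, port_str, pem_path = sys.argv[1:4]   # assumed argument layout
    with open(pem_path) as f:
        expected = pem_fingerprint(f.read())
    seen = sha256_fingerprint(presented_der(name, int(port_str), name))
    print("expected :", expected)
    print("presented:", seen)
    print(verdict(expected, seen))
```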
