README: add security recommendations for services

pull/67/head
Jake McGinty 2021-04-25 01:59:48 +09:00
parent c6bb8052fb
commit 733118a463
1 changed file with 24 additions and 1 deletion


@ -12,7 +12,7 @@ This has not received an independent security audit, and should be considered ex
### Server Creation ### Server Creation
Every `innernet` network needs a coordination server to manage peers and provide endpoint information so peers can contact each other. Create a new one with Every `innernet` network needs a coordination server to manage peers and provide endpoint information so peers can directly connect to each other. Create a new one with
```sh ```sh
sudo innernet-server new sudo innernet-server new
@ -144,6 +144,29 @@ or unset the port and use a randomized port with
sudo innernet set-listen-port -u <interface> sudo innernet set-listen-port -u <interface>
``` ```
## Security recommendations
If you're running a service on innernet, there are some important security considerations.
### Enable strict Reverse Path Filtering ([RFC 3704](https://tools.ietf.org/html/rfc3704))
Strict RPF prevents packets from *other* interfaces from having internal source IP addresses. This is *not* the default on Linux, even though it is the right choice for 99.99% of situations. You can enable it by adding the following to a `/etc/sysctl.d/60-network-security.conf`:
```
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
```
### Bind to the WireGuard device
If possible, to *ensure* that packets are only ever transmitted over the WireGuard interface, it's recommended that you use `SO_BINDTODEVICE` on Linux or `IP_BOUND_IF` on macOS/BSDs. If you have strict reverse path filtering, though, this is less of a concern.
### IP addresses alone often aren't enough authentication
Even following all the above precautions, rogue applications on a peer's machines could be able to make requests on their behalf unless you add extra layers of authentication to mitigate this CSRF-type vector.
It's recommended that you carefully consider this possibility before deciding that the source IP is sufficient for your authentication needs on a service.
## Installation ## Installation
innernet has only officially been tested on Linux and MacOS, but we hope to support as many platforms as is feasible! innernet has only officially been tested on Linux and MacOS, but we hope to support as many platforms as is feasible!
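Review bot: the `rp_filter` sysctls in the "Enable strict Reverse Path Filtering" section only cover IPv4; Linux has no `net.ipv6.conf.*.rp_filter`, so on a network that also carries IPv6 prefixes the same spoofing protection has to come from a netfilter rule (the `rpfilter` match in iptables, or an `fib saddr . iif oif missing` drop rule in nftables), and the section should say so. Two smaller points in the same section: a file dropped into `/etc/sysctl.d/` only takes effect after `sysctl --system` or a reboot, which the text should state; and "the right choice for 99.99% of situations" glosses over the case strict RPF actually breaks, hosts with asymmetric routing (multi-homed servers, policy routing), so suggest "unless the host relies on asymmetric routing". Under "Bind to the WireGuard device", the closing sentence ("this is less of a concern") should spell out which risk each control covers: strict RPF drops inbound packets whose source address does not route back out the arrival interface, while `SO_BINDTODEVICE` / `IP_BOUND_IF` keeps the service from listening on, or sending via, any non-WireGuard interface at all; readers should not drop the bind on the strength of RPF alone. Also worth noting that `SO_BINDTODEVICE` needed `CAP_NET_RAW` on kernels before 5.7. Finally, the "IP addresses alone often aren't enough authentication" subsection names the problem but no mitigation; suggest naming at least one concrete option, e.g. mutual TLS or per-request tokens layered on top of the source-IP check, so the recommendation is actionable.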