Secure & Free access to your home resources from the Internet.

Asad Syed
17 min read · Mar 12, 2024


Paper discussing the steps to configure a “TLS Tunnel” for free in less than 20 minutes.

Introduction:

In this paper we will examine a Zero Trust tactic that you can use to access your home's private assets remotely, in a secure fashion and with granular access control. What that means is that if you want to give access to one of your family members, they will be able to reach your home's private network from the Internet, from anywhere in the world, securely. The goal of this paper from the outset is that even a non-technical individual must be able to complete this configuration within 15 to 20 minutes and fully deploy this tactic on their own, for free.

Just for discussion purposes, let us list a few specific tasks that you may want your family member to accomplish when they come into your private home network. The “Actual Configuration” section below lists each configuration step so that you can accomplish this tactic yourself. Once you master this remote-access tactic, you can add or remove tasks in accordance with your own needs. In this paper we will create a configuration where your family member, coming in from the Internet, wants to:

1. Watch a video on Plex hosted on a computer or on the private SAN/NAS storage in your home network.

2. Access a file from your home storage (computer or network NAS) for editing or reading.

3. Back-up your mobile device onto your home storage hard disk.

4. Print from the Internet to your home printer, whether it is connected to a PC or directly to your network, wired or wirelessly.

Once this tactic is configured, the user will be able to do those tasks on your home network and nothing else. If you are a technical person, you may be thinking that we can accomplish this use case with VPN technology. Certainly we can! However, when a user comes in via a VPN, (s)he will have access to all the resources on your home network unless you put additional security controls in place to stop that. Plus, a VPN inherently has the following challenges associated with it:

1. To use a VPN, you must run and maintain both a server and a client yourself, or purchase a VPN service from a VPN provider.

2. It is complex for a non-technical person to configure a VPN server and a client and make them work together.

3. If there happens to be malware on the connecting endpoint (client), it gets a route to your entire home network.

4. If your home ISP router has a private (carrier-NAT) or dynamic IP address, you must use a workaround (such as dynamic DNS) to reach it, which is difficult for the non-technical crowd.

5. All the endpoint's traffic goes through your VPN server, which can become a choke point unless you configure split tunneling on the VPN client. That is again additional configuration effort, out of reach of non-technical users. There are a few more.

We will be using “TLS tunnel” technology, which relies on NAT traversal, to address our use case; it has none of the VPN limitations listed above. Plus, we will do this configuration for free and in less than 20 minutes, irrespective of whether you are a technical person, a busy doctor, or an eight-year-old kid with a computer at home.

If you are a technical person and understand TLS tunneling, go directly to the “Use Case” section below to save time. Non-technical readers may do the same: the next section discusses the TLS Tunnel in detail, and that detail is not required to perform this configuration.

TLS tunneling / NAT Traversal Background:

A TLS tunnel is a method of encapsulating network traffic from Point A (in our example, your family member's endpoint on the Internet) to Point B (your home network and the digital resources on it) securely, using end-to-end encryption.

As the name suggests, TLS tunneling gives you an encrypted tunnel between Points A and B. When granular access control is added on top of it, the solution between A and B becomes a Zero Trust one. In our example the granular access control is provided by the TLS Tunnel Service Provider, at no cost to you if you are using this solution for your home.

Should you need to understand Zero Trust concept in detail, you may refer to my paper titled “Zero Trust Demystified” from here.

TLS Tunnel Components:

A TLS Tunnel requires the following components:

1️⃣ A TLS Tunnel Service Provider (SP).

2️⃣ A Client on endpoint “A” (laptop or mobile phone on Internet) to initiate the TLS Tunnel call.

3️⃣ A Server, a.k.a. Controller, that helps the client reach its desired endpoint “B” (your home network resources) via the established tunnel. A controller has other sub-components (software parts), namely:

4️⃣ 🔌Connector: software provided by the TLS Tunnel SP, installed on a resource inside the confines of your home network.

5️⃣ A Relay: as the name suggests, a sub-component on the tunnel provider's side that helps establish the tunnel. When the client and the 🔌Connector cannot reach each other directly across NAT, the relay forwards the still-encrypted traffic between them; it does not hold the keys to decrypt it.

For a pictorial view of the above stated TLS Tunnel components refer to the diagram in the “Use Case” section below.

The TLS Tunnel solution we will be talking about works over the QUIC transport instead of TCP, which brings some additional advantages on top of TLS tunneling. QUIC began as a Google initiative and is now an IETF standard (RFC 9000); it is an alternative to TCP with reduced latency and increased efficiency, achieved by redesigning the transport handshake. In short, QUIC combines the roles of TCP and TLS on top of UDP (not TCP). Let us quickly look at the cumulative advantages that both concepts (TLS Tunnel + QUIC) bring to the table:

QUIC Protocol Benefits:

⁑1⁑ Seamless client roaming becomes possible when moving from Wi-Fi to 5G, without re-negotiating the session (QUIC connection migration), which reduces the impact of handover between networks. For example, imagine you are watching a movie on your mobile over your home Wi-Fi, then get into your car and the phone switches from Wi-Fi to your 5G provider. With QUIC you will not see a blip of disconnect and reconnect.

⁑2⁑ QUIC establishes a connection faster than TCP plus TLS, as it needs fewer round trips between client and server before encrypted data can flow.

⁑3⁑ QUIC allows multiplexing, meaning multiple streams of data can be transmitted concurrently within a single connection.

TLS Tunneling Benefits:

⁑1⁑ Configuring the TLS Tunnel does not require you to deal with NAT, firewalls or private IP addresses; the architecture takes care of these for you by design. This magic is played transparently by the 🔌Connector component installed in your environment, together with the Relay that already exists on the TLS Tunnel provider's side. In other words, no firewall changes are required at your home end.

⁑2⁑ Effortless granular configuration of your tunnel, giving you a Zero Trust posture. In short, the endpoint is trusted with nothing except what you have explicitly configured the incoming device to reach on your network.

⁑3⁑ No port forwarding is required at your home ISP router end.

⁑4⁑ At your endpoint “A”, a.k.a. the client side, you can selectively decide which traffic from your client device passes through your home network. The remaining traffic reaches the Internet directly from endpoint A without touching your home network. This avoids traffic bottlenecks and network congestion.

⁑5⁑ As the client-side device at endpoint A does not have direct access to all assets in your home network, your home network is protected from infected endpoints and their malicious activity. For example, if you say endpoint A can only print, then endpoint A will only see your printer, and only on a specific port. It is blind to the other assets on your home network.

TLS Tunneling Technology:

There are many service providers and technologies for TLS tunneling, and I will name two commercial ones here: Twingate [1] and Cloudflare [2]. The same could be deployed using open source, but then you must do all the magic the TLS Tunnel service providers do for you, yourself, at your own expense and risk.

Twingate is still not a publicly traded company. Their motto is “It's time to ditch your VPN”. They provide the TLS Tunneling service for up to five (5) home users for free.

Cloudflare Inc. trades on the NYSE under the symbol NET; its stock was trading above $100, with a market cap of about $34B, at the time of drafting this paper. In short, it is a massive company providing tons of security services, including free TLS tunneling. The company is immensely popular in the CDN (Content Delivery Network) arena. I have used Cloudflare in the past.

However, what I have seen is that both technical and non-technical users have no idea that this tactic could be used to remotely access home network resources for free and without much hassle. Addressing that is the primary objective of this paper, and hopefully this write-up and the people reading it will do so.

You may use either of the above two TLS Tunneling service providers, or others. In this paper we will use Twingate, as it makes the configuration a little easier for our non-technical users. Also note that this is not a sponsored write-up from any vendor, and the views expressed here are purely mine.

Use Case:

The use case is simple and, as stated in the introduction, is depicted in the drawing below. Our family member / user is trying to access a service running in our protected private home network 4️⃣ from an untrusted network 2️⃣.

In the diagram below we are required to configure components 2️⃣, 3️⃣ and 4️⃣ only. The details are in the “Actual Configuration” section below.

Drawing showing components like TLS Tunnel Service Provider, home network assets, & an untrusted network.

Actual Configuration:

The main menu of Twingate configuration portal options is as below:

| Network | Team | Devices | Policies | Internet Security | Settings |.

For each one of the above “main menu” items, there is a sub-menu. The sub-menu for “Network” is…

| Overview | Resources | Remote Networks | 🔌Connectors |.

To complete our configuration we will use the main menu “Network” and its four sub-menus. To keep it simple, the entire process is broken into a few steps, and each step into several tasks. All of them are listed below, including the component at which you must perform each step and its tasks. Note that the SP's web site and documentation also use the word “steps”, and their numbering differs from the one used here; that is worth remembering.

Step-1 at Component 1️⃣: TLS Tunnel Service Provider (SP). We will use Twingate in our example; you can log in from here.

⁂ Go to the TLS provider's web site [1] and create your own free account. I suggest using Google sign-in. A couple of things to remember here:

⁑1⁑ Use the button “Try Twingate for Free.” The free account for 5 users continues to exist even if you never upgrade to a paid plan. This is more than enough for home usage, or even for a small business; the paid plans are also very affordable.

⁑2⁑ There will be a screen asking whether you can run commands at a terminal. Select that option.

Step-2 at Component 3️⃣ named Controller a.k.a. TLS Tunneling Server:

After completing step 1, now is the time to do a few listed tasks below to complete step 2.

Task 1) Create a remote network by giving your home network a name. You may use “1720” as an example, or whatever name you want; as a guide, use the house number where the network resides. Once you get comfortable, you may be doing this for your parents and friends, so you need a way to clearly track where each network resides. The name is not public information; only you and the people accessing your private network need to know it, since it is used later when signing in from your clients (https://1720.twingate.com) and when you log into the SP portal for configuration. Note that the name in that URL is your Twingate network (tenant) name, chosen when you created the account in Step 1; giving the remote network the same name keeps things simple.

Note: within the controller, a “resource” means either (i) an asset/host on your network or (ii) your remote network range itself. Both are identified by an IP address in CIDR notation: a single host is written as the bare address or with a /32 suffix (for example 192.168.100.20/32), and a typical home network with subnet mask 255.255.255.0 is written with a /24 suffix (for example 192.168.100.0/24). Non-technical users can simply copy the values produced by the commands in Task 2.

Task 2) Now we will add a few resources.

First, let us add the home network that we named above. For a typical home network it will look like 192.168.100.0/24 (yours will differ). You can find it by running “ipconfig” at a Windows prompt, taking the IPv4 Address, replacing the last number (after the third period) with 0 and appending /24 if the Subnet Mask is 255.255.255.0. Do not use 255 as the last number: 192.168.100.255 is the broadcast address of that network, not the network itself. Alternatively, run the following command in Windows PowerShell, which lists the address and prefix length of every active IPv4 interface (prefix length 24 corresponds to mask 255.255.255.0); the loopback address is filtered out:

PS C:\> Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.AddressState -eq "Preferred" -and $_.PrefixOrigin -ne "WellKnown" } | Select-Object InterfaceAlias, IPAddress, PrefixLength

Second, let us add a PC/computer/host on your private network 4️⃣ to your TLS Tunnel configuration. This is the resource that will be accessed remotely. Run the same command on that host, copy its IPv4 address (all four numbers separated by periods) and add it as a resource on the SP portal's resource page. You can add more resources now or later; the two we added are enough for our use case to work.

One thing to remember is that when you configure any asset you must select the remote network name at the top left of that screen (important). If you do not select the network name on the port-assignment screen, the “Create Resource” button at the bottom right of the pop-up will NOT be enabled.

This is because every resource must belong to a network. Remember that in the SP's configuration one can have hundreds of networks, so it is mandatory to state which network each asset belongs to.

First, create your Network Name, then configure it to allow traffic as shown in the screenshot on the right.

Continuing with Task 2, we will now set some Port Restrictions. This is where you restrict the traffic; you may go extremely narrow and allow your users to talk to only one application over one protocol and port. Technical readers can have fun here as their imagination and needs dictate. We will keep it a little simpler for others:

To make this easy, for TCP select “All Ports” (“*”), which means all ports are open, and do the same for UDP. For ICMP select “Block”, as we do not need this protocol for our use cases. Be aware that “*” on both protocols gives the user every service on that resource; once things work, narrow it to the ports each use case actually needs, for example TCP 32400 for Plex, TCP 445 for Windows file sharing, TCP 3389 for Remote Desktop, and TCP 631 or 9100 for a network printer (assuming the services run on their default ports).
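The two decisions made in Task 2, the resource addresses and the port restrictions, can be checked before typing them into the portal. The following is an added example written for this editing pass; it is not code from the paper or from Twingate. It derives the network and host CIDRs from an interface address and prefix length (the sample addresses are constructed), and models a per-resource port policy so you can compare the paper's wide-open “*” setting against narrowed policies for the Plex, file-share and printer use cases. The service ports assumed are the defaults (32400, 445, 3389, 631/9100).

```python
"""Derive resource addresses and check a per-resource port policy.

Added example, not from the paper or from Twingate.  All interface
values and policies below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def network_resource(ip: str, prefix_len: int) -> str:
    """CIDR to enter for the whole home network, e.g. 192.168.100.0/24.

    The host bits are cleared, so the last octet of a /24 becomes 0,
    never 255 (x.y.z.255 is the broadcast address, not the network).
    """
    return str(ipaddress.ip_interface(f"{ip}/{prefix_len}").network)


def host_resource(ip: str) -> str:
    """CIDR for a single host resource (the PC, NAS or printer)."""
    return str(ipaddress.ip_network(f"{ip}/32"))


def subnet_mask_to_prefix(mask: str) -> int:
    """Convert an ipconfig-style mask such as 255.255.255.0 to 24."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def host_in_network(host_cidr: str, net_cidr: str) -> bool:
    """True when the host resource lies inside the network resource."""
    return ipaddress.ip_network(host_cidr).subnet_of(ipaddress.ip_network(net_cidr))


@dataclass
class PortPolicy:
    """Per-resource restriction as set in the portal.

    For tcp/udp, "*" means All Ports and a set lists allowed ports
    (an empty set means Block).  icmp is simply allowed or blocked.
    """
    tcp: set[int] | str = field(default_factory=set)
    udp: set[int] | str = field(default_factory=set)
    icmp: bool = False

    def allows(self, proto: str, port: int | None = None) -> bool:
        if proto == "icmp":
            return self.icmp
        allowed = {"tcp": self.tcp, "udp": self.udp}.get(proto)
        if allowed is None:          # unknown protocol: deny by default
            return False
        return allowed == "*" or port in allowed


# The paper's "easy" policy: everything on TCP and UDP, ICMP blocked.
WIDE_OPEN = PortPolicy(tcp="*", udp="*", icmp=False)

# Narrowed per use case (assumption: services on their default ports).
PLEX_ONLY = PortPolicy(tcp={32400})
FILE_SHARE_ONLY = PortPolicy(tcp={445})
RDP_ONLY = PortPolicy(tcp={3389})
PRINTER_ONLY = PortPolicy(tcp={631, 9100})

# Constructed probes: what a curious (or infected) client might try.
PROBES = [("tcp", 32400), ("tcp", 445), ("tcp", 3389),
          ("tcp", 22), ("udp", 53), ("icmp", None)]


def reachable_services(policy: PortPolicy, probes=PROBES):
    """Return the (proto, port) probes that the policy lets through."""
    return [(proto, port) for proto, port in probes if policy.allows(proto, port)]


if __name__ == "__main__":
    # Constructed values as the PowerShell command in Task 2 would show them.
    iface_ip, prefix_len = "192.168.100.37", 24
    net = network_resource(iface_ip, prefix_len)
    pc = host_resource("192.168.100.20")
    print("remote network resource:", net)
    print("PC resource:", pc, "inside network:", host_in_network(pc, net))
    for name, pol in [("wide open", WIDE_OPEN), ("Plex only", PLEX_ONLY),
                      ("printer only", PRINTER_ONLY)]:
        print(f"{name:13s} reachable: {reachable_services(pol)}")
```

Run it once with your own interface address and prefix length; the wide-open policy reports every TCP/UDP probe as reachable, while the narrowed policies expose only the one service the use case needs, which is the difference between a VPN-like hole and the granular access the paper set out to achieve.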

Task 3) Add users. You were already added as a user in Step 1, when you created the SP account and logged in. Now is the time to add a second user if you so desire. A free account allows a maximum of five users. Enter their email address (a Google account if you chose Google sign-in) and they will receive an email invitation from the SP with instructions on how to log in.

Task 4) The last and most important task in the Controller is the configuration of your 🔌connector. The 🔌connector is the one that does the magic and provides all the benefits listed above. We will configure the 🔌connector in two separate ways: in a Docker container on Linux, and on a normal Windows host, as I understand many readers may not have Docker installed at home.

Task 4.1) Configuring the Docker 🔌connector (on Linux; do not attempt this on Windows, it will not work): with Docker, it takes less than 5 minutes to create the connector configuration, plus another 2 to 3 minutes to copy the commands from the Controller and paste them onto your Docker host to install the connector.

From Resources, select “Deploy Connector”.

Then select a Deployment Method; in our case, Docker.

Press the “Generate Token” button.

Then scroll down the web page and, in the “Step 4: Run Docker Command” section, press “Copy Command.”

Paste this command into the command prompt of the Linux machine where Docker is installed, prefixing it with “sudo” (unless your user is already in the docker group).

If you have a Linux machine but Docker is not installed, install it with the following two commands (Debian/Ubuntu):

$ sudo apt update

$ sudo apt install -y docker.io

Docker is now installed, and you can paste the command you copied from the Controller onto your Linux command prompt.

After a few seconds of execution the magic is done. On the controller you will see a green dot next to your 🔌connector in the remote network's Connectors list, indicating that the 🔌connector configuration was a success and that it has an established connection to the Controller in the SP cloud.

Task 4.2) Configuring the Windows 🔌connector: done at Component 4️⃣, on a non-mobile workstation.

Under “Select a Deployment Method” choose Manual (the deployment method is Manual for Windows, Linux and macOS), press the button to “Generate Tokens”, then download and install the Windows connector from here.

Windows 🔌Connector installation is a two-part process. In the first part, the Microsoft Windows Desktop Runtime is installed. Once that completes successfully, close that window and the second part, Twingate Setup, will start. Accept the terms of the License Agreement and click Install. Once the Twingate setup wizard completes, reboot your PC. After you reboot and log into your Windows PC, open your browser, use the URL we decided on in Step 2, Task 1, and log into the SP portal that way.

Couple of points to note:

First, you can create a 🔌connector in less than 3 minutes on any host OS, including Synology DSM, the OS of Synology home NAS devices. For the technical know-how on 🔌connector deployment, click here.

Second, 🔌connectors can also be configured for HA (high availability), where you deploy two 🔌connectors. That is an advanced configuration, and we will leave it to advanced technical users, should they wish.

Third point to remember: the 🔌connector must be installed on an asset that will permanently be inside your home network, not on a laptop or mobile phone that could at times be outside your private home network. Best to do it on a desktop host, or on the Synology NAS if you have one at home.

Fourth point to remember: if using Docker, the 🔌connector configuration is done at component 3️⃣, the service provider end, but the 🔌connector is deployed in component 4️⃣, our home network. Refer to the deployment diagram and digest this for a few seconds.

With the completion of the above steps we have successfully established the connection. The next step is to install the SP client application on one of your laptops or mobile devices from here. If you installed the Windows 🔌connector, you have already downloaded and installed the client application on that Windows PC.

For clients on your mobile devices, go to the respective AppStore or Play Store and download the Twingate client.

With this, all the required components of your TLS Tunnel are configured and you are ready to access your resources from your clients! Try it out from an untrusted network via any of the clients; the only requirements are to download and install the client and then authenticate using the URL https://<yourNetworkName>.twingate.com.

I am sure the past 15 to 20 minutes of your time gave you a high-level idea of the basic configuration of a TLS Tunnel. Now you can enhance this raw use case configuration and polish it further to meet your exact requirements.

Summary & Conclusion:

Once you have understood this tactic and configured it successfully by yourself, you will never turn back to a VPN again. You will be so happy that you will share this method of secure remote asset access with all your family, friends and colleagues.

This tactic becomes your de facto method for giving your loved ones the access they need, in the true spirit of Zero Trust, when they are on untrusted networks. Some of the use cases that you may roll out are:

1⁑ If you have a home NAS or spare hard disk space in your PC, you can use it as shared backup for your mobile photos and stop paying Google, Apple or other cloud providers a monthly recurring fee for mobile data/photo storage. If you use a Synology NAS, they have a mobile “Synology Photos” application to back up photos from your mobile devices to your home NAS, even when you are away from home, using the tactic described in this paper.

2⁑ You will now be able to access files in your home PC's shared folder from another laptop while out on untrusted networks, provided that laptop is configured as a client of the TLS tunnel. The same holds for your mobile phones and tablets: you just need to install additional apps such as “RD Client” for Windows remote access and “Terminal#” for Linux host remote access, and add your mobile device as a client of your TLS Tunnel. If you run a small business, you will have granular control over what each person can do once they come into your private network via this solution. You can even require that a remote Windows client has AV (anti-virus software) installed and/or a firewall configured before it is granted access to your private network, or completely block a category of devices, such as Android-based mobile phones, from coming in. These and many other fine-grained access policies can easily be enabled from the SP's TLS Tunnel portal, and all of this for free!

3⁑ If you are running Linux, Docker or Kubernetes at home, then with the TLS Tunnel you can easily access any of the applications on these platforms from anywhere in the world.

4⁑ If you use a VPN to RDP onto your Windows host, you must poke an inbound hole in your firewall for a particular port, which outside attackers can easily see and probe to try to break in. With the TLS Tunnel we have not opened any inbound port: all traffic leaves your home outbound on 443/TCP and UDP, and outbound 443 is allowed by almost every firewall in the world. This is the best benefit this solution brings to your table; the second best is Zero Trust.

⁑5⁑ If you have an old Linux PC, you can host your own web site on it from home for free, provided you have decent upload and download Internet bandwidth: add that PC's IP address as a resource and allow TCP and UDP ports 80, 8080 and 443. Note that with this setup the site is reachable only by your authenticated TLS Tunnel users, not by the general public; publishing to the public Internet is the job of a service such as Cloudflare Tunnel [2]. Many more ideas like this become possible.

Before we conclude, I must emphasize the most crucial precaution for a secure TLS Tunnel: requiring multi-factor authentication (MFA) for every user. This greatly reduces the chance that a stolen or guessed password alone lets an uninvited guest into your private network, with the potential breach of your valuable data or of your home's private devices that would follow. It can be done easily and for free from the Service Provider's main menu by selecting “Policies”, then “Default Policy”, and clicking the button on the right-hand side labelled “MFA not required.” A pop-up window appears with two options:

(i) Do not require MFA, or

(ii) “Require MFA.”

Choose “Require MFA.” You will be glad you did. Download the Google Authenticator app on your mobile phone, start using MFA for your TLS Tunnel, and enable it on your Google account as well, since that account is now the key to your home network.

I hope you found the configuration of TLS tunneling for secure remote access enjoyable. Please share in the comments the specific use case you have set up and the time it took to complete the configuration. Remember, security is a shared responsibility that includes end users like yourself!

About The Author:


Asad Syed is a graduate in Mathematics, Applied Mathematics and Statistics. His experience spans Security Architecture, Security Operations Management, Digital Investigations & Forensics, Crisis & Threat Simulation, GRC Management, Threat Hunting, Cybersecurity Emerging Trends & Threat Mitigation, Database Security, Identity & Access Management, and Identity Federation. His interest is in applying newer technologies to enhance the performance of the technologies he works with. He is a writer, teacher and cybersecurity evangelist who has worked for multiple Fortune 500 companies and currently provides cybersecurity consulting to the upstream operations of the oil and gas industry. Reach him via Asad at ASyed dot com. ■
