Answers that we need to complete the setup

A project to provide VPN access to the River System Raspberry Pis to allow WMT Volunteers and Staff to log in from home. Triggered by the COVID19 lockdown.
wmtprojectsforum
Administrator
Posts: 73
Joined: 16/05/2017, 16:24

Answers that we need to complete the setup

Post by wmtprojectsforum »

Viewing the video mentioned in the opening Topic throws up some questions that we will need answers to before we can complete the setup. These include:
  1. We now have the Office Router admin password, but we will need someone inside the Office to reconfigure the Router. Penri; I'm assuming that you will be able to do that given adequate information?
  2. Does the WMT have a static IP Address?
  3. If the answer to the previous question is no; does the Office Router support Dynamic DNS setups? Most modern Routers do, but the Office Router is a design that goes back to 2012.
There will be more, but they will emerge as I develop the prototype here at home. I will post them as they arise.

There is one other question that has emerged since I viewed the video. The VPN Server will be attached to the Office Network, so all of the computers connected to the WiFi in the Office will become accessible to someone logging in to the VPN. This can be considered a benefit rather than a problem, but some of the staff may not be so sure. Penri: Was this raised with the Board?
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Answers that we need to complete the setup

Post by TerryJC »

I just noticed that I accidentally created this thread while still logged in as Admin.
Terry
Penri
Posts: 1284
Joined: 18/05/2017, 21:28

Re: Answers that we need to complete the setup

Post by Penri »

Hello

Please find attached a quick user guide for the router, it was the only "documentation" on file for the router.

I also found a user manual for the router on-line, it's attached, does this help?
Penri; I'm assuming that you will be able to do that given adequate information?
Yes, of course, with adequate information, but please bear in mind my standard of adequacy will be a lot more onerous than yours, I use Apple products for a reason!
Does the WMT have a static IP Address?
No idea, I'm afraid.
The VPN Server will be attached to the Office Network, so all of the computers connected to the WiFi in the Office will become accessible to someone logging in to the VPN. This can be considered a benefit rather than a problem, but some of the staff may not be so sure. Penri: Was this raised with the Board?
I was not aware of this, I thought the VPN link would be associated with the River System network, so it was not raised with the board. Can anything be done to partition things so the rest of the office network and any other router user is "separated"?

When you say "become accessible" what do you mean and what sort of a risk does that pose to WMT?

Not directly related but worth saying, there is a lot of sensitivity surrounding the WMT's EPOS system, which also uses the router, impacting that in any way would lose us a lot of friends and brownie points.


Hwyl

Penri

Note from Hamish: removed attachments for security reasons.
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Answers that we need to complete the setup

Post by TerryJC »

Penri wrote: 21/05/2020, 14:07
Please find attached a quick user guide for the router, it was the only "documentation" on file for the router.

I also found a user manual for the router on-line, it's attached, does this help?
That has answered all of my Router questions:
  1. With the Manual and some guidance we should be able to give you detailed instructions on what to do.
  2. There is no Static IP Address.
  3. The Router does support DDNS.
Penri wrote: 21/05/2020, 14:07
The VPN Server will be attached to the Office Network, so all of the computers connected to the WiFi in the Office will become accessible to someone logging in to the VPN. This can be considered a benefit rather than a problem, but some of the staff may not be so sure. Penri: Was this raised with the Board?
I was not aware of this, I thought the VPN link would be associated with the River System network, so it was not raised with the board. Can anything be done to partition things so the rest of the office network and any other router user is "separated"?

When you say "become accessible" what do you mean and what sort of a risk does that pose to WMT?

Not directly related but worth saying, there is a lot of sensitivity surrounding the WMT's EPOS system, which also uses the router, impacting that in any way would lose us a lot of friends and brownie points.
Having viewed the video again, I'm not so sure that the Office computers will become accessible at the moment. The guy is very long on software and network admin and very short on hardware configuration, which is what threw me in the first place. I'm trying to find a decent VPN architecture diagram on the Internet to improve my understanding of what does what, where and when. I'm coming round to thinking that the VPN Server is also a Gateway and therefore isolates the Office from the River System.

I've emailed my latest architecture diagram to Paul for his comments.
Terry
hamishmb
Posts: 1891
Joined: 16/05/2017, 16:41

Re: Answers that we need to complete the setup

Post by hamishmb »

NOTE: Having the manual for the router on here publicly is probably a security risk if it's that old! We probably don't want anyone else knowing what make and model it is so I suggest we remove the manual.
Hamish
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Answers that we need to complete the setup

Post by TerryJC »

TerryJC wrote: 21/05/2020, 14:55
Having viewed the video again, I'm not so sure that the Office computers will become accessible at the moment. The guy is very long on software and network admin and very short on hardware configuration, which is what threw me in the first place. I'm trying to find a decent VPN architecture diagram on the Internet to improve my understanding of what does what, where and when. I'm coming round to thinking that the VPN Server is also a Gateway and therefore isolates the Office from the River System.

I've emailed my latest architecture diagram to Paul for his comments.
I've just had a long conversation with Paul. The bottom line is that it is possible to set up a VPN Server in the way that I describe it above, but that's not what we would do at WMT. In the simple setup, the VPN Server sits on a company's internal network and the Internet Router routes all (externally initiated) incoming traffic to it. The VPN Server decrypts the packets and puts them back out onto the internal network and they are therefore readable by the computers on that network.

In our system, the River System devices are the other side of the firewall in the Webserver. The Internet Router routes all (externally initiated) incoming traffic over the Office network to the Firewall in the Webserver and the VPN Server decrypts the packets and puts them out onto the River System network. So the River System devices are accessible and the Office devices are not.

Paul has suggested some minor updates to my diagram which I will do later today or tomorrow.
Terry
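
The difference between the two setups described in the post above, as an added example that is not part of the original thread or of WMT's configuration: a small first-match evaluator for FORWARD rules in `iptables-save` format, showing that a VPN client reaches the River System but not the Office only when the gateway's firewall says so. The interface names, subnets and rule sets are constructed assumptions, and the evaluator understands only `-i`, `-o`, `-s`, `-d` and `-j`.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format. Interface names and subnets are
# assumptions: tun0 = VPN tunnel, eth0 = Office LAN (192.168.0.0/24),
# eth1 = River System LAN (192.168.10.0/24).
SEGMENTED = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -d 192.168.0.0/24 -j DROP
-A FORWARD -i tun0 -o eth1 -d 192.168.10.0/24 -j ACCEPT
-A FORWARD -i eth1 -o tun0 -j ACCEPT
COMMIT
"""
# The "simple setup": everything arriving from the tunnel is forwarded.
FLAT = ":FORWARD ACCEPT [0:0]\n-A FORWARD -i tun0 -j ACCEPT\n"

def parse(text):
    """Return (policy, rules); reject rules this simplified evaluator cannot judge."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(":FORWARD"):
            policy = line.split()[1]
        elif line.startswith("-A FORWARD"):
            tok = shlex.split(line)[2:]
            rule = dict(zip(tok[::2], tok[1::2]))
            if len(tok) % 2 or set(rule) - {"-i", "-o", "-s", "-d", "-j"} \
                    or rule.get("-j") not in ("ACCEPT", "DROP", "REJECT"):
                raise ValueError("unsupported rule: " + line)
            rules.append(rule)
    return policy, rules

def verdict(ruleset, in_if, out_if, src, dst):
    """First matching rule wins; otherwise the chain policy applies."""
    policy, rules = parse(ruleset)
    for r in rules:
        if r.get("-i", in_if) != in_if or r.get("-o", out_if) != out_if:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r.get("-s", "0.0.0.0/0")):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(r.get("-d", "0.0.0.0/0")):
            continue
        return r["-j"]
    return policy

if __name__ == "__main__":
    for name, rs in (("segmented", SEGMENTED), ("flat", FLAT)):
        print(name, "office:", verdict(rs, "tun0", "eth0", "10.8.0.2", "192.168.0.50"),
              "river:", verdict(rs, "tun0", "eth1", "10.8.0.2", "192.168.10.20"))
```

Rules using other matches (for example connection state) raise `ValueError` rather than being guessed at, so a real rule set still needs checking on the gateway itself.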
Penri
Posts: 1284
Joined: 18/05/2017, 21:28

Re: Answers that we need to complete the setup

Post by Penri »

Terry

That all sounds good, thank you.

Can I delete the router info. as Hamish suggests?


Penri
Penri
Posts: 1284
Joined: 18/05/2017, 21:28

Re: Answers that we need to complete the setup

Post by Penri »

... by the way, I was asked whether WMT's current connection is "good enough" for our needs.

I commented that it was only 8Mb, which is slow by today's standards, but was probably adequate for WMT's needs, as I know them, but added that WiFi technology has moved on considerably since the router was manufactured and we aren't currently able to take advantage of that because of the router.

When I talked to the ISP I did ask them to quote me for uprating the connection to ~40Mb or ~80Mb so I have the figures at hand.

Do you have any views?

BTW there is currently no interest in providing the public with WiFi connectivity so improvement in bandwidth would have to be justified against WMT's own needs.

If you do think there's a justification for improving the connection bandwidth please jot it down in your reply.
hamishmb
Posts: 1891
Joined: 16/05/2017, 16:41

Re: Answers that we need to complete the setup

Post by hamishmb »

Here are my thoughts:

This seems like a very comprehensive video - good find. I am somewhat concerned about the complexity of the steps involved though, given Terry and I are unlikely to come in to help. We will also need to get the webserver pi (or whatever we use for the VPN server) fully up to date before connecting it to the internet.

Having said that, as long as WMT remains shut and social distancing is observed, I would be willing to come in to help set this up, but I don't want to be there for long if at all possible - the longer I'm out, the higher the chance of infection. I think for some of these steps (eg updating the webserver pi and copying OpenVPN profiles), I will need to come in.

NOTE: We probably don't want to use the standard OpenVPN port on the router - changing it to some random port that we don't share on here is probably also better for security.

I have removed the router attachments. They can always be emailed if people need them.
Hamish
TerryJC
Posts: 2616
Joined: 16/05/2017, 17:17

Re: Answers that we need to complete the setup

Post by TerryJC »

I only spotted this today as I was speaking to Penri; hence the tardy reply.
hamishmb wrote: 22/05/2020, 12:40
This seems like a very comprehensive video - good find. I am somewhat concerned about the complexity of the steps involved though, given Terry and I are unlikely to come in to help. We will also need to get the webserver pi (or whatever we use for the VPN server) fully up to date before connecting it to the internet.
I am currently upgrading a copy of the Webserver Pi's SD Card to Buster.
hamishmb wrote: 22/05/2020, 12:40
Having said that, as long as WMT remains shut and social distancing is observed, I would be willing to come in to help set this up, but I don't want to be there for long if at all possible - the longer I'm out, the higher the chance of infection. I think for some of these steps (eg updating the webserver pi and copying OpenVPN profiles), I will need to come in.

NOTE: We probably don't want to use the standard OpenVPN port on the router - changing it to some random port that we don't share on here is probably also better for security.
I intend to fully configure the VPN link using my home Internet connection and the River System physical hardware that I have here. I will choose a different port for the VPN, but the main defence will be the encryption anyway. Also, don't forget that modern attack vectors use a portscan so using a different port number shouldn't be relied on. Security through obscurity hasn't worked for certain large software companies!

Hopefully, once the VPN link has been fully tested here at home, then all that should be necessary is to change the IP Address of the Model Town's Router in the VPN config file to allow us to roll out the new installation: pop in a new SD Card, set up the Router, distribute the VPN Config and we should be good to go. :D

Famous last words...
Terry