
This has taken me about a year to understand and get to, but I am at the limit of my capability, so I am reaching out to a StackOverflow guru, please...

I would like to, if possible, secure my network model. The model is as shown in the diagram. To explain:

  • All the aspects I have control of are within the green shaded area. I cannot change anything outside this.
  • I run a simple application web server which is the VPN IPsec/L2tpd client. Static IP.
  • My router is ISP provided. It receives a DHCP Dynamic IP from the ISP.
  • My Digital Ocean Virtual Private Server has a static IP. It runs an NGINX reverse proxy that channels traffic through the VPN tunnel. It also runs the IPsec/L2tpd server.
  • An IPsec/L2TPD VPN tunnel is established and working.
  • A working VPN tunnel.
  • A cellphone that runs an app that communicates with my application server app. My cellphone receives a dynamic IP from my Network Operator.
  • I have three IP camera feeds served by my application server. Not a great speed but watchable in real-time.
  • I cannot change my ISP, or bandwidth/download/upload speed.
  • I cannot install VPN clients on the cellphone and I may want to access my app server through another cellphone provided by work so cannot install apps on it but does have unfettered web access through a browser.

Everything is now working, can't believe I've done it !

Anyway, my question is: Is there any way to secure the network so that only traffic from my mobile reaches, or rather is accepted by, my application server?

I accept IPsec/L2tpd is not great, but it is fast, and I use this because I have tried OpenVPN, SoftEther and key-based OpenSwan. These are waaaay too slow. The camera feeds are unwatchable and update one frame about every 5 seconds.

So with the limitations above, what can I do, what is possible? Please may I respectfully ask that you refrain from suggestions and concerns requiring a change to that which I cannot control. I accept all critique, but that is not what I need here. I am asking for advice on how to secure that which I can influence. Thank you.


keratos

1 Answer

I cannot install VPN clients on the cellphone and I may want to access my app server through another cellphone provided by work so cannot install apps on it but does have unfettered web access through a browser.

Due to the limitation that, at the end, there is even a phone where you are not allowed to change anything but use the web, I suggest configuring proxy authentication on the nginx reverse proxy. I don't have experience with setting this up with nginx in particular, but that's what should do the trick according to the network architecture and description you provided.

An example configuration on how to configure nginx for basic / client certificate auth can be found at: https://www.cloudsavvyit.com/1355/how-to-setup-basic-http-authentication-on-nginx/

mottek
  • I agree. What would be great is if the nginx auth could remember the real client IP, not sure what this is called in networking, but it would reduce the number of times the phone user would need to authenticate, as in, it would only be required when the MVNO changed the IP. – keratos Nov 16 '20 at 23:36
  • The basic auth header is not related to the client IP; a browser sends it with each request and will work independently of the client's IP, see https://tools.ietf.org/html/rfc7617#section-2. The client IP is not referenced and is not relevant. The URI is the relevant criterion for reusing the credentials: https://tools.ietf.org/html/rfc7617#section-2.2 – mottek Nov 17 '20 at 20:00
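Below is an added example of the reverse-proxy configuration the answer describes; it is not from the question, the answer, or the linked article. Everything named in it is assumed for illustration: app.example.com as the droplet's public name, 10.8.0.2:8080 as the application server's address inside the L2TP tunnel, /etc/nginx/.htpasswd as the password file, and the certificate paths. It combines the two mechanisms the answer mentions, HTTP Basic authentication and an optional client certificate, so that the personal phone (if it can carry a certificate) is admitted without a password prompt, while the work phone, where nothing can be installed, gets the browser's password dialog and then resends the Authorization header on every request, as mottek notes in the comments.

```nginx
# Added example, not the original poster's or the answerer's configuration.
# Hypothetical names: app.example.com, 10.8.0.2:8080 (app server inside the
# tunnel), /etc/nginx/.htpasswd, /etc/nginx/client-ca.pem, Let's Encrypt paths.
#
# Create the password file once, on the droplet (prompts for the password):
#   printf 'phone:%s\n' "$(openssl passwd -apr1)" > /etc/nginx/.htpasswd
#   chmod 640 /etc/nginx/.htpasswd && chown root:nginx /etc/nginx/.htpasswd

# $ssl_client_verify is "SUCCESS" only when the browser presented a client
# certificate that chains to client-ca.pem. Mapping that to the special realm
# value "off" disables auth_basic for that request; any other value (NONE,
# FAILED:...) keeps the password prompt. Net effect: certificate OR password.
map $ssl_client_verify $app_realm {
    SUCCESS  off;
    default  "App server";
}

server {
    listen 80;
    server_name app.example.com;
    # Never let a browser send Basic credentials over plain HTTP.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name app.example.com;

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Optional mutual TLS. "optional" means a missing certificate is not an
    # error; the map above decides what happens next.
    ssl_client_certificate /etc/nginx/client-ca.pem;
    ssl_verify_client      optional;

    location / {
        # Realm comes from the map: "off" for certificate holders, a prompt
        # for everyone else. Credentials are checked against .htpasswd.
        auth_basic           $app_realm;
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Forward into the tunnel. The app server's own firewall should accept
        # port 8080 only from the tunnel peer, so nothing can bypass this proxy.
        proxy_pass         http://10.8.0.2:8080;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;

        # Strip the Basic credentials before they reach the app server; an
        # empty value makes nginx omit the header entirely.
        proxy_set_header   Authorization     "";

        # Camera streams: let frames flow through instead of being buffered.
        proxy_buffering    off;
        proxy_read_timeout 300s;
    }
}
```

Two caveats a practitioner would want alongside this. First, Basic authentication is only as strong as the password and the TLS that carries it, and nginx does not throttle wrong guesses by itself; the usual companion is fail2ban's stock nginx-http-auth filter, which bans addresses that repeatedly fail authentication in the nginx error log. Second, the "only my phone" goal cannot be met with source addresses, since both the phone and the router receive dynamic ones; what this configuration actually enforces is "only someone holding the password or the client certificate", which is the strongest property available within the green area.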