3 posts tagged with "microsegmentation"

Introducing SPR-TailScale​

We've released a new iteration of the TailScale integration for SPR! This plugin was put together with @willy_wong.

Under The Hood​

Getting this plugin to work in the first place required some thinking. The first was addressing a key missing feature for SPR: interface-based firewall rules and routing.

This capability lets SPR perform container microsegmentation. Any interface can be treated this way actually. It allows for connecting interfaces with policies and groups that SPR has not been explicitly programmed for, as well as providing them API access.

The TailScale plugin sets up its own policy based routing and firewall rules, so being able to run it inside of its own network namespace is ideal. SPR then uses the custom interface rule to route to the container's network and let it do the forwarding on its own.

Next, setting it up was awkward, painful. To fix this the SPR team added UX for plugins, and the ability to install a plugin via a URL with an OTP code verification. And today we've released this capability for spr-tailscale! It's supported from SPR version 0.3.7

What can it do ?​

This integration lets SPR devices selectively access TailScale peers. And similarly, TailScale peers can be joined to SPR groups to give them access to SPR devices.

The Plugin presents a React Based UI and simplifies the install. After the install, a user needs to present their Auth Key and they're good to go.

The container can run as an exit node as well.

Links​

You can check out the spr-tailscale integration here!

What a year it's been for the Secure Programmable Router (SPR) project! We've made great strides in empowering users to take control of their networks, prioritize privacy, and unlock network configurability. Let's dive right into the highlights of 2023 and peek at what's in store for the future.

Major Accomplishments:​

• iOS App Launch: We've extended network management to your fingertips with the release of our official iOS app on the App Store. We're thankful to our users from almost each and every region on the App Store.
• PLUS Membership: Our community now has the option to support the project with PLUS and unlock advanced features like:
  • Mesh networking for seamless coverage with multiple APs
  • Site VPN support for selectively routing traffic through a remote Wireguard VPN
  • Advanced firewall rules with scheduling, domain name, and regular expression support
• Shipping Dev Kits. After the global supply chain crunch, we're proud to be shipping dev kits to users
• Microsegmentation for Containers: We've taken SPR's container support to the next level with integrated container microsegmentation, enabling granular control over container and interface traffic.
• VLAN Trunk Support: SPR can work as a wired firewall as well. Connect devices to your SPR network securely through a managed switch, with SPR terminating a VLAN Trunk Port.
• Expanded Network Visibility: Our new event bus, database, and configurable alerting mechanism provide key insights into network activity, empowering users to detect and troubleshoot issues effectively and analyze IOT & device traffic.

Thank you to our users!​

• We Build For You: We're incredibly grateful for our active user base and their invaluable suggestions. Your feedback drives our development roadmap! Join the conversation on Discord or create a GitHub request to share your ideas. Many of SPR's capabilities come from requests. Some of the feature requests that have landed are wifi scanning from the UI, the lan_upstream tag for restricting and managing access to upstream local networks to enable secure router chaining, and load balancing support across multiple Uplink interfaces.

• Privacy and Ad Blocking Excellence: SPR continues to excel as a self-hosted WireGuard + DNS Ad block solution, offering unmatched configurability with per-device rules, easy exception management, and upstream DNS over HTTPS support for enhanced privacy. Users can get these capabilities by self hosting in the cloud as well as running SPR at home as a router.

• Network Debugging Made Easy: Users have been able to use SPR to successfully debug connectivity issues with devices like Ring cameras, pinpointing problems with Amazon's cloud services rather than home Wi-Fi although Ring may say otherwise.

• Uncovering Unauthorized Access: Event logs have helped users identify and address unauthorized access attempts, including scenarios like accidental connections from new neighbors moving in.

• Speedier WiFi: Even with our Raspberry Pi dev kits, users report impressive speeds between 500-700 Mbps over USB3, surpassing their previous routers. With MT7915/6 cards, SPR users today can enjoy actual WiFi 6 gigabit (1000+ Mbps) connectivity over 2 spatial streams as measured with iperf3.

Technical Research:​

• Unscathed by MacStealer: SPR's design was further validated by the MacStealer (CVE-2022-47522) flaws. MacStealer bypassed most Client Isolation approaches due to state errors in low level firmware with MAC address handling. SPR's per-device VLAN and per-device password approach is totally immune to this category of protocol flaws.

• Research AP in Scapy: We've developed functional WPA2 AP research scripts in Scapy for working with Wi-Fi frames, compatible with mac80211_hwsim and real wireless cards. (https://github.com/spr-networks/barely-ap).

• Turtles WiFi Hacking While waiting for the supply chain to unlock at the start of the year, we put together some wifi security training focused on protocol. We actually let people boot a kernel for a self hosted wireless lab, in the browser. Or people can play offline in containers. This is a bit different than other labs which teach people to run prebuilt software as we guide people towards working at the packet level. Check it out here

2023's Hardware In Pictures​

Pi4 with a Mediatek MT76-based USB3 Adapter

Solidrun Clearfog Dev Kit

The Road Ahead:​

• Empowering Plugins: Our next major focus is facilitating community-built plugins. We've already created prototypes for Tailscale support and mitmproxy, and we're working on UI integration and streamlined installation to make plugin usage as seamless as possible without sacrificing security.
• PI5 Router with WiFi-6: Our next hardware device will be a a PI5-based router packaged with wifi-6 support.
• Eliminating firmware risk We're also developing software to eliminate firmware attack surfaces with WiFi.

Join the Movement:

We invite you to be part of the SPR journey! Contribute to development, share your feedback, and help us shape the future of open-source networking. Together, we can build a more secure, private, and customizable internet experience for everyone.

Visit our website and GitHub repository to learn more and get involved

Update​

This post has become a guide which is being kept up to date, check it out!

Overview​

In this post we'll show how PLUS members can add a mitmproxy plugin to their SPR setup, and then use the Programmable Firewall (PFW) plugin to redirect traffic through mitmproxy with DNAT forwarding.

We do not need to configure our clients with proxy settings to point to mitmproxy, or rewrite DNS responses, since we are using the PFW feature to do the redirection.

This plugin is available on github.

Prepare the plugin​

from the SPR directory, typically /home/spr/super

cd plugins
git clone https://github.com/spr-networks/spr-mitmproxy
echo [\"plugins/spr-mitmproxy/docker-compose.yml\"] > ../configs/base/custom_compose_paths.json
cd spr-mitmproxy
docker compose build

Configure SPR​

1. Navigate to the SPR UI. Add mitmproxy under the Plugins page

• be sure its been added to configs/base/custom_compose_paths.json as above
• Enable it by toggling the slider

2. Add mitmweb0 to the custom interface rules. You can verify your container's network address in the Container tab -> Under Firewall-> Custom Interface Access Add a new rule, make sure mitmproxy has wan at least to access the internet.

3. Create a forwarding rule to the container web interface :8081. Pick an arbitrary IP in the subnet -- although not the same one as the container as that confuses dnat.

4. Create a site forward rule with PFW for traffic to intercept

Using mitmproxy​

Then make a curl request from any of the LAN devices, and it should populate on the mitmweb host. This was the :8081 host that was earlier defined

Leveraging Transparent Sockets​

Behind the scenes, mitmproxy is using transparent sockets with DNAT. Inside the container network, we establish dnat rules to mitmproxy from incoming ports 80, 443.

#!/bin/bash

nft -f - << EOF
table inet nat {
        chain prerouting {
                type nat hook prerouting priority filter; policy accept;
                tcp dport { 80, 443 } dnat ip to 127.0.0.1:9999
        }
}
EOF

mitmweb -p 9999 -m transparent --web-host 0.0.0.0

We'd love to hear from you​

We're always thrilled to get feedback on plugins people would like to see, and we're excited to hear about what people will be able to do with mitmproxy running alongside SPR. Drop a line at outreach[at]supernetworks.org or join us on discord