Things That Make Pat Nervous: Running Your Firewall in a Virtual Machine
Brian and I often blog about server and network related topics, so our social media following tends to skew in that direction. If you’re reading our blogs, there is a good chance you don’t know what you’re doing. Don’t worry. Brian and I will both be happy to tell you where the limits of our knowledge and abilities lie!
I mostly pay attention to Twitter, and people say things there that make me nervous. I know that 280 characters usually isn’t enough to express a complete thought, so I tend to give people the benefit of the doubt, but they still make me worry! I thought it would be a good idea to write about some of the things people are saying that make me nervous.
- Building a Low-Power, High-Performance Ryzen Homelab Server to Host Virtual Machines at patshead.com
- DIY NAS: 2019 Edition at briancmoses.com
I want to run pfSense and/or a VPN server in a virtual machine
In theory, there’s nothing wrong with using a virtual machine as your firewall for your home network. In practice, you had better not screw anything up! There are a lot of things that can go wrong. I start to worry even more when people want to run pfSense in a VM on their FreeNAS server.
These folks are only tweeting. I’m not getting the whole story. Maybe they don’t want to use pfSense in a VM on their FreeNAS box as a firewall for their network. Maybe they’re setting up a lab for educational purposes. I still worry that they’re doing something scary.
When simple things go wrong, you could be exposing yourself to a lot of risk. Maybe you’ve tied your pfSense VM to one physical network adapter, and you’ve tied all your other virtual machines to another. Maybe you’re careful with your host operating system, and you’ve made sure it hasn’t set up any IP networking on that external interface. Maybe you’ve added appropriate firewall rules to keep any traffic on that interface away from the host operating system.
Maybe you’ve done a pretty good job. I am going to be saying maybe a lot.
Maybe something will go wrong on your host. Maybe what should be a minor kernel update for a security fix will goof something up, and the next time you reboot, your network interfaces get swapped. Now your host and your supposedly private virtual machines are connected directly to your ISP, and your firewall is doing absolute nothing useful on what you believed was the safe side of your network!
- Building a Low-Power, High-Performance Ryzen Homelab Server to Host Virtual Machines at patshead.com
- DIY NAS: 2019 Edition at briancmoses.com
I’m a little old school when it comes to firewalls
On my home network, I use a little $30 D-Link 802.11ac router with OpenWRT. Everyone’s pfSense boxes are fancier. I have no need for fancy firewall rules. Mine mostly just routes packets, does NAT, and blocks what you’d expect. It can run WireGuard at around 170 megabits per second–plenty of speed for my 150/150 FiOS link!
NOTE: Don’t buy my D-Link router. Only revision B1 is supported by OpenWRT, and they’re difficult to find. The other revision of the hardware is unsupported and inferior! I’ve had it in my possession for quite a while.
If someone manages to get a shell on my OpenWRT router, it would be a real bummer. They’d have their beachhead, and they can start attacking more machines on my network. If someone manages to crack into your pfSense VM on your FreeNAS server, they’re also on the same hardware as your storage.
Sure, there’s all sorts of virtual machine magic the attacker’s way. That’s another wall they can attempt to knock down, though. Virtual machines are pretty well isolated from each other and the host, but they have their own long list of security bugs.
Running WireGuard on my OpenWRT box means attackers have another service to bang on when they’re attempting to gain access to my router. I’d still prefer that they gain access to the little ARM or MIPS machine at the edge of my network than a virtual machine that shares hardware with my NAS server!
I’m going to stick with my $30 OpenWRT router. It sips a few watts, lives in my cupboard, and it’ll run all day on a tiny UPS.
Is it safe to run an OpenVPN or WireGuard server on your firewall/router?
It isn’t ideal. Your VPN should be on a server in your DMZ. That way, if someone unauthorized connects to your VPN, or they manage to gain access to your VPN server in another way, they are don’t have free reign of your entire network immediately.
This sounds great, except you’re doing this at home. Why do you need a VPN at home? You want access to all your stuff! You want to connect to the shares on your NAS server. You want to pull down a file that you left on your laptop. You want to transcode your GoPro footage on your desktop computer.
You don’t want to be stuck in the DMZ when you’re connected to the VPN. You would need to set up firewall rules to let your VPN connection out of the DMZ to access the machines and services you need. You’re going to wind up punching so many holes that the firewall at the DMZ isn’t even a wall anymore.
Setting up usable firewall rules for terminating a useful home VPN in the DMZ feels an awful lot like terminating it right on the router, but with extra steps.
Do you want your network to come down every time you reboot or power down your homelab server?
Keeping my $30 D-Link router up and running is easy. The tiny UPS that he’s plugged into can probably power it for days. Keeping a spare on hand is easy; I don’t do this, but it would be cheap and easy!
I reboot my virtual machine host more often than I’d like. There are Linux kernel updates quite regularly. I’ll admit that I don’t get around to rebooting for each and every one of those updates. If this box was sitting at the edge of my network, I’d be rebooting it way more often.
- Building a Low-Power, High-Performance Ryzen Homelab Server to Host Virtual Machines at patshead.com
- DIY NAS: 2019 Edition at briancmoses.com
- [Building a Homelab Server][bh] at briancmoses.com
Conclusion
Don’t run the firewall for your home network in a virtual machine unless you know what you’re doing, understand the risks, and know how to avoid all the potential pitfalls. If you understand the risks, and you think this seems like a fun project, you should absolutely give it a try. I’m almost always a fan of doing things in a different or unique way!
There are plenty of nice routers you can buy that will do the job. You don’t have to load OpenWRT on a random piece of hardware like I did. There are plenty of choices. I prefer ARM and MIPS routers over loading something like OpenBSD on Intel hardware. I don’t need something that expensive or power hungry sitting in my cupboard just to route packets at around 200 megabits per second. That’s just overkill.
What do you think? Am I worried over nothing? Do you think the folks tweeting about running pfSense in a VM have thought things through? Do you think they’re just setting up a pfSense machine for educational purposes? Did I leave anything important out in my attempt to keep this down to around 1,000 words? Let me know in the comments, or stop by the Butter, What?! Discord server to chat with me about it!
- Building a Low-Power, High-Performance Ryzen Homelab Server to Host Virtual Machines at patshead.com
- DIY NAS: 2019 Edition at briancmoses.com
- [Building a Homelab Server][bh] at briancmoses.com