Second auth layer for HTTP control panel with IoT concept

[vidgeek897]

Hi guys, I have hdmi modulator with GUI web-based management panel and I need to organize secure and robust access from remote network, I don't want to use straight NAT because you can "brute force" the native auth panel. I need some kind of layer between remote user and NMS via gateway, which will manage logging and auth.I was thinking about 1 channel router(maybe raspberry pi based)... What to choose and from where to start? Thank you!

[Heath Raftery]

pfSense running on an old laptop is a popular way of securing NAT networks. If you want to run it on a RPi, don't bother trying to DIY, just use something like this: https://www.netgate.com/products/sg-1000.html

[David Ingram]

You could run a VPN server on an embedded PC, such as a Raspberry Pi or Beaglebone Black or a small x86 PC running linux or windows.

If you have a firewall/router then a single Ethernet port is all the Rpi/BBB needs. Forward the appropriate port for the VPN you select (e.g. 1194 for OpenVPN) to the Rpi/BBB, and it will then send back local LAN traffic to your modulator. If you don't have a router, you could add a USB Ethernet port or USB 3G dongle, and use the Rpi/BBB as the firewall too. I think this is a bit riskier since there is a single point of failure for a config muckup. 

I run option 1, where my firewall does the bulk of the internet filtering and only forwards the selected VPN ports to the Rpi/BBB. The only service running on the Rpi/BBB is the VPN server.

I use SoftEther, as it is really good and yet free + source code is available: www.softether.org. The config is straightforward once you have the software setup on the server (it has binaries for x86, MIPS, PowerPC and ARM). Management is done with a command line or a nice Windows GUI (which runs fine on Linux with WINE) or MacOS GUI. I connect with the built in VPN clients on Windows 10 and Android, but there is a dedicated client available for Windows, Mac and Linux.

The Netgate (thanks Heath) looks like a very nice turnkey product, and might be a better way to go if you don't want to play on the command line. Less chance of a catastrophic config error letting everything in too. If you have a spare Rpi or BBB lying around though, it won't cost you anything to have a go.