External Access to LAN via Privoxy with Freedombox in DMZ

My FreedomBox is plugged into a home router
Purchased May 2019
FreedomBox version 22.8

Hello!

Away from home, I can configure my browser to use the Freedombox’s Privoxy service and then access all of the devices on my home LAN. For example I can navigate to the router’s admin page and to the freedombox directly at https://192.168.0.xx/plinth/. Is this to be expected?

What I did: At a coffee shop, I configured Firefox proxy settings to use the Freedombox domain name (from Gnudip) with port 8118. To verify privoxy is enabled I navigate to http://config.privoxy.org/ and I get back the confirmatory message: “This is Privoxy 3.0.32 on unknown (::ffff:192.168.0.xx), port 8118, enabled.”

Next, I removed Freedombox from the DMZ and just forwarded port 8118 and got the same results.

I do have wireguard installed, but it is not active on my laptop and I disabled the WireGuard-Server-wg0 network on Freedombox for these tests.

But perhaps I have something misconfigured…

Any ideas?

I see the following message on my Privoxy page in Plinth (in Apps): “Privoxy is available only on internal networks or when the client is connected to FreedomBox through VPN. Currently the following network interfaces are configured as internal: wlxb8b7f1d4d8fe”. Is your Ethernet WAN interface configured as internal or external? Check your Apps/Privoxy page. You can also see all your network interface(s) under System/Networks.

Thanks for your reply!

Ethernet WAN interface is internal and the ethernet cable is connected to my home router. My WireGuard-Server-wg0 network connection is also internal. Both of these show up on my Privoxy configuration page as internal as well.

As mentioned, I’ve disabled the WireGuard-Server-wg0 network ever since I noticed this behavior. Even so, I can still reach my LAN devices from outside.

In the Networks page of the manual I see that the default setup for a machine with one ethernet interface is to connect it to the internal firewall zone. This allows other machines on the local network to use all services (internal/external), but it sounds like by having your router forward port 8118 you may be opening up access to Privoxy from the wider Internet. I’d think you’d want to remove the forwarding from your router and use Wireguard from coffee shops or wherever, but there may be a caveat. A section of the OpenVPN page of the manual (“Browsing Internet after connecting to VPN”) warns that you need to have “at least one Internet connected network interface which is part of the ‘External’ firewall zone”. I don’t see a similar warning on the Wireguard manual page, but I haven’t used Wireguard and don’t know if that’s a gap in the manual or the limitation actually doesn’t exist. Changing the firewall zone from internal to external would presumably prevent machines on your local network from accessing internal services.

This is definitely what I’m experiencing. Of course I get this same behavior with the Freedombox in the router’s DMZ… which I thought was an allowable configuration.

I did a quick check in System>Firewall and it confirms that Privoxy is internal only:
“privoxy: 8118/tcp Permitted (internal only)”

On the topic of wireguard, I don’t know how it is supposed to work with Privoxy. For example, when connected via wireguard, should a browser proxy setting of freedombox.local:8118 be recognized? I think that did not work for me even though the WireGuard-Server-wg0 network is “internal.”

Yes, this is expected behavior.

That is an external IP address for your network. Since you have allowed traffic from 8118 to be forwarded, you are proxying into your home network and you should be able to access any resource that isn’t explicitly denying a connection like this through its own firewall rule.

Some of us know this as the “poor man’s VPN”. :joy:

Thanks for this confirmation!

So, it seems anyone with freedombox in the DMZ (and Privoxy installed) is allowing this kind of external access. I had no idea!

I mean, I’m not surprised to have access to the Freedombox since I have put it in the DMZ and given it a public domain name. But it was a shock to see all my other devices sitting behind my router.

It has more to do with the proxy settings you can enable in Firefox than Freedombox or anything else. You don’t need a Freedombox at all, in fact – you can set it up with just a regular home router if you know the IP address or have a DDNS service set up.

Fascinating. I guess this is another reason devices behind your router’s firewall ought to still have a strong password. And, I guess, never post your IP address online…

I’m now slightly more educated. :slight_smile:


An easy way to get hacked is to not change the default admin credentials on your home router. A lot of common routers have admin credentials that can be found easily online. From there they can change your router’s firewall settings and give themselves any access they like. :flushed:

Ah, good point. I believe my default router password was 8 characters…

Well that’s not great, but a lot of them ship with the old admin/admin combo which is even worse! :grimacing:

Going back over what I learned here, I wonder what the Internal vs External Firewall zones (in Freedombox) are doing here. I guess any traffic coming in via proxy configuration will be seen as Internal by the Freedombox firewall…?

Keep in mind the external IP address you are targeting from the coffee shop is not the Freedombox, it is your router. The Freedombox does not have an externally facing IP address in your case. So the firewall rules established by your router determine if your cafe traffic gets through or not.

Once the traffic is permitted, it is forwarded to the DMZ you set up. Here, you can apply additional network hardening or otherwise as you see fit, but as for this:

Technically the traffic is coming from the gateway (your router), so it is on your internal network.
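To make the point above concrete from the defender's side, here is a small added example (not code from the thread or from the FreedomBox project) that models Privoxy's own access-control directives. The FreedomBox firewall zone is decided by the interface the connection arrives on, so a port-forwarded connection from outside lands in the internal zone just like a LAN client; the application-layer control that can still tell the two apart is Privoxy's `permit-access` / `deny-access` list, which is matched against the client's source address. The two config fragments, the address ranges and the client IPs are constructed for illustration. The evaluation rule modelled (no `permit-access` lines means everyone is served; once any exist, only matching clients are served) is my reading of the Privoxy config documentation and is labelled as an assumption in the code. The caveat a practitioner should note: this only helps if the router forwards the connection with plain destination NAT and preserves the coffee-shop client's source address; if the router masquerades forwarded traffic so it appears to come from the router's LAN address, a source-based ACL cannot distinguish it from a LAN host, and the fix has to happen at the router (no DMZ, no forward for 8118), which is where the thread ends up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed config fragments (not a real deployment's privoxy config).
# The weak one is the situation described in the thread: Privoxy listens on
# every address and has no access-control lines, so any client that the
# router forwards to port 8118 is served and can reach the whole LAN.
WEAK_CONFIG = """\
listen-address  :8118
"""

# Hardened variant: bind to the LAN address only (assumed LAN IP 192.168.0.10)
# and serve only LAN clients and WireGuard clients (assumed 10.8.0.0/24).
HARDENED_CONFIG = """\
listen-address  192.168.0.10:8118
permit-access   192.168.0.0/24      # home LAN
permit-access   10.8.0.0/24         # assumed WireGuard client range
"""


@dataclass
class AclRule:
    permit: bool
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]  # optional destination restriction


def _network(spec: str) -> ipaddress.IPv4Network:
    """Parse Privoxy's 'addr[:port][/masklen]' form (IPv4 only in this model).

    The port component is ignored; a bare address is treated as /32.
    """
    host, _, masklen = spec.partition("/")
    host = host.split(":")[0]  # drop an optional ':port'
    return ipaddress.ip_network(f"{host}/{masklen or 32}", strict=False)


def parse_acl(config_text: str) -> List[AclRule]:
    """Extract permit-access / deny-access lines from a privoxy config."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("permit-access", "deny-access"):
            continue  # listen-address and other directives are not ACL lines
        if len(parts) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        src = _network(parts[1])
        dst = _network(parts[2]) if len(parts) > 2 else None
        rules.append(AclRule(permit=(parts[0] == "permit-access"), src=src, dst=dst))
    return rules


def client_allowed(rules: List[AclRule], client_ip: str,
                   dest_ip: Optional[str] = None) -> bool:
    """Decide whether Privoxy would serve this client (and destination).

    Assumption (my reading of the Privoxy docs): with no permit-access lines
    at all, every client is allowed; otherwise the first matching line decides
    and a client matching nothing is refused.
    """
    client = ipaddress.ip_address(client_ip)
    dest = ipaddress.ip_address(dest_ip) if dest_ip else None
    if not any(r.permit for r in rules):
        return True
    for rule in rules:
        if client not in rule.src:
            continue
        if rule.dst is not None and (dest is None or dest not in rule.dst):
            continue
        return rule.permit
    return False


def listen_address(config_text: str) -> str:
    """Return the configured listen-address, or ':8118'-style default if absent."""
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "listen-address":
            return parts[1]
    return ":8118"


if __name__ == "__main__":
    coffee_shop = "203.0.113.7"   # constructed: a client on the public Internet
    lan_host = "192.168.0.50"     # constructed: a machine on the home LAN
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        rules = parse_acl(cfg)
        print(f"{name}: listen on {listen_address(cfg)}; "
              f"coffee shop served={client_allowed(rules, coffee_shop)}, "
              f"LAN host served={client_allowed(rules, lan_host)}")
```

Running it shows the weak config serving both the coffee-shop client and the LAN host, while the hardened config serves only the LAN and VPN ranges; the destination form (`permit-access src dst`) is parsed too, so you can additionally limit which hosts a given client range may reach through the proxy.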

Thanks, BluishHumility

Not that I fully understand this, but it seems that if I put my freedombox in the router DMZ, then traffic on any port may be treated as Internal so far as the freedombox firewall is concerned.

I don’t think I’ll go back to using the DMZ – I don’t feel like I can predict the results. And perhaps there’s something to be said about keeping the freedombox behind the router – and carefully deciding about port forwarding, case by case.

Running the Freedombox in the DMZ is the easiest way to configure it. It is actually set up to automatically open firewall ports for the programs you install, so you don’t have to think about it too much.

As for your gateway, if you are feeling nervous about the security of your home network then log in to your router admin portal and close off any ports you aren’t going to be using for your stuff.

If you want a more secure way to proxy home, you can set up a SOCKS5 proxy over an SSH tunnel as described here, then the proxy would be relying on a tunnel established with password authentication or exchange of SSH keys that you have set up.

Anyway, I didn’t mean to scare you off of running your Freedombox in the DMZ. I hope I didn’t say something wrongly.

Yes, I really like the way this works. But I’ll probably refrain from the DMZ since I’m confused about what the internal vs. external firewall zones provide. And there’s still the possibility that I have something misconfigured – another reason for me to leave DMZ placement for some future moment. :disguised_face:

I’ll just keep at it!