First Setup - doubts about connection

Hello, I am new to freedombox, tried installing on a rpi4, but I am confused about the connection aspect, is there a way to avoid opening ports on the router and these kinds of things that I don’t have full knowledge about?
Can it be solved with the use of a VPN, privoxy or something similar?

Hello Marco,

Without doing anything on your router, you could:

  • access any service from your local network
  • access some services externally using Tor

The manual says the following services can be accessed using Tor (but the list is not exhaustive):

  • Calendar and Addressbook (Radicale)
  • File Synchronization (Syncthing)
  • Feed reader (TinyTinyRSS)
  • Web Search (Searx)
  • Wiki (MediaWiki)
  • Wiki and Blog (Ikiwiki)

To use Tor, you need to activate it on the Freedombox and have a Tor client on the computer/mobile phone that you are using. Access via Tor is generally slow but it is ok for a number of use cases.

An advantage of using Tor is you need nothing else to access your Freedombox externally, i.e. your Freedombox is accessible with a Tor host name (impossible to remember but you can bookmark it).

Otherwise, supposing your network uses IPv4 (I have nearly zero experience with IPv6), you need to:

  1. configure your router so that it forwards to your Freedombox any external request to the port(s) used by the services that you want to access from outside your local network (this is called NAT for Network Address Translation); AND
  2. if your router has a fixed public IPv4 address, you could simply use it; if not, or if you would prefer to use a name one can remember easily, you need some name service (usually DNS) to translate that name to your router's public IPv4 address

1 is usually easy to do and the only effect is that packets going to these ports will be forwarded to your Freedombox, instead of being dropped by the router. If there is any risk, it is that someone without an account tries to access your Freedombox by trying login names and passwords randomly, but that can happen whatever method you use to allow access to your Freedombox from outside your network (Tor or anything else), so you should use random long-enough passwords, and possibly unusual login names.

Ideally, there should be some rule on the Freedombox so that repeated access attempts from a certain source address are dropped, or you could check access logs regularly to see if there is anything unexpected.

That said, if your Freedombox address is not made public in some way, the chances that anyone ever targets your Freedombox are rather low (unless you are a possible target of the NSA, the Mossad or some kind of powerful organization like that, in which case my advice would be to keep your home network not connected to internet at all, possibly using only an isolated computer with no writable disk to access internet via Tor).

1 Like

That’s a great solution for my usage, the only thing remaining is if postfix and ejabberd can be used over tor, is it possible?

This is largely beyond my knowledge, but since I am running ejabberd and I tried Tor in the past, I decided to give it a try.

In the Freedombox interface for Tor, it is said to redirect 3 ports but I am surprised since I don’t recall that being the case last time I tried, so I did not redirect anything more than I have now and I can still access the Freedombox with the onion address from Tor browser or from my phone browser when Orbot is activated.

I tried connecting to an account with Conversations on the phone configured to use Orbot, it says it cannot find the server.

On the Freedombox Tor page, it says that “all web apps and ssh” will work. If “web app” means HTTP, I saw there is something like XEP-0206: XMPP Over BOSH that seems to say XMPP could go over HTTP but I don’t know whether this is feasible with ejabberd as configured on the Freedombox.

For postfix, I guess it uses SMTP, so this is not over HTTP.

In my guess, if you want ejabberd and postfix, you will need redirections on your router.

Thank you for your answer, I wonder if activating DMZ for the FB may solve this problem.

If you mean configuring your router so that the FB is considered as a DMZ, this is like redirecting all ports to your Freedombox, so yes, it would work.

However, every piece of software is likely to have bugs and is subject to configuration errors, so there is always some risk that this is used for someone to access someone else’s computer on the internet. By redirecting to your FB more ports than useful for what you want to use, you would unnecessarily increase the chances that it happens.

If you can configure your router so that the FB is considered as a DMZ, I suppose you can also redirect to it only the required ports for the services you want. Redirecting everything saves you the hassle of adding the required ports one by one, but this is a one time operation when you add a service and there aren’t that many, so that hassle is rather low.

So my suggestion would be to just do the port redirections for the services you activate.

2 Likes

The Tor app serves two purposes: Setting up an onion service is meant to circumvent NAT, while port forwarding is for helping others to do the same by turning your FreedomBox into a Tor Relay.