There are now a plethora of products on the market for home automation from wireless power outlets to intelligent thermostats. The typical user experience is to plug the device in, hook it up and connect it to either your local WLAN/LAN.
Many of the commercial products also allow you to access the device remotely and configure it over the Internet. In addition to this they may provide a site you can log into to view stats, live camera feeds etc.
This is all well and good, but there are some serious security and privacy concerns here. Not least of which is the sharing of data with 3rd party services that can be then re-sold to advertisers.
In addition to this privacy concerns around allowing your ISP to view internal cameras, or the risk of devices being hacked either at the ISP or home level have added more variables to the mix.
In this series of articles we will look at how you can configure your home to use a VPN for remote access, setup a firewall and use VLANs for segmenting your home network. This combination of technologies will give you the ability to then build out your home automation services without relying on 3rd party websites to control and monitor them from afar.
In addition to this, with the right choice of commercial or home brewed devices you can protect against data being shared beyond your own home network.
Over the course of this series of articles we will look at:
- Setting up a firewall and disabling your ISPs firewall service/replacing their router/modem combo with an off the shelf one.
- Installing a VLAN compatible switch and configuring a VLAN
- Setting up multiple AP’s for your VLAN
- Configuring OpenVPN to access your home network remotely.
Throughout the articles we will cover a variety of topics related to each of the above. This will include the Diffie-Hellamn key exchange, IPSEC, Tunnel and Transport mode, VLAN tagging and Certificate generation.
For those interested in following along with these articles, the following hardware and software is used. The hardware can be switched out for any other equipment that meets the same needs.
- Netgate SG-2440 or similar appliance
- Dell PowerConnect 2800 managed switch with VLAN support
- Cable provider modem/switch combo – third party cable modem is optional if you wish to purchase your own
- Ubiquiti UniFi WAP(s)
In Part 1 we will start our adventure by setting up the pfsense firewall and disabling the cable company/ISP’s offering.