We recommend that publicly accessible Lighthouse instances are secured by an external firewall. This may be a software firewall or a firewall appliance.
If the firewall is performing NAT/masquerading, you must configure it to perform port forwarding (DNAT). Additionally, you must also set the External Network Address on Lighthouse, as per the section below.
Lighthouse's OpenVPN service must be allowed through the firewall, this service operates on UDP port 1194. Due to its high security (as detailed in the OpenVPN section of this article), allowing OpenVPN from untrusted networks is not generally considered a significant security risk – however consult with your security team.
We recommend other Lighthouse services such as SSH and web UI are not exposed to untrusted networks.
The enrollment API may be exposed to untrusted networks, after reviewing the considerations below.
Remote node enrollment considerations
To allow initial node registration and enrollment, Lighthouse's RESTful API service must be made available. By default, the full API service operates on TCP port 443. Note that the web UI service also operates on TCP port 443, so we do not recommend unnecessarily exposing this port to untrusted networks.
You may enable an additional enrollment-only API port which serves a subset of the RESTful API on TCP port 8443. To enable, check Settings -> Services -> Session Settings -> Enable additional enrollment-only REST API port.
We recommend utilizing the enrollment-only API port for enrollments from untrusted networks.
Node registration is authenticated by token and optional bundle name and a malicious party with stolen enrollment credentials could potentially spoof registration. Given a spoofed registration, the main security risks are:
- The malicious party has a vector to attack other Lighthouse services such as SSH
- If enrollment is approved and if Configuration Templating has been configured, the malicious party could be delivered sensitive node configuration
Therefore when allowing enrollment from an untrusted network, we recommend that enrollments are manually approved (this is the default) and enrollment tokens are regularly updated.
Otherwise, if the noted risks are considered unacceptable, perform node enrollment via a trusted network (e.g. corporate WAN, or staged on a central test bench) before deploying onto the untrusted network (e.g. remote branch office).
Setting the external network address
If communications from nodes to Lighthouse are via external port forward, the external forwarding address (e.g. the public address of the firewall) must be set in the Lighthouse web UI, under:
Settings -> System -> Administration -> External Network Addresses
Optionally, the external source port number may differ from the internal destination port, e.g. forwarding from a "non-standard" port of 8194 to 1194.
This is used to generate the VPN client configuration that is pushed to the node during registration, i.e. this is the address and port the node will use to establish a connection to Lighthouse.
Note: Changes to External Network Addresses affect future enrollments and will not be propagated to nodes that are already enrolled. The API port(s) set here are used by the USB enrollment method only.
Node failover between internal and external addresses
When multiple External Network Addresses are set, the node tries these in the order specified. This feature is particularly useful in combination with the node's failover feature.
In scenarios where the node normally reaches Lighthouse via its internal private address, but reaches Lighthouse via an external port forward during failover (e.g. to a public cellular network), set the first External Network Address to the Lighthouse's private LAN address, and the second External Network Address to the forwarding address.
Lighthouse has a built-in stateful firewall based on Linux netfilter/iptables. Inbound connections to the following protocols and ports are allowed:
- TCP 443 (Full RESTful API, Web UI)
- TCP 22 (SSH Console Gateway, CLI)
- UDP 1194 (Lighthouse VPN)
- ICMP type 8 (ping)
- Optional – TCP 8443 (enrollment-only RESTful API)
- Optional – TCP or UDP 161 (SNMP status MIB)
All remaining TCP and UDP connections are rejected, all other connections are silently dropped.
Advanced users may modify the default rules using the iptables command. To make rules persistent, create and add them to the following file:
As an example, the following custom rules restrict inbound SSH access to the trusted subnet 192.168.0.0/16:
iptables -I WanInput 2 -p tcp --dport 22 -j DROP
iptables -I WanInput 2 -p tcp --dport 22 --src 192.168.0.0/16 -j ACCEPT
To install the custom rules, rebuild the internal firewall with:
View the updated ruleset with:
iptables -t filter -L -v