We recommend that publicly accessible Lighthouse 5 instances are secured by an external firewall. This may be a software firewall or a firewall appliance.
If the firewall is performing NAT/masquerading, you must configure it to perform port forwarding (DNAT). Additionally, you must also set the External Network Address on Lighthouse 5, as per the section below.
Lighthouse's OpenVPN service must be allowed through the firewall; this service operates on UDP port 1194. Because OpenVPN authenticates and encrypts every connection and is designed to be reachable from untrusted networks, allowing it from such networks is not generally considered a significant security risk; however, consult with your security team.
To allow initial registration and node enrollment, Lighthouse 5's RESTful API service must be available. This service operates on TCP port 443. Note that the web UI service also operates on this port.
Unlike OpenVPN, we recommend that connections to the API service are not allowed from untrusted networks. This leaves two options for deploying a node on an untrusted network:
- (Recommended) Perform node enrollment via a trusted network (e.g. a central test bench) before deploying onto the untrusted network (e.g. remote branch office)
- Use the external firewall to limit the source addresses allowed to access the API service
Similarly, we recommend that other Lighthouse 5 services, such as SSH, are not exposed to untrusted networks.
Setting the external network address
If communications from nodes to Lighthouse are via external port forward, the external forwarding address (e.g. the public address of the firewall) must be set in the Lighthouse web UI, under:
Settings -> System -> Administration -> External Network Addresses
Optionally, the external port number may differ from the internal destination port, e.g. forwarding from a "non-standard" external port 8194 to internal port 1194.
These settings are used to generate the VPN client configuration that is pushed to the node during registration, i.e. this is the address and port the node will use to establish a connection to Lighthouse 5.
Note: Changes to External Network Addresses affect future enrollments and will not be propagated to nodes that are already enrolled. The API port(s) set here are used by the USB enrollment method only.
Node failover between internal and external addresses
When multiple External Network Addresses are set, the node tries these in the order specified. This feature is particularly useful in combination with the node's failover feature.
In scenarios where the node normally reaches Lighthouse 5 via its internal private address, but reaches Lighthouse 5 via an external port forward during failover (e.g. over a public cellular network), set the first External Network Address to Lighthouse 5's private LAN address, and the second External Network Address to the forwarding address.
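The following is an added example, not Lighthouse 5 code, that models the two behaviours described above: each External Network Address entry ("host" or "host:port", port defaulting to UDP 1194) becomes an ordered VPN endpoint, and a node walks that list in order until one answers. It assumes that Lighthouse emits one OpenVPN `remote` line per entry; OpenVPN itself does try multiple `remote` directives sequentially unless `remote-random` is set. The entries and reachability callbacks are constructed for illustration.

```python
"""Added example (not Lighthouse 5 code): turn ordered External Network
Addresses into an ordered OpenVPN endpoint list and simulate node failover.
Assumptions: entries are "host" or "host:port", the default port is 1194, and
Lighthouse emits one `remote` line per entry."""
from typing import Callable, List, Optional, Tuple

DEFAULT_VPN_PORT = 1194  # Lighthouse VPN listens on UDP 1194


def parse_external_address(entry: str) -> Tuple[str, int]:
    """Split "host" or "host:port" into (host, port); port defaults to 1194.
    IPv6 literals must be bracketed, e.g. "[2001:db8::1]:8194"."""
    entry = entry.strip()
    if entry.startswith("["):  # bracketed IPv6 literal, optional :port
        host, _, rest = entry[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else DEFAULT_VPN_PORT
    elif entry.count(":") == 1:  # hostname or IPv4 with explicit port
        host, _, port_str = entry.partition(":")
        port = int(port_str)
    else:  # bare hostname/IPv4, or unbracketed IPv6 without a port
        host, port = entry, DEFAULT_VPN_PORT
    if not host or not 1 <= port <= 65535:
        raise ValueError(f"invalid External Network Address entry: {entry!r}")
    return host, port


def openvpn_remote_lines(entries: List[str]) -> List[str]:
    """One `remote <host> <port> udp` line per entry, in configured order.
    OpenVPN tries multiple `remote` directives sequentially (unless
    `remote-random` is set), which is what yields ordered failover."""
    return [f"remote {host} {port} udp"
            for host, port in map(parse_external_address, entries)]


def pick_endpoint(entries: List[str],
                  reachable: Callable[[str, int], bool]) -> Optional[Tuple[str, int]]:
    """Return the first (host, port) that reachable() reports as answering,
    mimicking a node walking the list; None when nothing answers."""
    for host, port in map(parse_external_address, entries):
        if reachable(host, port):
            return host, port
    return None


# Constructed example: private LAN address first, public port-forward second
# (the forward maps external UDP 8194 to the internal UDP 1194 service).
EXAMPLE_ENTRIES = ["10.0.0.20", "203.0.113.10:8194"]

if __name__ == "__main__":
    print("\n".join(openvpn_remote_lines(EXAMPLE_ENTRIES)))
    # Normal operation: the LAN address answers, so it is chosen first.
    print(pick_endpoint(EXAMPLE_ENTRIES, lambda h, p: h == "10.0.0.20"))
    # Failover (e.g. cellular uplink): only the forwarded public address answers.
    print(pick_endpoint(EXAMPLE_ENTRIES,
                        lambda h, p: (h, p) == ("203.0.113.10", 8194)))
```

Because enrolled nodes keep the endpoint list they received at registration, changing the entries later only affects the output of this generation step for future enrollments, which is the caveat the note above makes.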
Lighthouse 5 has a built-in stateful firewall based on Linux netfilter/iptables. Inbound connections to the following protocols and ports are allowed:
- TCP 443 (RESTful API, Web UI)
- TCP 22 (SSH Console Gateway, CLI)
- UDP 1194 (Lighthouse VPN)
- ICMP type 8 (ping)
All remaining TCP and UDP connections are rejected; all other connections are silently dropped.
Advanced users may modify the default rules using the iptables command. To make the rules persistent, create the following file and add them to it:
As an example, the following custom rules restrict inbound SSH access to the trusted subnet 192.168.0.0/16. Order matters: both rules are inserted at position 2 of the WanInput chain, so the ACCEPT inserted second ends up ahead of the DROP and is evaluated first:
# Insert a catch-all DROP for TCP/22 at position 2 of the WanInput chain
iptables -I WanInput 2 -p tcp --dport 22 -j DROP
# Insert the trusted-subnet ACCEPT at position 2, pushing the DROP down to position 3
iptables -I WanInput 2 -p tcp --dport 22 --src 192.168.0.0/16 -j ACCEPT
To install the custom rules, rebuild the internal firewall with:
View the updated ruleset with:
iptables -t filter -L -v
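Because iptables applies the first matching rule, the two `-I WanInput 2` commands above only work if the trusted-subnet ACCEPT ends up ahead of the DROP. The following added example (not Opengear code) reads `iptables -S WanInput` style output and evaluates test packets against it with first-match semantics, so the ordering can be checked before the rules are made persistent. The chain text is constructed to resemble the result of the two custom rules plus the default allowed services listed above; it is not a dump from a real Lighthouse unit, and the rule at position 1 is a placeholder.

```python
"""Added example (not Opengear code): first-match evaluation of a WanInput-style
chain to confirm that custom SSH rules are ordered correctly. SAMPLE_CHAIN is
constructed, not captured from a real Lighthouse 5."""
import ipaddress
from typing import Dict, Optional

# Constructed sample resembling `iptables -S WanInput` after the custom rules:
# position 1 is a placeholder, positions 2 and 3 are the custom rules (the
# ACCEPT inserted last at position 2 lands ahead of the DROP), and the rest
# mirrors the default allowed services and the reject/drop tail from the page.
SAMPLE_CHAIN = """\
-N WanInput
-A WanInput -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A WanInput -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A WanInput -p tcp -m tcp --dport 22 -j DROP
-A WanInput -p tcp -m tcp --dport 443 -j ACCEPT
-A WanInput -p tcp -m tcp --dport 22 -j ACCEPT
-A WanInput -p udp -m udp --dport 1194 -j ACCEPT
-A WanInput -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A WanInput -p tcp -j REJECT --reject-with tcp-reset
-A WanInput -p udp -j REJECT --reject-with icmp-port-unreachable
-A WanInput -j DROP
"""

# What the chain would look like if the two iptables commands were run in the
# wrong order: the DROP now precedes the trusted-subnet ACCEPT.
_lines = SAMPLE_CHAIN.splitlines()
_lines[2], _lines[3] = _lines[3], _lines[2]
REVERSED_CHAIN = "\n".join(_lines) + "\n"


def parse_rule(line: str) -> Optional[Dict]:
    """Extract the match fields this evaluator understands from one `-A` line.
    Unknown options (-m, --reject-with, --icmp-type, ...) are skipped."""
    toks = line.split()
    if not toks or toks[0] != "-A":
        return None  # chain declarations (-N) and blank lines are not rules
    rule = {"src": None, "proto": None, "dport": None, "state": None, "target": None}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif tok == "-p":
            rule["proto"] = toks[i + 1]
        elif tok == "--dport":
            rule["dport"] = int(toks[i + 1])
        elif tok == "--ctstate":
            rule["state"] = set(toks[i + 1].split(","))
        elif tok == "-j":
            rule["target"] = toks[i + 1]
        else:
            i += 1  # chain name, -m, or an option we do not model
            continue
        i += 2
    return rule


def matches(rule: Dict, pkt: Dict) -> bool:
    """True if every field the rule specifies agrees with the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    if rule["state"] is not None and pkt.get("state", "NEW") not in rule["state"]:
        return False
    return True


def verdict(chain_text: str, pkt: Dict) -> str:
    """Walk the chain top to bottom and return the target of the first match,
    which is exactly how netfilter evaluates a chain."""
    for line in chain_text.splitlines():
        rule = parse_rule(line)
        if rule and matches(rule, pkt):
            return rule["target"]
    return "POLICY"  # nothing matched; the chain's default policy applies


def ssh_policy_ok(chain_text: str, trusted: str = "192.168.0.0/16") -> bool:
    """Check the intent of the custom rules: SSH from the trusted subnet is
    accepted and SSH from anywhere else is dropped."""
    net = ipaddress.ip_network(trusted)
    inside = {"src": str(net[1]), "proto": "tcp", "dport": 22}
    outside = {"src": "203.0.113.5", "proto": "tcp", "dport": 22}  # constructed
    return verdict(chain_text, inside) == "ACCEPT" and verdict(chain_text, outside) == "DROP"


if __name__ == "__main__":
    print("custom rules in the right order:", ssh_policy_ok(SAMPLE_CHAIN))
    print("custom rules reversed:          ", ssh_policy_ok(REVERSED_CHAIN))
```

On a real unit, feed the output of `iptables -S WanInput` into `ssh_policy_ok` instead of `SAMPLE_CHAIN`; a False result before rebuilding the firewall means the ACCEPT is not ahead of the DROP and SSH from the trusted subnet would be blocked.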