Hector Martin

I already have some level of MFA: if you are not physically on the wired lab network (wifi is firewalled off) you can't even touch the SSH port on any of my machines without *also* being VPN'd in.

Ah, I tend not to totally rely on network security except for really dumb devices (*cough* IoT *cough*), so my home stuff all has public IPv6 addresses and you can SSH in from anywhere. The subset of really sensitive traffic currently on my home network uses IPsec.

I prefer defense-in-depth. I have a rather complex network segmentation at home with about a dozen different subnets because I have so much SCADA/test equipment (e.g. oscilloscopes with plaintext SCPI interfaces) that doesn't support anything else.

But I also don't trust the Chinese IP cams not to phone home, and I want my wife's laptop or our game consoles to have no access to any of that... the list goes on. The VPN also allows IPv4 access to non-ipv6-supporting gear from the outside w/o port forwards.

The VPN also provides a single point of entry. If I have dozens of SSH endpoints reachable from outside, forgetting to patch or misconfiguring any of them provides a potential entry point. With this setup, you need either a VPN pre-auth RCE or a client cert.

Yeah, I have a ton of VLANs mostly for testing purposes and stuff like that. The core is mostly 4 though, 1) networking equipment (management), 2) "private" network, 3) public/guest network, 4) IoT. Only 2 and 3 are openly routed to the internet, rest of routing is finer grained

My firewall domains (not all vlans, some physical interfaces) * internet * networking equipment * lab SCADA * family/guest wifi+wired * lab workstations/servers * DMZ for internet-facing servers * DMZ for internet-facing clients (browsers, irc) * sandbox for development

* security cameras * VPN clients * non-lab SCADA (sump pump monitor etc) All are fully routed. Additionally, VPN IPs are bound to specific certificates to provide a (somewhat weak) additional layer of policy between different clients.