Hi, noobie here, just getting into self hosting and stumbled onto boringproxy, which I think is just a phenomenal project and alternative to cloud flare tunnel. I just wanted to make sure, if I connect to my private home server from outside using boring proxy on a vps, will the vps owner be able to decrypt encrypted traffic? Lot of vps servers don’t provide root access to clients, so will the vps admin with root access to the server( on which boringproxy server is running) be able to decrypt traffic?
Hey @asish. As long as you use any of the “client” options for TLS Termination, the server can’t decrypt it. I personally prefer “Client Raw TLS”, since it works with things like WebSockets.
Thanks, can’t wait to try it out!
I was thinking about this more and technically what I said before isn’t completely accurate. If the VPS provider is determined to to intercept your traffic, they could still get their own cert (using Let’s Encrypt for example) because your DNS is pointed at an IP address they control. So requests would go to them, they would decrypt, then make a new (encrypted) request to your boringproxy server.
I don’t know of any way to prevent this, but you could detect it by randomly making requests to your services and verifying the certs used match the certs on the device running boringproxy client.
I’d like to build this functionality into boringproxy but it’s pretty low on the priority list since the risk of a reputable VPS provider doing that is extremely low. It’s too easy to catch and would demolish their credibility for little to no gain.
Thanks for the heads up. While it does seem like low risk scenario, it’s still good to know it exists. Will keep an eye out. It would be nice if you could let us know when you get around to fixing this issue.
I wouldn’t call it an issue per se. I’m not aware of any way to guarantee TLS end-to-end encryption for an IP address you don’t control.
At some point you have to trust somebody. At the very least you’re trusting DNS.
I see… but that is still a concern for privacy, albeit a really small one. You mentioned making random requests to our home server and checking the certificates, I guess automating that would be the closest thing we can have to make sure it’s fully private and secure.
Also, I can’t wrap my head around how TLS works with tunneling. How does the handshake take place with my home server when there’s no direct connection between it and the client? I’m no software engineer, so it’s difficult to fully understand this.
There is a ssh tunnel running
@hlolve is correct. Connections from the public internet (typically HTTPS) run over TLS, but connections from the boringproxy server to the client are over SSH.
So regarding the “client” option for terminating TLS, if I understand this correctly, the boringproxy server uses the private client’s SSH keys, and the public client’s TLS keys to generate a symmetric key between them? So as the public client and private client can decrypt the messages but not the server with boringproxy running on it.
Basically there are two pieces of encryption happening, TLS and SSH. SSH encryption only exists between the boringproxy client and server. TLS encryption has multiple options. If it’s terminated at the server, then the TLS is decrypted and sent over the encrypted SSH tunnel. This is the most efficient, but also requires you to store the TLS certificates on the server (they are managed automatically by boringproxy, using Let’s Encrypt). If you terminate TLS at the client, then the TLS certificates are stored on the client and the server cannot decrypt the data. It can only peek at the SNI to determine the host name (domain) and figure out which SSH tunnel to send the encrypted data over. In this case the data is actually double encrypted, TLS+SSH. This is a waste of processing power, because one layer is sufficient, but I’m not currently aware of an easy and secure way to achieve that.
Ah I see. Thanks a lot for clarifying. One last question, do you have any recommendations for cheap and reliable VPS to host the tunnel on? I’ve been looking around, but I am not sure if I’m missing some cheaper services.
I’ve had a good experience with DigitalOcean. Also AWS but it’s expensive. Racknerd looks cheap. Hetzner offers tons of bandwidth for cheap.
Thanks, I’ll take a look