Virtualizing firewall/router?

TrustExecutor

What are the security implications of virtualizing a router like OpenWrt in a VM, with a dedicated NIC passed through. Would this be justified in comparison with a standalone x86 computer for that in terms of increased security? I'm thinking of the L1TF bug/Spectre/Meltdown and the likes that may expose memory from the host. In one way you can mitigate those bugs on the hypervisor with a performance penalty which I am not worried about. I use an older Intel xeon platform with SMT turned off. Please give me your thoughts about this.

23Sha-ger

OpenWrt is not a multi-user designed OS, some packages run as root (some are sandboxed via ujail) but there is no or very little point in mitigating such attack vector as privilege escalation on OpenWrt - even some closed source packages already assume you run them as root. The ones that are sandboxed are httpd, ntpd, hostapd, dnsmasq or stuff that can be potentially exploited remotely.

TrustExecutor

23Sha-ger thanks for the valuable input! Would you recommend VyOS be a better option regarding sandboxing of internal processes? I am not very inclined to the BSD *Sense due to driver issues, no kernel wireguard, limited application support etc.

23Sha-ger

I just say that a simple OpenWrt router is not much of an initial attack vector. Unless you open SSH to the public with weak passwords or do some generally bad practices like running outdated Docker/LXC containers on it, there is no need to worry about Spectre/Meltdown class of attacks. There are much lower hanging fruits, like all those insecure routers/cameras and IoT junk that typical botnets and malware tend to attack. I haven't seen a remote vector against OpenWrt, because it doesn't open anything to the public by default and whatever it runs is something you installed yourself. Regarding VyOS I never looked at it deep enough, they mostly focus on commercial customers even if the base product is open source. This might make them more vulnerable, simply because their customer base is more valuable so adversaries will be interested to spend more resources targeting it. But that's pure speculation.

P.S. PF/OpnSense do have kernel wireguard since long time ago.
Quite an extensive list of software for it as well: https://github.com/opnsense/plugins

TrustExecutor

23Sha-ger
Thanks for the answer and heads up about OPNsense. I will consider it as it actually ticks most boxes. I will have to find a way to migrate my configs from OpenWrt to OPNsense if I switch. VyOS is based on Debian which is a much larger codebase than OpenWrt and not highly regarded in terms of security (at least not on this forum 😅). I would like to see something similar to OpenWrt, a lean small system with musl libc and init system like OpenRC, but with a more incremental upgrade process aimed for real computers not small embedded flash based home routers. But OpenWrt seems like it is small enough attack vector and can probably be additionally hardened by switching to hardened_malloc.

For hypervisor I consider switching from Proxmox to Incus on top of Alpine or Chimera Linux as a more lean alternative as I hardly use most of the features Proxmox offer and it is of course also a somewhat large attack vector.