Offtopic :: reasonable secure routers?

799

Apr 12, 2018, 2:01:15 AM
to qubes...@googlegroups.com
Hello,

having a reasonably secure OS and maybe some additional freedom by using Coreboot is great, but might not be enough.

At least in Germany most home routers are not owned by the users but by the internet providers; even worse, it is often not possible to upgrade the software as a user.
If I want to improve this situation, what do you think about librecmc (https://librecmc.org/faq.html), which I have come across by accident?

Sorry if this is a non-Qubes question, but I don't know that many people caring about privacy and would like to hear your opinion about it.

"(...)  In the light of recent events, it is more important now more than ever to fight for the freedom to control the software that runs on a given device. Users should have the freedom to control their devices, not the OEMs who originally made the device. Since libreCMC is free software, users have total control over what the software on their device is doing. This is important because it means that the community can add new features, review what the software is doing and make improvements that benefit the community as a whole. (...)"

Regards

[799]


Giulio

Apr 12, 2018, 2:04:08 AM
to qubes...@googlegroups.com
In my opinion the best affordable option is using a PC Engines APU2 with OpenBSD https://www.pcengines.ch/apu2.htm (but of course you can use linux/FreeBSD too).
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

799

Apr 12, 2018, 2:08:50 AM
to Giulio, qubes...@googlegroups.com
Hello Giulio,


Giulio <giu...@anche.no> wrote on Thu, Apr 12, 2018, 08:04:
> In my opinion the best affordable option is using a PC Engines APU2 with OpenBSD https://www.pcengines.ch/apu2.htm (but of course you can use linux/FreeBSD too).

Actually this is something I am running already as 2nd device behind the default router given by my provider.
An Alix Board running pfSense.

[799]

Zrubi

Apr 12, 2018, 3:43:29 AM
to 799, qubes...@googlegroups.com
On 04/12/2018 08:01 AM, 799 wrote:

> having a reasonably secure OS and maybe some additional freedom by
> using Coreboot is great, but might not be enough.
>
> At least in Germany most home routers are not owned by the users
> but the internet providers, even worse it is often not possible to
> upgrade the software as a user.

If the ISP-provided router is a combined modem + router device: You
may be able to set it up as a modem only (bridge mode) and use your own
router.

If the ISP is providing a separate (cable) modem and router: You may be
able to simply replace the router with your own one.

If your connection is some legacy PPPoE one, like ISDN, ADSL, etc., your
private router can handle that for sure.

As a last resort: just put your router between the ISP provided device
and your real LAN.


> If I want to improve this situation, what do you think about
> librecmc (https://librecmc.org/faq.html), I have come across by
> accident?

In my case the ISP router is working as a cable modem only, and I'm
using LEDE/OpenWRT on my routers and WiFi ACs.


AFAIR the librecmc is just yet another fork of LEDE/OpenWRT,
and they promise to remove non-free parts.

In my opinion non-free is a legal definition, and there is no direct
relation to security and/or privacy.


If you really care, you may build your own firmware, and then you can
decide what to include...


--
Zrubi

Jo

Apr 12, 2018, 5:32:46 AM
to 799, qubes-users

My suggestion would be the Turris Omnia. I'm using it myself in various cases and I'm very happy with it.


cheers


Franz

Apr 12, 2018, 6:28:40 AM
to Jo, 799, qubes-users
On Thu, Apr 12, 2018 at 6:32 AM, Jo <adver...@seefelder-web.de> wrote:

> My suggestion would be the Turris Omnia. I'm using it myself in various cases and I'm very happy with it.



Interesting, the automatic update feature is unique. I never have time for updating the routers and OpenWRT is not so easy to update. Without updates the security may be compromised.

Jo

Apr 12, 2018, 7:08:19 AM
to Franz, qubes-users

That is one of the main reasons I'm using it so often indeed. Also, it really has a great range and potential to modify.


cheers

Steve Coleman

Apr 12, 2018, 9:21:06 AM
to qubes-users
On 04/12/18 05:32, Jo wrote:
> My suggestion would be the Turris Omnia. I'm using it myself in various
> cases and I'm very happy with it.

I second this opinion. It's Open Source (OpenWrt), downloads its own
patches to keep up with any security issues or exploits in the wild.
Unless of course you choose to be paranoid enough to do your own
builds/patches.


https://en.wikipedia.org/wiki/Turris_Omnia
https://www.turris.cz/doc/en/start
https://www.turris.cz/en/

Tai...@gmx.com

Apr 12, 2018, 7:56:30 PM
to qubes...@googlegroups.com
On 04/12/2018 09:21 AM, Steve Coleman wrote:

> On 04/12/18 05:32, Jo wrote:
>> My suggestion would be the Turris Omnia. I'm using it myself in
>> various cases and I'm very happy with it.
>
> I second this opinion. It's Open Source (OpenWrt), downloads its own
> patches to keep up with any security issues or exploits in the wild.
> Unless of course you choose to be paranoid enough to do your own
> builds/patches.

It is not open source because it does not have libre firmware nor actual
schematics.

I can't believe people's standards have fallen so far down that simply
letting you run linux and publishing the board diagram is considered
"open source hardware".

On 04/12/2018 02:04 AM, Giulio wrote:

> In my opinion the best affordable option is using a PC Engines APU2 with OpenBSD https://www.pcengines.ch/apu2.htm (but of course you can use linux/FreeBSD too).

The APU2 has AMD PSP so I would not get it, whereas the APU1 doesn't.

On 04/12/2018 02:01 AM, 799 wrote:

> having a reasonably secure OS and maybe some additional freedom by using
> Coreboot is great, but might not be enough.

I would use a KCMA-D8 running a libre version of coreboot and OPNSense.
It has two quality onboard nics and various pci-e slots.

pfsense is now controlled by an evil corporation that is forcing
undesired changes and privacy violations on people such as:
* Mandating AES-NI to arbitrarily make older computers not work with it,
to try and encourage people to buy their pre-built routers.
* Adding a phone home function that sends your serial numbers and
various data to rubicon communications - this setting is on by default
and for some reason turns back on randomly.
* Ignoring basic security concepts such as signed updates and .isos
because "we have a hash hosted on two separate servers" and insulting me
when I protested.
* Insulting their competitors by making a website full of lies, nazi
images and porn clipart.

https://en.wikipedia.org/wiki/OPNsense
https://opnsense.org/opnsense-com/
"In November 2017, a World Intellectual Property Organization panel
found that Netgate, the copyright owner of pfSense, had been using the
domain opnsense.com in bad faith to discredit OPNsense, and obligated
Netgate to transfer the domain to Deciso. The Netgate party tried to
invoke the fair use clause and claimed that the domain name "has been
used for a parody website"; it was rejected on the basis that free
speech does not cover registration of domain names.[6]"

Does that sound like a trustworthy company led by mature individuals?

I suggest the use of OPNSense instead of pfsense - the founder of
pfsense has not been in control of the project for a long time.

john

Apr 13, 2018, 12:03:43 AM
to qubes...@googlegroups.com
I have some ddwrt flashed to mine, and haven't updated the firmware
since post heart bleed, and AFAIK, there is no reason to update, I
probably have it misconfigured as routers are like some other Greek
language to myself ...

anyway, this is way off topic, and you're not "top posting" :P

Andrew B

Apr 13, 2018, 11:01:52 AM
to qubes-users
What's everyone's opinion of the Thinkpenguin router: https://thinkpenguin.com/gnu-linux/free-software-wireless-n-mini-vpn-router-tpe-r1100

Has FSF approval and uses LibreCMC.

Steve Coleman

Apr 13, 2018, 11:05:25 AM
to qubes...@googlegroups.com
On 04/12/18 19:56, Tai...@gmx.com wrote:

>
> I can't believe people's standards have fallen so far down that simply
> letting you run linux and publishing the board diagram is considered
> "open source hardware"

https://doc.turris.cz/doc/_media/rtrom01-schema.pdf
https://doc.turris.cz/doc/_media/rtrom01-step3d.zip
https://doc.turris.cz/doc/en/howto/turris_software?s[]=firmware
https://gitlab.labs.nic.cz/turris
https://git.freescale.com/git/cgit.cgi/ppc/sdk/boot-format.git/