But the paper is right, a lot of network hardware is backdoored. Especially the Cisco stuff. And I'm suspicious of the Chinese stuff too.
We should endeavor to run open source routers. But I'm not aware of any open source modems? I'm actually surprised someone hasn't cracked the proprietary DSL code and leaked an open source modem.
I bet we would not like what we found in their proprietary code :/
Having a VPN-Proxy-VM offers the flexibility to choose which VMs directly connect to the internet, and which VMs are routed through the VPN, which is nice.
I've set up my VPN-Proxy-VM using a minimal template, to further reduce the attack surface.
You can also run the whonix-gw over the VPN, or vice versa.
I imagine since Snowden said to the world he uses Qubes OS, the NSA have had their team looking for ways in. I think Qubes can be hardened much more than it currently is.
An always-on VPN connection on the router works well but can be a bit slow since the processing power of router CPUs is generally quite limited. If choosing a router, I'd suggest a dual-core ARM-based device. Although openvpn is only single-threaded you can usually configure cpu-affinity to place it on one core and the other routing tasks on the other core.
For those who want to go beyond around 20-25 Mb/s, which is where an ARM router will start to reach its limits, a fine alternative is a small fanless PC, such as the Intel NUC or Gigabyte Brix, and run an open source firewall on it, instead of a router. I'm using IPFire. If the processor supports AES-NI, the limiting factor will be your network speed, not the firewall's CPU.
Finally, I've always felt that running a vpn on Qubes and having an always-on vpn running on a router/PC complement each other.
On 13.11.2016 at 14:22, hed...@tutanota.com wrote:
13. Nov 2016 08:48 by ama...@riseup.net:
We see much correspondence in these forums about installing a VPN within Qubes. Surely, the most secure place for VPN is to install on a Router?
The solution they say is to isolate these rogue routers in the Militarized Zone by creating a DMZ [demilitarized zone]. Achieved by installing a 2nd router [flashed with open source firmware such as OpenWRT]. It is here, on the router, that we should enable and run OpenVPN.
Thoughts on this paper and its conclusions are welcomed
> An always-on VPN connection on the router works well but can be a bit slow since the processing power of router CPUs is generally quite limited. If choosing a router, I'd suggest a dual-core ARM-based device. Although openvpn is only single-threaded you can usually configure cpu-affinity to place it on one core and the other routing tasks on the other core.
> For those who want to go beyond around 20-25 Mb/s, which is where an ARM router will start to reach its limits, a fine alternative is a small fanless PC, such as the Intel NUC or Gigabyte Brix, and run an open source firewall on it, instead of a router.
> Finally, I've always felt that running a vpn on Qubes and having an always-on vpn running on a router/PC complement each other.
> On 13.11.2016 at 14:22, hed...@tutanota.com wrote:
> 13. Nov 2016 08:48 by ama...@riseup.net:
> Thoughts on this paper and its conclusions are welcomed
There is a point where additional components won't give you defense-in-depth but only additional complexity that will in the end make you less secure.
Allowing a backdoored router into your network will, complexity or no complexity, compromise your security. The only conclusion to reach is not to use them wherever possible, or isolate them if their use is mandatory.
> An always-on VPN connection on the router works well but can be a bit slow since the processing power of router CPUs is generally quite limited. If choosing a router, I'd suggest a dual-core ARM-based device. Although openvpn is only single-threaded you can usually configure cpu-affinity to place it on one core and the other routing tasks on the other core.
One of the GL-Inet small arm(s 8-) ) routers is sufficient for 80 MBit/s (see https://www.gl-inet.com/). I'm using one of their "Mifi" devices (https://www.gl-inet.com/mifi/) to write this and right now it is holding up quite well with 150 MBit/s LTE plus an OpenVPN on top of it. The only problem is the about 1MBit/s I'm getting from their uplink.
I've never come across these devices. They look like good value for money.
> For those who want to go beyond around 20-25 Mb/s, which is where an ARM router will start to reach its limits
Seriously? I doubt that. Right now I'm using an ASUS RT-AC5300 (ARM, dual core) router on a 400/20 MBit link (residential cable) and even if I'm saturating it using an OpenVPN process running on the router its cores seem quite unimpressed. But maybe DD-WRT is magical.
Yeah, maybe my 25 Mb/sec generalisation is a bit out-of-date but it still depends on what you're prepared to spend. Let's see: ASUS RT-AC5300. It has 8 antennas and is a beast of a router that sells for 439 euros on amazon.de. At that price it really ought to be fast. Back in more reasonably-priced territory, I did some real-world tests 18 months ago on my ASUS RT-AC56U (97 euros on amazon.de, ARM x 2) and never exceeded 25 Mb/s with 80% cpu load. Even had it achieved 100% cpu, that would still only equate to 30 Mb/s. Flippant comments about magic aside, if you throw big money at the hardware, you'll get more speed. I'm still betting that a small i3 with AES-NI would outperform it on openvpn, and for a fraction of the price.
Sorry, I took your thread for a bit of a detour. Going back to your original post:
> Surely, the most secure place for VPN is to install on a Router?
Joanna might disagree with that for the same reason she posits that VMs connected via Qubes networking may be more secure than physical machines separated by a potentially vulnerable TCP/IP stack. (http://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf)
Generally speaking, it seems to be a good idea to isolate your public-facing network adapter from your firewall and proxies (vpn). Whether it's best to use Qubes, another hypervisor, physical devices, or driver domains as taiidan suggested, I don't know.
As with all things security-related, the solution that works for you will depend on your threat model, which you haven't described. Certainly, I would question the credibility of a blog that claims to have a setup that is "NSA-proof". Most of the changes recommended in the blog are simply shifting trust from your ISP to other 3rd-parties: OpenDNS, VPN provider, etc. Make sure that's what you want since everyone involved is only guaranteeing "privacy by policy."
* Using OpenDNS does not protect your kids from inappropriate content. That's just bizarre.
* If you distrust your ISP enough to require a VPN, why allow the ISP to see any unencrypted traffic at all? Blogger only uses VPN for some "sensitive" traffic because he doesn't want the rest subjected to geographic blocking. Why not just use a VPN that exits in the country where it's needed? If your activity is so sensitive that you can't exit, for example, in a 5-Eyes country, then you should be using Tor - because again, a VPN is just "privacy by policy".
* You may want to confirm that the VPN is set to fail-closed (ie not allow traffic when VPN goes down.)
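The fail-closed behaviour in the last bullet (and the VPN-Proxy-VM idea earlier in the thread) as an added example, not code from anyone in this thread or from the Qubes project: a POSIX shell script that emits an iptables-restore ruleset for a VPN gateway (an OpenWrt-style router or a Qubes VPN ProxyVM) which forwards client traffic only into the tunnel and logs and drops anything that would leave the WAN interface in the clear, plus a small review helper that checks a ruleset for that property. The interface names (eth0, br-lan, tun0), the server address 203.0.113.10 and port 1194 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from this thread. Emit a fail-closed ("kill switch")
# iptables ruleset for a VPN gateway: if the tunnel is down, no client
# traffic is forwarded to the WAN in the clear. All interface names and
# the VPN endpoint below are assumptions; 203.0.113.10 is a documentation
# address, not a real VPN server.

vpn_killswitch_rules() {
    wan_if="$1"; lan_if="$2"; vpn_if="$3"; vpn_server="$4"; vpn_port="$5"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to the gateway's own flows (the tunnel's UDP, LAN-side admin sessions).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -j ACCEPT
-A OUTPUT -o $lan_if -j ACCEPT
# The only packets the gateway itself may send out the WAN in the clear are
# the tunnel's own datagrams to the VPN server (use an IP literal in the
# OpenVPN "remote" line; with this ruleset the gateway cannot resolve names
# before the tunnel is up).
-A OUTPUT -o $wan_if -p udp -d $vpn_server --dport $vpn_port -j ACCEPT
-A OUTPUT -o $vpn_if -j ACCEPT
# Clients are forwarded only into the tunnel. The established-flow accept is
# pinned to the tunnel too, so a cached conntrack entry cannot carry an old
# flow out the WAN after the tunnel drops and the route changes.
-A FORWARD -i $lan_if -o $vpn_if -j ACCEPT
-A FORWARD -i $vpn_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Fail-closed: anything that would leave the WAN outside the tunnel is logged
# (so a leak attempt shows up in the kernel log) and dropped.
-A FORWARD -o $wan_if -j LOG --log-prefix "vpn-leak: "
-A FORWARD -o $wan_if -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $vpn_if -j MASQUERADE
COMMIT
EOF
}

# Review helper: does a ruleset (iptables-save format) fail closed for
# forwarded traffic? It must default FORWARD to DROP and contain no ACCEPT
# that forwards out of the WAN interface. Prints "yes" or "no".
ruleset_fails_closed() {
    rules="$1"; wan_if="$2"
    if ! printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'; then
        echo no; return
    fi
    if printf '%s\n' "$rules" | grep -q -- "-A FORWARD .*-o $wan_if .*-j ACCEPT"; then
        echo no; return
    fi
    echo yes
}

# Usage on the gateway (assumed interface names, overridable via environment):
#   sh vpn-killswitch.sh print | iptables-restore
if [ "${1:-}" = "print" ]; then
    vpn_killswitch_rules "${WAN_IF:-eth0}" "${LAN_IF:-br-lan}" "${VPN_IF:-tun0}" \
        "${VPN_SERVER:-203.0.113.10}" "${VPN_PORT:-1194}"
fi
```

Two design points worth noting: the established-flow accept in FORWARD is restricted to the tunnel interfaces rather than written as a bare `--ctstate ESTABLISHED,RELATED` accept, because after the tunnel drops the kernel re-routes existing flows out the WAN and a bare accept would let them through; and the LOG rule before the DROP is what turns a silent failure into something you can see in `dmesg` or syslog when the VPN process dies.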