Marco Moock <inv...@invalid.invalid> asked
>> 2. Kid is in a dorm apt with school Wi-Fi & Ethernet (2 ports).
> Use this net and only connect through a VPN or TOR.
> Restrict that by certain firewall rules.
> You can run a TOR client that provides a SOCKS proxy server. The
> computer the kid uses is directly connected to that computer (not
> Routing or NAT enabled, just connected via Ethernet) and only uses the
> SOCKS proxy on it.
Thanks Marco Moock for hazarding advice, as I am well aware how risky
that is, which I very much appreciate given your knowledge of networking
surpasses that of mine.
Two things were already done, one by his parents, the other by me.
1. The parents doubled his cellular hotspot from 5GB to 10GB for $10/month
2. I flashed the extra Netgear WNR834Bv2 with this "chk" file from dd-wrt
<https://wiki.dd-wrt.com/wiki/index.php/Netgear_WNR834Bv2>
<ftp://ftp.dd-wrt.com/betas/2015/08-25-2015-r27745/broadcom/dd-wrt.v24_mini-wnr834bv2.chk>
Regarding VPN or TOR, he is mostly gaming, I think, neither of which
really lends itself to TOR (at least not the Tor Browser Bundle anyway).
I'm sure there is a way to set up the entire system on TOR/Socks
but I've tried that about 10 or 15 years ago and it was miserable
(privoxy and all that) to do.
Therefore the only TOR he's using is the Tor Browser Bundle,
which isn't, he says, useful for gaming.
The VPNs he's using are the free VPNs, which, as you may know,
aren't all that reliable (and which don't have many locales
inside the USA usually).
If I understand your suggestion correctly, we can set up an entire
computer to run nothing but TOR/SOCKS, which is what the kid can
connect to directly from his desktop (but he also wants to use
his phone cellular, apparently).
There is a $90 T-Mobile mobile hotspot device which, for $55/month
gives him everything he's asking for (50GB/month of cellular data)
but of course, that's $600 per year which is a bit steep of a price
to pay when he _already_ has "free" Internet provided by the school.
I'm working on figuring out how adding "VPN" to a router works,
where I've figured out that Netgear uses "chk" files first.
<https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=776979>
and then once dd-wrt is on that router, it can take a further
dd-wrt "bin" file, but I don't know (yet) which bin to use.
<https://dd-wrt.com/support/router-database/?model=WNR834B_v2>
And, I don't want to guess (as bricking is always around the corner).
At that location are seven dd-wrt "bin" files, but which one do I use?
1) DD-WRT: Broadcom Generic -= K2.4 - Mini dd-wrt.v24_std_generic.bin
<https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/11-03-2020-r44715/broadcom/dd-wrt.v24_std_generic.bin>
2) DD-WRT: Broadcom Generic -= K2.4 - Mini dd-wrt.v24_mini_generic.bin
<https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/11-03-2020-r44715/broadcom/dd-wrt.v24_mini_generic.bin>
3) DD-WRT: Broadcom Generic -= K2.4 - Micro dd-wrt.v24_micro_generic.bin
<https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/11-03-2020-r44715/broadcom/dd-wrt.v24_micro_generic.bin>
4) DD-WRT: Broadcom Generic -= K2.4 - Micro + OLSRD dd-wrt.v24_mini-wnr834bv2.chk
<https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/11-03-2020-r44715/broadcom/dd-wrt.v24_micro_olsrd_generic.bin>
5) DD-WRT: Broadcom Generic -= K2.4 - Mini dd-wrt.v24_nokaid_generic.bin
<https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/11-03-2020-r44715/broadcom/dd-wrt.v24_nokaid_generic.bin>
6) DD-WRT: Broadcom Generic -= K2.4 - Mini dd-wrt.v24_voip_generic.bin
<https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/11-03-2020-r44715/broadcom/dd-wrt.v24_voip_generic.bin>
7) DD-WRT: Broadcom Generic -= K2.4 - Mini dd-wrt.v24_vpn_generic.bin
<https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/11-03-2020-r44715/broadcom/dd-wrt.v24_vpn_generic.bin>
Notice the _last_ one has "vpn" in the name, so one might intuit
that it's the one to use, but knowing that bricking routers is a
distinct possibility, just guessing without any other data is usually
not a good idea when it comes to flashing firmware.
I think the VPN router "might" replace your "TOR/SOCKS computer" in
the suggested scenario (as I don't have an extra PC to give the kid).
If I understand VPN routers, we still need to pay for a reliable VPN
service but after that, the school will only see the (faked) MAC
address of the VPN router for _all_ his traffic (whether it's Wi-Fi
or Ethernet from his phone or from his desktop or from his laptop).
And, if I understand it correctly, _all_ that traffic will be
connected to a single IP address (of the VPN) and it will all
be encrypted.
The school will know he's using VPN, and they'll know all the
metadata of the size and timing of the packets, but that's it
(am I correct?)
If that's a good plan (lowest cost, best compromise on privacy),
then all I need to do now is find a tutorial for setting up
dd-wrt as a VPN router. I think I need to flash another "bin" file
(after the initial "chk" file though - but I don't know which one).
In theory, does this sound like a low-cost plan that "can" work?
1. I put VPN on the extra router & set the MAC to look like a PC
2. I set dd-wrt to always log into a (paid?) public VPN service
3. The kid connects _everything_ to that VPN router
Does _that_ approach give the kid the privacy he is asking for?