diff --git a/content/posts/grapheneos/index.md b/content/posts/grapheneos/index.md index 73666fe..0cb95b4 100644 --- a/content/posts/grapheneos/index.md +++ b/content/posts/grapheneos/index.md 
@@ -171,9 +171,9 @@ It is best to force all of GrapheneOS's network traffic through a [VPN](/glossar There are two ways you can run a VPN: from your phone or from your networking device (either a router or a hardware firewall). When using your phone from home, we recommend the latter. -You don't want to "double up" a VPN — if its running on your networking device, it shouldn't be running on your phone, and vice-versa. This means that a phone running a VPN should disable it before connecting to Wi-Fi configured with a "VPN Kill Switch", or alternatively, connect to a non-VPN Wi-Fi. +It's unnecessary to "double up" a VPN — if its running on your networking device, it doesn't need to be running on your phone, and vice-versa. This means that a phone running a VPN should disable it before connecting to Wi-Fi configured with a "VPN Kill Switch". -If you ever use the phone away from home, you should configure GrapheneOS to force all network traffic through a VPN — install the VPN app in every user profile. All standard GrapheneOS connections will be forced through the VPN (except for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)). Note that **Always-on VPN** and **Block connections without VPN** are enabled by default on GrapheneOS. Keep in mind that you will have to disable the VPN app before connecting to your home's "VPN Kill Switch" Wi-Fi. +If you ever use the phone away from home, you should configure GrapheneOS to force all network traffic through a VPN — install the VPN app in every user profile. All standard GrapheneOS connections will be forced through the VPN (except for [connectivity checks](https://grapheneos.org/faq#default-connections), which can be optionally [disabled](https://privsec.dev/posts/android/android-tips/#connectivity-check)). 
Note that **Always-on VPN** and **Block connections without VPN** are enabled by default on GrapheneOS. Keep in mind that you'll want to disable the VPN app before connecting to your home's "VPN Kill Switch" Wi-Fi. If you can afford to pay for a VPN, we recommend both [Mullvad](https://www.privacyguides.org/en/vpn/#mullvad) and [IVPN](https://www.privacyguides.org/en/vpn/#ivpn). Otherwise, you can use RiseupVPN, although it has far fewer users to blend in with, and it doesn't meet several important [security criteria for VPN providers](https://www.privacyguides.org/en/vpn/#criteria), such as published security audits of its code and infrastructure. A VPN subscription should be purchased anonymously — vouchers are available from [Mullvad](https://mullvad.net/en/blog/2022/9/16/mullvads-physical-voucher-cards-are-now-available-in-11-countries-on-amazon/) and [IVPN](https://www.ivpn.net/knowledgebase/billing/voucher-cards-faq/) to purchase the subscription anonymously without [Monero](https://www.privacyguides.org/en/cryptocurrency/#monero). diff --git a/content/posts/qubes/index.md b/content/posts/qubes/index.md index c3929ef..b1f3207 100644 --- a/content/posts/qubes/index.md +++ b/content/posts/qubes/index.md 
@@ -306,9 +306,9 @@ When using the Internet from home, it is best to use a [VPN](/glossary/#vpn-virt There are two ways you can run a VPN: from your laptop or from your networking device (either a router or a hardware firewall). When using your laptop from home, we recommend the latter. -You don't want to "double up" a VPN — if its running on your networking device, it shouldn't be running on your laptop, and vice-versa. This means that a laptop running a VPN should disable it before connecting to an access point (whether Wi-Fi or ethernet) configured with a "VPN Kill Switch", or alternatively, connect to a non-VPN access point. +It's unnecessary to "double up" a VPN — if its running on your networking device, it doesn't need to be running on your laptop, and vice-versa. This means that a laptop running a VPN should disable it before connecting to an access point (whether Wi-Fi or ethernet) configured with a "VPN Kill Switch". -However, it's still valuable to know how to configure Qubes OS to force all network traffic through a VPN, for when you are using the laptop away from home. This involves creating a VPN qube. If you never use Qubes OS away from home, you can [skip ahead to the next topic](/posts/qubes/#how-to-use-devices-like-usbs). Keep in mind that you will have to revert these changes before connecting to your home's "VPN Kill Switch" access point. +However, it's still valuable to know how to configure Qubes OS to force all network traffic through a VPN, for when you are using the laptop away from home. This involves creating a VPN qube. If you never use Qubes OS away from home, you can [skip ahead to the next topic](/posts/qubes/#how-to-use-devices-like-usbs). Keep in mind that you'll want to revert these changes before connecting to your home's "VPN Kill Switch" access point. ## Creating a VPN qube diff --git a/content/posts/router/index.md b/content/posts/router/index.md index 568a77f..6447543 100644 --- a/content/posts/router/index.md 
+++ b/content/posts/router/index.md 
@@ -15,12 +15,14 @@ a4="router-a4.pdf" letter="router-letter.pdf" +++ -A "home network" is the network that connects your devices to the Internet and each other. The "networking devices" that create this home network are called a router (specialized in receiving network traffic from your devices via an "Access Point" and "routing" it onwards to the Internet) and a hardware firewall (specialized in enforcing "firewall rules" and compartmentalizing your home network), although their functions overlap. For instance, routers usually also have some basic firewall capabilities. Another way of thinking about it is that a home network is the *"intranet"* sealed off by your network devices into a *private* network, in contrast to the *Internet* which is a *public* network accessible to anyone. +The security of your home network matters because a malicious network device can be [used to attack any devices that connect to it](https://hak5.org/products/wifi-pineapple) and [State-sponsored malware campaigns are known to compromise network devices](https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/). + +A "home network" is the network that connects your devices to the Internet and each other, and this home network is created by "networking devices". You have probably already set up a router — routers specialize in receiving network traffic from your laptop or phone via an "Access Point" and "routing" it onwards to the Internet. Perhaps you've even already encountered a hardware firewall — this networking device specializes in enforcing "firewall rules" and compartmentalizing your home network. That said, the functions of routers and hardware firewalls somewhat overlap. For instance, routers usually also have some basic firewall capabilities. 
+ +Another way of thinking about your home network is that its the *"intranet"* sealed off by your network devices into a *private* network, in contrast to the *Internet* which is a *public* network accessible to anyone. We recommend setting up your home network with a hardware firewall that runs the [OPNsense](https://www.privacyguides.org/en/router/#opnsense) operating system, paired with a router that runs the [OpenWrt](https://www.privacyguides.org/en/router/#openwrt) operating system. Although you can get by with just a router, a hardware firewall will enable a more secure set up. In this configuration, the OPNsense firewall does all of the heavy lifting, and the OpenWrt router is limited to the role of a "Wi-Fi Access Point" for your devices to connect to. -The security of your home network matters because a malicious network device can be [used to attack any devices that connect to it](https://hak5.org/products/wifi-pineapple) and [State-sponsored malware campaigns are known to compromise network devices](https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/). - # VPN Kill Switch Your networking devices should be configured to force all network traffic through a reputable [VPN](/glossary/#vpn-virtual-private-network) — this puts your trust in your VPN instead of an inherently untrustworthy Internet Service Provider. As the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/) notes: 
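Review bot: the relocated paragraph in this hunk has a typo in its first clause, `+Another way of thinking about your home network is that its the *"intranet"*`, which should read `it's the`; the same line's "a more secure set up" should be the noun "setup". One ordering nit: the new opening paragraph refers to "a malicious network device" before the next paragraph introduces and defines "networking devices", so either use the defined term there or add a short clause saying it means your router or firewall. Otherwise moving the motivation to the top reads well.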
@@ -32,9 +34,8 @@ There are two ways you can run a VPN: from your laptop or phone with a Client ap * A "VPN Kill Switch", which blocks non-VPN traffic, is [more effective](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#global-options-of-vpn-client) when the VPN runs from a networking device. * An adversary that compromises your phone or laptop will need to also compromise the networking device in order to learn your public IP address — your phone or laptop will only know your VPN IP address. * If all of the network traffic coming from your home runs through the same VPN server, this makes it more challenging for an adversary to perform traffic analysis. +* VPN speeds will typically be faster because cryptographic operations are performed on dedicated hardware. -You don't want to "double up" a VPN, so any laptops or phones running a VPN should disable it before connecting to the "VPN Kill Switch" access point. Alternatively, they can connect to a non-VPN access point that we'll optionally configure. - ## VPNs and Tor We recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)) when you are using Tor from your home Internet connection. For more information on the rationale, see [Privacy Guides](https://privacyguides.org/en/advanced/tor-overview/#safely-connecting-to-tor). 
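Review bot: the added bullet `+* VPN speeds will typically be faster because cryptographic operations are performed on dedicated hardware.` makes a claim the guide does not support: the GL.iNet routers this page configures (linked in the same list) run WireGuard in software on a general-purpose CPU, which is often slower than a recent phone or laptop, and consumer routers rarely have crypto offload. Reword it to the defensible benefit, that the phone or laptop's own CPU and battery are not spent on the tunnel, or drop it. Separately, deleting `You don't want to "double up" a VPN ... connect to a non-VPN access point that we'll optionally configure` is consistent with the later switch to Global Proxy, but if the "Symphony-5G" guest network is still created earlier in the guide, it is now also forced through the VPN; either say so explicitly or remove the guest SSID setup so readers do not expect a non-VPN network.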
@@ -99,13 +100,14 @@ For your VPN provider, we recommend either [Mullvad](https://www.privacyguides.o * Use the Unsafe Browser to login to the web Admin Panel of your router. Navigate to the VPN Dashboard. * Under VPN Client, click **Set Up Now** beside WireGuard, then follow [the guide](https://docs.gl-inet.com/router/en/4/interface_guide/wireguard_client/#setup-wireguard-client). * In [VPN Client Options](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#vpn-client-options) enable **IP Masquerading**. - * Click "Global Proxy" and change the [proxy mode](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#proxy-mode) to **Policy Mode: Based on the VLAN**. Enable the VPN on "Private", disable the VPN on "Guest". This means that "Geologic-5G" forces all network traffic through the VPN, and "Symphony-5G" doesn't. This way, devices running a VPN can connect to the Guest Wi-Fi to avoid a "doubled up" VPN. + * Keep the [proxy mode](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#proxy-mode) set to **Global Proxy**. This means that all network traffic is forced through the VPN. * Click [Global Options](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#global-options-of-vpn-client) and enable **Block Non-VPN Traffic**. -* Test that the VPN is configured properly with the [Mullvad connection check](https://mullvad.net/en/check) or [IVPN status](https://www.ivpn.net/) using the Unsafe Browser. +* Test that the VPN is configured properly with the [Mullvad connection check](https://mullvad.net/en/check) or [IVPN status](https://www.ivpn.net/knowledgebase/privacy/how-do-i-know-when-iandsharp039m-protected-by-ivpn/) using the Unsafe Browser. * If you will be connecting to the router via an ethernet cable to the LAN port (Local Area Network, i.e. your home network), also test that. 
* Verify that the router [firmware is set to automatically update](https://docs.gl-inet.com/router/en/4/interface_guide/firmware_upgrade/). ## Using the router -* On Tails, connect to the router via Wi-Fi with "Geologic-5G" or via ethernet to a LAN port (this will also use the "Private" VLAN). The network traffic from your Tails laptop now connects to a VPN *before* connecting to Tor. -* On other devices, connect to "Geologic-5G" if there is no VPN client app running on the device, and "Symphony-5G" if there is. +* Connect to the router via Wi-Fi with "Geologic-5G" or via ethernet to a LAN port. The network traffic from your laptop or phone now connects to a VPN, even though there is no VPN running on your laptop or phone. + * In the case of Tails or Qubes-Whonix, this means that you now connect to the VPN *before* connecting to Tor, which is what we want. +* It's unnecessary to "double up" a VPN — if its running on your networking device, it doesn't need to be running on your phone or laptop, and vice-versa. This means that a phone or laptop running a VPN should disable it before connecting to Wi-Fi configured with a "VPN Kill Switch".
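Review bot: the updated IVPN link in `+* Test that the VPN is configured properly ...` has a slug (`how-do-i-know-when-iandsharp039m-protected-by-ivpn`) that looks like an HTML-entity artifact, `i&#039;m` with the `&`, `#` and `;` stripped; open it in a browser and paste the real URL before merging. The test step also only covers the positive case: since the previous bullet enables **Block Non-VPN Traffic**, add a negative check, for example stop the WireGuard client on the router and confirm that the Mullvad or IVPN check page no longer loads from a connected device, so the reader actually verifies the kill switch rather than just the tunnel. Finally, the new last bullet under "Using the router" reuses the sentence `It's unnecessary to "double up" a VPN ... This means that a phone or laptop running a VPN should disable it`; "unnecessary" does not justify "should", so phrase it as an option ("so you can disable it"), and the "vice-versa" is confusing on a page whose whole point is running the VPN on the router.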
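Review bot: in the grapheneos hunk (`@@ -171,9 +171,9 @@`), the rewritten line `+It's unnecessary to "double up" a VPN` keeps the old conclusion `This means that a phone running a VPN should disable it before connecting to Wi-Fi configured with a "VPN Kill Switch"`, but the premise no longer supports it: a nested tunnel is merely redundant, so the sentence should read as permission rather than an instruction, or the removed "you don't want to" justification should stay. Because the same hunk states that **Always-on VPN** and **Block connections without VPN** are on by default, it should also tell the reader to re-enable the VPN app before leaving the kill-switch Wi-Fi, since with the app disabled nothing on the phone blocks non-VPN traffic on any other network. Minor: `if its running on your networking device` should be `it's`, carried over from the removed line.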
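Review bot: the qubes hunk (`@@ -306,9 +306,9 @@`) has the same logic gap as the GrapheneOS change: `+It's unnecessary to "double up" a VPN ... This means that a laptop running a VPN should disable it` turns an optional step into a requirement without a reason, and `if its running` should be `it's`. Since the following paragraph says the VPN is implemented by "creating a VPN qube", "revert these changes" before connecting at home is vaguer than toggling an app; say concretely which qube settings to change back (the net qube assignment of the affected qubes) so the reader does not delete the VPN qube they will need again away from home.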