mirror of https://0xacab.org/anarsec/anarsec.guide.git, synced 2025-06-08 23:02:55 -04:00
doubling up vpn
parent f676285aae
commit d938fb3dee
3 changed files with 15 additions and 13 deletions
@ -15,12 +15,14 @@ a4="router-a4.pdf"
letter="router-letter.pdf"
+++
A "home network" is the network that connects your devices to the Internet and each other. The "networking devices" that create this home network are called a router (specialized in receiving network traffic from your devices via an "Access Point" and "routing" it onwards to the Internet) and a hardware firewall (specialized in enforcing "firewall rules" and compartmentalizing your home network), although their functions overlap. For instance, routers usually also have some basic firewall capabilities. Another way of thinking about it is that a home network is the *"intranet"* sealed off by your network devices into a *private* network, in contrast to the *Internet* which is a *public* network accessible to anyone.
The security of your home network matters because a malicious network device can be [used to attack any devices that connect to it](https://hak5.org/products/wifi-pineapple) and [State-sponsored malware campaigns are known to compromise network devices](https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/).
A "home network" is the network that connects your devices to the Internet and each other, and this home network is created by "networking devices". You have probably already set up a router — routers specialize in receiving network traffic from your laptop or phone via an "Access Point" and "routing" it onwards to the Internet. Perhaps you've even already encountered a hardware firewall — this networking device specializes in enforcing "firewall rules" and compartmentalizing your home network. That said, the functions of routers and hardware firewalls somewhat overlap. For instance, routers usually also have some basic firewall capabilities.
Another way of thinking about your home network is that its the *"intranet"* sealed off by your network devices into a *private* network, in contrast to the *Internet* which is a *public* network accessible to anyone.
We recommend setting up your home network with a hardware firewall that runs the [OPNsense](https://www.privacyguides.org/en/router/#opnsense) operating system, paired with a router that runs the [OpenWrt](https://www.privacyguides.org/en/router/#openwrt) operating system. Although you can get by with just a router, a hardware firewall will enable a more secure set up. In this configuration, the OPNsense firewall does all of the heavy lifting, and the OpenWrt router is limited to the role of a "Wi-Fi Access Point" for your devices to connect to.
The security of your home network matters because a malicious network device can be [used to attack any devices that connect to it](https://hak5.org/products/wifi-pineapple) and [State-sponsored malware campaigns are known to compromise network devices](https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/).
# VPN Kill Switch
Your networking devices should be configured to force all network traffic through a reputable [VPN](/glossary/#vpn-virtual-private-network) — this puts your trust in your VPN instead of an inherently untrustworthy Internet Service Provider. As the [Security Lab](https://securitylab.amnesty.org/latest/2023/10/technical-deep-dive-into-intellexa-alliance-surveillance-products/) notes:
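Review bot: two wording slips in the rewritten opening paragraphs, plus one consistency question. "its the *"intranet"*" should read "it's the intranet", and "a more secure set up" should be "setup" (the noun). More substantively, the paragraph recommending OPNsense paired with OpenWrt says the OPNsense firewall "does all of the heavy lifting" and the OpenWrt router is "limited to the role of a Wi-Fi Access Point", yet the VPN Kill Switch steps further down this same page (VPN Dashboard, WireGuard client, Block Non-VPN Traffic) configure the VPN on the router's admin panel, i.e. the "just a router" path. Say which layout the step-by-step section follows, for example one sentence noting that the firewall-plus-router pairing is the recommended layout while the steps below cover the single-router case, so a reader does not go looking for a kill-switch toggle on the OPNsense box. Minor: "routers specialize in receiving network traffic ... via an Access Point" conflates the access point (the Wi-Fi radio) with routing; "an access point, usually built into the router" would be more precise.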
@ -32,9 +34,8 @@ There are two ways you can run a VPN: from your laptop or phone with a Client ap
* A "VPN Kill Switch", which blocks non-VPN traffic, is [more effective](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#global-options-of-vpn-client) when the VPN runs from a networking device.
* An adversary that compromises your phone or laptop will need to also compromise the networking device in order to learn your public IP address — your phone or laptop will only know your VPN IP address.
* If all of the network traffic coming from your home runs through the same VPN server, this makes it more challenging for an adversary to perform traffic analysis.
* VPN speeds will typically be faster because cryptographic operations are performed on dedicated hardware.
You don't want to "double up" a VPN, so any laptops or phones running a VPN should disable it before connecting to the "VPN Kill Switch" access point. Alternatively, they can connect to a non-VPN access point that we'll optionally configure.
## VPNs and Tor
We recommend connecting to a VPN *before* connecting to Tor (i.e. [You → VPN → Tor → Internet](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN#you-vpnssh-tor)) when you are using Tor from your home Internet connection. For more information on the rationale, see [Privacy Guides](https://privacyguides.org/en/advanced/tor-overview/#safely-connecting-to-tor).
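Review bot: the "non-VPN access point" alternative in the doubling-up paragraph undercuts the two bullets directly above it. The bullet on a compromised phone or laptop promises the device "will only know your VPN IP address", and the next bullet relies on all traffic from the home leaving through one VPN server; any device that joins a non-VPN access point on the same uplink learns and exposes the home's public IP and splits the traffic profile, so a compromised device that is allowed onto that access point obtains exactly the address the first bullet says it cannot. Either scope those two bullets to devices that only ever use the kill-switch access point, or state plainly that offering a non-VPN access point gives up both properties for whatever connects to it. Separately, "VPN speeds will typically be faster because cryptographic operations are performed on dedicated hardware" only holds for routers with a crypto offload engine or a CPU faster than the client's; many consumer routers run WireGuard more slowly than a laptop does, so qualify it ("can be faster on routers with hardware crypto acceleration") or drop the stated reason.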
@ -99,13 +100,14 @@ For your VPN provider, we recommend either [Mullvad](https://www.privacyguides.o
* Use the Unsafe Browser to login to the web Admin Panel of your router. Navigate to the VPN Dashboard.
* Under VPN Client, click **Set Up Now** beside WireGuard, then follow [the guide](https://docs.gl-inet.com/router/en/4/interface_guide/wireguard_client/#setup-wireguard-client).
* In [VPN Client Options](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#vpn-client-options) enable **IP Masquerading**.
* Click "Global Proxy" and change the [proxy mode](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#proxy-mode) to **Policy Mode: Based on the VLAN**. Enable the VPN on "Private", disable the VPN on "Guest". This means that "Geologic-5G" forces all network traffic through the VPN, and "Symphony-5G" doesn't. This way, devices running a VPN can connect to the Guest Wi-Fi to avoid a "doubled up" VPN.
* Keep the [proxy mode](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#proxy-mode) set to **Global Proxy**. This means that all network traffic is forced through the VPN.
* Click [Global Options](https://docs.gl-inet.com/router/en/4/interface_guide/vpn_dashboard/#global-options-of-vpn-client) and enable **Block Non-VPN Traffic**.
* Test that the VPN is configured properly with the [Mullvad connection check](https://mullvad.net/en/check) or [IVPN status](https://www.ivpn.net/) using the Unsafe Browser.
* Test that the VPN is configured properly with the [Mullvad connection check](https://mullvad.net/en/check) or [IVPN status](https://www.ivpn.net/knowledgebase/privacy/how-do-i-know-when-iandsharp039m-protected-by-ivpn/) using the Unsafe Browser.
* If you will be connecting to the router via an ethernet cable to the LAN port (Local Area Network, i.e. your home network), also test that.
* Verify that the router [firmware is set to automatically update](https://docs.gl-inet.com/router/en/4/interface_guide/firmware_upgrade/).
## Using the router
* On Tails, connect to the router via Wi-Fi with "Geologic-5G" or via ethernet to a LAN port (this will also use the "Private" VLAN). The network traffic from your Tails laptop now connects to a VPN *before* connecting to Tor.
* On other devices, connect to "Geologic-5G" if there is no VPN client app running on the device, and "Symphony-5G" if there is.
* Connect to the router via Wi-Fi with "Geologic-5G" or via ethernet to a LAN port. The network traffic from your laptop or phone now connects to a VPN, even though there is no VPN running on your laptop or phone.
* In the case of Tails or Qubes-Whonix, this means that you now connect to the VPN *before* connecting to Tor, which is what we want.
* It's unnecessary to "double up" a VPN — if its running on your networking device, it doesn't need to be running on your phone or laptop, and vice-versa. This means that a phone or laptop running a VPN should disable it before connecting to Wi-Fi configured with a "VPN Kill Switch".
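Review bot: the setup steps verify that the tunnel is up but never verify the kill switch itself, and the updated IVPN link looks mangled. After "Block Non-VPN Traffic" is enabled, add a step that stops the WireGuard client in the VPN Dashboard (or unplugs the WAN side) and confirms a LAN client can no longer reach the Internet at all, DNS included; the Mullvad connection check and IVPN status page only prove the positive case, and the same negative test should be repeated over the ethernet LAN port that the following bullet asks the reader to test. The IVPN knowledgebase URL contains "iandsharp039m", which is "I'm" with an HTML entity (&#039;) pushed through the slug a second time; confirm the link resolves or replace it with the article's current address. In the per-VLAN variant ("Policy Mode: Based on the VLAN"), check on the Guest Wi-Fi that traffic still passes with "Block Non-VPN Traffic" enabled and on the Private Wi-Fi that it is dropped when the tunnel is down, since the text assumes the block applies only to the VPN-policy VLAN; the SSIDs "Geologic-5G" and "Symphony-5G" are also used here without being introduced in this hunk, so make sure the earlier section that defines them survives the change. Typo: "if its running on your networking device" should be "it's".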