Advice on Privacy and Security Options in OpenWrt

I'm interested in hardening my home network from a privacy and security standpoint. I recently added stubby for DNS over TLS to a low end mt7620a 8/64MB device and am under the impression that DNS over HTTPS was another option. If I understand correctly, if I add a VPN, encrypted DNS would be superfluous because all traffic would be encrypted. Would a VPN work transparently on my low end router and if not, what hardware would be recommended?

It also occurred to me that a FAQ on Privacy and Security Options would be helpful and that this thread could serve as a starting point. Any other privacy/security features to look at? How capable should the hardware be?

I don't understand meaning 'transparently'. If you configure VPN-client on router correctly, all traffic will go via it.

I should have been more specific. By transparent I mean no increase in latency (example requesting DNS resolution) or rate of processing content (system load with full encryption).

It will likely not be transparent. VPN providers and ISPs can vary wildly with the addition (or lack thereof) of latency when using a VPN.

But you will likely see an increase in latency and a reduction in download speed of your connection. For instance, if you had a 100mb connection, now the router has to encrypt all of that traffic on the VPN at wire speed. This will have a penalty of latency and reduced bandwidth on lower end routers.

Wireguard allows for full transparency, since the VPN is from the Interface level rather than Application level.

It depends on how crazy you want to be and who you are hiding your activities from. If it's just your ISP, then the VPN out and a third-part DNS is enough and putting it on your router will cover the entire network.

Have a look at bcp38 http://bcp38.info/
You can install bcp38 and the luci-app-bcp38 package in openwrt.Bcp38 configuration

Additional encryption and abstraction layers always increase latency.
Whether it is significant or not, depends on your use case, hardware, VPN type, ISP and VPN provider.

1 Like

This is a good point, by using a vpn your ISP does not really see your traffic anymore, but now your VPN provider sees it all. Not all VPN providers appear equally trustworthy to me, but then, the same applies to ISPs.
Also note that often using your ISP's DNS servers gives you access to closer by (lower latency, higher speed) CDN nodes, at the cost of revealing all DNS queries....

3 Likes

Again, it's who do you trust.. Google maintains public DNS (8.8.8.8/8.8.4.4), but they are going to mine the data.. As long as you know, understand, and agree to this, they are about as fast as you are going to get..

Cloudflare (1.1.1.1) has a history of adhering to privacy practices.

They aren't :slight_smile: You also get what you pay for. If you don't pay for the VPN service, they are making their money somehow. Internet isn't any cheaper for a business than a residential (usually far more expensive). Some VPN services state a no-logging policy, others have proved it by not being able to produce said logs under court compulsion.

If you are hiding from your significant other, that's one thing. If you are dodging court monitoring, that's something else.

2 Likes

That is what one hopes, but there are believable reports, that for example for Deutsche Telekom the ISP's DNS servers resolve google addresses to better connected paths/servers, than 8.8.8.8 or 1.1.1.1, probably because those DNS servers are setup with intimate knowledge about the involved differential routing and can avoid accessing Google via transit paths (access to DT's network via transit is notoriously choppy, like with similar eye-ball networks, they accept choppy links with the other T1-ISPs to incentivize content providers to buy direct peering/transit from DT, but I digress).

Well, yes, but I would naively assume that in both cases TOR might be the better answer... VPN IMHO is really just a solution if the ISP is suspicious or as a way to implement one's own network engineering to avoid one's ISP overloaded links to other important networks...

2 Likes

Initially, I used the DNS resolver at my ISP and decreased the latency of DNS resolution by setting Cloudflare and Google in my WAN. I pinged each server to test and 1.1.1.1 and 8.8.4.4 were about 55msec and 8.8.8.8 was, in my area, was a little slower. My ISP DNS resolver was about 80% slower.

Thinking about it, the ISP's actually have a financial incentive to slow down your dns resolution. A speed test will show the ISP is meeting the promised connection speed but in practice, content with html links to graphics (instagram, twitter, facebook) will slow down. That slow down translates to more bandwidth to other subscribers in oversold areas while an intact speed test keeps you from complaining.

As mentioned, I added stubby with cloudflare's DNS over TLS and in spite of the end-to-end encryption, my sense is the DNS resolution is faster than my ISP. I was thinking about a VPN but was looking at my meager hardware.

I'm not sure a slightly slower DNS resolution time, especially when results are subsequently cached locally, would have a significant impact on the overall bandwidth availability within an ISP. The slower time is probably more down to Cloudflare and Google investing in better hardware for their resolvers.

What are your upload/download speeds?

1 Like

3.55Mbps/0.66Mbps just now. I'm in the Pacifc Northwest with all the smoke/fires. On a good day I can get 4.9/ 0.9.

I know this is relatively poor, some of my neighbors on the same ISP get 2.6 down. I put some effort into pulling CAT5E for a home run connection. I also think that slower DNS resolution has an increased impact the slower the overall bandwidth.

Your current hardware should be sufficient to run a VPN at your current up/down speeds.

It looks like OpenVPN is Free for up to 3 connections:
https://openvpn.net/cloud-vpn/pricing/

I'm taking that my "hardware should be sufficient ..." to mean that my connection is so slow that end-to-end encryption will not be a bottleneck. :thinking:

My Trendnet TEW-810DR has not been backported and I have a Debian 10 Build environment. Looks like it is time to fire it up and build with the OpenVPN packages. Unless there is advice to the contrary, I'm going to follow this guide:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

I might be wrong, but I think the 'Cloud VPN' option is to assist in creating private networks between remote sites and/or sites and devices. It's not for connecting to the internet. Googling 'VPN providers' should get you plenty of results but there's generally a cost element.

Pretty much.

I, personally, use PIA, but I believe that Mozilla is now offering a VPN service, and they are usually good about privacy.

I think a VPN is overrated when SSL is practically in use everywhere. The only reasons you should need it are 1) corporate networks while working from home, 2) using Netflix or similar from another country to get different shows, 3) escaping the great firewall of a country. 2 and 3 may be unethical, but people do use them for that reason.

Cloud flare for DNS probably is an ok bet. Mozilla partnered with them and they both have a great privacy record.

Make sure uPnP is off, WAN access for management, etc., use a good hard password for the login.

It depends on the ISP/country.
Generally, the less they know about your traffic, the better for you.
You cannot bypass DPI with just SSL.
VPN is now one of the basic needs for internet access in some places.
It can also help access remote home network or escape traffic shaping.

Where do you live to think that censorship and government propaganda are ethical?

2 Likes

Pardon, unethical? As far as I can see these might be illegal, but I see no ethical issue with either trying to avoid the great firewall, or ignoring the fact that content providers assume that they can optimize their profits by sub-licensing their content for different areas for different prices (this is a way to circumvent the "free market" as mechanism for optimal resource allocation that should make the blood boil of all free-market proponents, but typically such shenanigans are simply silently accepted, but I digress).

EDIT: Please note, that I do not claim that all uses of VPNs are ethical either (just as not all uses are illegal), so like many other things/methods VPN's can be used to do unethical things, my point really is that legal and ethical are not identical sets...

2 Likes