Privacy by-Default/Failsafe Configuration - Especially Concerning ISP Tracking

I think I am getting close to finally pulling the trigger on switching my router to OpenWRT, but before I do, I want to make sure I know how to have it set up first and foremost for maximum privacy; after all, it is not as though privacy can be put back in the bottle after the fact.

My "threat" model (assuming I am using the terminology correctly) is I think best summarised by the scenario of taking my router to my neighbour's house (if he uses the same ISP), plugging it in as his router, and the ISP having no possible way of identifying that any hardware (router, or ideally devices as well) on his connexion was previously on mine.

From what I have read, I think I mainly need to have the hardware and OS image set up to randomise all unique identifiers on boot; things like:

  • MAC
  • DUID
  • /var/lib/dbus/machine-id
  • /etc/machine-id
  • hostname? (is this visible on WAN interface?)

These seem to be the main sources of persistent identification across reboots.

If I am missing anything similar to these or otherwise a concern please tell me.
For an example of how serious I am about this: I plan to null out the external facing MAC in the NAND factory config area, so that in case I somehow break/rename/delete the config file or it gets accidentally reset during an update, my router will always be forced to default to privacy (MAC randomisation at boot).

Likewise, I may just leave IPv6 off at first until I get a better sense of the privacy implications of IPv6, and how to prevent downstream devices from leaking unique information—frankly, from what I have read about IPv6: from the use of MAC addresses in certain IPv6 address modes, the addition of more unique IDs (DUID) than there were before (MAC), the frequent utter dismissal of any benefits of NAT in many discussions surrounding IPv6, to the lack of privacy options in its initial design, I am skeptical of how I could ever trust IPv6.

Less serious, but still a privacy/security consideration; I want to have the DNS server on the router force all DNS traffic into a DNS-over-TLS tunnel. Basically, my ISP should never see an unencrypted DNS request, except if a request is needed to bootstrap the TLS handshake for DoT.

Also, if there are any suggestions on how the router could ban downstream devices from using IPv6 anti-privacy address generation methods, like those which keep the same suffix between networks or literally include the device's own MAC in the suffix, that too would be appreciated.

Some additional plans that are less privacy related, maybe best answered in a future thread:
  • Store config changes, etc. on USB flash drive to avoid NAND wear, especially if keeping logs
  • 802.1x and WPA-Enterprise, maybe I could test this on a separate SSID?
  • Packet inspection; being able to temporarily send a copy of traffic to another device for analysis in Wireshark
    • Ex: Logging all local IPv6 addresses included in external traffic, to get a sense of what the ISP sees
  • DNSCrypt, in case I want to resolve via OpenNIC; fewer servers there support DoT

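An added example, not code from the thread, of the boot-time WAN MAC randomisation the opening post asks for, written for OpenWrt's BusyBox ash (plain POSIX sh). It assumes the ISP-facing interface is the UCI interface `network.wan` and that `macaddr` is honoured there; on newer releases the option sits on the matching `device` section instead, so adjust the path for your release.

```sh
#!/bin/sh
# Boot-time WAN MAC randomisation for an OpenWrt router (added example, not
# from the thread). Generates a random, unicast, locally-administered MAC so
# the ISP-facing address changes on every boot and carries no vendor OUI.
# Assumptions: WAN is UCI interface "network.wan" and "macaddr" is honoured
# there (newer releases keep it on the matching "device" section instead).

# Print a random MAC with the locally-administered bit set and the
# unicast bit clear in the first octet (second hex digit 2, 6, a or e).
random_mac() {
    hex=$(head -c 6 /dev/urandom | od -An -tx1 | tr -d ' \n')
    first=$(printf '%s' "$hex" | cut -c1-2)
    rest=$(printf '%s' "$hex" | cut -c3-12)
    first=$(printf '%02x' $(( (0x$first | 0x02) & 0xfe )))
    printf '%s\n' "$first$rest" | sed 's/../&:/g; s/:$//'
}

# Return 0 if $1 is a well-formed lowercase MAC that is both unicast and
# locally administered, i.e. one that cannot be matched to a vendor OUI.
is_private_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    first=${1%%:*}
    [ $(( 0x$first & 0x03 )) -eq 2 ]
}

# Apply a fresh MAC to the WAN interface and reload the network. The UCI
# calls only run where the OpenWrt tools exist; the new MAC is printed so
# the change can be logged. Invoke from /etc/rc.local with "--apply".
apply_wan_mac() {
    mac=$(random_mac)
    is_private_mac "$mac" || return 1
    if command -v uci >/dev/null 2>&1; then
        uci set network.wan.macaddr="$mac"
        uci commit network
        /etc/init.d/network reload
    fi
    printf '%s\n' "$mac"
}

if [ "${1:-}" = "--apply" ]; then
    apply_wan_mac
fi
```

Because the address is regenerated rather than read back from flash, the value written to UCI is overwritten on every boot, which is what makes the setting fail safe rather than a one-off change.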

ISP tracking? I bet the ISP can use your login/password to track you even if you buy a new router every day. I think you have a lot of misconceptions about Internet privacy.

Not all ISPs use login/password (that is PPPoE, right?); as far as I can tell, ISPs in my area are just issuing IP addresses via DHCP; a different MAC results in a new IP.

My point is that the only identifying information I want the ISP to have from my devices is which physical interface the last switch/router before mine sent the packets down, so as to give out the least amount of identifiable information about my hardware possible.


Please post output of

ubus call system board

Does not sound serious to assume dbus is somehow default.

Well, humor me and list the benefits of NAT and then ask yourself why you assume that you could not use NAT66 if you truly are convinced that NAT really solves a real security issue...
For what it is worth, here are my 2 cents:
a) you need an externally visible identifier of sufficient stability for the internet to work, so your network is already identified.
b) the real security in traditional NAPT setups is the stateful firewall, not the IP address and port remappings.
c) IPv6 privacy extensions solve quite a number of your implied concerns in a principled fashion.

Next, look at device fingerprinting and then ask yourself how you can pass your "silently replace the neighbour's router" test given your neighbour might have an arbitrary router...

What prevents someone from using your cable (even by mistake)?

Typically the fact that they would need to physically tap someone else's line... (note this only works for link layers that are non-shared, so DSL will work, so will AON, but DOCSIS/cable or the PONs will not; in these cases the ISP needs an identifiable CPE).
That said, over here some ISPs actually allow PPPoE connections without user name and password by having the edge router inject the line-ID and matching the user based on the known line-ID.

Why not? It's not that hard. My neighbor is on vacation and I just tap into his wire...

Because tapping someone else's line is a) effort, b) prohibited by law. Quite a lot of things that are frowned upon/prohibited are not "technically hard".

How is that different from:

?

Careful, these are two different things: if he carries his router around to his neighbour to fool the ISP, having the password/username is not the issue; after all, he does not aim to steal his neighbour's service. If he also clones the neighbour's modem MAC address, the next level will be to recreate the same externally observable fingerprint of the router. And then he needs to make sure that none of the machines behind that router are identifiable.