Risks accessing internet via public hotspot

Greetings,

I consider using OpenWRT to access internet via a public hotspot and would like to know if there are risks of getting compromised and how to mitigate it?

With public hotspot I mean a more or less public Wi-Fi network like in a hotel, maybe without encryption. My guess is that I need a VPN and I found two articles in the OpenWRT user guide which may be helpful in this context...

Connect to client Wi-Fi network

OpenVPN client with LuCi web GUI

Are these two articles enough or do I need additional hardening when using public hotspots?

Most VPN providers seem to offer .ovpn configuration files, do I have to consider anything special regarding the content of the configuration file?

My goal is that there is no traffic outside the encrypted VPN tunnel so that no attacker can reach my computer through the unencrypted Wi-Fi. There may be exceptions when I trigger a firmware upgrade from CLI, but does OpenWRT do something like "calling home" without my knowledge?

Best regards
Don

Welcome.

Using VPN is certainly good, but I must add that even if you don't use a VPN, using your own router to connect to a public WiFi is still better than not using a router at all.

Nothing is 100% is risk-free. Though, with up-to-date software and proper setup, including a kill switch, you should be reasonably safe.

You might want to look into WireGuard.

You make sure that in your firewall zone, nothing goes from LAN to WAN. It goes through VPN instead.

Only to the time server, as far as I know.

4 Likes

Having your own router for untrusted networks is actually a good idea to protect your other devices. By default, any current version of OpenWrt (18.06.8, 19.07.3) should be up-to-date with security patches and the default firewall will protect the device itself as well as your 'downstream' clients. Being on a public network (hotel, cafe, etc.) is no different than being on a normal public IP address on the internet (say at your home). The protection offered by a firewall (and the slight obscurity offered by NAT for IPv4) is generally recommended when it is an option and practical. Having your own travel router also has the benefit of a consistent, private, and secure network to which your devices connect and share resources. For example, you can have a laptop, tablet and phone connected without having to configure individually every time you go to a new location -- just update the connection to the internet on your travel router and you're good to go (check out TravelMate).

You can optionally add VPN connectivity to your OpenWrt travel router so that all traffic from your router is encrypted between your network and the other VPN endpoint (commercial or your own VPN somewhere).

4 Likes

Hello,

Thank you for your help, with kill switch I associate an application developed by the VPN provider to detect and prevent leaks. I guess that the firewall settings in the VPN user guide achive the same by just dropping all invalid packets?

Ok, I have to do some research since I never heard from most of the encryption, authentication and hashing standards. :slightly_smiling_face: But WireGuard seems to be the better protocol at all, even when not all VPN provider support it.

I guess the implemented NTP uses no security at all. The default NTP config (*.openwrt.pool.ntp.org) may reveal an attacker that I use OpenWRT. Would it help to use other time servers?

Thank you for your help, I checked the OpenWrt Security Advisories and it seems that there was a big vulnerability in Opkg that allowed infection of .ipk files by MITM for a long time. Of course an attacker needs excellent hacking skills and it's not clear how many people did know that vulnerability at all, but arbitrary MITM attacks in a unencrypted Wi-Fi should be rather easy compared with arbitrary MITM attacks behind a wired WAN interface. At least when the packages are downloaded without SSL via HTTP.

Thank you for your tip, I will take a look at Travelmate package.

This would only matter if you were using the opkg system to install a package while connected to a compromised network (which is unlikely in general). if you don’t actively install software when on an untrusted network, the vulnerability shouldn’t even matter (to the best of my knowledge, opkg doesn’t do any background tasks or connections unless called by the user). And I think (but could be wrong) that this is no longer an issue based on the package signing system in place.

1 Like

hi @airship and welcome to the forum. consider looking into travelmate and wireguard. wireguard is a lot faster than openvpn.

1 Like

I don't think so. I believe it's easier to hack into other devices from the same network or sniff data as man-in-the-middle for example. Also it can be easier to hack the router /AP from within (i.e. The LAN side) and go from there to sniffing the packets, especially when we have no idea how secure that public AP is or how strong the management password is.

Resedential Public IPs, on the other hand, have their own disadvantage of being fixed, making the router continuously available at the same IP for extended time, allowing time for lengthy attacks.

So each have their problems, yes, but there is a lot more unknown in the case of accessing a public AP.

I would argue that adding a travel router between a public wifi network and your devices can only increase your overall security, although as @mhegab points out, there are still some risks/vectors of attack.

A malicious person/system on the public network as the victim could certainly perform MITM and/or sniffing attacks, for sure. I would agree that this type of attack is much more likely on public wifi than on a home connection where it is harder to sniff or MITM unless the hacker has also penetrated the ISP's network. While the threat of MITM/sniffing attacks are not entirely solved for internet activities, the devices behind the travel router would at least be able to share data with each other without exposure to the upstream attacks thanks to the NAT+firewall. Internet related attacks could still be an issue, with the addition of a VPN on the travel router, I think this becomes essentially moot.