EEVblog® Electronics Community Forum

Products => Computers => Security => Topic started by: EEVblog on July 05, 2025, 01:31:02 am

Title: Hardware Router VPN
Post by: EEVblog on July 05, 2025, 01:31:02 am
I want to set up a hardware (router) based VPN at the lab and at home (plus my Android phone).
What do I need?

I know I could just get any of the dozen software based VPN's that are advertised constantly, but I think that having hardware just do it at the router level is way cooler.
I presume my phone will need one of those software options though.

My home router supports OpenVPN and PPTP
https://www.tp-link.com/us/user-guides/Archer-AX6000_V1/chapter-11-vpn-server#ug-sub-title-1

My lab router is an old TP-Link C1200 and Google Gemini seems to think it's capable of using OpenVPN via tplinkwifi.net?  :-//

I also have my dedicated server in the US, so can potentially set up a VPN via that server box I presume?

I asked this on Twitter and Linus himself responded with their video:
https://www.youtube.com/watch?v=St-Itlk0W50
Title: Re: Hardware Router VPN
Post by: Halcyon on July 05, 2025, 03:59:45 am
OpenVPN would be the way to go, it can be a little fiddly to set up initially, but it's very well supported across multiple platforms.

Are you looking to establish a point-to-point VPN so the two networks are connected, or do you just want to be able to remote into one or the other from your devices, as required? Are you wanting to use the gear you already have, or are you open to new hardware?

Feel free to shoot me an email, happy to help.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 05, 2025, 04:24:09 am
OpenVPN would be the way to go, it can be a little fiddly to set up initially, but it's very well supported across multiple platforms.
Are you looking to establish a point-to-point VPN so the two networks are connected, or do you just want to be able to remote into one or the other from your devices, as required? Are you wanting to use the gear you already have, or are you open to new hardware?

Don't really need to connect the two networks, as I don't have that at the moment, but it might be handy to access my NAS at the lab from home.
Happy to buy new routers if needed, although my AX6000 at home is very nice in terms of WiFi range, which I need to have.
My only goal is to have an IP address on all machines at home and the lab (plus phone) that is not Australia.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 05, 2025, 05:04:30 am
Not a good start with OpenVPN
Tried to sign up, didn't send the code but sent an email saying to finish setup, and the password doesn't work  :--
EDIT: worked after restarting the login a third time
EDIT2: Ran the supplied command on my dedicated server box but there were errors. Penguin support called.
Title: Re: Hardware Router VPN
Post by: abeyer on July 05, 2025, 05:23:09 am
My only goal is to have an IP address on all machines at home and the lab (plus phone) that is not Australia.

imho, if that's the main goal, then the vpn services are actually a pretty good option. They know their customers rely on them for that and will work to keep their IP addresses "clean" if they want to keep customers. Rolling your own vpn is great for point-to-point or even mesh setups among your own networks/devices, but relying on an ip assigned from some datacenter or cloud provider on your gateway node tends to make for a bad experience on a lot of sites/services.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 05, 2025, 05:25:03 am
My only goal is to have an IP address on all machines at home and the lab (plus phone) that is not Australia.
imho, if that's the main goal, then the vpn services are actually a pretty good option. They know their customers rely on them for that and will work to keep their IP addresses "clean" if they want to keep customers. Rolling your own vpn is great for point-to-point or even mesh setups among your own networks/devices, but relying on an ip assigned from some datacenter or cloud provider on your gateway node tends to make for a bad experience on a lot of sites/services.

Well, I have three dedicated bare metal boxes that run this site and other things, so I figured I might as well try that first and get some experience with this stuff.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 05, 2025, 05:28:19 am
Just found out my router with OpenVPN support is not the required client access type I need.
New WiFi routers I guess, or an additional box before my existing routers?
Title: Re: Hardware Router VPN
Post by: Halcyon on July 05, 2025, 05:34:22 am
I'm not familiar with these third-party VPN services like what TP link are doing. Usually the server is hosted on the router itself, and you just connect back to your home IP address. But TP Link might be doing some kind of Dynamic DNS type stuff, especially if you don't have a static public IP address at both ends. CG-NAT might also cause problems (as you can't connect directly to the WAN IP address on your router).

If you're looking to build a new router, pfSense is my recommendation. Runs on normal Intel-based hardware. Supports Wireguard as well.

But then this opens the question, what kind of internet connections do you have? FTTP is the easiest to work with as it's just Ethernet out of the NTD. If it's FTTN, you need a modem. You *could* double-NAT, but I don't recommend it. Do it once, do it properly.

Personally, this is one of those things where I like to be on-site, see your existing set up, talk it through, rather than going back/forth via messages. There is more than one way to do this, but what is right for you depends on several things.
Title: Re: Hardware Router VPN
Post by: gnif on July 05, 2025, 05:35:08 am
OpenVPN doesn't require any kind of payment/registration to use it, it's FOSS and can be set up for free, we actually already use it to manage the EEVBlog servers over a secure tunnel.

One thing that nobody is saying in the video, is that the DIY VPNs come with access limitations too. Many sites and services such as banking, and most things behind CloudFlare proxies will reject or flag your connection as suspicious if you're coming from an IP that belongs to a major data centre. This can be a real hassle.

Point to point VPN setups to connect your lab to the home make sense, but for general daily browsing it has little to no benefit.

If you're looking to use a VPN to bypass network restrictions imposed by the AU government, it's far simpler to just change your local system to use a DNS server such as 8.8.8.8 (Google) to avoid the poisoned records the AU government mandates our ISPs must respond with for blacklisted/blocked websites. With the global adoption of SSL (HTTPS), this is the only viable way these sites can be restricted by a government without resorting to filtering on the scale of the Great Firewall of China. And before someone states IPs can be blocked, yes, they can, but that's becoming extremely ineffective with the number of sites using reverse proxy services (i.e., CloudFlare) where blocking the IP would also block many thousands of other websites too.

Edit: I also agree, use pfSense for your home and office gateways instead of the ISP provided router's inbuilt software. Unless you're paying for a Cisco class router, any VPN client software in your router will be very primitive/basic or proprietary.
Title: Re: Hardware Router VPN
Post by: gnif on July 05, 2025, 05:54:35 am
FTTP is the easiest to work with as it's just Ethernet out of the NTD.

Just FYI, I have FTTP via TPGTelecom on a business plan and it still requires PPPoE for authentication.
Title: Re: Hardware Router VPN
Post by: Whales on July 05, 2025, 06:01:56 am
Question: Is the following what you are envisaging?

All devices on LAN A accessing any website -> router A -> VPN tunnel -> server B -> rest of internet

Router A = some SOHO router you already own
Server B = some VPS overseas on a static IP


Some problems to be aware of that you might encounter:

(1) SOHO routers with "OpenVPN" support often don't let you edit the OpenVPN, routing & NAT configs directly yourself (because that's complicated and they want to shield you from that), so you are stuck with whatever config they thought you might want.  Sometimes they only support a config designed for external internet devices (eg mobile phone on mobile broadband) to pretend they are inside your LAN, eg so you can check your LAN security cameras on your mobile phone whilst across the country.  This is not the config I describe above and so is probably not what you want.  YMMV, depends on the device and vendor.

(2) SOHO routers with "OpenVPN" support tend to ship outdated versions or (in one case I encountered) delete their OpenVPN support after a couple of years because it's easier than supporting it.  I had a customer call me up to tell me his VPN stopped working, I had a look at his router and discovered the feature was magically gone.  Turns out his router had auto-updated its firmware and the vendor had removed it because of security issues.


If you pay an external provider then your need to configure things & deal with the frustrating complexity of computer networks is heavily reduced.  If you do it all yourself then it's best to get help from a friend for the first time, a second set of eyes can point out lots of things.  +1 that this is hard to advise on using only text over the internet, there are dozens of small back-and-forth questions that will probably need answering.

N.B. As a backup plan, if your SOHO router's software ends up infuriating you:
(1) Set up an old computer on your LAN as the VPN gateway.  Put it on a static IP and tell it to use the router as its gateway.  Any Linux distro will work, whatever is easiest.
(2) Change the DHCP config on your router so that it tells everyone on your network to use that old computer as the gateway out.
Title: Re: Hardware Router VPN
Post by: bingo600 on July 05, 2025, 06:10:33 am
Warning ... Security/Network nerd alert below.

My suggestion would be to:
With Halcyon's blessing  ;D - He'd have to help setting the 'senses up.

I could help here (If pfSense) .... But the time diff could be somewhat "challenging".

0:
If possible at all ... Get a "Static/Fixed" ip address on your Home internet connection.
Else setup some kind of DynDNS registration, if you're not behind CGNAT.

1:
Get two pfSense/OPNsense capable "x86 boxes" w. Intel netcards.
Maybe some low-power N100 like these  - 8G RAM / 128G disk would be sufficient:
https://www.aliexpress.com/item/1005006427348753.html

Use those as Internet routers.
Will give you much better "Firewall protection" , and "great" OpenVPN possibilities.
Both OpenVPN "Dial-in" and Lan-to-Lan (L2L) / Site-to-Site (S2S) capabilities.


2:
If you're happy with your current WiFi ...
Convert your current WiFi units to access points, instead of routers.
Quite easy .... Primarily disable the DHCP server, and just "drop" the WAN ports on those.


Make all OpenVPN server & clients certificate based:
pfSense cert mgmt. & OpenVPN Client exporter makes it quite easy.
Root (CA) certificates: minimum 10yr lifetime.
L2L certificates I'd also make 10yr lifetime.

Dial-in (RoadWarrior) certs I'd make 2yr lifetime.

Since you can make firewall rules per OpenVPN instance (interface) , i'd run several OpenVPN instances.

For the L2L connection :
Make the "home" firewall OpenVPN Server , and the "Lab firewall" OpenVPN Client (connection initiator).
On Home: Route Lab lans towards the "remote" OpenVPN gateway.
On Client:  (Lab) route "Home Lans" towards the "remote" OpenVPN gateway ... Will allow Inet traffic, to exit locally on Lab inet.

For the dial-in connection(s):
I chose to make 3 OpenVPN Server instances for "dial-in":
ADM      - Practically no firewall limits  (Dave mode)
INT       - Internal trusted users
EXT      - External untrusted users.

I use both Certs  & uid/pwd VPN login.
Certs are for verifying i trust the client , uid/pwd is for verifying that it's the correct user.

I just have dial-in on my home fwall, and just use the L2L to access the summerhouse.

This is somewhat how i have been running my home/summerhouse setup for 10+ years.


I would do just about anything to NOT run a TP-Link (or D-Link or ....) box with "original" firmware as my directly internet connected device.
They all have some nasty track records.


NB:
Now is the time to think about Vlan enabling your network.  >:D
If you think Vlan's into the design now, your (firewall) life would be soo much easier, going forward.

1Gb manageable switches are cheap...
I like the D-Link DGS-1210 (fanless) series, and the DGS-1100-08 ($50) for small satellites (tv-bench) etc ....



Edit:
Remember to set your OpenVPN Certs w the right properties.
Server needs the server property ticked ....



Edit2:
I use "OpenVPN Connect" on my Apple devices
https://apps.apple.com/us/app/openvpn-connect/id590379981

Just "Export" the pfSense OpenVPN def file - e-mail it to the phone , and import it .... done
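The post above ends with the two things that bite people most often with certificate-based OpenVPN: a server certificate exported without the "server" property (the serverAuth extended key usage), and certificates issued with lifetimes nobody tracks. The script below is an added example, not code from the thread or from pfSense's certificate manager: it uses only the openssl CLI (1.1.1 or newer, for `-addext`) to generate throwaway demo certificates and then checks each one for the role-matching EKU and a minimum remaining validity. The file names, the demo CN and the lifetimes are constructed for the demo and mirror the 10yr/2yr split the post suggests.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): check an OpenVPN certificate
# for the properties the post above insists on. Needs only the openssl CLI
# (1.1.1+ for -addext). Demo certificates are generated on the fly.
set -eu

# check_cert CERT MIN_DAYS ROLE
#   ROLE is "server" or "client". Returns 0 if the cert carries the matching
#   extendedKeyUsage and will not expire within MIN_DAYS, 1 if the EKU is
#   missing (the "server property" was not ticked), 2 if it expires too soon.
check_cert() {
  cert="$1"; min_days="$2"; role="$3"
  case "$role" in
    server) want='TLS Web Server Authentication' ;;
    client) want='TLS Web Client Authentication' ;;
    *) echo "unknown role: $role" >&2; return 3 ;;
  esac
  # The EKU value is printed on the line after the "Extended Key Usage" header.
  if ! openssl x509 -in "$cert" -noout -text \
       | grep -A1 'Extended Key Usage' | grep -q "$want"; then
    echo "FAIL: $cert lacks the $role EKU" >&2
    return 1
  fi
  # -checkend exits non-zero if the cert expires within the given seconds.
  if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
    echo "FAIL: $cert expires within $min_days days" >&2
    return 2
  fi
  echo "OK: $cert is a $role cert valid for at least $min_days days"
}

# make_demo_cert OUT DAYS [EKU]  -- throwaway self-signed cert, demo use only.
# Without the EKU argument the cert gets no extendedKeyUsage at all, which is
# exactly what an "unticked" server certificate looks like.
make_demo_cert() {
  out="$1"; days="$2"; eku="${3:-}"
  set -- req -x509 -newkey rsa:2048 -nodes -subj /CN=demo -days "$days" \
         -keyout "${out%.pem}.key" -out "$out"
  if [ -n "$eku" ]; then
    openssl "$@" -addext "extendedKeyUsage=$eku" >/dev/null 2>&1
  else
    openssl "$@" >/dev/null 2>&1
  fi
}

# Constructed demo material in a scratch directory.
DEMO_DIR="$(mktemp -d)"
make_demo_cert "$DEMO_DIR/server.pem"      3650 serverAuth   # 10yr, server property set
make_demo_cert "$DEMO_DIR/roadwarrior.pem"  730 clientAuth   # 2yr dial-in client cert
make_demo_cert "$DEMO_DIR/wrong.pem"       3650              # "server" cert with no EKU
make_demo_cert "$DEMO_DIR/stale.pem"         20 serverAuth   # server cert about to expire

# Demo run: each check is allowed to fail so the script shows all four verdicts.
check_cert "$DEMO_DIR/server.pem"      365 server || :
check_cert "$DEMO_DIR/roadwarrior.pem" 365 client || :
check_cert "$DEMO_DIR/wrong.pem"       365 server || :
check_cert "$DEMO_DIR/stale.pem"       365 server || :
```

Run it against the certificates exported from pfSense (or any other CA) to catch a server certificate that lacks serverAuth before a client with `remote-cert-tls server` refuses it, and schedule it with a comfortable MIN_DAYS so a 2yr road-warrior certificate is renewed before the phone silently stops connecting.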
Title: Re: Hardware Router VPN
Post by: EEVblog on July 05, 2025, 06:16:36 am
But then this opens the question, what kind of internet connections do you have? FTTP is the easiest to work with as it's just Ethernet out of the NTD. If it's FTTN, you need a modem. You *could* double-NAT, but I don't recommend it. Do it once, do it properly.

I have FTTP at the lab going into my Archer C1200 WiFi router (then into a 16 way switch that goes everywhere)
Home is Telstra cable NBN into an AX6000 WiFi router
Title: Re: Hardware Router VPN
Post by: gnif on July 05, 2025, 06:20:08 am
But then this opens the question, what kind of internet connections do you have? FTTP is the easiest to work with as it's just Ethernet out of the NTD. If it's FTTN, you need a modem. You *could* double-NAT, but I don't recommend it. Do it once, do it properly.

I have FTTP at the lab going into my Archer C1200 WiFi router (then into a 16 way switch that goes everywhere)
Home is Telstra cable NBN into an AX6000 WiFi router

The next question then is, do you have a real IP at either location or are you on CGNAT (https://en.wikipedia.org/wiki/Carrier-grade_NAT)? Unless you specifically required a real IP, most broadband plans in AU give you CGNAT where your router also has a private IP and doesn't get even a dynamic real IP address. In which case double-NAT would become triple-NAT, which is even worse.
Title: Re: Hardware Router VPN
Post by: bingo600 on July 05, 2025, 06:22:18 am
The El' Cheapo method would be two of these
https://www.aliexpress.com/item/1005007298039666.html

I have two of these , but "just" use them as "dumb AP's" WiFi-6 AX1800
Draws 12v ~300mA ...

They can be converted to run stock OpenWRT latest (24.10.2) - They come w. some "other" OpenWRT ... I'd never trust.
Only thing not working on "stock openWRT" is the Box LED ... Ether leds do work.

On home :
Port-forward the OpenVPN port you want, from the AX6000 to the OpenWRT box.

On lab:
You could do the same , or even replace the 1200 w. the EDUP.


OpenWRT is quite capable wrt. OpenVPN.


I have no idea what they can forward w. OpenVPN Encryption - Guestimate .... 50Mbit maybe
But as a "pure" Internet box , they can almost forward the full 1Gb, if you enable hw nat
Hint .... They use same SoC as the Ubi ER-X router


Edit:
The Stock OpenWRT mixes up the LAN ports ...
Phys     Owrt
3          1
2          2
1          3

So once converted , use phys Lan3  as "Lan1"
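The site-to-site layout bingo600 described two posts up (home firewall as the OpenVPN server, lab firewall as the client that initiates, each side routing the other's LAN into the tunnel, internet traffic still leaving via the local WAN) and the port-forward arrangement in this post, written out as plain OpenVPN configuration. This is an added example, not from the thread and not a pfSense export: the LAN ranges 192.168.10.0/24 (home) and 192.168.20.0/24 (lab), the 10.9.0.0/29 tunnel subnet, port 1195, the hostname and all file paths are assumptions for illustration.

```conf
# Added example (not from the thread or pfSense). Addresses, port, hostname and
# paths are assumed for illustration. Requires OpenVPN 2.5+ (data-ciphers).

### Home side: /etc/openvpn/server/l2l-lab.conf (OpenVPN server instance)
# A dedicated instance for the L2L link, on its own port, so it gets its own
# tun interface and therefore its own firewall ruleset. Forward UDP/1195 from
# the AX6000 to this box if it sits behind it.
dev tun
proto udp
port 1195
# Tunnel subnet handed out to L2L peers (assumed)
server 10.9.0.0 255.255.255.248
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/home.crt
key  /etc/openvpn/home.key
# ECDH only, no static DH parameters
dh none
# Encrypt and authenticate the control channel; same key on both sides
tls-crypt /etc/openvpn/l2l.key
# The lab's certificate must carry the client EKU; no cert, no connection
remote-cert-tls client
verify-client-cert require
data-ciphers AES-256-GCM:CHACHA20-POLY1305
# Lab LAN is reachable through the tunnel: kernel route plus the OpenVPN-internal
# route (iroute) in the per-client file below.
route 192.168.20.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
# Tell the lab which networks live at home. Deliberately no redirect-gateway:
# the lab's internet traffic keeps exiting via the lab's own WAN.
push "route 192.168.10.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun

### Home side: /etc/openvpn/ccd/lab
# File name must equal the CN of the lab certificate (assumed "lab").
iroute 192.168.20.0 255.255.255.0

### Lab side: /etc/openvpn/client/l2l-home.conf (connection initiator)
client
dev tun
proto udp
# Home static IP or DynDNS name (assumed)
remote home.example.invalid 1195
nobind
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/lab.crt
key  /etc/openvpn/lab.key
tls-crypt /etc/openvpn/l2l.key
# Refuse to talk to a peer whose certificate lacks the server EKU
# (the "server property" from the earlier post)
remote-cert-tls server
data-ciphers AES-256-GCM:CHACHA20-POLY1305
keepalive 10 60
persist-key
persist-tun
```

The two things to check once it is up: `ip route` on each side should show the other LAN via the tun interface and the default route untouched, and the firewall rules on the L2L tun interface should allow only what the sites actually need between each other rather than "any to any".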
Title: Re: Hardware Router VPN
Post by: Halcyon on July 05, 2025, 06:50:19 am
Just to add into the mix of things... You mentioned you would like to access your NAS. I assume you're using normal Windows/Samba/SMB shares? If so, latency will be a killer here. SMB is a very "chatty" protocol and high latency links will absolutely demolish your speeds to these shares, unless you can keep latency to a minimum (this means, no sending data via an overseas VPS).

I have a site-to-site VPN set up between my home network and a mate in the USA. I mostly use SMB internally, but even browsing the folder structure on an SMB share over that link (which has about a 200ms latency) is unacceptably slow. It takes something like 30 seconds every time you want to change folders. Then the transfer speed itself absolutely sucks. It's not designed for these kinds of links, even if you have a lot of bandwidth (I'm on 500 Mbps this end, he is on Gigabit).

We mostly use SSH/SFTP to transfer files.

Honestly, if you can find a way to use something like pfSense on at least one end (that acts as a VPN server), then I think you'll be sweet. But replacing your existing all-in-one router with something like a pfSense box then means you need to look at how you're going to get WiFi. The quick and dirty way would be to use your existing router as the WiFi access point (disable all the routing functions etc... and just use it as a switch). The proper way would be to look at dedicated WiFi access points, which usually only come in "enterprise" flavours (Ubiquiti, HP/Aruba, Cisco etc...)

Ultimately, it comes down to what equipment do you already have that can be repurposed and how much do you want to spend.
Title: Re: Hardware Router VPN
Post by: bingo600 on July 05, 2025, 07:20:18 am
you need to look at how you're going to get WiFi. The quick and dirty way would be to use your existing router as the WiFi access point (disable all the routing functions etc... and just use it as a switch). The proper way would be to look at dedicated WiFi access points, which usually only come in "enterprise" flavours (Ubiquiti, HP/Aruba, Cisco etc...)

Ultimately, it comes down to what equipment do you already have that can be repurposed and how much do you want to spend.

For home usage (If the wifi-box fw is trustworthy ... WPA2(3) / AES-CCM ... No bugs) , I see no reason to switch to "real" enterprise AP's, if you're on a tight budget.
My suggestion would be give them a go'.
After all - The TP-links wo. wan/routing & dhcp server is also "just" "A few WiFi radios bridged to an ethernet interface (switch)"

I'm using Cisco C2702I (autonomous fw) as my main AP's, but just installed two of the EL-cheapo's (EDUP routers) above w. Stock OpenWRT, as dumb L2 AP's.
They will be serving my IoT WiFi vlan, as i don't want the Radio slowdown of an ESPxx - To affect my main WiFi radios.

The EDUP's are performing quite well, and draw less than half power of a Cisco.

But i do agree that UBI's or Cisco's or Aruba's are nice, but also usually "expensive" & power hungry for a home user.
And i doubt our "great master" would need the extended number of user connections, that an enterprise AP offers.

Title: Re: Hardware Router VPN
Post by: Smokey on July 05, 2025, 07:22:45 am
I've been running wireguard on Asus router hardware for a while now.  Works great.
Title: Re: Hardware Router VPN
Post by: Halcyon on July 05, 2025, 09:22:10 am
you need to look at how you're going to get WiFi. The quick and dirty way would be to use your existing router as the WiFi access point (disable all the routing functions etc... and just use it as a switch). The proper way would be to look at dedicated WiFi access points, which usually only come in "enterprise" flavours (Ubiquiti, HP/Aruba, Cisco etc...)

Ultimately, it comes down to what equipment do you already have that can be repurposed and how much do you want to spend.

For home usage (If the wifi-box fw is trustworthy ... WPA2(3) / AES-CCM ... No bugs) , I see no reason to switch to "real" enterprise AP's, if you're on a tight budget.
My suggestion would be give them a go'.

Definitely a worthy contender for those playing along at home, but I'm also kind of catering to Dave's request. Ubiquiti is very affordable stuff, but it does require know-how to get set up (not as much as Cisco stuff). I use it at home, not because it can handle 200+ clients, but because it's fast, the coverage is excellent, it's highly configurable, and it works extraordinarily well overall.

I'm sure Dave could easily claim the cost of this equipment back as a business expense, and depreciate it accordingly. People at home buying this kind of equipment (depending on their occupation) might find it difficult claiming this stuff back on tax.
Title: Re: Hardware Router VPN
Post by: JohanH on July 05, 2025, 09:44:27 am
Ten years ago I would have recommended Ubiquiti as router and firewall, but they have gone to the cloud now. Still running the trusty Erlite-3, and I haven't found a good replacement yet. It's still good for 1Gbit/s (hardware ASIC routing). Maybe Mikrotik, they are pretty much the only vendor for affordable, real routers. Eyeing their L009, but I don't really need speeds faster than 1Gbit.

Having separate wifi access points gives better flexibility. I prefer having the router in its own cabinet and distributing the access points around the house for better coverage. And when the router/firewall is a separate appliance, you can get the device that fits your needs, without having the wifi network in the equation.
Title: Re: Hardware Router VPN
Post by: bingo600 on July 05, 2025, 10:07:49 am
I'm sure Dave could easily claim the cost of this equipment back as a business expense, and depreciate it accordingly. People at home buying this kind of equipment (depending on their occupation) might find it difficult claiming this stuff back on tax.

I'm using Ubi AP-AC-Pro's at work, they're nice, and not as power hungry as the Cisco's.
The "Real" PoE feature is nice if you want to put several up.
I think they make some "better" wifi6 AP's today.

I run the  UBI Controller on a VM Deb-12, "mongodb" was the challenge there.


Being able to deduct the cost, ... I'd love to do that too  :-\
It would certainly help the budget.

My main priority would be to get the 'sense boxes first, for the security they offer.
And then have a look at the WiFi later, if i'm not satisfied w. the boxes i already have.


Title: Re: Hardware Router VPN
Post by: bingo600 on July 05, 2025, 10:13:12 am
Still running the trusty Erlite-3, and I haven't found a good replacement yet. It's still good for 1Gbit/s (hardware ASIC routing).

Why not an x86 and pfSense/OPNsense ??
pfSense just got a new 2.8 release , so i hope there's still some future with the free CE edition.

pfSense 2.8.0 is still quite new "freshly released" , i'd install 2.7.2 and wait a bit of time before upgrading to 2.8.
Note: Always install the pfSense System_Patches package, in order to get/pull "inbetween release ... patches"


Do you use VRF's ? ... Then i'd look at Vyos


Just converted my "old" ER-X to OpenWRT latest ... Just because i could, and that it hasn't seen updates in a long time.
just using it for test setup's today.

Title: Re: Hardware Router VPN
Post by: EEVblog on July 05, 2025, 10:15:29 am
The next question then is, do you have a real IP at either location or are you on CGNAT (https://en.wikipedia.org/wiki/Carrier-grade_NAT)? Unless you specifically required a real IP, most broadband plans in AU give you CGNAT where your router also has a private IP and doesn't get even a dynamic real IP address. In which case double-NAT would become triple-NAT, which is even worse.

I have a static IP at the office through AussieBB, the same one you set up the backup server with.

Home is with Exetel which seems to be carrier grade NAT, but it gives me an opt-out option:
Title: Re: Hardware Router VPN
Post by: JohanH on July 05, 2025, 10:30:16 am
Why not an x86 and pfSense/OPNsense ??
pfSense just got a new 2.8 release , so i hope there's still some future with the free CE edition.

Do you use VRF's ? ... Then i'd look at Vyos


Just converted my "old" ER-X to OpenWRT latest ... Just because i could, and that it hasn't seen updates in a long time.
just using it for test setup's today.

I got this small 1 litre Thinkcentre with that in mind, to run VyOS (just because I like the command line and it's similar to the Vyatta based EdgeOS). Ended up running xcp-ng and virtualizing a few applications. Could as well run the router/firewall on the same box, but I'd rather not. Prefer the router to be a separate appliance. The ERlite-3 has had pretty much 100% uptime. I'm sure if I begin tinkering, there would be downtime. So I guess I'll run the Erlite-3 until it breaks down. You can still get the Edgerouter ER-4 new, but OS updates are a concern. OpenWRT isn't bad, but do you retain the hardware routing capabilities (pretty much useless on this old hardware otherwise)?
Title: Re: Hardware Router VPN
Post by: bingo600 on July 05, 2025, 10:37:58 am
OpenWRT isn't bad, but do you retain the hardware routing capabilities (pretty much useless on this old hardware otherwise)?
I can enable HW nat on my OpenWRT ER-X, so performance is the same as on EdgeOS.
Maybe they do the same for the lite-3.

In fact ER-X performance is better than on EdgeOS... One of the "Gurus" made a Linux connect hw trick on the ER-X (non SFP model).
He was able to "software" connect the WAN port directly to the CPU , and not via the switch chip.
That removed the "total combined up/down bw. 1Gb max" limit that the switch imposes.
Now you are able to do approx 1.6 Gb combined.

Edit:
I totally agree with not virtualizing my main router.
Imagine my "ear pain" if my "most important customer ... SWMBO" lost Netflix or FB for a longer period of time.
Especially if it was caused by an unnecessary complicated setup, that i made my self :scared:



Are we drifting off-topic here or ... ?
Title: Re: Hardware Router VPN
Post by: jc101 on July 05, 2025, 11:00:14 am
Ten years ago I would have recommended Ubiquiti as router and firewall, but they have gone to the cloud now.
How so?
All my Ubiquiti stuff runs entirely locally. There is one exception, which is their doorbell, that requires a (free) UI cloud login to enable push notifications to my phone. It is one of the reasons I like them.

You can enable a cloud login to act as an administrator, I do that for some charities I help out with. They have UniFi kit and I can get alerts to issues and make changes as needed for them via the cloud login. The cloud service acts as a proxy to their local on premise controller, confusingly called a cloud key or cloud gateway, despite not using the cloud for any of the configuration data. I could also VPN onto their LAN and do it "locally", either is fine.

I've recently moved back to using a UniFi router from a MikroTik, hard to ignore the performance of some of the new routers.
Title: Re: Hardware Router VPN
Post by: JohanH on July 05, 2025, 05:37:22 pm

How so?
All my Ubiquiti stuff runs entirely locally. There is one exception, which is their doorbell, that requires a (free) UI cloud login to enable push notifications to my phone. It is one of the reasons I like them.

You can enable a cloud login to act as an administrator, I do that for some charities I help out with. They have UniFi kit and I can get alerts to issues and make changes as needed for them via the cloud login. The cloud service acts as a proxy to their local on premise controller, confusingly called a cloud key or cloud gateway, despite not using the cloud for any of the configuration data. I could also VPN onto their LAN and do it "locally", either is fine.

I've recently moved back to using a UniFi router from a MikroTik, hard to ignore the performance of some of the new routers.

Maybe I have to take a look at their products again. There was a big debate when they started to ramp down the Edgemax devices, and the "cloud" devices received some criticism. And I realize it's quite some time ago. I see now that there are also cheaper models available. Such as maybe the Unifi Cloud gateway ultra. That was one example I found by a quick search.

Edit. I already found one downside. There is no way to add your own, or download existing dnsmasq blocklists on Unifi. That's too bad.
Title: Re: Hardware Router VPN
Post by: MarkusAJ on July 06, 2025, 12:33:49 am
I want to set up a hardware (router) based VPN at the lab and at home (plus my Android phone).
What do I need?

I know I could just get any of the dozen software based VPN's that are advertised constantly, but I think that having hardware just do it at the router level is way cooler.
I presume my phone will need one of those software options though.

My home router supports OpenVPN and PPTP

My lab router is an old TP-Link C1200 and Google Gemini seems to think it's capable using OpenVPN via tplinkwifi.net ?  :-//

I also have my dedicated server in the US, so can potentially set up a VPN via that server box I presume?


Dave, I would stay away from any of SOHO routers as front end to the Internet.
The AX6000 from TP-LINK may be a good AP choice at home, but I wouldn’t trust it as a router,
the AX6000 can be configured as AP only and link with decent router.

You should check pfSense and OPNsense. I didn't try OPNsense, but I have used pfSense since ~2011 as firewall for >10 mln users
(in peak hours > 3Gbs traffic), VPN p-2-p solution and as VPN server for warrior admin users.
Both solutions offer IP layer 2 routing and filtering.

As VPN protocol I suggest OpenVPN, or WireGuard.

Using pfSense, or OPNsense you could link all your locations over p-2-p of your choice
and access it from any place in the world using a VPN client.

pfSense (aka Netgate and formerly Electric Sheep Fencing, LLC) is offering appliances,
but the software is free and you could build your own using older, decommissioned hardware.

Link to pfSense: https://www.pfsense.org/
Link to OPNsense: https://opnsense.org/

Both are based on FreeBSD which in my opinion is best when it comes to the IP protocol.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 06, 2025, 08:57:18 am
Dave, I would stay away from any of SOHO routers as front end to the Internet.
The AX6000 from TP-LINK may be a good AP choice at home, but I wouldn’t trust it as a router,
the AX6000 can be configured as AP only and link with decent router.

Why?
Title: Re: Hardware Router VPN
Post by: MarkusAJ on July 06, 2025, 04:03:48 pm
Dave, I would stay away from any of SOHO routers as front end to the Internet.
The AX6000 from TP-LINK may be a good AP choice at home, but I wouldn’t trust it as a router,
the AX6000 can be configured as AP only and link with decent router.

Why?

I don't trust these manufacturers, below is a link to one of many examples
https://www.tomsguide.com/computing/malware-adware/thousands-of-tp-link-routers-have-been-infected-by-a-botnet-to-spread-malware

I've been working 30+ years in IT and maybe I'm a little bit paranoid, however not without a reason.

Helpful links:
https://www.securityweek.com/
https://thehackernews.com/
Title: Re: Hardware Router VPN
Post by: David Hess on July 06, 2025, 06:06:56 pm
I am not entirely clear what you want to accomplish.

You can link your home and office networks using a pair of almost any VPN routers, so machines on one side can see machines on the other side.  This will also allow your phone to call into your VPN router from anywhere and see everything.  This might be done with OpenVPN, or some other protocol.

I pay Cryptostorm to provide a VPN service over OpenVPN and Wireguard so that machines (or VMs) on my single network can access the internet as if they were somewhere else.  Cryptostorm also provides port forwarding from a routable IPv4 and IPv6 address for higher user ports even though I am behind several layers of NAT.  In case it is not clear, this also gives me full IPv6 access.

Now I have never gotten it to work, but the PFSense/OPNSense router that I use (1) should be able to connect to my VPN service and handle all of the routing to various VPN endpoints, so that my router decides which machines, or even applications, connect to which endpoints.  The problem here is just a matter of getting the configuration right.

I would not trust someone's dedicated router hardware to do this, or pretty much anything these days;  their firmware and support tends to be awful.  Whatever you do, I would recommend x86 hardware running PFSense or OPNSense.  Network appliance type of x86 hardware is available for this, but you could start out with a decommissioned PC that has a couple of extra network ports installed.  Netgate has small routers preinstalled with PFSense which will definitely do anything you need.  Micro

There are VPN providers which will sell/rent a fixed IP to you if you want a fully routable endpoint that will accept any incoming connections, but I am not sure if that is what you are looking for, and it is more expensive.  I remember when getting a static IP over a VPN did not have an additional cost.

(1) PCEngines apu4 - Unfortunately discontinued, but Netgate has similar x86 hardware at higher cost but probably with better support.
Title: Re: Hardware Router VPN
Post by: madires on July 06, 2025, 07:19:58 pm
My only goal is to have an IP address on all machines at home and the lab (plus phone) that is not Australia.

That would be a NAT service, usually miscalled a VPN service. That's basically a VPN connection to a NAT server somewhere around the globe supplying you with a different outbound IP address. The original (real) VPN service is something completely different. It's meant to establish a private (encrypted) virtual link between two or more sites over the public internet, or between a mobile device and a central site. There are also different forms via leased lines and ISP services. The goal is to connect the sites or mobile devices to access or share internal network services safely.

Regarding TP-Link routers, I'd also recommend staying away from them, or running OpenWrt if supported. TP-Link has a bad security track record (as bad as D-Link).
Title: Re: Hardware Router VPN
Post by: bingo600 on July 07, 2025, 11:02:34 am
Too much Off topic ...
removed


Title: Re: Hardware Router VPN
Post by: gnif on July 07, 2025, 11:28:09 am
Finally got some time to respond here properly

@EEVBlog, there is no such thing as a "hardware VPN" device, in years gone by there was when it was important to offload the VPN workload to a hardware device to accelerate the encryption, but these days there is no advantage to using a "hardware" device. They are all embedded Linux devices running VPN client software.

If anything there is a very very good reason to avoid them, which is outdated software and vulnerabilities. Unless you're spending big for an enterprise grade device with a support contract, they are not worth touching. You're better served recycling an old PC and installing pfSense or similar which will not only be practically free, but cutting edge and maintainable. Your recycled PC becomes your "hardware VPN" device with more power than any cheapo TP-Link like device.

In the past I have used Wyse Thin Clients for this purpose (they are just embedded PCs in a small form factor), pfSense sings along on them very well and can easily cope with the traffic for most small to medium sized businesses (think, 25+ users).  The only downside here is they usually only have one Ethernet port, which can be limiting and confuse new users on how it could still be viable (i.e., VLANs).

If you're willing to spend a bit of cash on something decent, there are fully integrated industrial PCs on AliExpress that are absolutely perfect for this, for example:
https://www.aliexpress.com/item/1005008165245304.html (https://www.aliexpress.com/item/1005008165245304.html)
[attach=1]
Title: Re: Hardware Router VPN
Post by: Halcyon on July 07, 2025, 12:27:33 pm
Ten years ago I would have recommended Ubiquiti as router and firewall, but they have gone to the cloud now.
How so?
All my Ubiquiti stuff runs entirely locally. There is one exception, which is their doorbell, that requires a (free) UI cloud login to enable push notifications to my phone. It is one of the reasons I like them.

You can enable a cloud login to act as an administrator, I do that for some charities I help out with. They have UniFi kit and I can get alerts to issues and make changes as needed for them via the cloud login. The cloud service acts as a proxy to their local on premise controller, confusingly called a cloud key or cloud gateway, despite not using the cloud for any of the configuration data. I could also VPN onto their LAN and do it "locally", either is fine.

I've recently moved back to using a UniFi router from a MikroTik, hard to ignore the performance of some of the new routers.

Seconded. I just use a self-hosted controller. There are cloud options too.
Title: Re: Hardware Router VPN
Post by: 5U4GB on July 07, 2025, 12:42:39 pm
If you're looking to build a new router, pfSense is my recommendation. Runs on normal Intel-based hardware. Supports Wireguard as well.

pfSense used to be the go-to solution but it's slowly becoming... not enshittified as such but just stagnating somewhat as it focuses on commercial use, while OpnSense has improved markedly in the last few years and has overtaken pfSense in terms of functionality and user community.  I'd also go with WireGuard, overall a better protocol and widely supported.

If you just want an out-of-the-box solution rather than wet-nursing yet another bit of IT gear I can recommend Firewallas, a lot of overlap with the *Sense feature set but you get complete control of things via a phone app, really useful when you can just pull out your phone to deal with any network issue.  This also makes it a lot easier to manage than having to hand-configure rulesets and similar in *Sense.
Title: Re: Hardware Router VPN
Post by: 5U4GB on July 07, 2025, 12:45:59 pm
Dave, I would stay away from any of SOHO routers as front end to the Internet.
The AX6000 from TP-LINK may be a good AP choice at home, but I wouldn’t trust it as a router,
the AX6000 can be configured as AP only and link with decent router.

Why?

They're a perpetual vulnerability engine.  Google $router-brand + "vulnerability" to see all the horror stories.  And they're typically never patched or fixed via press release, "oh, that's gone out of support in the two weeks since it was released, you'll have to buy a new model and see if that fixes it".
Title: Re: Hardware Router VPN
Post by: Bicurico on July 07, 2025, 09:43:32 pm
I gave up on VPN.
Many networks filter VPN connections: I can't access via Starlink or 4G/5G. At the Uni VPN stopped working, too.
OpenVPN didn't work on all devices and was a pain to set up.
Nowadays I just access the remote computer via RustDesk and do everything in the respective network from this computer. Using a Tapo internet outlet I can switch the computer on/off remotely. Files are shared via WeTransfer.
Works well for me and I just stopped using VPN.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 12:59:15 am
Dave, I would stay away from any of SOHO routers as front end to the Internet.
The AX6000 from TP-LINK may be a good AP choice at home, but I wouldn’t trust it as a router,
the AX6000 can be configured as AP only and link with decent router.
Why?
They're a perpetual vulnerability engine.  Google $router-brand + "vulnerability" to see all the horror stories.  And they're typically never patched or fixed via press release, "oh, that's gone out of support in the two weeks since it was released, you'll have to buy a new model and see if that fixes it".

Wouldn't that be the same for every router, ever? At some point it's going to get discontinued for support.
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 01:03:01 am
Dave, I would stay away from any of SOHO routers as front end to the Internet.
The AX6000 from TP-LINK may be a good AP choice at home, but I wouldn’t trust it as a router,
the AX6000 can be configured as AP only and link with decent router.
Why?
They're a perpetual vulnerability engine.  Google $router-brand + "vulnerability" to see all the horror stories.  And they're typically never patched or fixed via press release, "oh, that's gone out of support in the two weeks since it was released, you'll have to buy a new model and see if that fixes it".

Wouldn't that be the same for every router, ever? At some point it's going to get discontinued for support.

Often though even ones with support when vulnerabilities are discovered are not updated/patched to fix them.

This is why in any situation where you actually care about the security of your network, you avoid these. Use a little industrial computer instead that you can update without relying on the vendor to do the right thing.

Edit: I literally built this out of recycled crap over the last few days to provide VPN access to my corporate workstations. Fully custom setup though (arch, iproute2, openconnect, etc) as I have some very specific routing requirements that no out of the box solution would solve for me.
[attach=1]
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 01:05:23 am
Finally got some time to respond here properly

@EEVBlog, there is no such thing as a "hardware VPN" device, in years gone by there was when it was important to offload the VPN workload to a hardware device to accelerate the encryption, but these days there is no advantage to using a "hardware" device. They are all embedded Linux devices running VPN client software.

If anything there is a very very good reason to avoid them, which is outdated software and vulnerabilities. Unless you're spending big for an enterprise grade device with a support contract, they are not worth touching. You're better served recycling an old PC and installing pfSense or similar which will not only be practically free, but cutting edge and maintainable. Your recycled PC becomes your "hardware VPN" device with more power than any cheapo TP-Link like device.

In the past I have used Wyse Thin Clients for this purpose (they are just embedded PCs in a small form factor), pfSense sings along on them very well and can easily cope with the traffic for most small to medium sized businesses (think, 25+ users).  The only downside here is they usually only have one Ethernet port, which can be limiting and confuse new users on how it could still be viable (i.e., VLANs).

If you're willing to spend a bit of cash on something decent, there are fully integrated industrial PCs on AliExpress that are absolutely perfect for this, for example:
https://www.aliexpress.com/item/1005008165245304.html (https://www.aliexpress.com/item/1005008165245304.html)
(Attachment Link)

Thanks. I've got several of those new Beelink mini PC's sitting doing nothing, and they have dual ethernet ports.
So I just install pfSense and insert inline between my NBN modem and my router and that's it?
So I have to subscribe to pfSense and pay US$0.08/hr? That's almost US$60/month, or US$120/month for home and work. Seems pricey?
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 01:10:39 am
Finally got some time to respond here properly

@EEVBlog, there is no such thing as a "hardware VPN" device, in years gone by there was when it was important to offload the VPN workload to a hardware device to accelerate the encryption, but these days there is no advantage to using a "hardware" device. They are all embedded Linux devices running VPN client software.

If anything there is a very very good reason to avoid them, which is outdated software and vulnerabilities. Unless you're spending big for an enterprise grade device with a support contract, they are not worth touching. You're better served recycling an old PC and installing pfSense or similar which will not only be practically free, but cutting edge and maintainable. Your recycled PC becomes your "hardware VPN" device with more power than any cheapo TP-Link like device.

In the past I have used Wyse Thin Clients for this purpose (they are just embedded PCs in a small form factor), pfSense sings along on them very well and can easily cope with the traffic for most small to medium sized businesses (think, 25+ users).  The only downside here is they usually only have one Ethernet port, which can be limiting and confuse new users on how it could still be viable (i.e., VLANs).

If you're willing to spend a bit of cash on something decent, there are fully integrated industrial PCs on AliExpress that are absolutely perfect for this, for example:
https://www.aliexpress.com/item/1005008165245304.html (https://www.aliexpress.com/item/1005008165245304.html)
(Attachment Link)

Thanks. I've got several of those new Beelink mini PC's sitting doing nothing, and they have dual ethernet ports.
So I just install pfSense and insert inline between my NBN modem and my router and that's it?
So I have to subscribe to pfSense and pay US$0.08/hr? That's almost US$60/month, or US$120/month for home and work. Seems pricey?

You don't have to pay a dime for pfSense, only if you want support.

And yes, just put it in between, there will be some configuration required. Ideally you would put the router into "Bridge Mode" too if you can, this way the pfSense box becomes the router, and the NBN modem/router just becomes a dumb modem. You will need the authentication details from your ISP for this though as you will need to put them into pfSense.

I recommend you don't change your network at all initially, put pfSense on it, treat your LAN as if it's the WAN, and put a PC/Laptop on the new "LAN" interface for testing/configuring/verification, etc.

If I were closer I'd come and give you a hand, doing this for the first time can be quite a chore as it's a pretty steep learning curve. If I were you, I'd take up @Halcyon on his offer for help.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 01:17:56 am
Finally got some time to respond here properly

@EEVBlog, there is no such thing as a "hardware VPN" device, in years gone by there was when it was important to offload the VPN workload to a hardware device to accelerate the encryption, but these days there is no advantage to using a "hardware" device. They are all embedded Linux devices running VPN client software.

If anything there is a very very good reason to avoid them, which is outdated software and vulnerabilities. Unless you're spending big for an enterprise grade device with a support contract, they are not worth touching. You're better served recycling an old PC and installing pfSense or similar which will not only be practically free, but cutting edge and maintainable. Your recycled PC becomes your "hardware VPN" device with more power than any cheapo TP-Link like device.

In the past I have used Wyse Thin Clients for this purpose (they are just embedded PCs in a small form factor), pfSense sings along on them very well and can easily cope with the traffic for most small to medium sized businesses (think, 25+ users).  The only downside here is they usually only have one Ethernet port, which can be limiting and confuse new users on how it could still be viable (i.e., VLANs).

If you're willing to spend a bit of cash on something decent, there are fully integrated industrial PCs on AliExpress that are absolutely perfect for this, for example:
https://www.aliexpress.com/item/1005008165245304.html (https://www.aliexpress.com/item/1005008165245304.html)
(Attachment Link)

Thanks. I've got several of those new Beelink mini PC's sitting doing nothing, and they have dual ethernet ports.
So I just install pfSense and insert inline between my NBN modem and my router and that's it?
So I have to subscribe to pfSense and pay US$0.08/hr? That's almost US$60/month, or US$120/month for home and work. Seems pricey?

You don't have to pay a dime for pfSense, only if you want support.

And yes, just put it in between, there will be some configuration required. Ideally you would put the router into "Bridge Mode" too if you can, this way the pfSense box becomes the router, and the NBN modem/router just becomes a dumb modem. You will need the authentication details from your ISP for this though as you will need to put them into pfSense.

I recommend you don't change your network at all initially, put pfSense on it, treat your LAN as if it's the WAN, and put a PC/Laptop on the new "LAN" interface for testing/configuring/verification, etc.

If I were closer I'd come and give you a hand, doing this for the first time can be quite a chore as it's a pretty steep learning curve. If I were you, I'd take up @Halcyon on his offer for help.

Ah, got it, thanks.
I only have the one connection from the 4 port NBN modem to my WiFi router, the single output of which goes into a 24way switch which then connects everything.
Grok said pfSense has basic VPN capability built in? But can also be used with third party services like Nord, ExpressVPN etc? Which one should I go with?
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 01:25:02 am
Grok said if I want VPN capability I need to use one of the third part services like Nord, ExpressVPN etc?

pfSense has multiple VPN clients available to it and can connect to most of the offerings out there. It really depends on your usage requirements.

1) If you want to link your home to your lab, you need a corporate VPN service, or run your own, which is what I would do. In your office you'd set up pfSense to be a VPN server, not client.
2) If you are intending to route your traffic through another country for your entire network to bypass network/geo restrictions, you would need to use one of these services, or rent a VPS in one of these countries and set up a VPN server for your own usage.

If you set up your gateway to route your traffic via a VPN, this will affect every device on your LAN, not just your PC. Generally when you want to bypass a network/geo restriction you'd just use a VPN client on your own PC for that temporary session. Routing your entire network through a VPN service will slow things down considerably, no matter how fast they claim to be (remember, 200+ms from AU to US minimum).

For work I route through the AMD VPN, which is a top shelf service, no expenses spared (GlobalProtect Palo Alto Network), this routes via a VPN gateway in Sydney. On my gigabit FTTP connection without the VPN I achieve 980Mbit/s... via the VPN nearly 400Mbit/s, and this isn't being routed overseas. The impact can be very substantial even when there is no financial limit.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 01:37:01 am
pfSense has multiple VPN clients available to it and can connect to most of the offerings out there. It really depends on your usage requirements.
1) If you want to link your home to your lab, you need a corporate VPN service, or run your own, which is what I would do. In your office you'd set up pfSense to be a VPN server, not client.
2) If you are intending to route your traffic through another country for your entire network to bypass network/geo restrictions, you would need to use one of these services, or rent a VPS in one of these countries and set up a VPN server for your own usage.

If you set up your gateway to route your traffic via a VPN, this will affect every device on your LAN, not just your PC. Generally when you want to bypass a network/geo restriction you'd just use a VPN client on your own PC for that temporary session. Routing your entire network through a VPN service will slow things down considerably, no matter how fast they claim to be (remember, 200+ms from AU to US minimum).

I don't have much traffic apart from my Synology NAS backing up to the cloud.
No lab<>home access required right now, I just want my lab and home to "disappear" into another country 8)
I know it's easy to just run the normal VPN software, but I kinda like the idea of it "just working" on any PC I plug into or WiFi into the network.
I need it on my phone(s) too, so I'll just join one of the mainstream VPN services and I think they allow multiple PC access, so one paid VPN account for home, lab, and phones.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 01:44:47 am
Current lab setup.
Everything hangs off the switch in the lab, and a 2nd cascaded switch down in the dungeon which also has another Wifi hotspot and a few devices hanging off it.
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 01:47:34 am
Is that router ISP supplied, or one you threw in there?
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 01:53:59 am
I have to create a Netgate account to download pfSense? Urgh.
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 01:54:21 am
This is how I would do it, you should be able to configure the C1200 to be just a standard AP to bridge wireless clients onto the LAN. You'd need to disable its DHCP server and assign it a static IP address, that's all. pfSense would take over DHCP duties.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 01:54:39 am
Is that router ISP supplied, or one you threw in there?

An old one I threw in there.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 01:56:07 am
This is how I would do it, you should be able to configure the C1200 to be just a standard AP to bridge wireless clients onto the LAN. You'd need to disable its DHCP server and assign it a static IP address, that's all. pfSense would take over DHCP duties.

That makes sense, thanks.
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 01:56:44 am
Is that router ISP supplied, or one you threw in there?

An old one I threw in there.

Great, it won't be ISP locked down, you can use it for this still.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 02:02:09 am
So pfSense should provide me additional network security from disgruntled viewers ;D , as well as VPN capability through a third party service?
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 02:04:14 am
And much much more, pfSense is an enterprise level solution, you can do all kinds of magic with it.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 02:19:48 am
And much much more, pfSense is an enterprise level solution, you can do all kinds of magic with it.

I'm only a level 1 apprentice magician.

https://www.youtube.com/watch?v=GjEkYdsZ5R0 (https://www.youtube.com/watch?v=GjEkYdsZ5R0)
Title: Re: Hardware Router VPN
Post by: David Hess on July 08, 2025, 03:17:00 am
So pfSense should provide me additional network security from disgruntled viewers ;D , as well as VPN capability through a third party service?

Yes, PFSense will do everything you need.  OPNSense would work also.

Like I wrote earlier, I have not gotten my third party VPN service to terminate at my OPNSense router, but that is just a configuration problem on my side which I have not been able to figure out.  PFSense is more widely used so there is better documentation online.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 03:22:39 am
It's not going well...
Also, when installing, do I need the pfsense machine plugged directly into the NBN modem? I assumed so, so connect it to the modem direct.
I got to the install window where it asked me to select the WAN port and gave me the two ethernet port options, but both said "no carrier"
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 03:24:18 am
This is just the kernel being noisy, unfortunately it's corrupted the screen a bit. You should still be able to accept the license and proceed without issue.

"no carrier" just means there is nothing plugged into it
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 03:34:13 am
This is just the kernel being noisy, unfortunately it's corrupted the screen a bit. You should still be able to accept the license and proceed without issue.
"no carrier" just means there is nothing plugged into it

It's plugged into one of the ports of the NBN modem though?
The message keeps popping up all the way through the install process.
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 03:36:46 am
I wouldn't yet be putting it on the NBN modem, just plug it into your switch and don't modify your network. Treat the switch like it's the internet (WAN). Generally you do this and get it all configured and working before altering your working network.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 04:16:26 am
It's not seeing the netgate server, even after I reconnected to the LAN switch. Nothing seems to work...
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 04:24:54 am
It's not seeing the netgate server, even after I reconnected to the LAN switch. Nothing seems to work...

Got it working, somehow switching the ethernet port worked. Install in progress.
I have video of this, of course...
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 05:08:46 am
Well, that didn't work.
Everyone on X says use OPNsense?

https://www.youtube.com/watch?v=xkeJ7vXme2o (https://www.youtube.com/watch?v=xkeJ7vXme2o)
Title: Re: Hardware Router VPN
Post by: 5U4GB on July 08, 2025, 05:13:12 am
Wouldn't that be the same for every router, ever? At some point it's going to get discontinued for support.

Depends on the router.  Draytek support their gear more or less forever, I've received updates for thoroughly obsolete decade-old hardware from them.  TP-Link OTOH never release anything beyond the 1.0 firmware, and then re-release the hardware under the same name but another rev when there's too many problems with the first version.  The Firewalla gear I mentioned is now getting close to its ten-year anniversary and that's still actively supported.
Title: Re: Hardware Router VPN
Post by: 5U4GB on July 08, 2025, 05:15:56 am
Current lab setup.
Everything hangs off the switch in the lab, and a 2nd cascaded switch down in the dungeon which also has another Wifi hotspot and a few devices hanging off it.

Did anyone else look at that and say "Dongeon Switch?  Is that some Korean brand?".

Oh, and now try and unsee it...
Title: Re: Hardware Router VPN
Post by: 5U4GB on July 08, 2025, 05:16:59 am
I have to create a Netgate account to download pfSense? Urgh.

Just use OpnSense, see my earlier post on the two.
Title: Re: Hardware Router VPN
Post by: bingo600 on July 08, 2025, 05:25:34 am
I have to create a Netgate account to download pfSense? Urgh.

Mini intro to pfSense, versions and installer types.
Two or three years ago Netgate abandoned the "one image fits all" approach, and decided to make a Plus version that is subscription ($$) based.
The "fancy" features like hw acceleration etc. just go into the Plus version now.

The old free version was named CE (Community Edition).
Netgate stated they would still support the CE, but new fancy features for CE had to be community driven.
For home/SOHO users CE would mostly be adequate.


Plus
Subscription version w. limited install support - Has more features than the CE (free) version.
Supports some datacenter options (DCO), and gets updated more frequently than CE.

CE - Community Edition
Free, support via forum/friends.
Long time between new releases - Almost 2 years between 2.7.2 and the new 2.8.0.
AFAIK there have been no major security issues on the CE version in the two year period between releases (that couldn't be solved via System_Patches).
https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=pfsense&search_type=all&isCpeNameSearch=false

Always install the latest System_Patches package, and install the patches it suggests.


Install/Download:
In their (IMHO lack of) infinite wisdom Netgate has switched from a full downloadable install image
to an "installer image", that boots up an installer and requires registration and an online/internet connection to install the final version.
IMHO that is a BIG mistake.
But Netgate uses this way to install the PLUS version, and says CE has to follow the same way (no extra testing/cost).


Last full image DL
You can download the old "almost current" 2.7.2 CE edition here w/o registration.
https://atxfiles.netgate.com/mirror/downloads/

Always check the validity of any OS downloads, and especially firewall sw.

This is my saved sha256 for the 2.7.2 series for reference
Code:
2.7.2 sha256 sums

Memstick Serial
bc3ee3d82b8195387114a64c3398505f238a6cb5393ae9b2d45d1bf9408ed192

Memstick VGA
7c68b40c02f06f17146e2f1d5899e2f4a2bcfd98803f06fef8ecf3e2d0f63dcb

ISO
883fb7bc64fe548442ed007911341dd34e178449f8156ad65f7381a02b7cd9e4

You should not even trust my list above, but download both the xxxx.gz and the xxxx.gz.sha256 (sum file).
Now calculate the sha256sum of the downloaded xxxx.gz.

MS Win can do it with this built-in program.
Code:
certutil -hashfile xxxx.gz sha256
Compare the calculated sha256 with the value in the downloaded xxxx.gz.sha256 file.


The "old full image" downloadable installer came in 3 flavours (see above).
memstick = USB stick image.

memstick ... VGA based installer - You have a screen/kbd attached to the PC
memstick serial ... serial based installer - You have a serial connection to the box
ISO ... requires a CD/DVD drive

pfSense is FreeBSD, and can sometimes be picky w. hw.
Especially "netcards" ... FreeBSD drivers (pfSense) "love" Intel netcards.
Pre 2.6.x - Using Realtek was a painful experience ... Even "don't".


Upgrading pfSense:
pfSense has a nice reputation of being able to import an older configuration, and convert it to current w/o any issues.
That makes it easy to e.g. download the 2.7.2 "full image" and upgrade to current 2.8.0 (online).

Downgrade is not (officially) supported.
Using a newer config (like from Plus) on an older version (like CE) is not guaranteed to work.

I'm still considering a switch to OPNsense, which would offer the same features (maybe even Plus-like features too), and more frequent updates.
But they have previously (I checked two years ago) had some unfortunate updates that affected stability.
If the quality of the updates has been fixed, I will seriously reconsider...

But for now I have been staying with pfSense CE.
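The verification step described above (download xxxx.gz and xxxx.gz.sha256, hash the image, compare), as an added example that is not bingo600's code. It assumes a Unix shell with sha256sum or shasum, and goes a little beyond the single compare step by accepting both the GNU coreutils ("hash  name") and the BSD/FreeBSD ("SHA256 (name) = hash") sum-file layouts, since a FreeBSD-based project may ship either; file names are placeholders.

```shell
#!/bin/sh
# verify_sha256 <image> <sumfile>
# Added example, not from the post. Compares the SHA-256 of a downloaded image
# (e.g. xxxx.gz) with the digest in its companion xxxx.gz.sha256 file.
# Exit status: 0 = match, 1 = mismatch, 2 = missing/unparseable input.

# Print the lowercase hex SHA-256 digest of a file with whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Pull the expected digest out of the .sha256 file. Both layouts below carry
# exactly one 64-hex-char token, so we grab the first such token and lowercase it:
#   GNU:  bc3ee3...ed192  pfSense-CE-memstick-serial.img.gz
#   BSD:  SHA256 (pfSense-CE-memstick-serial.img.gz) = bc3ee3...ed192
expected_sha256() {
    grep -oE '[0-9A-Fa-f]{64}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

verify_sha256() {
    image=$1
    sumfile=$2
    if [ ! -f "$image" ] || [ ! -f "$sumfile" ]; then
        echo "verify_sha256: missing image or sum file" >&2
        return 2
    fi
    want=$(expected_sha256 "$sumfile")
    if [ -z "$want" ]; then
        echo "verify_sha256: no SHA-256 digest found in $sumfile" >&2
        return 2
    fi
    have=$(sha256_of "$image")
    if [ "$have" = "$want" ]; then
        echo "OK: $image matches $sumfile"
        return 0
    fi
    # A mismatch means a corrupt or altered download: do not install it.
    echo "MISMATCH: $image" >&2
    echo "  expected: $want" >&2
    echo "  got:      $have" >&2
    return 1
}

# Usage when run directly: ./verify.sh pfSense-xxxx.img.gz pfSense-xxxx.img.gz.sha256
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
fi
```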


Title: Re: Hardware Router VPN
Post by: bingo600 on July 08, 2025, 05:28:25 am
IMHO pfSense 2.8.0 is still too "fresh off the press".
I'd use 2.7.2 and the "full installer" (memstick VGA), and wait for 2.8.0 to become 2.8.1 or whatever fix release they make.
Make the boot stick w. BalenaEtcher, or your favourite stick creator sw.


BTW:
You should use ZFS as the filesystem, even if just having one drive.
Much more robust (against power failures).


And your MOST important (GUI) command in pfSense is (backup config):
Diagnostics --> Backup & Restore --> "Download Configuration as XML"
See attached picture.

Once you can fall back to a working config, even the worst crash/FSCK'up is just:
Install pfSense again, restore backup ... Done.


Edit:
pfSense vs OPNsense would right now depend on what type your best friend is able to help you out with ...

If OPNsense, then go for it.
But as I read responses here, it still seems like you'd get most answers from pfSense users.


Remember the "engine" on the two is much alike ...
But the instrument panel (GUI) is quite different.



Lawrence Systems makes some nice pfSense videos on YT:
https://www.youtube.com/watch?v=bjr0rm93uVA (https://www.youtube.com/watch?v=bjr0rm93uVA)
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 06:13:59 am
So much for OPNsense

https://www.youtube.com/watch?v=3trzaw6P3A8 (https://www.youtube.com/watch?v=3trzaw6P3A8)
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 06:19:46 am
I'm tempted to just give up, it likely isn't worth my time.
What is the dumbest arse easiest way to get a box between my NBN modem and my switch so that everything on my network goes through a third-party VPN?
Title: Re: Hardware Router VPN
Post by: bingo600 on July 08, 2025, 06:24:37 am
Don't worry so much about the ACPI errors, usually they're minor , and just powersaving related.

Test if your box/login works.

Connect a pc to the "Lan" of the 'sense
do you get a dhcp ip ?
'sense is usually on 192.168.1.1


I can see you have realtek netcards , by the interface re names.
my guess is that re0 is wan , and re1 is lan
Title: Re: Hardware Router VPN
Post by: JohanH on July 08, 2025, 06:26:52 am
I've never used *BSD, but couldn't you just ignore those ACPI errors and login anyway? The kernel output just hides the command line and the system seems to have booted. Or is it supposed to start a GUI automatically? I think I've seen ACPI errors on Linux a long time ago (must be 15-20 years ago) when some hardware wasn't fully supported and it still worked just fine.

Edit. Of course, you are supposed to connect with a browser and configure it. You should just have tried that and ignored the console.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 06:32:44 am
Don't worry so much about the ACPI errors, usually they're minor , and just powersaving related.
Test if your box/login works.
Connect a pc to the "Lan" of the 'sense
do you get a dhcp ip ?
'sense is usually on 192.168.1.1

Nope, nothing. Same on 192.168.0.124 it said the WAN is on.
Login with both Installer and Root with a blank password doesn't work.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 06:37:06 am
password was opnsense
installing now, I think...
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 06:43:19 am
Install worked correctly, rebooted, running.
192.168.1.1 it told me to use does not work.
Screw this, I wasted best part of a day on this, I'm out.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 07:33:50 am
Installed pfsense again, set up WAN and LAN ports correctly, still nothing on 192.168.1.1 or 192.168.0.141
So installed new pfsense between the NBN modem and the router hoping it would "just work", but nothing again on either of those addresses.
Title: Re: Hardware Router VPN
Post by: bingo600 on July 08, 2025, 08:02:02 am
Install worked correctly, rebooted, running.
192.168.1.1 it told me to use does not work.
Screw this, I wasted best part of a day on this, I'm out.

And you are connecting from a PC (or switch) connected directly to the fwall lan-port ?
Do you get a 192.168.1.x DHCP ip addy ??

Wan would NOT answer (show any login webpage) on any ip's as default (it's a firewall)


I think the default login on pfSense is :
admin/pfsense
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 09:08:03 am
@EEVblog if you have or can obtain a KVM over IP device i'd be happy to schedule a time to help you get this setup.
Ie: https://pikvm.org/

Otherwise you really need a good understanding of networking to do what you want here, this is not trivial.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 09:34:23 am
@EEVblog if you have or can obtain a KVM over IP device i'd be happy to schedule a time to help you get this setup.
Ie: https://pikvm.org/
Otherwise you really need a good understanding of networking to do what you want here, this is not trivial.

Thanks, so I'm beginning to realise.

What's the easy option then, apart from installing the usual Surfshark/Express/whatevershill VPN software on every machine?
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 09:36:43 am
This is basically it.

I could preconfigure a box that put whatever is behind it onto a VPN for you, but you'd need to source a device and provide the VPN details for the service you want to use. This though would result in double nat which ideally you want to avoid if possible.
Title: Re: Hardware Router VPN
Post by: bingo600 on July 08, 2025, 09:40:10 am
What's the easy option then, apart from installing the usual Surfshark/Express/whatevershill VPN software on every machine?

It's Network and Security.
If doing it right : There is unfortunately no "easy option"

Btw:
These KVMs seem to be popular ATM - Get the full version.
https://www.aliexpress.com/item/1005004825413332.html? (https://www.aliexpress.com/item/1005004825413332.html?)

DON'T connect them directly to the internet ....
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 09:42:14 am
What's the easy option then, apart from installing the usual Surfshark/Express/whatevershill VPN software on every machine?
It's Network and Security.
If doing it right There is unfortunately no "easy option"

Millions of people just use Surfshark etc. Am I just dumb for thinking it would be at least relatively easy to do this with a router that supports said VPN service so it automatically does the whole house/lab?
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 09:47:03 am
Surfshark supports both WireGuard and OpenVPN clients; if you configure a router correctly that supports these, yes, it is possible. I can't stress enough though how bad an idea this is. Those "millions of people" just connect each PC directly, not via a router.

Another thing to note... Contrary to what providers say, pretty much everything you do today is encrypted with "military grade encryption". With a decent gateway you can enforce encrypted DNS too, making your activity on the Internet completely illegible to an attacker. VPN services are overrated.
Title: Re: Hardware Router VPN
Post by: bingo600 on July 08, 2025, 09:50:42 am
Millions of people just use Surfshark etc. Am I just dumb for thinking it would be at least relatively easy to do this with a router that supports said VPN service so it automatically does the whole house/lab?
That might be easier doable, but is just one of your requirements/wishes.

Doing it right would be (according to your statements):
Increase security w. a 'sense firewall - Well not a statement ... But imho needed
Making a L2L VPN between House & Lab
Making a "secure dial-in" VPN from "anywhere" to House & Lab
Making a VLAN & WiFi SSID, that when connected to - Would exit "somewhere" in the world using the VPN provider you subscribe to.

Title: Re: Hardware Router VPN
Post by: 5U4GB on July 08, 2025, 09:51:28 am
I'm tempted to just give up, it likely isn't worth my time.

Find a networking geek and offer to solder up their Arduino gadget for them in exchange for them setting up a VPN for you? :-).

I do think the Beelink is the problem though, they've been tested to work with all the OSes around, Windows 10 20H1, Windows 10 20H2, Windows 10 21H1, Windows 10 21H2, Windows 10 22H2, Windows 11 21H2, Windows 11 22H2, and Windows 11 23H2, so it's not surprising that an OS that doesn't even exist because it's not Windows won't run on it.
Title: Re: Hardware Router VPN
Post by: coromonadalix on July 08, 2025, 10:58:02 am
I use Private Internet Access (torrent optimized). I do rotate the given location once in a while; they do give you time delay/access times on each location.

And I was checking pfSense thingies you can create with dedicated routers or some small PCs.

My company uses Fortinet hardware stuff. Now they have begun aggressive email checks since we are on Office 365: all unknown sources pass through a release request, all goes through the IT guy, once checked he releases it ... and validates the source and adds it to the whitelist ... He checks all who knock on the company doors .... He says lots of bots ..

As for websites like EEVblog, I think recently there were some changes / stories ... because some of my VPN regions do not go through, simply do not open? Many Chinese sites do that too; behind a VPN they simply stall.
Title: Re: Hardware Router VPN
Post by: 5U4GB on July 08, 2025, 11:42:37 am
As a followup, for hardware to run it on the go-to used to be the Alix APU2, three NICs, entirely solid-state, and built to run Linux or FreeBSD rather than Windows, but sadly they've been EOL'd.  Current go-to is the ODroid H4, also entirely solid-state and FLOSS-targeted.  You just need to either get an H4+ for the extra NIC or add the 4-port NIC card to the standard H4.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 12:31:25 pm
Surfshark supports both WireGuard and OpenVPN clients; if you configure a router correctly that supports these, yes, it is possible. I can't stress enough though how bad an idea this is.

I don't get it, why is that a bad idea compared with installing on every PC?
As I see it, it's just doing the exact same thing, but inside the router so all downstream PCs get the benefit.
What am I missing?

Quote
Those "millions of people" just connect each PC directly, not via a router.

Doesn't practically everyone have modem -> wifi router -> PC(with VPN software)
Why can't the VPN software be on the router instead?

Quote
Another thing to note... Contrary to what providers say, pretty much everything you do today is encrypted with "military grade encryption". With a decent gateway you can enforce encrypted DNS too, making your activity on the Internet completely illegible to an attacker. VPN services are overrated.

How else do you make your PC appear to be in another country without a VPN server in that country?
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 12:33:27 pm
As for websites like EEVblog, I think recently there were some changes / stories ... because some of my VPN regions do not go through, simply do not open? Many Chinese sites do that too; behind a VPN they simply stall.

This thread has nothing to do with the EEVblog server. On the forum we have to block some IP ranges and also hosts because the forum would be ruined by spam within a day if we didn't.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 12:36:12 pm
Millions of people just use Surfshark etc. Am I just dumb for thinking it would be at least relatively easy to do this with a router that supports said VPN service so it automatically does the whole house/lab?
That might be easier doable, but is just one of your requirements/wishes.

Doing it right would be (according to your statements):
Increase security w. a 'sense firewall - Well not a statement ... But imho needed
Making a L2L VPN between House & Lab
Making a "secure dial-in" VPN from "anywhere" to House & Lab
Making a VLAN & WiFi SSID, that when connected to - Would exit "somewhere" in the world using the VPN provider you subscribe to.

The only real thing I'm trying to do is add a VPN so all my computers appear to be in another country.
Anything else is bonus.
I have no real need to access the lab or home remotely. I don't currently have that and I get by fine without it.
Title: Re: Hardware Router VPN
Post by: bingo600 on July 08, 2025, 01:15:32 pm
The only real thing I'm trying to do is add a VPN so all my computers appear to be in another country.
Easiest way i can imagine.
Would be to get a new VPN capable WiFi router, make an SSID called ie. DaveVpn, and set that WiFi router up to permanently VPN connect to your selected VPN provider/exit-destination.

Whenever you want to exit abroad , connect to the VPN SSID.
Else connect to the "Normal/Old ssid".
If you have cabled devices needing VPN , connect the cable to the VPN router's lan port.

That way you don't need to bother about policy routing or other complicated stuff .....
Anything connected to the VPN router goes out via VPN.


Ie. something like this - I haven't tried this, but it doesn't look too complicated.
https://www.linuxscrew.com/openwrt-openvpn-luci (https://www.linuxscrew.com/openwrt-openvpn-luci)

Ought to work w. the el-cheapo's (Converted to latest openWRT), where el-cheapo wan is just connected to "house/lab lan"
https://www.eevblog.com/forum/security/hardware-router-vpn/msg5967529/#msg5967529 (https://www.eevblog.com/forum/security/hardware-router-vpn/msg5967529/#msg5967529)


Verify the VPN exit
This
https://www.dnsleaktest.com/ (https://www.dnsleaktest.com/)
Or This
https://dnsleaktest.org/dns-leak-test (https://dnsleaktest.org/dns-leak-test)

Are excellent sites to check where your internet exit is located, and if you "leak" your Aussie location via DNS.

Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 01:21:46 pm
The only real thing I'm trying to do is add a VPN so all my computers appear to be in another country.
Easiest way i can imagine.
Would be to get a new VPN capable WiFi router, make an SSID called ie. DaveVpn, and set that WiFi router up to permanently VPN connect to your selected VPN provider/exit-destination.

Whenever you want to exit abroad , connect to the VPN SSID.
Else connect to the "Normal/Old ssid".
If you have cabled devices needing VPN , connect the cable to the VPN router's lan port.

That way you don't need to bother about policy routing or other complicated stuff .....
Anything connected to the VPN router goes out via VPN.


Ie. something like this - I haven't tried this, but it doesn't look too complicated.
https://www.linuxscrew.com/openwrt-openvpn-luci (https://www.linuxscrew.com/openwrt-openvpn-luci)

That's exactly what I was saying, and a ton of people on X said, just get a router that supports a VPN service (wireguard or Open VPN support?). But gnif says this is a bad idea, so  :-//
Title: Re: Hardware Router VPN
Post by: bingo600 on July 08, 2025, 01:33:47 pm
The only real thing I'm trying to do is add a VPN so all my computers appear to be in another country.
Easiest way i can imagine.
Would be to get a new VPN capable WiFi router, make an SSID called ie. DaveVpn, and set that WiFi router up to permanently VPN connect to your selected VPN provider/exit-destination.

Whenever you want to exit abroad , connect to the VPN SSID.
Else connect to the "Normal/Old ssid".
If you have cabled devices needing VPN , connect the cable to the VPN router's lan port.

That way you don't need to bother about policy routing or other complicated stuff .....
Anything connected to the VPN router goes out via VPN.


Ie. something like this - I haven't tried this, but it doesn't look too complicated.
https://www.linuxscrew.com/openwrt-openvpn-luci (https://www.linuxscrew.com/openwrt-openvpn-luci)

That's exactly what I was saying, and a ton of people on X said, just get a router that supports a VPN service (wireguard or Open VPN support?). But gnif says this is a bad idea, so  :-//

Maybe he thought you wanted to replace your existing router with such a guy...
Don't ... Add it as an extra that is just connected to when you want to be "cloaked"  :)

That said ... I do agree that most manufacturer router firmware is buggy like h...
And that it is a risk to connect them directly to the internet.
But if you have thought about it, it's now a "Calculated risk".

But that's another story, not covering your VPN need.
Just your data security & ransomware risk (NAS & Family pictures) ...  >:D


Edit: An EEVblog analogy.
Using most stock firmware on an internet router, is like buying components on ebay/Aliexpress.
You can be lucky they are originals/"bug free" .... But time usually proves otherwise.

Components : Your thingy starts to act/smell weird.
Router : You get "strange guests" on your inside lan, and maybe even the "bonus" of participating in a BotNet

Title: Re: Hardware Router VPN
Post by: madires on July 08, 2025, 01:40:07 pm
Just two examples of configuring routers for 'VPN services':
- Setting up a router with NordVPN - https://support.nordvpn.com/hc/en-us/articles/19426084718865-Setting-up-a-router-with-NordVPN
- How to set up a VPN on your router: an easy step-by-step guide (2025) - https://surfshark.com/blog/setup-vpn-router

Both include links to guides for specific router brands.
Title: Re: Hardware Router VPN
Post by: MarkusAJ on July 08, 2025, 02:06:50 pm

The only real thing I'm trying to do is add a VPN so all my computers appear to be in another country.
Anything else is bonus.
I have no real need to access the lab or home remotely. I don't currently have that and I get by fine without it.

You may want to try "PIA VPN". It's inexpensive, there are no limits on how many computers you use and it works on any OS.
Link: https://www.privateinternetaccess.com/ (https://www.privateinternetaccess.com/)

I checked and latency US - AU is in 46 ms range using PIA VPN.

Title: Re: Hardware Router VPN
Post by: bingo600 on July 08, 2025, 02:44:35 pm
I'd still consider to install the two 'sense boxes towards the internet, for the much better hacker protection.
But realizing your situation - I would just install them "default" ... No fancy/complicated setup.

Default would :
Block anything coming "uninvited" from the outside (Wan/Inet) towards Lan.
Allow anything coming from the Lan towards (Wan/Inet).
Change DNS to use the A-root servers, skipping your ISP DNS servers.
Serve DHCP ip addresses on Lan.


Pro:
MUCH better hacker protection from anything coming uninvited from internet
Avoid using your ISP for DNS lookup (tracking)
Your TP-link's & other "eastern" boxes can be deployed much more safely, now that your "Front internet door" is securely closed. Just internal users have access.

Con:
Possible Double NAT - Both pfSense & ISP Box ... Unless ISP Box is in "bridge mode"
Yet another Box in the Internet chain.
Current 'sense is not good for DNS resolving your DHCP clients, but avahi (Multicast DNS / Bonjour) can be installed.  - Might have changed in pfSense 2.8.0

Then for VPN I would still get the "el-cheapo" OpenWRT router, and make the setup described above.


Things to watch out for:
Make sure that the upcoming 'sense lan subnet (default 192.168.1.0/24)  is NOT used anywhere in your existing setup right now.
All your Fixed IP addresses would have to be changed to fit into the new 'sense lan range .

Sidenote:
I hate 192.168.1.0/24 as Lan segment ... 50% of the world uses that.
I would choose something else during 'sense install ...

Make sure you don't have multiple DHCP servers active on lan.
ISP Box can (must) serve DHCP for pfSense wan - Think it already does - You mentioned 192.168.0.124 as wan ip.
TP-Link '6000 (existing WiFi router) must NOT have DHCP active on the Lan side, would clash with the 'sense DHCP server.

Disconnect TP-link wan cable (routing function)
Set TP-Link Lan interface to DHCP , or (better) a static ip + def-gw. and connect it to 'sense lan.


Does anyone know what default start ip-address 'sense DHCP uses ... DHCP Pool range ?
I don't use pfSense DHCP but local ISC.
Info needed for Dave's static ip assignments.


I think the 'sense DHCP P range is starting at .100 to 254
So any 'sense Lan - Static IP assignments should be between .2 and .99

Suggested install Steps:
First make sure that the 'sense lan subnet you install/use is NON existing in your current network.

Connect 'sense wan port to ISP Lan , could be along w. the existing TP-Link if you have the ports.

Install 'sense
Connect a PC to 'sense lan port directly , check you get a DHCP ip in the lan range.
Now make sure you can browse (login) to 'sense, which would be the lan .1 address.
Now you should also be able to browse internet normally, using the PC connected to 'sense lan.

Now move your TP-Link '6000 WAN port to the 'sense lan port (maybe reboot it)
Your existing home infrastructure should work normally.
You have now inserted the 'sense between ISP & TP-Link WiFi (router box)
You could stop here ... Only "Con" would be an extra Nat step in the 'sense box.

To avoid the extra Nat step you would have to disable the TP-Link router function, and make it function as a WiFi Access Point (AP)
Aka ... Disconnect TP-Link Wan, and connect 'sense lan directly to the same (switch) as TP-Link Lan

But you also have to change the ip address of the TP-Link Lan adapter to fit the new 'sense Lan subnet.
Either set TP-Link Lan to get a DHCP ip address , or set a static ip in the 'sense lan range.
And disable the TP-Link DHCP server... Now that the 'sense box is serving DHCP.
*** I'd snoop a bit around in the TP-Link, to see where & what to do , before disconnecting any cables. AND MAKE a TP-Link config backup.

Now you should be "done"
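The checklist in bingo600's post above (no subnet collision with the existing network, static addresses kept below the DHCP pool, a single DHCP server on the LAN) as an added Python example. It is not code from the thread or from the pfSense/OPNsense projects; the .100-.254 pool is the estimate given in the post, and the device names and every address in it are constructed assumptions:

```python
"""Pre-flight checks for inserting a pfSense/OPNsense box into an existing LAN.

Added example, not code from the thread or from the pfSense/OPNsense projects.
It turns the checklist in the post into something you can run before pulling
cables: the planned firewall LAN must not overlap any subnet already in use,
static addresses must stay out of the DHCP pool, and only one DHCP server may
be active on the LAN. Every address here is a constructed sample.
"""
from ipaddress import IPv4Address, IPv4Network

# Assumption from the post: the firewall's DHCP pool runs from host .100 to
# .254 and the firewall itself takes .1, so static hosts belong in .2 .. .99.
DHCP_POOL_FIRST_HOST = 100


def overlapping_subnets(planned: str, existing: dict[str, str]) -> list[str]:
    """Names of existing segments that overlap the planned firewall LAN."""
    planned_net = IPv4Network(planned)
    return [name for name, net in existing.items()
            if planned_net.overlaps(IPv4Network(net))]


def address_ranges(lan: str) -> dict[str, str]:
    """Firewall address, static range and DHCP pool for a /24 LAN."""
    net = IPv4Network(lan)
    if net.prefixlen != 24:
        raise ValueError("the .2-.99 / .100-.254 split assumes a /24")
    base = int(net.network_address)
    return {
        "firewall": str(IPv4Address(base + 1)),
        "static": f"{IPv4Address(base + 2)}-{IPv4Address(base + DHCP_POOL_FIRST_HOST - 1)}",
        "dhcp_pool": f"{IPv4Address(base + DHCP_POOL_FIRST_HOST)}-{IPv4Address(base + 254)}",
    }


def check_static_assignments(lan: str, statics: dict[str, str]) -> list[str]:
    """Problems with proposed static IPs: outside the LAN, reserved, or inside the pool."""
    net = IPv4Network(lan)
    base = int(net.network_address)
    problems = []
    for host, addr in statics.items():
        ip = IPv4Address(addr)
        offset = int(ip) - base
        if ip not in net:
            problems.append(f"{host}: {ip} is outside {net}, renumber it")
        elif offset < 2 or ip == net.broadcast_address:
            problems.append(f"{host}: {ip} is reserved (network, firewall .1 or broadcast)")
        elif offset >= DHCP_POOL_FIRST_HOST:
            problems.append(f"{host}: {ip} sits inside the DHCP pool, "
                            f"use .2-.{DHCP_POOL_FIRST_HOST - 1}")
    return problems


def dhcp_server_conflicts(dhcp_enabled: dict[str, bool]) -> list[str]:
    """Devices that would fight over DHCP on the LAN; empty when at most one serves."""
    active = [name for name, on in dhcp_enabled.items() if on]
    return active if len(active) > 1 else []


def plan_report(planned_lan: str, existing: dict[str, str],
                statics: dict[str, str], dhcp_enabled: dict[str, bool]) -> list[str]:
    """Human-readable findings; an empty list means the plan passes every check."""
    findings = [f"LAN {planned_lan} overlaps existing segment '{name}'"
                for name in overlapping_subnets(planned_lan, existing)]
    findings += check_static_assignments(planned_lan, statics)
    clash = dhcp_server_conflicts(dhcp_enabled)
    if clash:
        findings.append("more than one DHCP server active on the LAN: " + ", ".join(clash))
    return findings


if __name__ == "__main__":
    # Constructed sample network: the ISP box hands out 192.168.0.x on the
    # firewall's WAN side, and the lab TP-Link already uses 192.168.1.0/24,
    # so the 'sense default LAN would collide with it.
    existing = {"ISP box LAN (firewall WAN side)": "192.168.0.0/24",
                "lab TP-Link LAN": "192.168.1.0/24"}
    statics = {"NAS": "10.42.0.10", "printer": "10.42.0.150", "old-server": "192.168.1.20"}
    dhcp = {"pfSense LAN": True, "TP-Link AX6000 (DHCP still on)": True}
    for lan in ("192.168.1.0/24", "10.42.0.0/24"):
        print(f"== plan with firewall LAN {lan}: {address_ranges(lan)}")
        for finding in plan_report(lan, existing, statics, dhcp) or ["no problems found"]:
            print("  -", finding)
```

Run it before touching cables and again after each change to the plan; the ranges it prints are the ones to hand to the TP-Link when it is demoted to an access point with a static LAN address.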
Title: Re: Hardware Router VPN
Post by: David Hess on July 08, 2025, 02:46:16 pm
Surfshark supports both WireGuard and OpenVPN clients; if you configure a router correctly that supports these, yes, it is possible. I can't stress enough though how bad an idea this is.

I don't get it, why is that bad idea compared with installing on every PC?
As I see it, it's just doing the exact same thing, but inside the router so all downstream PC's get the benefit.
What am I missing?

I do not think you are missing anything.  The only disadvantage is that the VPN part is more difficult to get working.  I never had a problem getting pfSense or OPNsense to work on random hardware. (1)

I think there is a disadvantage to using a consumer grade router, including the one which comes from your internet service, because they have a terrible record for security and reliability.  If you put your pfSense or OPNsense router between your provider's device and your network, and likely access the internet through a VPN, that will protect you from your provider's security lapses.

I always recommend using a pfSense or OPNsense router instead of a consumer piece of junk, whether VPN features are desired or not, unless a router from someone like Ubiquiti or MikroTik is used.

(1) Back around, oh, call it 2010, the ice maker in my kitchen leaked and the water dropped into the basement directly onto the Pentium 2 hardware that I had running pfSense.  It took me about 20 minutes to pull the ethernet cards and drive and install them into a decommissioned Gateway Pentium 4.  It booted on the first try, and all I had to do was assign the ethernet interfaces from the console to get back up and working like before.

Quote
Quote
Those "millions of people" just connect each PC directly, not via a router.

Doesn't practically everyone have modem -> wifi router -> PC(with VPN software)
Why can't the VPN software be on the router instead?

My router (PCEngines OPNsense, shown below) and wifi (Ubiquiti UniFi) are separate devices, but it works out to the same thing.  Combination wifi-routers tend to be limiting and buggy; I have not used one since before 2000 when I installed the predecessor to pfSense, m0n0wall, on a Packard Bell 90 MHz Pentium with 128 MB of RAM.

The VPN software, or more properly the VPN endpoint, *can* be on the router, and do exactly what you intend and more, but at least in my experience, the VPN part is difficult to get working unless you have specific instructions for setting it up.  The easiest option is to buy a small hardware router which is preconfigured for the VPN service that you want to use.

Quote
Quote
Another thing to note... Contrary to what providers say, pretty much everything you do today is encrypted with "military grade encryption". With a decent gateway you can enforce encrypted DNS too, making your activity on the Internet completely illegegable to an attacker. VPN services are overrated.

How else do you make your PC appear to be in another country without a VPN server in that country?

Well, that is exactly the point.  Most things you do on the internet now are encrypted by the selection of protocol, like HTTPS or encrypted DNS, but that still allows traffic to be traced back to you through your IP address.  A VPN service effectively conceals your IP address, and usually traffic patterns, by using a remote IP address as an exit and entry for multiple users through NAT and lack of logging where it is not required.

I am still terminating my VPN connections on my individual systems, but I would prefer to have my router be the VPN endpoint.  I know my router running OPNsense can do it; I just have not put enough effort into getting it to work.  PFSense would be easier because of better documentation for specific services, but I prefer OPNsense since pfSense went commercial; I am not entirely happy with NetGate.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 08, 2025, 11:34:08 pm
The VPN software, or more properly the VPN endpoint, *can* be on the router, and do exactly what you intend and more, but at least in my experience, the VPN part is difficult to get working unless you have specific instructions for setting it up.  The easiest option is to buy a small hardware router which is preconfigured for the VPN service that you want to use.

If I'm going to just go the new router option then that seems like a good idea.

Looks like I have three options here:
1) Continue with the firewall as I tried and get it working. And then get the VPN service working on top of that. (Two entirely separate problems?)
2) Just buy new routers that support a VPN service directly (or come pre-configured already)
3) Just install a software VPN service on every machine like 99% of people do.

The thing is I never started this with the intention of improving my network security, yet it somehow seems to have pivoted towards this.
I don't actually care that much about security, I've had just normal consumer routers for 15 years now and it hasn't been a problem (yeah yeah, until it is...), I just thought a LAN wide VPN would be nice.
The problem is I have a ton of people who I'm sure all know what they are talking about, suggesting something different, so  :-//
Title: Re: Hardware Router VPN
Post by: gnif on July 08, 2025, 11:54:02 pm
You opened a big can of worms here, lol. Using the VPN to appear to be from another country is about the only real usage of these services, but like I and others have said, there are caveats such as websites blocking VPN users, and being flagged as suspicious on even Google and needing to enter a captcha for every 3 or so searches.

The most accepted small home office solution is to use a box like pf/open sense. Any network administrator you pay to deploy what you're asking for will use this unless you give them the budget to buy a Cisco or Ubiquiti device, which are really just the same thing in the end.

Tplink and such are generally good for just a generic home router, but add a VPN on top and they are often lacking the horsepower to give a good and reliable experience, especially for a network of multiple systems when the network is busy. Not to mention the security and support implications.

The complexity Dave is you're jumping into the deep end. To do all this stuff properly you need to understand multiple technologies in the stack, from subnets and routing tables to services such as DNS and DHCP, not to mention encapsulation layers like PPPoE often needed for NBN, along with a good understanding of firewall policies.

Professional solutions like pfsense/open sense and Cisco, etc, all come default configured with nothing, you have to set all the configuration for how you want things to work. For example, the default policy on a pfsense firewall (IIRC) is to block all traffic. This is intentional, so the network admin isn't surprised by some extra "feature" like UPnP that was default enabled that compromises their secure design.

Even services like DHCP are not enabled by default, otherwise when setting up a new device, you might disrupt the local working network because suddenly you have another DHCP server on the network messing things up.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 09, 2025, 01:26:45 am
You opened a big can of worms here, lol. Using the VPN to appear to be from another country is about the only real usage of these services, but like I and others have said, there are caveats such as websites blocking VPN users, and being flagged as suspicious on even Google and needing to enter a captcha for every 3 or so searches.

The most accepted small home office solution is to use a box like pf/open sense. Any network administrator you pay to deploy what you're asking for will use this unless you give them the budget to buy a Cisco or Ubiquiti device, which are really just the same thing in the end.

Tplink and such are generally good for just a generic home router, but add a VPN on top and they are often lacking the horsepower to give a good and reliable experience, especially for a network of multiple systems when the network is busy. Not to mention the security and support implications.

The complexity Dave is you're jumping into the deep end. To do all this stuff properly you need to understand multiple technologies in the stack, from subnets and routing tables to services such as DNS and DHCP, not to mention encapsulation layers like PPPoE often needed for NBN, along with a good understanding of firewall policies.

Professional solutions like pfsense/open sense and Cisco, etc, all come default configured with nothing, you have to set all the configuration for how you want things to work. For example, the default policy on a pfsense firewall (IIRC) is to block all traffic. This is intentional, so the network admin isn't surprised by some extra "feature" like UPnP that was default enabled that compromises their secure design.

Even services like DHCP are not enabled by default, otherwise when setting up a new device, you might disrupt the local working network because suddenly you have another DHCP server on the network messing things up.

Thanks.
So what you're telling me is to just install a VPN software service on every machine and enable/disable as required, and anything else is too hard ;D
Title: Re: Hardware Router VPN
Post by: Monkeh on July 09, 2025, 01:29:58 am
Setting up a serious network appliance of any sort is quite possibly biting off more than you want to chew.

What's the actual reason behind wanting to have all your devices routed out of country? It's bound to cause headaches and broken services, and be far more annoying to disable as needed, so what's the actual goal?
Title: Re: Hardware Router VPN
Post by: gnif on July 09, 2025, 01:31:41 am
Thanks.
So what you're telling me is to just install a VPN software service on every machine and enable/disable as required, and anything else is too hard ;D

For this use case, yes, but not because it's too hard, but more because I think you won't be happy with the results.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 09, 2025, 01:48:20 am
Thanks.
So what you're telling me is to just install a VPN software service on every machine and enable/disable as required, and anything else is too hard ;D
For this use case, yes, but not because it's too hard, but more because I think you won't be happy with the results.

Yep, I suspect so too. Thanks.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 09, 2025, 01:50:29 am
Setting up a serious network appliance of any sort is quite possibly biting off more than you want to chew.
What's the actual reason behind wanting to have all your devices routed out of country? It's bound to cause headaches and broken services, and be far more annoying to disable as needed, so what's the actual goal?

I just thought it would be cool and simple in the long term, done once and never having to ever worry about an issue with any one machine. But I now realise that's not the case.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 09, 2025, 05:07:37 am
So, as an aside, should I opt out of this carrier grade NAT for my lab connection?
It says I have a fixed IP as part of my plan, but my AC1200 router says I have a Dynamic IP
Am I right in that a fixed IP will allow me to then change the DNS manually to 8.8.8.8 as suggested by gnif?
As currently the DNS can't be changed with the router set to Dynamic IP.

(https://www.eevblog.com/forum/security/hardware-router-vpn/?action=dlattach;attach=2606973;image)
Title: Re: Hardware Router VPN
Post by: gnif on July 09, 2025, 05:37:05 am
This just means you're using NAT, if you don't want to remote connect to your lab, or host services there such as a server, then you can leave it enabled as it does give you some level of protection as you don't have a real IP to expose.

As for the DNS, no, this won't help you here. If your router has DHCP settings, it might let you configure the DNS server that it tells your network to use; the setting you're looking at is for the router device itself (or both, if it's not changeable in the DHCP settings).

If the router doesn't give you enough control, you can do this per PC:
1) Click edit DNS server assignment in the Ethernet settings: [screenshot attached]
2) Select manual: [screenshot attached]
3) Turn on IPv4: [screenshot attached]

Don't worry about IPv6, it's highly doubtful your ISP provides this; AU is very backwards with IPv6 support still.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 09, 2025, 05:51:15 am
Ah, I see it now in the router. Worth putting in the 8.8.8.8 or whatever?
Title: Re: Hardware Router VPN
Post by: gnif on July 09, 2025, 05:53:56 am
I would if only to stop your ISP spying on your DNS queries
Title: Re: Hardware Router VPN
Post by: EEVblog on July 09, 2025, 05:55:24 am
Don't worry about IPv6, it's highly doubtful your ISP provides this; AU is very backwards with IPv6 support still.

Aussie supports it, it seems.
I have two IPv6 addresses, one /48 and one /64, plus one normal IP address.
There is an Edit IPv6 Delegation button
Title: Re: Hardware Router VPN
Post by: EEVblog on July 09, 2025, 06:01:17 am
I would if only to stop your ISP spying on your DNS queries

Done. 8.8.8.8 for primary and 1.1.1.1 for secondary. How do I check that it's worked?
Title: Re: Hardware Router VPN
Post by: gnif on July 09, 2025, 06:05:00 am
In Windows, run `ipconfig` in a terminal and you should see the DNS server as 8.8.8.8; if it's not, just renew the IP address (`ipconfig /renew`) or reboot.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 09, 2025, 06:22:51 am
In Windows, run `ipconfig` in a terminal and you should see the DNS server as 8.8.8.8; if it's not, just renew the IP address (`ipconfig /renew`) or reboot.

Nope, "Connection-specific DNS Suffix" is blank.
No 8.8.8.8 or 1.1.1.1 or other mention of DNS.
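A way to confirm the resolver assignment without eyeballing terminal output, as an added example that is not from the thread: plain `ipconfig` prints only the suffix, addresses and gateway, while `ipconfig /all` lists the "DNS Servers" field per adapter (a multi-server list continues on indented lines). The parser below reads that `/all` format and compares each connected adapter against the expected primary/secondary pair. The sample output is constructed, not captured from the poster's machine, and the adapter names and addresses in it are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not from the poster's PC).
# Only the fields this check needs are reproduced.
SAMPLE_IPCONFIG_ALL = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAB-PC

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.0.42(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       1.1.1.1

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
"""

# Adapter headers start at column 0 and end with a colon.
ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
# Field lines are indented three spaces: "Name . . . . : value".
FIELD_RE = re.compile(r"^\s{3}(.+?)[ .]*: ?(.*)$")
# Continuation lines (second DNS server, extra addresses) are deeply indented.
CONT_RE = re.compile(r"^\s{20,}(\S.*)$")


def parse_dns_servers(text):
    """Return {adapter_name: [dns servers in listed order]} from `ipconfig /all`.

    Adapters without a DNS Servers field (disconnected media) map to [].
    """
    result = {}
    adapter = None
    in_dns = False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            result[adapter] = []
            in_dns = False
            continue
        if adapter is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1).strip(), m.group(2).strip()
            in_dns = name.startswith("DNS Servers")
            if in_dns and value:
                result[adapter].append(value)
            continue
        m = CONT_RE.match(line)
        if m and in_dns:
            result[adapter].append(m.group(1).strip())
    return result


def check_resolvers(text, expected):
    """Compare each adapter's resolver list with the expected one.

    Order matters: the first entry is the one Windows prefers. Link-local
    IPv6 resolvers carry a '%zone' suffix, which is stripped before parsing.
    """
    want = [ipaddress.ip_address(a) for a in expected]
    report = {}
    for adapter, servers in parse_dns_servers(text).items():
        if not servers:
            report[adapter] = "no DNS servers listed (disconnected, or not /all output)"
            continue
        got = [ipaddress.ip_address(s.split("%")[0]) for s in servers]
        report[adapter] = "ok" if got == want else f"unexpected: {servers}"
    return report


if __name__ == "__main__":
    for adapter, verdict in check_resolvers(SAMPLE_IPCONFIG_ALL, ["8.8.8.8", "1.1.1.1"]).items():
        print(f"{adapter}: {verdict}")
```

On a real machine, pipe the output in with `ipconfig /all > out.txt` and read the file instead of the constructed string; the "no DNS servers listed" verdict is also what you get if you feed it plain `ipconfig` output, which is why that command alone never shows the change.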
Title: Re: Hardware Router VPN
Post by: 5U4GB on July 09, 2025, 07:39:18 am
Ah, I see it now in the router. Worth putting in the 8.8.8.8 or whatever?

No.  Maybe they've finally fixed it but Google's DNS used to be location-moronic so it would direct you to servers located wherever it felt like rather than fast local ones, to the point where some sites became inaccessible depending on where it sent you at the time of the lookup.

And for the other reply above, about worrying about your ISP spying on you: You're suggesting that the solution to concerns about your local ISP, who in practice doesn't give a toss about your DNS lookups, is to hand your queries to the world's largest and most comprehensive surveillance platform instead?  I specifically send my DNS queries to my local ISP because they're the least likely to care about them.
Title: Re: Hardware Router VPN
Post by: 5U4GB on July 09, 2025, 07:40:42 am
Done. 8.8.8.8 for primary and 1.1.1.1 for secondary. How do I check that it's worked?

[snark]When you start seeing intermittent site outages caused by Google DNS you'll know it's working.[/snark]
Title: Re: Hardware Router VPN
Post by: Monkeh on July 09, 2025, 08:17:24 am
And for the other reply above, about worrying about your ISP spying on you: You're suggesting that the solution to concerns about your local ISP, who in practice doesn't give a toss about your DNS lookups, is to hand your queries to the world's largest and most comprehensive surveillance platform instead?  I specifically send my DNS queries to my local ISP because they're the least likely to care about them.

Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government. When you're dealing with a government which genuinely believes the rule of law trumps mathematics or physics...
Title: Re: Hardware Router VPN
Post by: Monkeh on July 09, 2025, 08:21:08 am
It says I have a fixed IP as part of my plan, but my AC1200 router says I have a Dynamic IP

Your router will be getting the IP via DHCP - it won't know whether it's being given a static assignment or not. If the IP is in the 100.64.0.0/10 range, then you're suffering CGNAT.
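The address test Monkeh describes, written out as an added example (mine, not from the thread) so the whole decision can be run against whatever the router's WAN status page shows: the "Dynamic IP" label only tells you the address came by DHCP, while membership in 100.64.0.0/10 (RFC 6598 shared address space) is what reveals CGNAT. The function also separates RFC 1918 addresses (another NAT box upstream) from genuinely public ones and handles IPv6, which is broader than the post; the sample addresses are constructed.

```python
import ipaddress

# RFC 6598 shared address space used by carrier-grade NAT.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: seeing one on the WAN side means another NAT upstream.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV6_ULA = ipaddress.ip_network("fc00::/7")
IPV6_GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def classify_wan_address(addr):
    """Classify the address a router reports on its WAN interface.

    Returns one of: 'cgnat', 'rfc1918', 'loopback', 'link-local', 'ula',
    'public', 'other'. Shared address space is tested explicitly rather than
    through ipaddress.is_private/is_global, whose treatment of 100.64.0.0/10
    has differed between Python versions.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4:
        if ip in SHARED_ADDRESS_SPACE:
            return "cgnat"
        if any(ip in net for net in RFC1918):
            return "rfc1918"
        if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
            return "other"
        return "public"
    if ip in IPV6_ULA:
        return "ula"
    if ip in IPV6_GLOBAL_UNICAST:
        return "public"
    return "other"


def assess_wan(wan_ip, ip_mode):
    """Combine the router UI's connection-type label with the address it got.

    ip_mode is the label shown by the router, e.g. 'Dynamic IP' or 'Static IP'.
    """
    kind = classify_wan_address(wan_ip)
    notes = []
    if ip_mode.lower().startswith("dynamic"):
        notes.append("'Dynamic IP' only means the address arrived via DHCP; "
                     "a fixed allocation from the ISP looks identical to the router")
    if kind == "cgnat":
        notes.append("WAN address is in 100.64.0.0/10: behind CGNAT, so inbound "
                     "connections and port forwards will not reach you")
    elif kind == "rfc1918":
        notes.append("WAN address is RFC 1918 private: another NAT device sits upstream")
    elif kind == "public":
        notes.append("WAN address is publicly routable; whether it is fixed can only be "
                     "confirmed by the ISP or by watching it over time")
    return {"class": kind, "inbound_reachable": kind == "public", "notes": notes}


if __name__ == "__main__":
    # Constructed sample inputs, not the poster's real addresses.
    for ip in ("100.64.1.2", "192.168.0.1", "203.0.113.9", "2001:db8::1", "fd00::1"):
        print(ip, assess_wan(ip, "Dynamic IP"))
```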
Title: Re: Hardware Router VPN
Post by: 5U4GB on July 09, 2025, 08:44:41 am
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government. When you're dealing with a government which genuinely believes the rule of law trumps mathematics or physics...

Last I checked there was an opt-in blocklist of a small number of known CSAM sites and that was about as far as the ISP's responsibilities went.
Title: Re: Hardware Router VPN
Post by: gnif on July 09, 2025, 08:54:41 am
And for the other reply above, about worrying about your ISP spying on you: You're suggesting that the solution to concerns about your local ISP, who in practice doesn't give a toss about your DNS lookups, is to hand your queries to the world's largest and most comprehensive surveillance platform instead?  I specifically send my DNS queries to my local ISP because they're the least likely to care about them.

Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government. When you're dealing with a government which genuinely believes the rule of law trumps mathematics or physics...

Not much they can do if you're using DNS over HTTPS, or encrypted DNS and an overseas DNS server. You can even rent a cheap VPS and throw bind on it for a personal DNS server if you want one you can trust.

As for spying on you, sorry, but the instant I start getting poisoned DNS records from a provider is the instant I lose all trust in them, government mandated or not.
Title: Re: Hardware Router VPN
Post by: madires on July 09, 2025, 11:16:33 am
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government.

This is what Google says about logging DNS queries: https://developers.google.com/speed/public-dns/privacy
And Cloudflare: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/

Both log a lot.
Title: Re: Hardware Router VPN
Post by: Monkeh on July 09, 2025, 05:46:42 pm
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government.

This is what Google says about logging DNS queries: https://developers.google.com/speed/public-dns/privacy
And Cloudflare: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/

Both log a lot.

And have you read those? I'll give a big hint: They don't store logs containing identifiable information.
Title: Re: Hardware Router VPN
Post by: David Hess on July 09, 2025, 07:22:43 pm
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government. When you're dealing with a government which genuinely believes the rule of law trumps mathematics or physics...

Not much they can do if you're using DNS over HTTPS, or encrypted DNS and an overseas DNS server. You can even rent a cheap VPS and throw bind on it for a personal DNS server if you want one you can trust.

As for spying on you, sorry, but the instant I start getting poisoned DNS records from a provider is the instant I lose all trust in them, government mandated or not.

My OPNsense router is currently configured to block all outgoing UDP and TCP DNS requests to port 53.  DNS requests must go to the router, which then uses Unbound DNS to resolve all requests with DNS over TLS to port 853 of the usual suspects.  My VPN endpoints also resolve DNS through my local router.

I guess I should block port 853 also since browsers will commonly do their own encrypted DNS resolution if not properly configured.

Update: I already blocked port 853 when I originally blocked DNS.
Title: Re: Hardware Router VPN
Post by: Monkeh on July 09, 2025, 11:15:59 pm
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government. When you're dealing with a government which genuinely believes the rule of law trumps mathematics or physics...

Not much they can do if you're using DNS over HTTPS, or encrypted DNS and an overseas DNS server. You can even rent a cheap VPS and throw bind on it for a personal DNS server if you want one you can trust.

As for spying on you, sorry, but the instant I start getting poisoned DNS records from a provider is the instant I lose all trust in them, government mandated or not.

My OPNsense router is currently configured to block all outgoing UDP and TCP DNS requests to port 53.  DNS requests must go to the router, which then uses Unbound DNS to resolve all requests with DNS over TLS to port 853 of the usual suspects.  My VPN endpoints also resolve DNS through my local router.

I guess I should block port 853 also since browsers will commonly do their own encrypted DNS resolution if not properly configured.

Update: I already blocked port 853 when I originally blocked DNS.

I presume with those rules that you do not currently have IPv6 connectivity.
Title: Re: Hardware Router VPN
Post by: EEVblog on July 10, 2025, 01:56:25 am
Done. 8.8.8.8 for primary and 1.1.1.1 for secondary. How do I check that it's worked?
[snark]When you start seeing intermittent site outages caused by Google DNS you'll know it's working.[/snark]

In that case it should fall back to the Cloudflare DNS right?
Title: Re: Hardware Router VPN
Post by: gnif on July 10, 2025, 02:08:38 am
Done. 8.8.8.8 for primary and 1.1.1.1 for secondary. How do I check that it's worked?
[snark]When you start seeing intermittent site outages caused by Google DNS you'll know it's working.[/snark]

In that case it should fall back to the Cloudflare DNS right?

This is why you can set a primary and secondary: just set the secondary to Cloudflare (1.1.1.1), and if there is a fault it will automatically try the other server.
Title: Re: Hardware Router VPN
Post by: 5U4GB on July 10, 2025, 02:24:41 am
And have you read those? I'll give a big hint: They don't store logs containing identifiable information.

Because then it's resistant to annoying subpoenas, while Google can still use all the other information it holds on you to de-anonymise as required.

You need to look at "privacy" statements from surveillance organisations like Google in terms of what they're protecting themselves from legally, not what rights they're pretending to leave you with.
Title: Re: Hardware Router VPN
Post by: 5U4GB on July 10, 2025, 03:49:22 am
This is why you can set a primary and secondary: just set the secondary to Cloudflare (1.1.1.1), and if there is a fault it will automatically try the other server.

Just as an aside, primary and secondary are server-side concepts: typically the primary is authoritative and the secondary is a read-only copy of the primary as a backup.  From the client side anything is possible: prefer primary, query either in a round-robin fashion, and then there's the Windows version, for which the best description I've seen is the probably DNS and the maybe DNS (gory details here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961411(v=technet.10)?redirectedfrom=MSDN, and that's probably changed ten times since then).

This typically hits PiHole and similar users who have the PiHole as the primary and unfiltered DNS as the secondary for emergency access if there's a problem with the PiHole, and then wonder why a lot of their DNS queries aren't being filtered.
Title: Re: Hardware Router VPN
Post by: David Hess on July 10, 2025, 03:55:54 am
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government. When you're dealing with a government which genuinely believes the rule of law trumps mathematics or physics...

Not much they can do if you're using DNS over HTTPS, or encrypted DNS and an overseas DNS server. You can even rent a cheap VPS and throw bind on it for a personal DNS server if you want one you can trust.

As for spying on you, sorry, but the instant I start getting poisoned DNS records from a provider is the instant I lose all trust in them, government mandated or not.

My OPNsense router is currently configured to block all outgoing UDP and TCP DNS requests to port 53.  DNS requests must go to the router, which then uses Unbound DNS to resolve all requests with DNS over TLS to port 853 of the usual suspects.  My VPN endpoints also resolve DNS through my local router.

I guess I should block port 853 also since browsers will commonly do their own encrypted DNS resolution if not properly configured.

Update: I already blocked port 853 when I originally blocked DNS.

I presume with those rules that you do not currently have IPv6 connectivity.

My router is behind the house NAT router which is behind the fiber NAT router so no, I do not have IPv6 connectivity.  I think our delegated IPv6 subnet is not large enough.

My VPN connections provide IPv6 access for outgoing connections and incoming forwarded ports.

I should probably block outgoing DNS over IPv6 anyway though.
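Hess's setup above (block outbound 53 and 853 at the router, let Unbound do DoT upstream) and his follow-up that the same should apply over IPv6 suggest a complementary check: audit flow records for LAN hosts that still try to talk DNS to anything other than the local resolver. The following is an added example (not Hess's OPNsense configuration, which the thread does not reproduce) run over constructed flow lines in a simple generic format; the resolver addresses, hosts and log layout are assumptions. It treats IPv4 and IPv6 alike and excludes the router's own upstream DoT, so what remains is exactly the traffic the firewall rules are meant to stop.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed flow records (not from the poster's OPNsense). Format:
# "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>", IPv6 literals in brackets.
SAMPLE_FLOWS = """\
2025-07-10T10:01:02 udp 192.168.1.20:51234 -> 192.168.1.1:53
2025-07-10T10:01:03 udp 192.168.1.20:51235 -> 8.8.8.8:53
2025-07-10T10:01:04 tcp 192.168.1.31:40022 -> 1.1.1.1:853
2025-07-10T10:01:05 tcp 192.168.1.31:40023 -> 203.0.113.50:443
2025-07-10T10:01:06 udp [fd00:1::20]:51236 -> [2001:4860:4860::8888]:53
2025-07-10T10:01:07 udp [fd00:1::20]:51237 -> [fd00:1::1]:53
2025-07-10T10:01:08 tcp 192.168.1.1:33000 -> 9.9.9.9:853
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>\[[^\]]+\]|[^:\s]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\[[^\]]+\]|[^:\s]+):(?P<dport>\d+)$"
)

# Assumed addresses of the router's own resolver on IPv4 and IPv6.
LOCAL_RESOLVERS = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("fd00:1::1")}
# Plain DNS on 53 (both transports) and DNS-over-TLS on 853.
DNS_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 853)}


def _addr(token):
    return ipaddress.ip_address(token.strip("[]"))


def parse_flow(line):
    """Parse one flow line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "proto": m["proto"],
        "src": _addr(m["src"]),
        "dst": _addr(m["dst"]),
        "dport": int(m["dport"]),
    }


def find_dns_bypass(text, resolvers=LOCAL_RESOLVERS):
    """Map each LAN source to the DNS/DoT flows it sent past the local resolver.

    The resolver's own upstream queries are expected and skipped. DNS-over-HTTPS
    on 443 is indistinguishable from ordinary HTTPS by port, which is why the
    browsers themselves have to be configured not to use it.
    """
    hits = defaultdict(list)
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        if (flow["proto"], flow["dport"]) not in DNS_PORTS:
            continue
        if flow["src"] in resolvers:
            continue  # router talking DoT to its upstreams
        if flow["dst"] in resolvers:
            continue  # the intended path
        hits[str(flow["src"])].append(f"{flow['proto']}/{flow['dport']} -> {flow['dst']}")
    return dict(hits)


if __name__ == "__main__":
    for host, flows in find_dns_bypass(SAMPLE_FLOWS).items():
        print(host, flows)
```

Run against a real export, anything it reports is either a device with hard-coded resolvers or a rule that is not matching the address family you expected, which is the IPv6 gap Monkeh asked about.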
Title: Re: Hardware Router VPN
Post by: madires on July 10, 2025, 07:28:24 am
My router is behind the house NAT router which is behind the fiber NAT router so no, I do not have IPv6 connectivity.  I think our delegated IPv6 subnet is not large enough.

Or possibly the IPv6 PD (Prefix Delegation) doesn't trickle down to the last router in the chain for whatever reason. There are some stingy ISPs, but the recommendation is to assign a /64 for the link between ISP and CPE and at least a /56 for the LAN.
Title: Re: Hardware Router VPN
Post by: madires on July 10, 2025, 08:42:37 am
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government.

This is what Google says about logging DNS queries: https://developers.google.com/speed/public-dns/privacy
And Cloudflare: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/

Both log a lot.

And have you read those? I'll give a big hint: They don't store logs containing identifiable information.

Google states (from link above):
Quote:
  Temporary DNS Logs
  Temporary logs are the only logs that store both your IP address and your DNS query. Specifically, the temporary logs include:
    - the IP address of your device sending the DNS query
  ...
  These logs are subject to our deletion processes within 24-48 hours. ...

So they store your IP address and query together for 24-48 hours. After that your IP address is replaced with a 'city or region-level location' for the permanent logs. From the data points stored in the permanent logs it's possible to narrow down DNS clients to a group, e.g. via the AS number (your ISP) and the geolocation. As an example (should be unlikely, but is simple to explain), let's assume you're the only customer of your ISP in your area. The permanent logs contain the AS number and the geolocation. In this special case it's possible to pin down the logged queries to a specific user. And if you happen to log into some Google service they can correlate that with the DNS logs and identify you. I don't claim that they are doing that; I'm just trying to explain that with sufficient data points which don't include identifiable information directly it can still be possible to identify a person.

Cloudflare is more privacy-friendly. They store a truncated version of your IP address (last octet removed for IPv4) for up to 25 hours in volatile storage. And as a bonus they aggregate all data points they log within 25 hours and delete the original logs. I'd prefer Cloudflare over Google in this regard.
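The singling-out argument in the post above is the classic quasi-identifier problem, and it can be made concrete. The following is an added example (not from the thread, and not modelled on either provider's actual pipeline): records in the shape of the permanent-log fields described, AS number plus city-level location plus query, with no IP. A constructed `client_id` column stands in for the outside knowledge (how many subscribers of that ISP live in that area) that the log itself does not contain; it is used only to measure bucket sizes. The ASNs come from the documentation range and the places and hierarchy are constructed. The second half shows the standard mitigation, generalising the location until every bucket holds at least k clients.

```python
from collections import defaultdict

# Constructed "permanent log" records: (client_id, asn, location, qname).
# client_id is NOT a log field; it is only here to evaluate how identifying
# the (asn, location) pair is. ASNs 64496/64497 are from the documentation range.
SAMPLE_LOG = [
    ("c1", 64496, "Sydney", "example.com"),
    ("c2", 64496, "Sydney", "example.org"),
    ("c3", 64496, "Sydney", "example.net"),
    ("c4", 64497, "Broome", "example.com"),  # only 64497 customer seen in Broome
    ("c4", 64497, "Broome", "example.net"),
    ("c5", 64497, "Perth", "example.org"),
    ("c6", 64497, "Perth", "example.com"),
]

# Constructed generalisation hierarchy: city -> state -> country.
COARSER = {"Sydney": "NSW", "Broome": "WA", "Perth": "WA", "NSW": "AU", "WA": "AU"}


def bucket_sizes(records):
    """Distinct clients per (asn, location) quasi-identifier."""
    clients = defaultdict(set)
    for cid, asn, loc, _ in records:
        clients[(asn, loc)].add(cid)
    return {key: len(s) for key, s in clients.items()}


def small_buckets(records, k=2):
    """(asn, location) pairs shared by fewer than k clients: each one is a person."""
    return sorted(key for key, n in bucket_sizes(records).items() if n < k)


def exposed_queries(records, k=2):
    """Query names the (asn, location) pair alone attributes to a single client.

    Note the result carries no client_id: the exposure comes purely from the
    'non-identifying' fields the log does keep.
    """
    small = set(small_buckets(records, k))
    return sorted({(asn, loc, q) for _, asn, loc, q in records if (asn, loc) in small})


def generalise(records, hierarchy=COARSER):
    """Replace each location with the next coarser level (city -> state -> country)."""
    return [(cid, asn, hierarchy.get(loc, loc), q) for cid, asn, loc, q in records]


def anonymise_to_k(records, k=2, hierarchy=COARSER, max_rounds=3):
    """Generalise locations until every bucket has at least k clients.

    Returns (records, rounds_applied). max_rounds bounds the loop when the
    hierarchy runs out of levels before k is reached.
    """
    rounds = 0
    while small_buckets(records, k) and rounds < max_rounds:
        records = generalise(records, hierarchy)
        rounds += 1
    return records, rounds


if __name__ == "__main__":
    print("singled out:", small_buckets(SAMPLE_LOG))
    print("exposed:", exposed_queries(SAMPLE_LOG))
    safe, rounds = anonymise_to_k(SAMPLE_LOG)
    print(f"after {rounds} generalisation round(s):", bucket_sizes(safe))
```

The point the code makes is the one madires makes in prose: removing the IP is not the same as removing identifiability, and whether a retained field is "anonymous" depends on how many people share its value.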
Title: Re: Hardware Router VPN
Post by: Monkeh on July 10, 2025, 03:20:46 pm
So they store your IP address and query together for 24-48 hours. After that your IP address is replaced with a 'city or region-level location' for the permanent logs. From the data points stored in the permanent logs it's possible to narrow down DNS clients to a group, e.g. via the AS number (your ISP) and the geolocation. As an example (should be unlikely, but is simple to explain), let's assume you're the only customer of your ISP in your area. The permanent logs contain the AS number and the geolocation. In this special case it's possible to pin down the logged queries to a specific user. And if you happen to log into some Google service they can correlate that with the DNS logs and identify you. I don't claim that they are doing that; I'm just trying to explain that with sufficient data points which don't include identifiable information directly it can still be possible to identify a person.

Cloudflare is more privacy-friendly. They store a truncated version of your IP address (last octet removed for IPv4) for up to 25 hours in volatile storage. And as a bonus they aggregate all data points they log within 25 hours and delete the original logs. I'd prefer Cloudflare over Google in this regard.

And when the government rocks up with "give us DNS queries for this user over the last six months" they can simply go "no, we don't have that data". There's a difference between being able to deanonymize using large data sets and storing complete, detailed logs for the perusal of others.
Title: Re: Hardware Router VPN
Post by: David Hess on July 10, 2025, 04:39:37 pm
My router is behind the house NAT router which is behind the fiber NAT router so no, I do not have IPv6 connectivity.  I think our delegated IPv6 subnet is not large enough.

Or possibly the IPv6 PD (Prefix Delegation) doesn't trickle down to the last router in the chain for whatever reason. There are some stingy ISPs, but the recommendation is to assign a /64 for the link between ISP and CPE and at least a /56 for the LAN.

Probably, but I remember checking and finding a smaller than recommended assignment.

IPv6 has been denied to me for so long now that I assume by default that I need to make my own arrangements.  Back when AT&T started deliberately blocking IPv6 access, first at their border routers and then at their customer routers, I filed a complaint with the FCC who said it was fine.

So now I get IPv6 through a robust VPN service, rendering that traffic largely inscrutable and anonymous.  If this makes things more difficult for the government, that is too bad; they made their choice.

And when the government rocks up with "give us DNS queries for this user over the last six months" they can simply go "no, we don't have that data". There's a difference between being able to deanonymize using large data sets and storing complete, detailed logs for the perusal of others.

What the court can do, if the data exists at any point, is order that it be retained and given to law enforcement.  The only way to prevent this is to not preserve it for any amount of time, and likely not even generate it.

There was a case a couple of years ago in which the court determined that data which only exists ephemerally in DRAM may be subject to an order requiring it to be recorded and given to law enforcement.

Title: Re: Hardware Router VPN
Post by: madires on July 10, 2025, 06:10:15 pm
And when the government rocks up with "give us DNS queries for this user over the last six months" they can simply go "no, we don't have that data". There's a difference between being able to deanonymize using large data sets and storing complete, detailed logs for the perusal of others.

Wouldn't work directly anyway, because DNS queries don't include something like a user name. But it would be different when law enforcement is asking your ISP, because your ISP usually knows your ID and IP address for a given time. So they might start with your ISP and then try to collect as much data as available from other sources. However, law enforcement often doesn't know what to ask for and even struggles to follow the correct procedure laid out by law. In that case the ISP can ignore the request or try to educate them. ;D
Title: Re: Hardware Router VPN
Post by: EEVblog on July 11, 2025, 02:47:35 am
Everyone talks about OpenWRT, looks like my Archer AC1200 is supported:
https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500

Any advantage in running that?
Title: Re: Hardware Router VPN
Post by: gnif on July 11, 2025, 02:50:10 am
OpenWRT unlocks a lot of functionality; many devices from providers like TP-Link already use it, but a modified version.

Again though, it comes in a default zero configuration state and requires a fair amount of technical investment to configure it.
Title: Re: Hardware Router VPN
Post by: Smokey on July 11, 2025, 04:18:05 am
Everyone talks about OpenWRT, looks like my Archer AC1200 is supported:
https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500
Any advantage in running that?

Get the best of both worlds.  Vendor support and updates + OpenWRT core.
One of the Asus routers that comes with AsusWRT.

And if you get really ambitious, you can install the fully open source asuswrt-merlin
https://www.asuswrt-merlin.net/
That link has a list of compatible hardware.

VPN is super easy to set up and use, both servers and clients.  (OpenVPN, PPTP, L2TP, IPSec, and WireGuard)
Title: Re: Hardware Router VPN
Post by: EEVblog on July 11, 2025, 04:52:03 am
VPN is super easy to set up and use, both servers and clients.  (OpenVPN, PPTP, L2TP, IPSec, and WireGuard)

I've just been told this isn't such a good idea  ;D
Title: Re: Hardware Router VPN
Post by: Smokey on July 11, 2025, 04:58:38 am
VPN is super easy to set up and use, both servers and clients.  (OpenVPN, PPTP, L2TP, IPSec, and WireGuard)

I've just been told this isn't such a good idea  ;D

Both can be true :)
Title: Re: Hardware Router VPN
Post by: madires on July 11, 2025, 08:06:31 am
Everyone talks about OpenWRT, looks like my Archer AC1200 is supported:
https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500

Any advantage in running that?

Pro:
- long term support
- tons of features
- option to install additional software

Con:
- not simple, but plenty of documentation
- the hardware NAT offloading of the Archer AC1200 isn't supported (proprietary) -> lower NAT throughput
Title: Re: Hardware Router VPN
Post by: EEVblog on October 10, 2025, 07:32:19 am
Update: I just went with a plain vanilla VPN installed on my devices.
No issues so far, apart from YouTube requesting to confirm it's me.
Will see what happens end of this year...
Title: Re: Hardware Router VPN
Post by: gnif on October 10, 2025, 10:41:30 pm
Just note I have over the last few days had to start blocking VPN IP ranges again due to AI abuse.

See attached traffic stats for today alone, they have been super aggressive of late.

Hopefully your VPN provider won't get caught up in this.
Title: Re: Hardware Router VPN
Post by: EEVblog on October 10, 2025, 11:29:02 pm
Just note I have over the last few days had to start blocking VPN IP ranges again due to AI abuse.
See attached traffic stats for today alone, they have been super aggressive of late.
Hopefully your VPN provider won't get caught up in this.

Yeah, we'll see.
For an extra $4/month I can get a fixed IP if needed.