With the passing of S.J.Res.34 and H.J.Res.86, and now that the bill is signed, many people are panicking about their privacy. Now, I have read all sorts of things about changes we will or won’t see as a result of this bill, but either way, you should take this as a wake-up call. As we always see in the software security realm, unfortunately, security is never a concern until it is too late. Well, I have no idea if this counts as ‘too late’ or not, but I decided to take this as a good reason to finally get around to securing my home network traffic (something I have put off for almost 4 years now). Below are a few ideas for keeping your internet traffic private, with some analysis of each. A big thanks to my buddy Tim (he’s a nerd for hire) for letting me bounce some ideas off of him and pointing me in a direction or two.

Before we dive into anything, I think it’s pertinent to talk about what the issue is and what we’re looking to accomplish. Based on those articles I pointed out, and many, many others, we want to ensure our web traffic can’t be viewed by anyone. As has been pointed out numerous times, something like incognito mode in your browser only keeps data from being saved locally; it doesn’t hide that traffic from anyone else: your Internet Service Provider (ISP), network sniffers, etc. What we want is to ensure the traffic you are generating can’t be read, so we need something more.

SSL

When you visit a secure site (one using HTTPS), all of the data passed between you and the site is encrypted (assuming the site was set up properly). This is a major step toward ensuring your personal data is safe. So, make sure your email, Facebook, banks, etc. are all being visited over HTTPS. Depending on the browser, you should verify that a little (sometimes green) lock is present to the left of the URL. This sets us in the direction of what we’re looking for, keeping our data safe from prying eyes. But it doesn’t do everything.

Pros

  • You shouldn’t need to change much
  • Simple
  • Completely Free
  • Supported on any browser, any OS, any device without any additional work

Cons

  • Only works for browser traffic
  • Not all sites have HTTPS as an option
  • ISPs can still see what sites you are visiting (they just can’t see the content you are viewing on them)

TOR

So, let’s dive in a little deeper. For just a little added setup, we can ensure all of the data we’re browsing through gets hidden from our ISP. Do you watch House of Cards? Do you remember them mentioning the ‘dark web’? Maybe you’ve seen Mr. Robot. They more directly (and more accurately) represent this ‘secret’ side of the internet that hackers hang out in. Well, it’s not necessarily a dark, nasty corner of the web. The Onion Router, or TOR (originally developed by the Navy), is simply a way to browse the web anonymously. Yes, there are private servers within the network you’ll want to avoid, but our goal here is anonymity, not treachery. What does that mean for us? If you don’t want your ISP to know what sites you are visiting, or you want to visit a site that doesn’t support HTTPS, install TOR and make that your new browser. You can even run TOR on your mobile device.

Pros

  • Relatively simple
  • Free
  • Supported on most devices

Cons

  • Limited to TOR browser
  • Difficult to get working on iOS
  • Slows down internet speeds (because you are bounced from server to server to provide anonymity, this slows down your connection speed)
  • Only works for browser traffic
  • Install needs to be made on every machine you want to use

TOR as a Proxy

We’re moving in the correct direction, so let’s dive even deeper. In our previous example, we’ve ensured all of our browser traffic is secure. To get additional security, you can configure your TOR browser as a proxy, which means we can pass any internet traffic through it. This means not only can we gain security and still use any browser we want, but our actions outside our browsers (such as backups, messaging, or email clients) are also secure. Here are some relatively simple instructions to gather the information needed from TOR, and how to set up your Windows, Mac, Linux, or Android machine to route all its traffic through TOR.

I’d like to put a note at this point about streaming services. Services like Hulu, Netflix, Prime, and many others require that you run outside a VPN. It’s part of their ToS. This means that if you wanted to watch Netflix on your machine, in our previous scenario, you just wouldn’t use the TOR browser. If ALL of your traffic is setup to run through TOR, you need to turn this off in order to use these streaming services.
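The exchange an application has with TOR’s proxy port, as an added example that is not from the original post. It assumes TOR is listening on 127.0.0.1:9050 (its default SOCKS port; the TOR browser bundle uses 9150) and shows the one detail that matters for privacy: the CONNECT request carries the hostname unresolved (SOCKS5 address type 0x03), so the DNS lookup happens inside the TOR circuit rather than at your ISP’s resolver. The builders and parsers are pure functions; only connect_via_tor touches the network.

```python
"""SOCKS5 CONNECT exchange as a local TOR proxy expects it (added example).

Assumptions (not from the post): TOR listens on 127.0.0.1:9050, no SOCKS
authentication is configured, and the caller passes a hostname so the
proxy, not the local resolver, performs the DNS lookup.
"""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# RFC 1928 reply codes, for turning a failed CONNECT into a readable error.
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """Client hello: version 5, one offered auth method (no authentication)."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def parse_method_selection(data: bytes) -> int:
    """Server picks a method; 0xFF means it accepted none of ours."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed method selection: %r" % data)
    if data[1] == 0xFF:
        raise ConnectionError("proxy rejected all offered auth methods")
    return data[1]


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT with the hostname left unresolved (ATYP 0x03).

    Sending the name instead of an IPv4 address keeps the DNS query off the
    local resolver, which is exactly the leak a DNS leak test looks for.
    """
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain address")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_connect_reply(data: bytes):
    """Return (reply_code, bound_address, bound_port) from the proxy's answer."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed CONNECT reply: %r" % data)
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated CONNECT reply")
    return code, addr, struct.unpack("!H", rest)[0]


def _recv_exact(sock, n: int) -> bytes:
    """recv() may return short reads; collect exactly n bytes or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def connect_via_tor(host: str, port: int, proxy=("127.0.0.1", 9050), timeout=30):
    """Open a TCP socket to host:port through the local TOR SOCKS port."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(build_greeting())
        parse_method_selection(_recv_exact(s, 2))
        s.sendall(build_connect_request(host, port))
        head = _recv_exact(s, 4)            # VER, REP, RSV, ATYP
        if head[3] == ATYP_IPV4:
            body = _recv_exact(s, 6)        # 4-byte address + 2-byte port
        elif head[3] == ATYP_IPV6:
            body = _recv_exact(s, 18)
        else:
            n = _recv_exact(s, 1)           # length-prefixed domain name
            body = n + _recv_exact(s, n[0] + 2)
        code, _, _ = parse_connect_reply(head + body)
        if code != 0:
            raise ConnectionError(REPLY_TEXT.get(code, "reply code %d" % code))
    except Exception:
        s.close()
        raise
    return s
```

A program that resolves the name itself and hands the proxy an IP address has already told the ISP’s resolver where it is going, even though the TCP connection then travels through TOR; that is why the “proxy DNS when using SOCKS v5” style setting matters in whatever client you point at the proxy.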

Pros

  • Free
  • All traffic can be secure (other than that over cellular networks)

Cons

  • More complicated setup
  • Setup needs to be repeated each time machine is rebooted (or TOR is launched)
  • Setup needs to be repeated on each machine you want to secure
  • Slows down traffic
  • Can’t run streaming services

VPN

As we can see from the above, using TOR is becoming more and more complicated. If we want to get back into a simple realm, we need to start talking VPNs. The purpose of a VPN is the same as what we were looking for with TOR: it should encrypt your connection and provide you with an anonymous IP to protect your privacy. This, however, switches us from the free realm into the paid one. Now, while there are plenty of free VPNs, you want to be very careful about which VPN you choose. You need to consider WHY a VPN service would be free. They have hardware they are using and maintaining, software to set up, and people to pay. How are they making money? Many of them will do exactly what you’re trying to avoid: sell your information, inject ads, or worse, use your bandwidth.

When selecting a VPN service, I happen to like this site for comparing. TorrentFreak also has some good reviews on VPN services. Some of the things I look for when selecting a VPN service are OS options (can it run on Linux and Android, for me at least), number of simultaneous connections, price (kind of obvious), speed, and privacy policy. Once you choose a VPN, install it on your machine(s) and set it up to run at startup. Most services I’ve been interested in have great instructions and even provide good technical support. As a reminder from above, if you want to stream video, you’ll probably need to turn your VPN off (much simpler than turning off TOR as a proxy for your system). Alternatively, some VPNs are set up to allow you to run a split tunnel. If you do this, you can ensure streaming services run directly to the internet while all other traffic goes through the VPN; this is typically very complicated to set up, and depending on the service you choose, their technical support might or might not be able to assist with it.

Pros

  • Simple to setup
  • Simple multiple machine support
  • No speed reduction
  • All traffic is secure

Cons

  • Not free
  • Setup needs to be repeated on each machine you want to secure
  • More difficult to run streaming services

Verifying You Are Secure

Before we dive much further, I believe it’s worthwhile discussing a few ways you can verify that you’ve secured your data. First off, head over to https://whatismyipaddress.com and take note of what it says; I’ll be referring to this as your personal IP address. Once you connect securely, using any of the above methods, there are a few ways to verify you have truly secured yourself.

  1. Navigate to https://www.xmyip.com/
    1. Verify that the IP shown is not your personal IP address
    2. Click the Additional details button
    3. Check that the location shown is not your actual location
    4. Confirm that the ISP shown is not your ISP
  2. Navigate to https://whoer.net/#extended
    1. Verify that the IP shown is not your personal IP address
    2. Check that the location shown is not your actual location
    3. Confirm that the ISP shown is not your ISP
    4. If you’re running TOR, it will indicate so
    5. Run the interactive detection to ensure no data is being leaked
  3. Navigate to https://dnsleaktest.com/
    1. Verify that the IP shown is not your personal IP address
    2. Click the Extended test button
    3. Verify that none of the hostnames contain your personal IP address
    4. Confirm that none of the ISPs match your ISP
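The checklist above, written out as code so it can be applied consistently every time you reconnect. This is an added example, not part of the original post; the personal values and the two result sets are constructed sample data (TEST-NET addresses and made-up ISP names), and the reverse-DNS spellings it looks for (dashed octets, reversed octets) are my assumption about how a hostname can “contain” an address, since leak tests rarely show it with plain dots.

```python
"""Apply the verification checklist to values a test page reports (added example).

The personal values are what you noted at whatismyipaddress.com before
connecting; the observed values are what the test pages show afterwards.
All data below is constructed, not real test output.
"""
import ipaddress
import re

# Noted before connecting (constructed sample, TEST-NET-3 range).
PERSONAL = {"ip": "203.0.113.45", "isp": "Example Cable Co", "city": "Springfield"}

# Constructed results: one resolver in the DNS leak test still belongs to the
# ISP and its hostname embeds the personal address with dashes.
LEAKY_SAMPLE = {
    "ip": "198.51.100.7", "isp": "Example VPN Ltd", "city": "Amsterdam",
    "resolvers": [
        ("203.0.113.45", "203-0-113-45.dyn.example-cable.net", "Example Cable Co"),
        ("198.51.100.53", "ns1.example-vpn.net", "Example VPN Ltd"),
    ],
}
CLEAN_SAMPLE = {
    "ip": "198.51.100.7", "isp": "Example VPN Ltd", "city": "Amsterdam",
    "resolvers": [("198.51.100.53", "ns1.example-vpn.net", "Example VPN Ltd")],
}


def _ip_forms(ip: str):
    """Spellings of an IPv4 address commonly found inside a reverse-DNS name.

    Assumed forms: dotted, dashed (203-0-113-45) and octet-reversed
    (45.113.0.203, as in in-addr.arpa names).
    """
    octets = ip.split(".")
    return {ip, "-".join(octets), ".".join(reversed(octets)), "-".join(reversed(octets))}


def _norm(name: str) -> str:
    """Case- and punctuation-insensitive form for comparing ISP/city names."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def check_results(observed: dict, personal: dict = PERSONAL) -> list:
    """Return a list of findings; an empty list means every check passed.

    observed: dict with ip, isp, city and resolvers, where resolvers is a
    list of (ip, hostname, isp) tuples from the extended DNS leak test.
    """
    findings = []
    mine = ipaddress.ip_address(personal["ip"])

    if ipaddress.ip_address(observed["ip"]) == mine:
        findings.append("public IP is still your personal IP")
    if _norm(observed["isp"]) == _norm(personal["isp"]):
        findings.append("ISP still shows as %s" % personal["isp"])
    if _norm(observed["city"]) == _norm(personal["city"]):
        findings.append("location still shows as %s" % personal["city"])

    forms = _ip_forms(personal["ip"])
    for rip, hostname, risp in observed.get("resolvers", []):
        if ipaddress.ip_address(rip) == mine:
            findings.append("resolver %s is your personal IP" % rip)
        if any(f in hostname for f in forms):
            findings.append("resolver hostname %s encodes your personal IP" % hostname)
        if _norm(risp) == _norm(personal["isp"]):
            findings.append("resolver %s belongs to your ISP (DNS leak)" % rip)
    return findings


if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY_SAMPLE), ("clean", CLEAN_SAMPLE)):
        problems = check_results(sample)
        print(label, "->", "OK" if not problems else "; ".join(problems))
```

The DNS-leak part is the one people skip: a VPN or TOR proxy can move your public IP while your operating system keeps sending name lookups to the ISP’s resolver, and that resolver line in the extended test is how you catch it.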

 

These next few suggestions all ramp up the complications. The idea is to run all of your network traffic through one device that can provide a secure connection. A typical home setup might look like this:

Obviously, yours may vary, but above are two pretty typical network setups. In order to ensure that all of our network traffic runs through TOR or our VPN, we need to insert TOR or our VPN between our machines and our modem. We’ll get into specifics about how to do that below, but we would be looking at a new network setup that looks like this:

Now, this definitely adds to the complexity of the setup, as you’re starting to add some additional hardware. Notice I put in a black box labeled privacy. This just means that, at this point, we don’t care what it is; we just want it in place to route all our traffic through. It can be a physical machine, a VM, or even some specialized hardware. Additionally, it could be running TOR or a VPN. At this point in our decision making, we’re more concerned at the high level with where it is and what its purpose is: to secure our data.

In our first setup, I added a switch to route traffic to multiple machines, but our mobile devices now can’t connect to this system, since there is nothing wireless behind our privacy box. A mobile device can only connect to the router sitting directly on the modem, which doesn’t keep its data secure. We could replace the switch with a router, but that adds more cost to our setup.

Now, this setup can cause some problems. As I mentioned above, sometimes you need some traffic to run outside your private network. For this reason, I always like to have 2 connection points, one inside your private network and one outside. This way, if there is anything you need to access directly (Netflix, Alexa, work VPN), you have another access point. While this might add some additional cost to your home network setup, it should increase your capabilities.

Below, I will dive into some ways to implement our ‘black box of privacy’.

Setup VPN on Router

While this option is more complicated than any of those above, I still believe it is relatively simple and worth getting into in this document. The other 3 options are complicated to the point that the detailed steps will be outlined in future blog posts.

One of the simplest ways to set up our above ‘black box of privacy’ is actually to combine your router with our secure connection. The same VPN service you might have selected above will work just fine for this step. The idea here is to have your router run your VPN, thereby eliminating the need for any additional hardware. Most routers out there don’t support this by default, but luckily, ‘by default’ is not what we’re looking at here. At their core, routers are hardware that run software. What we’re interested in here is modifying the software that the router is running, so that it will support running our VPN service. There is a great piece of open source (free) firmware (software for specific hardware) called DD-WRT which runs on a slew of different routers. Among other capabilities, DD-WRT allows you to run a VPN directly on your router. There is other software out there that can accomplish the same thing, but DD-WRT seems to be the simplest, with the most community support. The steps to set this up are as follows:

  1. Determine if your current router (not your main internet connection or modem) is compatible with DD-WRT
    1. If it is not, you may need to get one that is
  2. Install DD-WRT on your router
    1. Locate your router from the above router-database link
    2. Download the ‘Webflash image for first installation’ bin file
    3. Log in to your router
    4. Select upgrade firmware
    5. Provide this file for the upgrade
    6. Restart your router
  3. Configure your VPN – these steps may differ depending on your VPN
    1. Log in to your router
    2. Select the Services tab
    3. Click the VPN sub-tab
    4. Select ‘enable’ under OpenVPN Client
    5. Enter in your VPN information
    6. Restart your router
  4. Verify your VPN
    1. Log in to your router
    2. Select the Status tab
    3. Click the OpenVPN sub-tab
    4. Verify the state shows success
      Alternatively, you could use any of the above verification methods

These instructions are a little generic but are the correct overall process to follow. Whichever router you choose to go with, it might be worth your time googling some instructions on how to install DD-WRT on that specific router. Additionally, check with your VPN provider, and see if they have more detailed instructions on running with DD-WRT – many of them do.

Pros

  • Entire network is secure, no need to install anything on any individual system
  • All traffic is secure

Cons

  • Some initial setup is required
  • Associated costs with equipment and VPN provider
  • May notice some speed reduction (router may not have the capacity to encrypt and decrypt as fast as desired)

Run Router through TOR

Another ‘black box of privacy’ option is to configure your router to run all of its traffic through TOR. This is kind of a combination of our previous setup with running TOR as a proxy. What we’ll do here is set up a separate machine (or VM) running TOR, and this machine will be our black box in the above diagram. We’ll also install DD-WRT on our router, similar to the above step. This time, however, instead of installing a VPN on our router, we’ll configure our router to proxy all of its traffic through our TOR machine. We’re accomplishing the same feat as the above example, but we don’t need the VPN service (which, remember, comes at a price).

More detailed steps to fully implement this setup will be contained in a blog post I’ll get out later this month.

Pros

  • Entire network is secure, no need to install anything on any individual system
  • All traffic is secure
  • No need to pay for a VPN service

Cons

  • A more complicated initial setup is required
  • Associated costs with equipment
  • Slows down internet speeds

Run Network through TOR or VPN

You may not have a router that you can install DD-WRT on, and you might not want to spend money on one that you can. That doesn’t mean you’re out of luck. Rather than using router software to route all of your traffic, you can just set up your network so that all outbound traffic from your router passes through another machine (virtual or not) before it hits your modem. In this case, this other machine becomes your ‘black box of privacy’ and will need an additional network card (again, maybe it’s virtual). Configure your ‘black box of privacy’ to accept inbound traffic, and then set up TOR as a system proxy, or set up a VPN (see the above instructions) to run on it. This way, all traffic passing from your router to your modem goes through this machine and gets protected.

As with the above option, as the detailed steps for this are quite complicated, they will be contained in a separate post out later this month.

Pros

  • Entire network is secure, no need to install anything on any individual system
  • All traffic is secure
  • Your option to pay for a VPN service or not
  • No router configuration

Cons

  • A much more complicated initial setup is required
  • Potential associated costs with equipment and/or VPN provider
  • Slows down internet speeds (if taking the TOR route)

Run Network through pfSense

Setting up a VM to handle traffic as described above is not simple. In addition to the basic machine setup just to get the traffic to work, you need to worry about ensuring your machine (virtual or not) is set up properly and securely. Managing that machine might also be a challenge. Enter pfSense: an open-source operating system designed for secure network traffic. This last configuration is similar to our machine and networking setup in the above option; however, the base OS of the machine would be pfSense. Alternatively, instead of building (physical) or creating (virtual) a machine to run pfSense, you can just buy a small, cheap machine, specifically designed for this sort of traffic, with pfSense already installed on it. Many more networking options open up with pfSense, but I’ll go into those in a future post. Your last step is to configure pfSense with TOR as a proxy server, or configure your VPN service on it.

As with the above 2 options, as the detailed steps for this are more complicated, they will be contained in a separate post out later this month.

Pros

  • Entire network is secure, no need to install anything on any individual system
  • All traffic is secure
  • Your option to pay for a VPN service or not
  • No router configuration
  • Pre-built pfSense machines can eliminate the need for a separate router

Cons

  • A very complicated initial setup is required
  • Potential associated costs with equipment and/or VPN provider
  • Slows down internet speeds (if taking the TOR route)

 

*I have gone through the process of setting up each of these options over the past few days. None of them were particularly difficult (if you know what you are doing). Most of the instructions I found online, but there were a bunch of bad suggestions/instructions out there. In an attempt to consolidate some good information, many steps I have just linked to; why re-write the internet?

One thought on “Staying Secure on the Internet”

  • Boni

    Max,

    Amazing piece of resource! I’m going to bookmark this and share it with my friends. In a few months down the line – securing your network will become sort of a necessity/ need.

    The implementation part is slightly complex for a non-tech person like me – but you made it super simple in presentation and implementation.

    Thanks again for all the hard work and trying all the methods – showing us how to do it!

    Cheers!

