Secure Internet at Home, in the Office and on the Move.

Most people, inside and outside of I.T., just accept the router their ISP provides, connect to its Wi-Fi and let guests in their home do the same, and when they’re on the move or travelling abroad for work or pleasure, they connect to hotel and public Wi-Fi or turn on roaming on their smartphone.

This is simply not acceptable opsec going forward.

The solution is affordable, fun to set up and incredibly satisfying to use. It’s also modular. There’s a minimum requirement to get fully set up and there are a few optional extras that can be built into the solution over time, or free services to subscribe to if you want to keep your in-house infrastructure set-up simple.

Reference Diagram so you don’t get lost.

GL.inet provide a host of devices that serve similar but subtly different use cases. They all use the OpenWrt Operating System for a consistent, familiar and intuitive UX/UI.

My personal choice would be a Flint V2 at home, replacing the ISP-provided router, and a Slate AX with an M2 5G Development Board plugged into its USB socket, using an unlimited data-only SIM from Smarty Mobile. For constantly being on the move, I’d favour a Mudi V2 over the Slate AX and M2 5G board combo for its compactness, flexibility and battery power, over the performance and dependency on mains power of the Slate (or Beryl).

Home/Office Setup (Flint V2)

Confirm the WAN connectivity requirements of your ISP. For UK BT/EE Customers.

Replace the ISP Provided Router with the GL.inet Flint V2.

Connect your laptop over Wi-Fi or cable, browse to the default address 192.168.8.1 and configure the WAN connection. Confirm ISP connectivity and perform a system update.

If you also have the M2 5G Dev Board and SIM and want to make use of it while not travelling, plug it into the USB on the Flint for hybrid/resilient connectivity. Don’t forget it when you’re travelling with your Slate, though. If you’ve opted for the Mudi V2 in preference to the Slate, you don’t need the M2 board, but you will still need the SIM card, in the Mudi V2 itself, for 4G connectivity. Make sure you have everything you need when travelling.

On the Flint, configure the Private and Guest Wi-Fi networks. 2.4GHz has better reach but lower transfer rates; 5GHz is faster but the signal falls off more quickly the further you are from the router. You can run one or the other or both, so do what suits you.

Configure the OpenVPN client with a config file from a reputable and performant VPN provider such as ExpressVPN. This ensures all traffic leaving the router for the ISP goes over the VPN. You can choose an OpenVPN configuration for whatever country you want to appear in, whether that is your own country of residence or not.

Configure AdGuard to protect your network from malware and adverts.

Configure DNS to use a secure DNS provider such as Quad9.

Configure the Tailscale application to add your GL.inet router to your existing tailnet, if applicable. Tailscale is a VPN service that places all your devices, in or out of your home/work network, on the same virtual private subnet (tailnet) in the easiest way possible. It’s really very good indeed.

Configure the WireGuard Server (already installed on the Flint) to allow your WireGuard clients (Slate AX or Mudi V2 travel routers) inbound connectivity to your LAN from outside it while on the move. This routes ALL traffic from your devices back home, and out through your Flint, when travelling. A great video on this end-to-end setup here.

Remote/Travelling (Slate AX or Mudi V2)

The OpenWrt interface on your Slate AX Travel Router or Mudi V2 4G Travel Router is the same as on your Flint, so it’ll look very familiar. You can connect your chosen travel router to the public/hotel Wi-Fi and/or roaming 4G service, then configure the wireless access point to give your devices a private connection to the travel router. This offloads the responsibility for firewalling and public-service connectivity to the travel router, providing a layer of protection for your devices themselves.

You can also configure tailscale on the travel router and on your devices to allow you connectivity to all tailscale devices on your secure tailnet, including your Slate, Mudi and even your Flint back in the home/office and anything else back there that’s running tailscale. Tailscale gives you the confidence that you’ll always be able to connect to the interfaces of all your devices wherever they may be, provided you’re authenticated to your tailscale tailnet (you can use your Google account for this authentication).

You can also configure the WireGuard client, using the config downloadable from the WireGuard server running on your Flint, to optionally connect back to your LAN from your remote location and reach any services on it. This is very similar to Tailscale in that regard, but gives you connectivity to the entire LAN rather than just placing the devices running Tailscale on a common virtual LAN. ExpressVPN, Tailscale and WireGuard are all “VPN” services, but differ slightly in their benefits and use cases. It can be very troublesome to run all three on a client computer, but the GL.inet devices seem to take it in their stride, no problem whatsoever; another good reason to offload the responsibility to the GL.inet devices, keeping your client devices’ config relatively simple. You just connect to the Wi-Fi of the travel router and that’s all you need to do. Travel can be stressful; you don’t need it to be any more complicated than that.
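The difference between “connect back to the LAN” and “route ALL traffic back home” described above comes down to one line of the WireGuard client config, AllowedIPs. The following is an added example, not GL.inet’s, WireGuard’s or the author’s code: a small shell script that renders a client config for the travel router and classifies it as a full tunnel, an IPv4-only tunnel, or a split tunnel. Every key, address, hostname and port in it is a constructed placeholder; the Flint’s WireGuard server UI generates the real values.

```shell
#!/bin/sh
# Added example (not GL.inet's, WireGuard's or the page author's code): render
# the WireGuard client config a travel router would carry, and check whether it
# is a "full tunnel" (ALL traffic routed back through the Flint, as the text
# describes) or a split tunnel (only the home LAN reachable via the tunnel).
# Every key, address and endpoint below is a constructed placeholder.

# render_client_config ALLOWED_IPS -> prints a client config to stdout
render_client_config() {
    allowed="$1"
    cat <<EOF
[Interface]
# placeholder: the travel router's private key, generated by the Flint's WireGuard server
PrivateKey = <travel-router-private-key>
# placeholder tunnel address assigned by the Flint
Address = 10.0.0.2/24
# resolve through the tunnel so hotel Wi-Fi never sees (or rewrites) your lookups
DNS = 10.0.0.1

[Peer]
PublicKey = <flint-public-key>
# placeholder: the Flint's WAN hostname (DDNS) and WireGuard port
Endpoint = home.example.invalid:51820
# AllowedIPs decides what is routed into the tunnel: 0.0.0.0/0 and ::/0 means everything
AllowedIPs = $allowed
PersistentKeepalive = 25
EOF
}

# tunnel_mode FILE -> "full" when AllowedIPs covers both IPv4 and IPv6 entirely,
# "ipv4-only" when only 0.0.0.0/0 is routed (IPv6 would bypass the tunnel),
# "split" when only specific networks (e.g. the home LAN) go through it
tunnel_mode() {
    awk -F'=' '
        /^[[:space:]]*AllowedIPs[[:space:]]*=/ {
            n = split($2, a, /[ ,]+/)
            for (i = 1; i <= n; i++) {
                if (a[i] == "0.0.0.0/0") v4 = 1
                if (a[i] == "::/0")      v6 = 1
            }
        }
        END {
            if (v4 && v6) print "full"
            else if (v4)  print "ipv4-only"
            else          print "split"
        }' "$1"
}

# Demo on three constructed configs
tmp="$(mktemp -d)"
render_client_config "0.0.0.0/0, ::/0"              > "$tmp/full.conf"
render_client_config "0.0.0.0/0"                    > "$tmp/v4only.conf"
render_client_config "192.168.8.0/24, 10.0.0.0/24"  > "$tmp/split.conf"
for f in full v4only split; do
    printf '%-12s %s\n' "$f.conf:" "$(tunnel_mode "$tmp/$f.conf")"
done
rm -rf "$tmp"
```

The ipv4-only state is the one to watch for: a config carrying only 0.0.0.0/0 sends IPv4 home but leaves IPv6 on the hotel network, which is a leak on any IPv6-capable public Wi-Fi. Setting DNS to the Flint’s tunnel address keeps name lookups inside the tunnel as well.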

One nice feature on the Slate AX is an easily-overlooked physical toggle switch on the side of the unit, next to the power switch, that can be configured to provide a variety of functions. You can configure it to turn any one of your VPNs on and off. I’d use it to toggle WireGuard, literally giving me a button that forces all my traffic through my connection back at base. ExpressVPN and Tailscale will turn on by default anyway (and you’d likely want them on permanently).

Summary

The Flint forces all internet traffic over ExpressVPN and is accessible from anywhere via Tailscale VPN authenticated devices. It also allows inbound VPN connectivity to the LAN via WireGuard.

The Slate/Mudi protects your devices by removing the need to connect them directly to public/shared Wi-Fi or foreign mobile networks. It also provides connectivity back to base, forcing all your internet traffic through a trusted ISP and secure VPN provider instead of through a foreign/customer/adversary’s free, open guest network.

Optional Extras

Cybersecurity threats come in many forms, and protection can be proactive or reactive in nature. I’ve already mentioned the use of Quad9 secure DNS, whereby your name resolution queries are encrypted as well as the traffic itself. This masks what sites you’re resolving as well as what sites you’re visiting. You should want to mask everything you do, irrespective of what it is. The “I’ve nothing to hide so I’ve nothing to worry about” argument simply doesn’t stack up.

Pi-Hole DNS Filters

Before your secure DNS service even sees a query, you can filter which DNS names get resolved at all. Run Pi-hole on a fixed, permanently powered-on SBC such as a Raspberry Pi as the primary DNS server for all clients on your LAN/tailnet, subscribed to maintained, dynamic lists of known threat-actor domains.

If a page you visit in turn starts sending identification data, metrics, telemetry and analytics to the algorithms of multiple third-party advertising agencies, social media companies, intelligence agencies or domestic/foreign adversaries, then it’s best if queries for the FQDNs of those undesirable endpoints are never sent to your secure DNS provider for resolution in the first place, so the connections are halted in their tracks.

Pi-hole comes with its own UI, and there’s an excellent guide here and an accompanying doc here.
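To make concrete what Pi-hole decides before a query ever reaches Quad9, here is an added example (not Pi-hole’s code, and not from the author): a shell script that applies a constructed hosts-format blocklist and allowlist, the format most subscription lists use, and returns BLOCK, ALLOW or FORWARD for a name. It goes slightly beyond plain exact matching by also blocking subdomains of a listed domain, and it lets the allowlist win, which is the precedence you want so that a broad list does not break a site you rely on.

```shell
#!/bin/sh
# Added example (not Pi-hole's code): the decision a filtering resolver makes
# before a query is forwarded to the upstream secure DNS provider.
# The blocklist and allowlist below are constructed samples in the hosts-file
# format most subscription lists use ("0.0.0.0 domain" or "127.0.0.1 domain").

BLOCKLIST="$(mktemp)"
ALLOWLIST="$(mktemp)"
trap 'rm -f "$BLOCKLIST" "$ALLOWLIST"' EXIT
cat > "$BLOCKLIST" <<'EOF'
# constructed sample blocklist
0.0.0.0 tracker.example
0.0.0.0 metrics.example.net
127.0.0.1 ads.example.org
EOF
cat > "$ALLOWLIST" <<'EOF'
# constructed sample allowlist: overrides the blocklist
needed.metrics.example.net
EOF

# normalise DOMAIN -> lower-case, trailing dot removed (queries arrive both ways)
normalise() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# in_list DOMAIN FILE -> exit 0 if DOMAIN, or a parent domain of it, appears in FILE.
# Hosts-format lines are "addr domain"; bare-domain lines are accepted too.
in_list() {
    d="$1"
    while [ -n "$d" ]; do
        if awk -v want="$d" '
            /^[[:space:]]*(#|$)/ { next }
            { name = (NF >= 2) ? $2 : $1
              if (tolower(name) == want) { found = 1; exit } }
            END { exit found ? 0 : 1 }' "$2"; then
            return 0
        fi
        # climb to the parent domain: a.b.example -> b.example -> example
        case "$d" in
            *.*) d="${d#*.}" ;;
            *)   d="" ;;
        esac
    done
    return 1
}

# dns_verdict DOMAIN -> one of:
#   ALLOW   : explicitly allowlisted, forwarded upstream even if a list matches
#   BLOCK   : on the blocklist, answered locally (0.0.0.0/NXDOMAIN), never sent upstream
#   FORWARD : unknown, sent to the upstream secure resolver (e.g. Quad9 over DoT/DoH)
dns_verdict() {
    q="$(normalise "$1")"
    if in_list "$q" "$ALLOWLIST"; then echo "ALLOW"
    elif in_list "$q" "$BLOCKLIST"; then echo "BLOCK"
    else echo "FORWARD"
    fi
}

# Demo over a handful of constructed queries
for name in tracker.example CDN.TRACKER.EXAMPLE. needed.metrics.example.net \
            other.metrics.example.net ads.example.org en.wikipedia.org; do
    printf '%-28s %s\n' "$name" "$(dns_verdict "$name")"
done
```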

CrowdSec Dynamic Firewall

If a rogue packet from a malicious actor manages to make it through your many lines of defence (very unlikely at this point), then as a last line of defence you should consider installing CrowdSec on your devices. Similarly to Pi-hole, it subscribes to dynamic lists of bad actors, but instead of filtering a DNS resolution on the way out of your LAN (and thereby the reply on the way back in), it puts up a firewall rule preventing any inbound connection from those known bad IP endpoints. The lists are updated constantly by CrowdSec agents running on CrowdSec installations worldwide, so you’re literally being kept safe by everyone, all the time.
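What a CrowdSec-style firewall “bouncer” actually does is turn a feed of flagged sources into deny rules on the host. The script below is an added example, not CrowdSec’s or ufw’s code: it reads a constructed decision list (source,reason), validates each entry as a public IPv4 address or CIDR block, drops duplicates, and prints the ufw commands it would run, as a dry run. The private-range check is the caveat worth keeping: a bad or poisoned feed entry for 192.168.x.x should never be able to cut the router off from its own LAN.

```shell
#!/bin/sh
# Added example (not CrowdSec's or ufw's code): turn a list of sources that a
# reputation feed has flagged into host-firewall deny rules, the job a
# CrowdSec "bouncer" does automatically. Runs as a dry run: it prints the ufw
# commands instead of executing them. The decision list is a constructed sample
# using documentation address ranges.

DECISIONS="$(mktemp)"
trap 'rm -f "$DECISIONS"' EXIT
cat > "$DECISIONS" <<'EOF'
# constructed sample: source,reason
198.51.100.23,ssh-bf
203.0.113.0/24,http-scan
198.51.100.23,ssh-bf
192.168.8.44,ssh-bf
127.0.0.1,weird
300.1.2.3,garbage
not-an-ip,garbage
EOF

# is_public_ipv4 ADDR[/PREFIX] -> exit 0 for a well-formed, publicly routable
# IPv4 address or CIDR block; rejects malformed input and private/loopback/
# link-local ranges so a bad feed entry cannot lock the router out of its own LAN.
is_public_ipv4() {
    printf '%s\n' "$1" | awk -F'/' '
        NF > 2 { exit 1 }
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32) { exit 1 }
        {
            n = split($1, o, ".")
            if (n != 4) exit 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
            if (o[1] == 10) exit 1                               # 10/8
            if (o[1] == 127) exit 1                              # loopback
            if (o[1] == 169 && o[2] == 254) exit 1               # link-local
            if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) exit 1  # 172.16/12
            if (o[1] == 192 && o[2] == 168) exit 1               # 192.168/16
            exit 0
        }'
}

# render_ufw_rules FILE -> prints one "ufw insert 1 deny from X to any" per
# unique valid source, carrying the reason as the rule comment. Inserting at
# position 1 keeps the deny ahead of any allow rules already configured.
# Skipped entries are reported on stderr so a broken feed is visible, not silent.
render_ufw_rules() {
    seen=""
    while IFS=',' read -r src reason; do
        case "$src" in ''|'#'*) continue ;; esac
        case " $seen " in *" $src "*) continue ;; esac   # de-duplicate
        seen="$seen $src"
        if is_public_ipv4 "$src"; then
            printf "ufw insert 1 deny from %s to any comment '%s'\n" "$src" "$reason"
        else
            printf '# skipped %s (%s): not a public IPv4 address or block\n' "$src" "$reason" >&2
        fi
    done < "$1"
}

echo "# dry run: commands that would be executed"
render_ufw_rules "$DECISIONS"
```

To apply the rules for real, pipe the output to sh as root; ufw also accepts --dry-run on each command if you want to see the resulting iptables rules first. ufw evaluates rules in order, which is why the script inserts at position 1 rather than appending.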


Protect your privacy with a VPN

Protecting your privacy doesn’t need to be as complicated as using all manner of CIA-beating tech to hide yourself and your computer from the evils that lurk on the interwebs these days, where literally nobody is to be trusted. It’s fun setting all that stuff up, if that’s what you’re into, but most of you just want a nice, easy solution that works and doesn’t affect your day-to-day online experience.

Frankly, everyone should be using a VPN, whether they realise it or not and whether they think they have anything to hide or not.

My personal favourite service (there are a few very good ones) is ExpressVPN.

Sign up for a small monthly fee and download the software for your operating system; in my case Linux Mint (so I downloaded the Ubuntu 64-bit .deb package).

The commands to install it, activate it using the code supplied when you subscribe, and connect to it are shown below….

Does it get any easier than that?  I don’t think so.

Once it’s installed and running, you should add it to your startup applications, so that it starts automatically when you log in for convenience.

Lastly and for completeness, you can add the extension for Firefox (not essential but why wouldn’t you?).

You can activate up to 3 devices with your subscription.  All major operating systems and phone operating systems are supported.

It just works.


Protect your Anonymity online with Vidalia, Privoxy and Proxychains

Happy New Year.  You will be monitored.  We are watching you.  We know who you are.  We know where you are.

The following is a concise guide to configuring internet anonymity on Linux by leveraging the Tor network (via the Vidalia front-end) and a local proxy server (Privoxy), then running your web browser through proxychains.

I have tried the Tor Browser Bundle but couldn’t access most of my websites, so I found it pretty useless in everyday life.  This, however, lets me access all my sites fine (so far), so it provides protective anonymity without getting in the way.

I have found certain sites like Google sometimes use a captcha to prove you’re human, but it’s no big deal.  It is a response more likely to be coming from OpenDNS than from Google, actually.

Disclaimer:  The following should be used for educational purposes only and not to facilitate any illegal online activity.

This is a complement to your firewall.  It should remain ON.  You can further harden your web browser by “jailing” it to prevent penetration by following this guide here.

Remember:  Today’s paranoia is tomorrow’s security standard.

TEST
firefox www.dnsleaktest.com www.whatismyip.com
You should see your IP address and location.

This information is logged along with the sites you visit and held by your ISP in line with new regulations.  Everything they need to lead them right to your door.  FTS.

PACKAGES TO INSTALL
sudo apt-get install privoxy vidalia proxychains

PRIVOXY – local privacy proxy server, runs on 127.0.0.1:8118
Edit the config with vi /etc/privoxy/config, search for localhost:8118 and replace it with 127.0.0.1:8118

VIDALIA – Tor front-end. Set up relaying to use the local Privoxy proxy (enter the Privoxy settings above), then add Vidalia to the Session & Startup apps list.

  Note that the Tor onion icon may take a little while to turn green after your computer initially connects to the network/Wi-Fi.

DNS SERVICES – change your network/wifi IPv4 settings
Use OpenDNS addresses 208.67.222.222 208.67.220.220

PROXYCHAINS
ProxyChains allows you to run any program through an HTTP or SOCKS proxy.
It tunnels all TCP and DNS connections of the given applications.

Note: precede the launcher command of the application with proxychains, e.g. proxychains firefox %u

vi /etc/proxychains.conf
comment out strict_chain
uncomment dynamic_chain
add these lines under [ProxyList] section
socks4 127.0.0.1 9050
socks4a 127.0.0.1 9050
socks5 127.0.0.1 9050
http 127.0.0.1 8118
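The edits above are easy to get subtly wrong by hand (strict_chain left on, proxy_dns commented out so lookups leak to the ISP, option lines placed below [ProxyList] where they are read as proxy entries). This added example, not proxychains’ or the author’s code, applies the same edits to a copy of the file with sed/awk, is safe to re-run, and verifies the result. The file it operates on is a constructed sample shaped like the stock proxychains.conf; set CONF to /etc/proxychains.conf (as root) to do it for real.

```shell
#!/bin/sh
# Added example (not proxychains' or the page author's code): apply the
# /etc/proxychains.conf edits from the steps above to a copy of the file,
# idempotently, then verify the result. Works on a constructed sample here.

CONF="$(mktemp)"
trap 'rm -f "$CONF" "$CONF.tmp"' EXIT
cat > "$CONF" <<'EOF'
# constructed sample in the shape of the stock proxychains.conf
strict_chain
#dynamic_chain
#random_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
socks4 127.0.0.1 9050
EOF

# configure_proxychains FILE: comment out strict_chain, uncomment dynamic_chain
# (the first working proxy is used, and a dead one is skipped), make sure
# proxy_dns is on so lookups go through the chain rather than to the ISP, and
# append the entries from the steps above under [ProxyList] if not already there.
configure_proxychains() {
    f="$1"
    sed -e 's/^[[:space:]]*strict_chain[[:space:]]*$/#strict_chain/' \
        -e 's/^#[[:space:]]*dynamic_chain[[:space:]]*$/dynamic_chain/' \
        -e 's/^#[[:space:]]*proxy_dns[[:space:]]*$/proxy_dns/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
    # proxy_dns is an option, so it must sit above [ProxyList]; insert it there if absent
    if ! grep -q '^proxy_dns' "$f"; then
        awk '/^\[ProxyList\]/ && !done { print "proxy_dns"; done = 1 } { print }' "$f" \
            > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    # proxy entries exactly as listed in the steps above; -xF = whole-line, literal match
    for entry in "socks4 127.0.0.1 9050" "socks4a 127.0.0.1 9050" \
                 "socks5 127.0.0.1 9050" "http 127.0.0.1 8118"; do
        grep -qxF "$entry" "$f" || printf '%s\n' "$entry" >> "$f"
    done
}

# proxy_entries FILE -> the active (non-comment) lines under [ProxyList]
proxy_entries() {
    awk '/^\[ProxyList\]/ { p = 1; next } p && !/^[[:space:]]*(#|$)/ { print }' "$1"
}

# verify_proxychains FILE -> exit 0 only when the file is in the expected state;
# each failure names the problem on stderr
verify_proxychains() {
    f="$1"
    grep -q '^dynamic_chain' "$f"   || { echo "dynamic_chain not enabled" >&2; return 1; }
    ! grep -q '^strict_chain' "$f"  || { echo "strict_chain still enabled" >&2; return 1; }
    grep -q '^proxy_dns' "$f"       || { echo "proxy_dns off: DNS would leak to the ISP" >&2; return 1; }
    grep -qxF 'socks5 127.0.0.1 9050' "$f" || { echo "Tor SOCKS entry missing" >&2; return 1; }
    grep -qxF 'http 127.0.0.1 8118' "$f"   || { echo "Privoxy entry missing" >&2; return 1; }
    return 0
}

# Demo: check, configure twice (second run is a no-op), check again
verify_proxychains "$CONF" 2>/dev/null && echo "already configured" || echo "needs configuring"
configure_proxychains "$CONF"
configure_proxychains "$CONF"
verify_proxychains "$CONF" && echo "configured OK"
echo "active proxy list:"
proxy_entries "$CONF"
# Then launch as the steps above describe, e.g.: proxychains firefox www.dnsleaktest.com
```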

TEST
proxychains firefox www.dnsleaktest.com www.whatismyip.com
You should see that you now appear to be in a foreign country, not your actual geographical location.

Download the latest Linux .iso file to generate some bandwidth and view the bandwidth graph in Vidalia.

That’s it.  You’re Anonymous!


Protect your Linux system by jailing your web browser

Your Linux system is inherently less vulnerable to attack than Microsoft Windows for a number of reasons.

  1. You’re less of a target to virus attack by being in the minority (Only 2.18% of people run Linux as their desktop operating system with most of those running a Debian derivative, the most popular being Linux Mint).
  2. You execute user processes as a non-privileged user (Remote code executing in your browser is not running in the context of a local Administrator account so has much less privileges to do potentially damaging things to your computer and data).
  3. Your Linux system is built entirely from packages obtained and installed from known, trusted repositories (No dodgy software downloaded from goodness-knows-where that may or may not be what you think it is.  The code of any given package undergoes constant scrutiny and improvements by the open source community.)
  4. There’s no marketing, advertising, ransom-ware or hidden agendas lurking in the operating system or the applications that are ultimately built by the people, for the people, and distributed to the people for free (feel the love).

Despite all these advantages, we live in the (dis)information age, and that means that the way to reach your users is through their web browsers.  So this next part should interest you.


How do I protect my web browser? (Firefox is the default web browser on Linux Mint, my OS and browser of choice)

[Screenshot: firewall]

  1. Enable the firewall (above)
  2. Once a new installation of Linux Mint is complete, I reboot, log on, and install all pending updates by typing sudo apt-get update && sudo apt-get dist-upgrade in a terminal window.
  3. Connect to my Wi-Fi network, open Firefox and install the AdBlock Plus and uBlock Origin plugins.

And that’s it.  Or at least it has been until now, and in fairness it’s kept me safe since 2005.  I’ve never installed anti-virus software and never had a problem in over a decade.  AV products on Linux such as ClamAV are usually for the benefit of Windows users on the same network, or for mail attachment scanning on Linux mail servers, neither of which is applicable in my home network environment.

Today though, I learned about something else: the existence of firejail, a program that “jails” certain other programs, and I really like what I see.

Like most Linux programs, it’s super quick to install with a quick sudo apt-get install firejail command in a terminal window, and as easy to “use”.  In firejail’s case, you just edit the shortcuts of your existing launchers and prepend the command firejail

e.g. firefox %u becomes firejail firefox %u


By jailing the firefox process, it quite literally prevents the web browser from being able to access your system.  Kind of like a firewall for processes rather than TCP/UDP ports, one that only lets certain interactions with the rest of the operating system through.

For example, look what happens when trying to upload a picture I’ve saved to my Desktop to this very blog post…


The Desktop looks empty.  Nothing.  Blank.  No files or subfolders.  Yet my Desktop folder contains loads of images and other files and subfolders, as does my Pictures folder; same again, blank.  This is because firefox is jailed.  It can’t get out into your filesystem.  Brilliant, and only a little inconvenient, as it can still access my Downloads folder.  So if I want to upload a file, I just have to make a copy into my Downloads folder first using my file manager caja (which isn’t jailed).  Uploading to my Dropbox account using the web-based interface would be a bit of a pain, but the Dropbox daemon running on my computer does all my file syncing anyway, so it doesn’t present a problem.  I don’t actually need to use Dropbox’s web interface.

This all works in accordance with the application profile in /etc/firejail/firefox.profile; there are loads of them, not just for firefox but for other internet-facing/vulnerable programs like filezilla, transmission etc. too.

Filezilla’s firejail profile on the other hand seems to be a lot more lenient and allows access to your home directory where you might wish to upload an entire folder structure to your web server.  You could always edit the filezilla.profile to harden it yourself I guess.
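Editing every launcher by hand is the one fiddly step, so here is an added example, not firejail’s or the author’s code: a shell script that copies a .desktop launcher into the per-user applications directory (~/.local/share/applications, which XDG-aware menus consult before /usr/share/applications) with every Exec= line prefixed by firejail, skipping lines that are already jailed so it can be re-run safely. It works on a constructed sample firefox.desktop in a temporary directory; point SRC at the real launcher and DST at the real override path to use it.

```shell
#!/bin/sh
# Added example (not firejail's code): wrap a desktop launcher's Exec= lines in
# firejail without touching the system copy under /usr/share/applications.
# Operates on a constructed sample .desktop file in a temp dir; set SRC/DST to
# the real launcher and ~/.local/share/applications/<name>.desktop to use it.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/firefox.desktop"
cat > "$SRC" <<'EOF'
[Desktop Entry]
Name=Firefox Web Browser
Exec=firefox %u
Terminal=false
Type=Application
Actions=new-window;

[Desktop Action new-window]
Name=Open a New Window
Exec=firefox -new-window
EOF

# jail_desktop_file SRC DST: copy SRC to DST with every Exec= line (main entry
# and each [Desktop Action]) prefixed by "firejail ", leaving lines that already
# start with firejail alone so a second run changes nothing.
jail_desktop_file() {
    awk '
        /^Exec=/ && $0 !~ /^Exec=firejail([[:space:]]|$)/ { sub(/^Exec=/, "Exec=firejail ") }
        { print }' "$1" > "$2"
}

# unjailed_exec_count FILE -> number of Exec= lines that do not start with firejail
unjailed_exec_count() {
    awk '/^Exec=/ && $0 !~ /^Exec=firejail([[:space:]]|$)/ { n++ } END { print n + 0 }' "$1"
}

# DST stands in for ~/.local/share/applications/firefox.desktop
DST="$WORK/applications/firefox.desktop"
mkdir -p "$(dirname "$DST")"
jail_desktop_file "$SRC" "$DST"
jail_desktop_file "$DST" "$DST.again"   # idempotence check: identical output
echo "unjailed Exec lines before: $(unjailed_exec_count "$SRC"), after: $(unjailed_exec_count "$DST")"
grep '^Exec=' "$DST"
cmp -s "$DST" "$DST.again" && echo "second pass changed nothing"
```

Once a jailed Firefox is running, firejail --list shows the sandboxed process; the profile it picked up is the one matching the program name, /etc/firejail/firefox.profile in this case, which is what limits the browser to Downloads as described above.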

Whilst I found firejail in my repositories, I didn’t find the accompanying firetools package – a simple launcher that sits on your desktop.  It’s not really needed if you’ve edited your launchers to your favourite apps already and just allows you to add some additional programs to it and shows any running jailed processes if you’re interested in seeing that.  It places a convenient icon in your systray area too, for easy recall.



Adding a blocklist to Transmission torrent client on Linux

When using a torrent client on Windows such as uTorrent, it’s not a bad idea to run PeerBlock to protect your computer from inbound connections from a maintained list of known IP addresses.


Linux comes with a torrent client built in, usually Transmission, although Deluge is a bit more like utorrent, i.e. shows more info on the screen, has a few more options etc.  Transmission works perfectly well though and ticks the minimalist box if that’s your thing.  Both are available via the repositories using the built in package manager.

PeerBlock isn’t available for Linux.  Transmission, however, supports blocklists, so increasing your level of protection has never been simpler.

In Preferences, just add the following url to the Blocklist field and click Update.  Done.

http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz


To provide system-wide protection, you should install ufw from the package manager.

  gufw is a GUI that can be used to enable ufw and configure rules.

ufw is installed by default in Linux Mint but is not turned on.

