Encrypt all the things!

  • You need a caching DNS server. A Pi should do, not sure if that router's beefy enough to do it itself.

    https://github.com/pi-hole/pi-hole/#one-step-automated-install

    Use that hosts file to generate a blacklist of domains for which the DNS server returns no-records-found immediately.

    Router config:

    1. Block all outbound DNS requests except from the Pi.
    2. Include the Pi's DNS details in DHCP responses.
    3. You also need to blacklist (in the router config) the IP ranges used by those domains, but you'll need to be careful not to impact other legit domains that resolve to the same IP ranges (shared hosting, Tumblr etc.).
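A small converter for the hosts-file step above, added here as an example and not code from the original post or from Pi-hole: it turns the block entries of a hosts file (names mapped to 0.0.0.0 or 127.0.0.1) into dnsmasq `server=/domain/` lines, which tell dnsmasq (the resolver Pi-hole runs) never to forward those domains or their subdomains, so they come back with no record. The sample hosts content is constructed.

```python
import re
from typing import Iterable, List

# Names present in every hosts file that must never be blackholed.
SKIP_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
              "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
              "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0"}
# Only lines pointing at a sink address are block entries; anything else is a
# real mapping (e.g. a LAN host) and is left alone.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Require at least one dot so a bare label like "ads" cannot become a rule.
HOSTNAME_RE = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)+$")

# Constructed sample in the usual 0.0.0.0-style blocklist layout.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1 localhost
::1 localhost ip6-localhost
192.168.1.10 nas.home   # real LAN mapping, not a block entry
0.0.0.0 ads.example.net   # tracker
0.0.0.0 Tracker.Example.org telemetry.example.org
0.0.0.0 ads.example.net
127.0.0.1 0.0.0.0
"""


def hosts_to_domains(lines: Iterable[str]) -> List[str]:
    """Return the unique, lower-cased block domains from hosts-file lines."""
    seen = set()
    out = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINK_ADDRS:
            continue                             # genuine mapping, keep it
        for name in names:
            name = name.lower().rstrip(".")
            if name in SKIP_NAMES or name in seen or not HOSTNAME_RE.match(name):
                continue
            seen.add(name)
            out.append(name)
    return out


def dnsmasq_blocklist(domains: Iterable[str]) -> str:
    """One 'server=/domain/' line per domain; dnsmasq then answers
    the domain and all its subdomains locally, with no record."""
    return "".join(f"server=/{d}/\n" for d in domains)


if __name__ == "__main__":
    print(dnsmasq_blocklist(hosts_to_domains(SAMPLE_HOSTS.splitlines())), end="")
```

Drop the generated file into /etc/dnsmasq.d/ and restart dnsmasq; because `server=/domain/` also covers subdomains, check the list for any parent domain you still need (a tracker on a shared host's subdomain would otherwise take the whole host with it).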
  • Cheers. Filed under 'retirement activities' ;-)

    I'd like to avoid adding kit, just thought there might be a simple way of using the router for it.

  • I have an RT-N66U, I'll check tonight to see if you can upload a custom hosts file, but I'm pretty sure it's not possible (without sticking something like WRT or Tomato on it).

    I was going to suggest the PiHole route too; it's super easy to set up.

  • Mine is already flashed with one of the custom firmwares - I can't remember which one - wait, Merlin WRT.

    I've already got the hosts file on my PCs so I'm not going to buy and run more hardware just to apply it to other devices. I'd rather save the £5 per year it costs in elec for (a) beer.

  • As I understand it, in the UK and France, authorities can demand info from VPN operators about its users' history. Is this based on where the operator is based, or just on where each individual server is based? If the latter, which countries are safe as far as anonymity goes?

  • They can demand but the likelihood of them getting anything good is low. For the ultra paranoid, spin up Algo VPN https://github.com/trailofbits/algo on a droplet hosted out of reach of the UK and recycle that droplet on a regular basis. Logs take up space and VPS providers don't save them for long, so in the time it takes for a warrant to be produced, the chance of logs still being there is slim.

  • Assuming the logs were good, how straightforward would it be to associate traffic to a particular user?

  • Easy. As an experiment, spin up a Digital Ocean droplet and route torrent traffic via that. See how long it takes for a DMCA notice to appear.

  • Thanks. My naive view of this stuff was that the VPN provider knows what is going through their servers and where it is coming from, but associating that with specific users isn't trivial. Guess I need to do more research :/

  • AFAIK, PIA are decentralised and aren't really based anywhere. They don't log or leak DNS info.

    Everything is encrypted so "they" will have to go through an awful lot of trouble to get some metadata on some porn sites... unless there's some undisclosed means of intercepting and decrypting all VPN traffic leaving the island.

  • Hmm, might be time to finally move from Gmail.

    http://www.reuters.com/article/us-google-usa-warrant-idUSKBN15J0ON

  • I started looking at Fastmail ages ago but I'm just too lazy to make the switch.

  • No email (well, at least the vast majority) is truly private and shouldn't be treated as such.

  • There's 'available to be intercepted' and there's 'we are actively reading all your shit' though.

  • Maybe I just have surveillance fatigue...

  • So, I have an 'encrypt all the things' question. It may be a specialist one :)

    I am trying to configure a DD-WRT router to connect to the internet via PIA over OpenVPN, and then I want to use that connection to provide VPN-routed Wi-Fi, and also for VPN-routed access to LAN devices.

    So far, I have just about managed to set up the VPN connection, and last night I got a Virtual Access Point (VAP) running, so I could connect to my DD-WRT access point then straight to the internet over the PIA VPN connection. I wasn't entirely sure what I was doing, and I might struggle to do it again, but it seems to work.

    There are now two more things I would like to be able to do:

    1) Access the devices on my LAN (e.g. my home server) from my laptop when I am connected to the secure VAP. I can't do that at the moment, and I guess that is because I get routed straight into the VPN.

    2) Set up a LAN device (e.g. my home server) so that it can be routed through the VPN connection. I assume that will require some clever network configuration but I don't really know what I'm doing.

    If someone can point me in the right direction, or say some things that are probably about right, I can do some googling to try to understand them (which will take a while). I have attached a picture that might help explain a bit about my set-up.


    1 Attachment

    • Router.jpg
  • You will want to have the VPN connection (i.e. the DD-WRT router) between your (ASUS) router and the Virgin hub (presumably acting as the modem).

  • Your version of the internet looks better than IRL internet.

  • Why the two routers? Can you not just run everything through the DD-WRT unit or is it not capable of that?

  • Got an email the other day from LogMeIn about some big merger that I didn't really understand. I'm guessing not, but are there any privacy/security concerns re LastPass?

  • The comments are interesting/depressing.

    I'm giving my phone the Velocio/Cory Doctorow treatment.

Posted by Velocio (@Velocio)