-
• #1452
I run everything over VPN. I don't really notice lower bandwidth. I'd rather set and forget, basically.
-
• #1453
Yes, setting them up like that might be possible.
The point that puzzles me is how I would be able to set up the home server so that it only ever connects to the internet over the VPN link, but it can also still be accessed freely from my local network.
I sense the difficulty will be that I would need to put the home server on a separate subnet that is used by the DD-WRT, but I would also need to be able to selectively route specific LAN traffic to the home server.
A "I don't really know what I am doing" gif would be appropriate at this point.
-
• #1454
Interesting, will investigate more.
Out of interest do you do anything to protect against the VPN dropping?
-
• #1455
Panic?
Nope. It hasn't yet and if it did I can hotspot from phone and it would only take a couple of minutes to log on to my router, disable the VPN and go back out 'raw'.
-
• #1456
Depends on your home server - what is it?
I spent several hours over the weekend setting up a FreeNAS jail to run over VPN for all external connections while still allowing internal connections. It needed a basic set of rules for the firewall (i.e. allow all packets over the VPN, allow packets to the VPN DNS server over the ethernet, allow packets from 192.168.0.1/24 over the ethernet interface, drop everything else) and it may be that the DNS requests, while going to a safe server, can be intercepted. This also acts as a kill switch (I think), nothing other than the exceptions can go out over the normal connection.
However, if your home server is a little all-in-one NAS like a Synology etc then you may not have that option - why not do as @hippy suggests?
-
• #1457
It's a little headless Linux box running Arch Linux so I can fiddle with it.
Happy to try to learn my way around 'iptables'.
What you have done sounds similar to what I want to do.
-
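The rule set described in #1456, written as iptables rules for a Linux box like the one in #1457. This is an added example, not code from anyone in the thread: the interface names, LAN subnet and VPN endpoint address are constructed placeholders, and unlike the post it sends DNS only through the tunnel (addressing the DNS-leak worry) and assumes the server has a static LAN address.

```shell
#!/bin/sh
# Added example: VPN kill switch as an iptables-restore rule set (IPv4 only).
# Every value here is a constructed placeholder, not taken from the thread.
LAN_IF=eth0                 # wired interface facing the home LAN
VPN_IF=tun0                 # OpenVPN tunnel interface
LAN_NET=192.168.0.0/24      # local subnet allowed to reach the server
VPN_SERVER=203.0.113.10     # VPN endpoint by IP, so no DNS is needed to connect
VPN_PORT=1194               # OpenVPN port, UDP assumed

killswitch_rules() {
    cat <<EOF
*filter
# Default-deny: anything not matched below is dropped (the kill switch).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# All outbound traffic may use the tunnel; inbound only as replies.
-A OUTPUT -o $VPN_IF -j ACCEPT
-A INPUT -i $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The encrypted tunnel itself is the only internet traffic on the wire.
-A OUTPUT -o $LAN_IF -d $VPN_SERVER -p udp --dport $VPN_PORT -j ACCEPT
-A INPUT -i $LAN_IF -s $VPN_SERVER -p udp --sport $VPN_PORT -j ACCEPT
# No DNS on the wire, not even to the LAN router (must precede the LAN rule).
-A OUTPUT -o $LAN_IF -p udp --dport 53 -j REJECT
-A OUTPUT -o $LAN_IF -p tcp --dport 53 -j REJECT
# The server stays reachable from the local network.
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A OUTPUT -o $LAN_IF -d $LAN_NET -j ACCEPT
COMMIT
EOF
}

# print: show the rules; check: parse without committing; apply: load (root).
case "${1:-}" in
    print) killswitch_rules ;;
    check) killswitch_rules | iptables-restore --test ;;
    apply) killswitch_rules | iptables-restore ;;
esac
```

These rules cover IPv4 only; if the box has IPv6 connectivity, ip6tables needs its own default-drop policy or traffic can bypass the tunnel that way.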
• #1458
I used ipfw to forcibly block all traffic that didn't adhere to what I considered safe. Personally, I'd still like someone more knowledgeable to check it over as I'm not sure about how I handled DNS servers...
If you're running linux then you could just run openvpn on the server itself and not worry about any of the network topology after that. That's probably a more elegant solution if you don't want anything else to use the VPN.
-
• #1459
Yes, I gather 'DNS leak' can be a concern.
I might look at running openvpn on the server. I think I had looked at that in the past but never got very far with it. I recall getting confused as to how I might set it up so that it was still accessible from the LAN. But I didn't explore it in much depth.
That said, I do like the idea of having the DD-WRT configured to provide a permanent VPN connection for both Wi-Fi and ethernet, and then being able to route things via that.
More thinking required!
-
• #1460
Anyone have any experience of F-Secure Freedome VPN?
https://www.wired.com/2017/02/beware-mobile-vpns-arent-safe-seem/
-
• #1461
Saw tweet that Twitter archives deleted tweets? Can you see your tweetdelete deleted ones in any twitter archive?
-
• #1462
No, they're not in any of my exports, etc.
What they mean is that they use a key:value store and only mark the tweet as deleted rather than actually delete it.
This makes sense because:
- Legal issues (don't actually delete tweets involved in ongoing cases, but they have no way to know which tweets those are)
- Performance (deletion is expensive and fragmentation of storage is messy, best just flip a bit)
I don't assume that my tweets were never public or no longer exist... I assume that if I can't see them now then those looking will also not see them now without extraordinary resources and access.
I don't tweet things that I'm uncomfortable with saying publicly, but delete because the definition of comfort changes with time.
-
• #1463
I get full speed 100Mbps using PIA. I use the openvpn client rather than the PIA one though, not sure if that makes a difference.
This is on a full PC though, and it can be using 10-15% of CPU (an i7) so a router may well struggle.
-
• #1464
-
• #1466
Entertaining infosec trolling
-
• #1467
burglarize
Your challenge is to slip that word in to your next meeting.
-
• #1468
What am I reading? Synopsis for the daft?
-
• #1470
Fuck. Wrong link. Should have been this one.
https://twitter.com/RSWestmoreland/status/832033441659047936
-
• #1471
That makes much more sense!
-
• #1473
Someone mentioned Mitnick's latest to me today:
-
• #1474
-
• #1475
Old news, ce n'est pas?
I have two routers (in effect access points) simply for boosting the signal.
I wanted to keep an open (i.e. not VPN) link to the internet as it would be better able to achieve the full bandwidth of my 100Mbps connection. The VPN link runs over PIA and the bandwidth is inevitably reduced (especially if you use an exit point that is further away).