Secure Internet at Home, in the Office and on the Move.

Most people, inside and outside of IT, simply accept the router their ISP provides, connect to its Wi-Fi and let guests in their home do the same. When they are on the move or travelling abroad for work or pleasure, they connect to hotel and public Wi-Fi or turn on roaming on their smartphone.

This is simply not acceptable opsec going forward.

The solution is affordable, fun to set up and incredibly satisfying to use. It’s also modular. There’s a minimum requirement to get fully set up and there are a few optional extras that can be built into the solution over time, or free services to subscribe to if you want to keep your in-house infrastructure set-up simple.

Reference Diagram so you don’t get lost.

GL.inet provide a host of devices that serve similar but subtly different use cases. They all use the OpenWrt Operating System for a consistent, familiar and intuitive UX/UI.

My personal choice would be a Flint v2 at home, replacing the ISP-provided router, and a Slate AX with an M2 5G Development Board plugged into its USB socket, using an unlimited data-only SIM from Smarty Mobile. For constant travel I’d favour a Mudi V2 over the Slate AX and M2 5G board combination: it trades the performance of the Slate (or Beryl) for compactness, flexibility and battery power, with no dependency on mains power.

Home/Office Setup (Flint V2)

Confirm the WAN connectivity requirements of your ISP. For UK BT/EE Customers.

Replace the ISP Provided Router with the GL.inet Flint V2.

Connect your laptop over Wi-Fi or cable, browse to the default address 192.168.8.1 and configure the WAN connection. Confirm ISP connectivity and perform a system update.

If you also have the M2 5G Dev Board and SIM and want to make use of it while not travelling, plug it into the USB on the Flint for hybrid/resilient connectivity. Don’t forget it when you’re travelling with your Slate though. If you’ve opted for the Mudi V2 in preference to the Slate, you don’t need the M2 board but you will likely need the SIM card in it for your Mudi V2 for 4G connectivity. Make sure you have everything you need when travelling.

On the Flint, configure the private and guest Wi-Fi networks. 2.4 GHz has better reach but lower transfer rates; 5 GHz is faster but its signal falls off more quickly with distance from the router. You can enable one or the other or both, as you prefer.

Configure OpenVPN with a config file from a reputable and performant VPN provider such as ExpressVPN. This ensures all traffic leaving the router for the ISP goes over the VPN. You can use an OpenVPN configuration for whichever country you want to appear in, whether or not it is your country of residence.

Configure AdGuard to protect your network from malware and adverts.

Configure DNS to use a secure DNS provider such as Quad9.

Configure the Tailscale application to add your GL.inet router to your existing tailnet, if applicable. Tailscale is a VPN service that places all your devices, in or out of your home/work network, on the same virtual private subnet (tailnet) in the easiest way possible. It’s really very good indeed.

Configure the WireGuard server (already installed on the Flint) to allow your WireGuard clients (Slate AX or Mudi V2 travel routers) inbound connectivity to your LAN from outside it, while on the move. This will route ALL traffic from your devices back home, and out through your Flint, when travelling. A great video on this end-to-end setup here.
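The configs the Flint’s WireGuard server hands out are worth checking before you travel. The following is an added example in Python, not code from the original post or from GL.inet: it parses a WireGuard server/client config pair (constructed here, with placeholder keys and an assumed hostname flint.example.net) and lints the points that decide whether “ALL traffic goes back home” actually holds: the client peer must carry AllowedIPs 0.0.0.0/0, the client should have a DNS line and a PersistentKeepalive, and the server’s entry for that peer must claim only the client’s tunnel address, not 0.0.0.0/0.

```python
"""Lint a WireGuard server/client config pair of the kind described above:
the client (Slate AX or Mudi V2) must be a full tunnel, and the server (Flint)
must only claim the client's own tunnel address for that peer."""
import ipaddress

# Constructed sample configs. The key values are placeholders, not real keys.
SERVER_CONF = """
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <FLINT_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# Slate AX travel router
PublicKey = <SLATE_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.0.0.2/32
"""

# Same server, but the peer's AllowedIPs was copied from the client side.
BAD_SERVER_CONF = SERVER_CONF.replace("AllowedIPs = 10.0.0.2/32",
                                      "AllowedIPs = 0.0.0.0/0")

CLIENT_CONF = """
[Interface]
Address = 10.0.0.2/32
PrivateKey = <SLATE_PRIVATE_KEY_PLACEHOLDER>
DNS = 10.0.0.1

[Peer]
PublicKey = <FLINT_PUBLIC_KEY_PLACEHOLDER>
Endpoint = flint.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse WireGuard's INI-like format into {'Interface': {...}, 'Peers': [...]}."""
    conf = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "Interface":
                current = conf["Interface"]
            elif name == "Peer":
                current = {}
                conf["Peers"].append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        key, sep, value = line.partition("=")  # base64 keys may end in '='
        if current is None or not sep:
            raise ValueError(f"unexpected line: {raw!r}")
        current[key.strip()] = value.strip()
    return conf


def _networks(value):
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]


def is_full_tunnel(client):
    """True when the client's AllowedIPs sends all IPv4 traffic into the tunnel."""
    nets = _networks(client["Peers"][0].get("AllowedIPs", ""))
    return any(n.version == 4 and n.prefixlen == 0 for n in nets)


def lint_pair(server, client):
    """Return a list of findings; an empty list means the pair looks right."""
    findings = []
    client_peer = client["Peers"][0]
    if not is_full_tunnel(client):
        findings.append("client: AllowedIPs lacks 0.0.0.0/0, traffic is not forced back home")
    if "DNS" not in client["Interface"]:
        findings.append("client: no DNS line, lookups may go to the hotel resolver")
    if "PersistentKeepalive" not in client_peer:
        findings.append("client: no PersistentKeepalive, an idle NAT mapping may expire")
    client_ip = ipaddress.ip_interface(client["Interface"]["Address"]).ip
    claimed = False
    for peer in server["Peers"]:
        for net in _networks(peer.get("AllowedIPs", "")):
            if net.prefixlen == 0:
                findings.append("server: a peer claims 0.0.0.0/0, which would route the "
                                "Flint's own traffic into that peer's tunnel")
            if client_ip in net:
                claimed = True
    if not claimed:
        findings.append(f"server: no peer claims {client_ip}, LAN replies cannot reach it")
    return findings


if __name__ == "__main__":
    print(lint_pair(parse_wg_conf(SERVER_CONF), parse_wg_conf(CLIENT_CONF)))
    print(lint_pair(parse_wg_conf(BAD_SERVER_CONF), parse_wg_conf(CLIENT_CONF)))
```

Run it against the pair of files you downloaded from the Flint; the good pair yields no findings, while the copy-paste mistake of putting 0.0.0.0/0 on the server’s peer entry is flagged, because on that side AllowedIPs is a routing decision for the whole router, not a permission for the client.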

Remote/Travelling (Slate AX or Mudi V2)

The OpenWrt interface on your Slate AX Travel Router or Mudi V2 4G Travel Router is the same as on your Flint, so it’ll look very familiar. You can connect your chosen travel router to the public/hotel Wi-Fi and/or roaming 4G service, then configure its wireless access point to give your devices a private connection to the travel router. This offloads the responsibility for firewalling and public-service connectivity to the travel router, providing a layer of protection for your devices themselves.

You can also configure Tailscale on the travel router and on your devices to give you connectivity to all Tailscale devices on your secure tailnet, including your Slate, Mudi and even your Flint back in the home/office, and anything else back there that’s running Tailscale. Tailscale gives you the confidence that you’ll always be able to reach the interfaces of all your devices wherever they may be, provided you’re authenticated to your tailnet (you can use your Google account for this authentication).

You can also configure the WireGuard client, using the config downloadable from the WireGuard server running on your Flint, to optionally connect back to your LAN and the services on it from your remote location. This is similar to Tailscale in that regard, but gives you connectivity to the entire LAN rather than only placing devices running Tailscale on a common virtual LAN. ExpressVPN, Tailscale and WireGuard are all “VPN” services, but differ slightly in their benefits and use cases. It can be very troublesome to run all three on a client computer, but the GL.inet devices take it in their stride, no problem whatsoever: another good reason to offload the responsibility to the GL.inet devices and keep your client device configuration relatively simple. You just connect to the Wi-Fi of the travel router and that’s all you need to do. Travel can be stressful; you don’t need it to be any more complicated than that.

One nice feature on the Slate AX is an easily overlooked physical toggle switch on the side of the unit, next to the power switch, that can be configured to provide a variety of functions. You can configure it to turn any one of your VPNs on and off. I’d use it to toggle WireGuard, literally giving me a button that forces all my traffic through my connection back at base. ExpressVPN and Tailscale will turn on by default anyway (and you’d likely want them on permanently).

Summary

The Flint forces all internet traffic over ExpressVPN and is accessible from anywhere via Tailscale VPN authenticated devices. It also allows inbound VPN connectivity to the LAN via WireGuard.

The Slate/Mudi protects your devices by removing the requirement to connect them directly to public/shared Wi-Fi or foreign mobile networks. It also provides connectivity back to base, forcing all your internet traffic through a trusted ISP and secure VPN provider instead of through a foreign/customer/adversary’s free, open guest network.

Optional Extras

Cybersecurity threats come in many forms and protection can be proactive or reactive in nature. I’ve already mentioned Quad9 secure DNS, whereby your name resolution queries are encrypted as well as the traffic itself. This masks which sites you’re resolving as well as which sites you’re visiting. You should want to mask everything you do, irrespective of what it is. The “I’ve nothing to hide so I’ve nothing to worry about” argument simply doesn’t stack up.

Pi-Hole DNS Filters

Before queries reach your secure DNS service, you can also filter which DNS names get resolved at all: run Pi-hole on a fixed, permanently powered-on SBC such as a Raspberry Pi as the primary DNS server for all clients on your LAN/tailnet, subscribed to dynamically updated lists of known threat-actor domains.

If you visit a page of your choosing and it in turn starts sending packets of identification data, metrics, telemetry and analytics to the algorithms of multiple third-party advertising agencies, social media companies, intelligence agencies or domestic/foreign adversaries, then it’s best if the FQDNs of those undesirable endpoints are never sent to your secure DNS provider for resolution in the first place, so the connections are halted in their tracks.

Pi-hole comes with its own UI, and there’s an excellent guide here and an accompanying doc here.
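The filtering step just described, as an added example in Python that is not code from the original post or from the Pi-hole project: it parses the two list formats blocklist subscriptions commonly use (hosts-style “0.0.0.0 name” lines and one domain per line), then decides for a queried name whether to answer it locally or forward it to the encrypted upstream resolver. The list contents and the names are constructed, and matching parent domains (so a listed tracker also catches its subdomains) is a design choice of this example, stricter than a plain exact-match list.

```python
"""Parse blocklists in the two formats DNS-sinkhole subscriptions commonly use
and decide whether a queried name is answered locally or forwarded upstream."""

# Constructed sample lists. The names are made up and use the reserved .test TLD.
HOSTS_FORMAT_LIST = """
# Title: constructed hosts-format list
127.0.0.1 localhost
0.0.0.0 tracker.example-ads.test
0.0.0.0 telemetry.example-vendor.test   # inline comment
"""

DOMAIN_FORMAT_LIST = """
# constructed domain-per-line list
malware-c2.example-bad.test
beacon.example-analytics.test
"""

# Hosts-file boilerplate that must never be treated as a blocked name.
_HOSTS_BOILERPLATE = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
_SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_blocklist(text):
    """Return the set of blocked domains (lower-cased, no trailing dot)."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        # hosts format: a sink address followed by one or more names;
        # otherwise the first field is the domain itself
        names = parts[1:] if parts[0] in _SINK_ADDRESSES else parts[:1]
        for name in names:
            name = name.lower().rstrip(".")
            if name not in _HOSTS_BOILERPLATE:
                blocked.add(name)
    return blocked


def is_blocked(qname, blocked):
    """True if qname or any parent domain is on the list, so an entry for
    'tracker.example-ads.test' also catches 'cdn.tracker.example-ads.test'."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def resolve_policy(qname, blocked):
    """Blocked names are answered locally with the unspecified address, so the
    client never connects; everything else is forwarded to the encrypted
    upstream resolver (Quad9 in the setup described above)."""
    if is_blocked(qname, blocked):
        return ("LOCAL", "0.0.0.0")
    return ("FORWARD", "upstream")


if __name__ == "__main__":
    lists = parse_blocklist(HOSTS_FORMAT_LIST) | parse_blocklist(DOMAIN_FORMAT_LIST)
    for q in ("cdn.tracker.example-ads.test", "www.example.org"):
        print(q, resolve_policy(q, lists))
```

The important property is the order of operations from the text: the blocked name is answered before anything leaves the LAN, so neither the upstream resolver nor the tracking endpoint ever sees the query.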

CrowdSec Dynamic Firewall

If a rogue packet from a malicious actor manages to make it through your many lines of defence (which is very unlikely at this point), then as a last line of defence you should consider installing CrowdSec on your devices. Similarly to Pi-hole, it subscribes to dynamic lists of bad actors, but instead of filtering a DNS resolution on the way out of your LAN (and so the reply on the way back in), it puts up a firewall that blocks inbound connections from those known bad IP endpoints. The lists are updated constantly by CrowdSec agents running on CrowdSec installations worldwide, so you’re literally being kept safe by everyone, all the time.
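The inbound side, as an added example in Python that is not CrowdSec’s own code: a simplified decision list (the field names here are an assumption for illustration, not CrowdSec’s exact export schema) is reduced to the bans that have not yet expired, applied to constructed inbound-connection log lines, and rendered as an nftables set element list. The dynamic part is the expiry: re-running compile_decisions() as time moves on drops stale bans, which is what distinguishes this from a static blocklist.

```python
"""Apply a CrowdSec-style decision list to inbound connection attempts.
Decisions name an IP or CIDR range plus an expiry; a source matching a live
ban is dropped before it reaches any service on the router or LAN."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed decisions using documentation-range addresses. The keys are a
# simplified stand-in for a decision export, not CrowdSec's exact schema.
DECISIONS = [
    {"scope": "ip", "value": "203.0.113.7", "type": "ban", "until": NOW + timedelta(hours=4)},
    {"scope": "range", "value": "198.51.100.0/24", "type": "ban", "until": NOW + timedelta(hours=1)},
    {"scope": "ip", "value": "192.0.2.99", "type": "ban", "until": NOW - timedelta(minutes=5)},
]

# Constructed inbound-connection log lines: timestamp, source, destination port.
INBOUND_LOG = """\
2024-01-01T12:00:01Z SRC=203.0.113.7 DPT=51820
2024-01-01T12:00:02Z SRC=198.51.100.42 DPT=22
2024-01-01T12:00:03Z SRC=192.0.2.99 DPT=443
2024-01-01T12:00:04Z SRC=203.0.113.8 DPT=51820
"""


def compile_decisions(decisions, now):
    """Turn live 'ban' decisions into ip_network objects. Expired entries are
    dropped here; re-running this as time passes keeps the set dynamic."""
    nets = []
    for d in decisions:
        if d["type"] != "ban" or d["until"] <= now:
            continue
        nets.append(ipaddress.ip_network(d["value"], strict=False))
    return nets


def is_banned(src, nets):
    """True if the source address falls inside any live ban."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)


def parse_inbound(log_text):
    """Parse 'TIMESTAMP KEY=VALUE ...' lines into (src, dport) tuples."""
    events = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        events.append((fields["SRC"], int(fields["DPT"])))
    return events


def filter_inbound(log_text, decisions, now):
    """Return (dropped, accepted) lists of (src, dport) tuples."""
    nets = compile_decisions(decisions, now)
    dropped, accepted = [], []
    for src, dport in parse_inbound(log_text):
        (dropped if is_banned(src, nets) else accepted).append((src, dport))
    return dropped, accepted


def as_nft_set(nets):
    """Render the live bans as nftables set elements (for a set with
    'flags interval'); single hosts are written without the /32."""
    items = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
             for n in nets]
    return "elements = { " + ", ".join(items) + " }"


if __name__ == "__main__":
    dropped, accepted = filter_inbound(INBOUND_LOG, DECISIONS, NOW)
    print("dropped:", dropped)
    print("accepted:", accepted)
    print(as_nft_set(compile_decisions(DECISIONS, NOW)))
```

Note that the expired ban on 192.0.2.99 no longer matches, so that connection is accepted on its merits; the one from 203.0.113.8 is accepted too, because a neighbouring address is not the same as a listed range.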
