ASUS RT-86U Merlin and NordVPN pre-configured/custom configuration and DNS settings ?

@Tech9, you and @L&LD certainly seem strongly convinced that a VPN is worthless. And I have not enjoyed tinkering with it, so I am inclined to drop it. (Although I may still read https://defensivecomputingchecklist.com/vpn.php. I did read https://gist.github.com/joepie91/5a9909939e6ce7d09e29 and https://protonvpn.com/blog/can-be-tracked-using-vpn/)

@Viktor Jaep - Just wondering - you have invested time in providing a guide to configure a router to use NordVPN - so it would seem that you believe using a VPN is useful, at least in certain circumstances. Any comments about why and when you think a VPN is useful? Thanks!
Yes, but the device you use it on may have different processing power and speed limits. Today's computers will do easily 300Mbps on OpenVPN,
Thank you, that's good to know.
 
VPN is not what you think it is. I’m using VPN connections every day 24/7. They connect my business locations. I also have VPN connections back to my networks, my own VPN servers in other countries as well as NordVPN account. There are certainly use cases, but privacy and security with commercial VPNs is somewhere at the bottom of the list. I call commercial VPNs Virtual Public Network, not Virtual Private Network. If you asked what VPNs are good for we would have a different conversation. With your privacy ideas and VPN choice - mostly inconvenience and extra expense. There are ways to save money with commercial VPNs, but this is a completely different conversation.
 
Well, I just sent an email to Nord, requesting a refund for my one-year subscription. (I am still within the 30-day trial period.)

I guess I am convinced I am better off without a VPN. I am certainly quite convinced I am better off without NordVPN, with their appalling customer service.

So you don't think ProtonVPN would be a better choice, in terms of relying on them not to sell my info? I am still upset by the idea that my ISP, Spectrum, is doing this. It's not like I'm not paying them for my internet service! But maybe I would just run the VPN app on my computer, and not try to install it on the router, so as to avoid affecting our internet radios and our VoIP Spectrum phone.
 
@Viktor Jaep - Just wondering - you have invested time in providing a guide to configure a router to use NordVPN - so it would seem that you believe using a VPN is useful, at least in certain circumstances. Any comments about why and when you think a VPN is useful? Thanks!

I'm convinced my ISP is inherently evil, and would rather put my trust in providing an "internet proxy" to a VPN provider than them. ISPs literally watch every move you make as they can spy on every single piece of traffic leaving your ISP modem with relative ease. This doesn't go to say I don't trust my VPN provider completely either... there's varying levels. For instance, I don't trust them with my DNS queries, so I do my own using Unbound... but that doesn't go to say my VPN provider is not spying on that traffic too. Just makes it harder for them. They say they have a no-log policy, like every other VPN provider. Do I believe it? No. They supposedly get audited to prove to the world they are not logging... but who knows. I don't trust it. Could your VPN provider have a government tap at each of their 5000 exits watching all traffic coming and going? Sure. Any VPN provider would also have to comply legally if it was asked to provide a government with your data. There's no getting around that. You basically have to assume you are being tracked in some way or fashion no matter what you do when you participate on the internet. There literally is no privacy.
 
I am still upset by the idea that my ISP, Spectrum, is doing this.
I don't know about Spectrum, but most ISPs simply use your DNS lookups to determine your online activity. Sure, some would argue that they can determine your activity by other means as well (e.g. IP addresses, packet sniffing, etc.). But in my (UK) experience they don't do that (unless they're investigating criminal activity), it's too much effort for little reward compared to the low hanging fruit of DNS snooping.

The easy solution to this problem is to enable DNS-over-TLS in the router's WAN DNS settings (DNS Privacy Protocol). This encrypts your DNS traffic similar to what a VPN does and so prevents your ISP from seeing it. It's not 100% effective but it's easy to do and doesn't cost you anything.
 
I am still upset by the idea that my ISP, Spectrum, is doing this.

ISPs around here are required by law to retain activity logs for a specific period of time. Part of what they are doing is mandatory, not their own idea. In case of suspicious criminal activity authorities will chase you down regardless of what you use. Your ISP knows which VPN you used. A commercial VPN will not protect you for $3/month.
 
The easy solution to this problem is to enable DNS-over-TLS in the router's WAN DNS settings (DNS Privacy Protocol). This encrypts your DNS traffic similar to what a VPN does and so prevents your ISP from seeing it. It's not 100% effective but it's easy to do and doesn't cost you anything.

Cool! I will do this now. Is there anything else I need to do for that to work?

My DNS servers are currently set to Nord's. Should I set them back to Spectrum's, or is there a better choice? Or does it not matter whose I use, if I have enabled DNS-over-TLS?

My personal opinion - for home use CleanBrowsing is very consistent and good enough. They have free DNS filtering in three different packages.
I took a quick look at CleanBrowsing, but I'm not sure it's for me - only a few reviews in App store, many of them negative, their website doesn't make it easy to figure out how to get free service (maybe they have eliminated that?), and their focus seems to be more on screening porn than malicious sites (tho perhaps that doesn't matter).

I don't trust them with my DNS queries, so I do my own using Unbound.
I'm guessing that would be something too complicated for me...


In case of suspicious criminal activity authorities will chase you down regardless of what you use. Your ISP knows which VPN you used. A commercial VPN will not protect you for $3/month.
No worries! I am not up to any nefarious! And I'm not really worried about the government spying on me (though maybe I should be), but I really don't like the idea of these data companies amassing a huge, detailed dossier on me, including all my device identifiers, what websites I visit, what I read, who my relatives are, the names of my pets, what brand of underwear I buy, etc, etc...


I'm convinced my ISP is inherently evil, and would rather put my trust in providing an "internet proxy" to a VPN provider than them.
Would you mind saying which VPN provider has earned your (limited) trust?


By the way, Consumer Reports has a "Data Action Day" Live Stream tonight on privacy - it may turn out to be mainly a marketing ploy, but I'm going to try to attend. https://action.consumerreports.org/2023_data_action_day (link says 2023, but it's tonight)
 
only a few reviews in App store

What App store??

You have a link to the free DNS filters in post #35 above. DNS-over-TLS is also supported.

Other popular free filtering DNS services are provided by Cloudflare, OpenDNS, Quad9, AdGuard, etc.

You need to learn some basics first. Otherwise the greatest danger to your privacy and security is... you.

You even have presets in firmware for popular services with DoT support:

 
including all my device identifiers

Disable IPv6 if you have it enabled for some reason and your ISP won't see your devices behind NAT. All they can see is your router and can guess what devices you have behind it based on what servers they commonly access. For example Windows Update server query is obviously a computer on your network running Windows.

More information about free DNS servers in one place:

 
What App store??
Sorry, brain glitch. I didn't realize I could just copy the IP #s. I got confused when I hit the link on the left of the page for MacOS, and read "The easiest way to install CleanBrowsing on your MacOS device is to use our App." But they were talking about the DNS in the Mac's networking setting, not the router's.

By the way, in my Mac, the DNS is set to the IP for my router. Is that bad? CleanBrowsing seems to be saying that it should also be set to the IPs for their DNS servers.

You need to learn some basics first.
Agreed! It's really nerve-wracking, making decisions and adjusting settings, when I don't know what I'm doing. (And this router has a gazillion settings.) But I don't have unlimited time to put into this, and it's so complicated. I've been doing some reading - mostly at dongknows.com. Is there anything you would specifically recommend that I read? Thanks for the DNS article, by the way.

Disable IPv6
IPv6 is disabled. Always has been.

Now what's worrying me is that I need to go back and reset things to NOT use the VPN.

Problem is I thought I made a backup of settings right before I started trying to follow Nord's instructions for adding the VPN - but maybe I didn't (stupid!) I purchased NordVPN on Jan 4, and first contacted Nord Support on Jan 14. The last .CFG file I have is from Jan 13; the one prior to that is from Nov 9th, shortly after I flashed from Asus to GNUton, so maybe I should use that one. Or I could try to step my way backward through Nord's instructions. Oh, well, I'll figure out some hybrid approach tomorrow. (But I'll leave DNS-over-TLS enabled.)

Thanks again!
 
Would you mind saying which VPN provider has earned your (limited) trust?

Primarily Nord, been using it for a good 3 years now... because they have a great selection of servers across the world, but also because they've got good performance, and their API capabilities are probably the best of any of the lot out there. My second go-to is AirVPN.
 
Thanks! (I just got a refund from Nord...)
And you are right... their support is some of the worst I've ever encountered. They stick with their script, and never have been able to answer any of my questions. The few times I've had to reach out, I just gave up in frustration, and let them know my thoughts about the matter. ;)
 
