How To Be Secure?

DoZZa

Occasional Visitor
Hello,

I have been using Merlin firmware for a long time now, it's great.

I have two Asus routers both with Merlin firmware, an RT-AC66U and an RT-66U.

I know my way around Merlin and it fulfils all of my needs so far.

But just recently I am concerned about my security and privacy online.

I am wanting to make my connection to the internet as secure and anonymous as possible.

Are there features of the Merlin firmware that will allow me to achieve this?

I have used services such as VyprVPN, HMA and the like. They seem to perform OK but I was wondering if there is anything that I can do myself, administer myself.

Or am I best to just use a VPN service of some type?

Thanks :)
 
Personally, I'm not a big believer in the idea that using a third party VPN tunnel really improves your security or privacy. You are effectively handing it out into the hands of an unknown third party when you do that.

It might still be a good idea if you are using your computer from outside of home in a public place (for example in a hotel room), as I would still put more trust into a VPN tunnel provider than into whichever part-time tinkerer configured the hotel's wifi.
 
In addition to RMerlin's feedback, I would recommend the following:

1. Running dnscrypt (dnsproxy) to anonymize your DNS requests
2. Running Unbound with DNSSec enabled
3. Blocking Ad servers at router level
4. Blocking Countries at router level
5. Enable Blocklist (typically for torrenting but can include additional categories) using IPFilterX at router level
6. For VPN, I recommend AirVPN.org as they utilize PFS (Perfect Forward Secrecy) with 4096 bit keys and you are allowed to have 3 running instances connected to different servers at any given time under the same account.

There are several threads in this forum covering recommendations 1 through 5.

Enjoy!
 
Thanks for the tips. I will have a look into the options here.

I have started to try and configure the DNSCrypt but am not able to get it to work at all.

I have posted my issues in the thread related to DNSCrypt setup.

Hopefully I can get it to work with some help.

Thanks again :)
 
One thing to keep in mind when using a commercial VPN service is that your connection is only encrypted from your device/router to the VPN server you are connecting through. If you are physically located in Miami, using a VPN server located in Atlanta and connecting to a web site or server in LA, only the hops between Miami and Atlanta are encrypted. For all other hops the data is in the clear.

I regularly use a VPN server on my mobile devices when connecting to unknown SSIDs in airports and coffee shops to protect against man-in-the-middle attacks and other mischief. Even without a VPN your data is protected when connecting to many sites if they use https.

Even though the protection with commercial VPNs is not total I run it on my network because in this day and age every little bit of security helps.

For additional anonymity you can always consider using TOR.

The trade-off of both or either security methods is that you sacrifice throughput. If I run both a VPN and TOR my 75 Mbps FIOS connection is lucky to get 10 Mbps.
 
Great idea, I plan to do #2 & #4 on your list soon. I see RMerlin has a wiki on ipset: https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset. I want to block all of China. I suspect half the phones on my guest network are not going to be happy about it. (according to web history *.cn) ;-)
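
Added example, not part of any post in this thread: one way to prepare the country block from recommendation 4 and the ipset reply above, by turning a downloaded CIDR list into a validated `ipset restore` script. It assumes ipset 6.x or later syntax (`hash:net`); the set name `blocked_cc`, the helper names and the sample ranges are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes ipset 6.x+ syntax (hash:net);
# the set name "blocked_cc" and the sample ranges are constructed.

# valid_cidr4 A.B.C.D/N: succeed only for a well-formed IPv4 network.
# /0 is refused on purpose: one such line would match every address.
valid_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#len}" -le 2 ] && [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_restore SETNAME < list: print an `ipset restore` script.
# Entries load into SETNAME_new and are swapped in, so a firewall rule
# that references SETNAME never sees a half-filled set.
build_restore() {
    live=$1; tmp=${1}_new
    echo "create $live hash:net family inet"
    echo "create $tmp hash:net family inet"
    echo "flush $tmp"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' | sort -u | while read -r net; do
        [ -n "$net" ] || continue
        if valid_cidr4 "$net"; then echo "add $tmp $net"
        else echo "skipped: $net" >&2; fi
    done
    echo "swap $tmp $live"
    echo "destroy $tmp"
}

sample_list() {  # constructed input: documentation ranges plus bad lines
    cat <<'EOF'
192.0.2.0/24
198.51.100.0/24   # trailing comment
203.0.113.0/24
192.0.2.0/24
300.1.1.0/24
0.0.0.0/0
EOF
}

sample_list | build_restore blocked_cc
```

On the router the output would be piped to `ipset -exist restore`, and the set referenced from an iptables rule with `-m set --match-set blocked_cc src` (or `dst` for outbound traffic).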
 