
Merlin FW and VPN Setup Questions. ...Confused


Mrwirez

Occasional Visitor
Note 1:
I am not a big router configuration guy (noobish)... BUT I CAN get by with a good guide. I am using Merlin FW, but I do have a few questions on using VPNs and setup.

Note 2:
We were using IPvanish previously and it became kind of a pain with logging in and out for everyone. (Wife and two young teenage sons).

Question 1:
Are there Advantages or Disadvantages of purchasing a VPN service -VS- Configuring ASUS rt-n66u with Merlin FW and OpenVPN. (Besides obviously a yearly fee) ? Security, configuration, ease of use??

Question 2:
I want to run my whole house through a VPN client or server (?) but, I use an Obihai box for VoIP and a whole home network wouldn't work with VoIP. I am now using Merlin FW..

Question 3:
Are there any really good guides for Noob users for setting up what I'm looking for? See my setup below.

My Devices and House:
Comcast HSI, ASUS rt-n66u as an access point with Merlin FW, 4 Windows PCs, 3 Roku boxes, 5 Android Nexus devices, PS3, Xbox 360, Obihai 110 VoIP Box. 2000 square foot multilevel home...

Any suggestions for good internet privacy for my family would be greatly appreciated!

Thanks for any help... Confused Noob

 
You didn't mention why you want to set up this vpn connection. If you state your reasons, it may be that any concerns you have are exaggerated or not valid. As I understand your question, the vpn setup you explained would give you an encrypted tunnel between your home network, through your ISP and then to the vpn service provider. Thereafter, your traffic pops back out, unencrypted, onto the Internet and on to its destination. The return traffic does the journey in reverse. So it goes through your ISP encrypted. If, for example, you were concerned that your ISP reads your traffic, then this would prevent that. But if your vpn service provider wanted to read your traffic they could do so just after decryption.

As for my own use of vpn technology, I don't use a vpn provider; if I'm on a public wifi, or, to be honest, any wifi other than mine back home, I turn the vpn client on, e.g. on my iPhone, and then connect to the vpn server on my router back home; thereafter, the traffic pops back out onto the Internet on exiting my router, unencrypted, as if I were back at home. So my traffic is protected from snooping when I'm on an untrusted network. But when I'm at home, I don't use a vpn to encrypt my traffic.

So, give us a quick run down on your reasons and I'm sure you'll get fixed up with the info you need.

By the way, even the experts were, once, also confused noobs, so don't worry about it.
 
Thanks.. Well there are quite a few reasons...

I would like to securely reach devices on my home network from anywhere..

I don't like corporations and government snooping/spying.

Like this article from today.
http://www.androidpolice.com/2015/0...-successfully-exploited-uc-browser-for-years/

I don't want to be tracked all over the internet and targeted with ads.

Hackers & thieves

My family anonymity online.

Comcast...
 
I think you'll get quite a few replies, and possibly stir up debate. But the gist will be that a vpn can't do all the things you want. For example, when your traffic reaches your final destination - a website - having passed, part of the journey, encrypted, it won't make you anonymous or stop your being targeted by ads. Even if your traffic were encrypted all the way - as it would be to an https site - you can't be anonymous unless you take other steps. And, similarly, unless you take other steps, ads on the destination website will still be sent back to you, albeit encrypted, only to be decrypted inside your network.

Securely reaching devices on your network from a remote location is also what my vpn setup allows me to do. Vpn server running on my router, vpn client software on my remote iPhone or laptop - same setup I mentioned earlier that also allows me to encrypt traffic when logged on to an untrusted network.
 
Only your first reason would be possible without a VPN provider.

An OpenVPN (or any VPN) connection needs to have someone on the other end with an internet connection.

Also tracking and ads seem to work pretty well even when using the VPN, they track with a lot of different methods, not only your IP address. (I regularly use the VPN provider iVPN)

This has caused oddities for me; when using a VPN connection through the Netherlands for a while I started getting some ads in Dutch even when not on the VPN. :confused:

Hiding what you are doing from Comcast and lazy governments should be good with a router + VPN provider. iVPN has guides for setting it up, it is pretty simple. You just add their config file to the router and are good to go. There are many good VPN providers but I wouldn't trust them if I wanted to hide from the NSA or similar unless I did a lot more research. I like AirVPN as well but they aren't as fast as iVPN for me.

I don't think VPNs help much with any sort of likely hacking/thieves, really you would only be protected from people snooping on your physical Comcast connection which is not how most hackers/thieves get their information. They hack the site you are connected to, phish, or compromise your computer (keylogger, etc.), none of which is protected by using a VPN. On someone else's network (with who knows how many users), or the worst an unsecured wifi connection, a VPN would be a very good idea but your router wouldn't be involved unless you used yourself as the provider like martinr. Of course in that configuration Comcast could see all that traffic as it leaves your house.
 
Well, I do appreciate your input. I'm not so sure on the debate part, aren't these things most folks want? I understand an app developer, or website owner may/would object to my desire for ad eradication... I do use AdAway on my Nexus Devices, and Hostsman on my Windows machines, but I would like to incorporate ad blocking on/through my router, because my methods are definitely slowing down my broadband connection.

Please do note, my intentions are not to cause trouble here, just to learn how to protect myself and my family. We have been hacked, and our identification stolen twice causing serious aggravation and headaches... It does appear that a few bad apples are ruining it for everyone everywhere.
 
the point martinr is making is that your web browser will still be identifiable unless you take measures to make it look like millions of others or make it change with every access to the same web site.

by the same token you would also want to change what VPN server you are using from time to time.

if you get a VPN provider that offers port forwarding you should be able to setup remote access with a little work.

finally, I will warn you that the N66 will not crunch openvpn fast. I'm betting not nearly fast enough to satisfy your family's desires - about 12mbit/s, IIRC.
 
I was mulling over your post and it struck me that prioritising your needs would be helpful. Then you wrote that you had been hacked twice, with your identity being stolen on both occasions. And that made me think preventing that happening again would be my first priority.

"Hacked" covers a multitude of nefarious activity these days. My guess is that originally it meant something like a 'break in' into your system. Nowadays, we use the term quite loosely. Do you have any idea how you were hacked on both occasions? Did a family member click on a link they should have avoided like the plague? Loss of data from a third-party database (over which you have no control)? Poor password policy? Insecure wifi........? There are so many ways to be hacked, but to be hacked twice would be enough to put me off for life.

I think what I'm getting round to saying is that there are many hazards, and there are risks associated with each hazard. You could, for example, invest tons of time learning enough about vpns and implementing it, but the benefits by way of risk reduction might be minimal. On the other hand, possibly educating family members on how to use the Internet safely might, for some people, be the greatest way to reduce the risk, as an initial step, anyway.

So, do you have any idea of how you got hacked twice?
 
It seems to me that you're concerned with online privacy more than remote access to your home network, so I'm going to say that what you need is a VPN connection to a third party; AirVPN, Private Internet Access, TORGuard... There are dozens, and they will all have details for setting up OpenVPN connections. Add the details your chosen provider requires, likely a configuration file and some certificate files, to your router using the documentation available from the RMerlin site, or check these forums for more guidance. You can also use VPN clients on your mobile devices to protect yourself while out and about, which is definitely recommended when using public WiFi.

This is only half of the battle, though. Online privacy requires more than an encrypted connection. Yes, you are protecting yourself from monitoring by a third party (your ISP, for instance) but the second party (the site you visit) is still tracking you, along with all of the advertising services of which they make use. You will severely limit the services you can access if you don't like that idea; almost every consumer site makes use of tracking.

You can make it more difficult using services like Privoxy on your clients, or browser add-ons like Disconnect and NoScript, but again you affect your experience.

Basically, you need to go full Snowden to avoid tracking online. That means sacrificing a lot of cool online stuff. If that's not for you, you're probably good with what you're doing so far. Just accept that your super private data with $company is a subpoena away, and that if you're not happy about that then it's the law that needs to change, not your online use.
 
Identity theft and "hacking" rarely comes through a router or through sniffing of your Internet traffic. The most common causes are malware installed on your computers which can contain keyloggers (against which a VPN provider can't protect you), or providing your information to malicious sites (again, something a tunnel can't protect you against).

The weakest link in most of these cases are the users, not the fronting router (speaking for a home user case - this is obviously different for a business which might get specifically targeted).

I would start by ensuring that you run effective security suites on all of your computers, and educate the rest of the family as to the precautions to take concerning opening emails, or browsing the web.

A VPN tunnel would only help if the hacker were sitting at your ISP itself. Once your traffic leaves the tunnel provider's own server to reach the final destination, it's still wide open on the Internet, and just as much subject to potential eavesdropping.

In short: VPN tunnels protect you against snooping from your ISP and their own providers (and the local government). It does NOT protect you from end to end.
 
