Securing internet traffic from public wifi

I’m trying to help out a friend who is working outside of his home, frequently using unsecured public wifi spots. He has a mac, and is not very technical. I’m hoping to find a consumer router for his home broadband service that will help secure the internet traffic when he is on an unprotected network.

What I’d like to do is to have him use an IPSec VPN client to connect to the home router, hopefully one that restricts split-tunneling, thus further securing the host from the local network. This router would then have to support hairpin back out the home internet service to bounce the traffic back to the web.

Is anyone aware of a consumer grade router that would provide this solution out of the box? As an alternate solution, how about a consumer router that would take a DD-WRT or other upgrade to get this feature set? I would prefer the easiest solution as I will likely find myself supporting this solution as well.

Any suggestions would be appreciated. Thank you.

The capabilities of DD-WRT are going to depend on what version you use (“mini”, “small”, “std”, “mega”, etc.). They basically vary by size and you have to choose the one depending on how much memory your router has.

Most builds have PPTP, which is not the most secure method, but it might be suitable for your friend’s purposes.

If you want full openVPN, you need to use the “VPN” or “Mega” build. Wiki has a good breakdown of the features of each build: DD-WRT - Wikipedia

Since you don’t actually have the router yet, you are free to choose one that will fit the DD-WRT version you want. Look here to find out which router will fit what version: Supported Devices - DD-WRT Wiki

(Don’t use the “Router Database”, it’s not maintained).

If your friend is only going to be web browsing, a vpn solution might not be necessary. You may be able to get away with simple ssh access to the DD-WRT router and have his browser configured to use a SOCKS proxy via the router. This way all the browser traffic will go through the router via ssh tunnel, essentially.

Thanks, arseNal, you’ve got some great suggestions.

I’m still hoping to find a VPN solution “out of the box”, but not sure that’s even possible…

On a Mac, it’s pretty easy to set up the client side of a SSH socks proxy, since ssh is installed by default. I use autossh (via Macports) to automatically restart the ssh connection if it dies.

If your friend uses Safari or Chrome, you configure the Socks proxy in the system network settings, not the browser. The same settings are used by other Apple apps like Mail. You can use the Locations setting to make separate configurations for home (no proxy) and away (proxy).
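As an added example (not posted by anyone in the thread), here is the Mac client side of the autossh + system-wide SOCKS proxy setup described above, as a small POSIX shell script. The router hostname, ssh user and port, SOCKS port and network service name are assumed placeholders; `networksetup` is the stock macOS tool for the proxy settings, and `autossh` is assumed to be installed (e.g. via MacPorts). The script binds the SOCKS listener to loopback only, so nobody else on the hotspot can use the laptop as a relay into the home network, and it refuses to switch the proxy on until the listener is actually up.

```shell
#!/bin/sh
# Added example, not from the original thread. Client-side SSH SOCKS tunnel
# from a Mac to a DD-WRT router at home, with the macOS system proxy pointed
# at it. All values below are assumed placeholders; override via environment.
HOME_HOST="${HOME_HOST:-home.example.invalid}"   # public DNS name of the home router (assumed)
SSH_USER="${SSH_USER:-root}"                     # DD-WRT's ssh login is root by default
SSH_PORT="${SSH_PORT:-22}"
SOCKS_PORT="${SOCKS_PORT:-1080}"
NET_SERVICE="${NET_SERVICE:-Wi-Fi}"              # as listed by: networksetup -listallnetworkservices

# Build the autossh command line. Choices worth noting:
#   -D 127.0.0.1:PORT        listen on loopback only; never expose the SOCKS port to the hotspot LAN
#   -N                       no remote shell, only the dynamic forward
#   ExitOnForwardFailure=yes fail loudly if the port is taken, instead of connecting without a tunnel
#   ServerAliveInterval/CountMax  notice a dead hotspot session so autossh restarts the tunnel
#   -M 0                     rely on those keepalives instead of autossh's extra monitor port
build_tunnel_cmd() {
    # $1 user, $2 host, $3 ssh port, $4 socks port
    printf 'autossh -M 0 -f -N -D 127.0.0.1:%s -p %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s@%s' \
        "$4" "$3" "$1" "$2"
}

# Given one LISTEN line from `lsof -nP -iTCP:PORT -sTCP:LISTEN` and the port,
# succeed only if the listener is bound to 127.0.0.1 (not * / 0.0.0.0).
listener_is_loopback_only() {
    case "$1" in
        *"127.0.0.1:$2 (LISTEN)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when something accepts connections on the local SOCKS port.
tunnel_is_up() {
    nc -z 127.0.0.1 "$1" >/dev/null 2>&1
}

# Safari, Chrome and other apps that honour the system proxy pick this up;
# apps that ignore it still talk to the hotspot directly, so this is not a VPN.
enable_proxy() {
    networksetup -setsocksfirewallproxy "$NET_SERVICE" 127.0.0.1 "$SOCKS_PORT"
    networksetup -setsocksfirewallproxystate "$NET_SERVICE" on
}

disable_proxy() {
    networksetup -setsocksfirewallproxystate "$NET_SERVICE" off
}

case "${1:-}" in
    up)
        sh -c "$(build_tunnel_cmd "$SSH_USER" "$HOME_HOST" "$SSH_PORT" "$SOCKS_PORT")" || exit 1
        i=0
        while ! tunnel_is_up "$SOCKS_PORT" && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
        tunnel_is_up "$SOCKS_PORT" || { echo "tunnel did not come up; proxy left off" >&2; exit 1; }
        # Confirm the listener is loopback-only before routing the browser through it.
        line=$(lsof -nP -iTCP:"$SOCKS_PORT" -sTCP:LISTEN | tail -n 1)
        listener_is_loopback_only "$line" "$SOCKS_PORT" || { echo "listener not bound to loopback" >&2; exit 1; }
        enable_proxy
        ;;
    down)
        disable_proxy
        pkill -f "autossh -M 0 -f -N -D 127.0.0.1:$SOCKS_PORT" 2>/dev/null
        ;;
    *)
        echo "usage: $0 up|down" >&2
        ;;
esac
```

Run `socks-tunnel.sh up` when sitting on a hotspot and `socks-tunnel.sh down` at home (or use the Locations trick from the post above instead of toggling). Two things to check rather than assume: whether a given application actually sends its DNS lookups through the SOCKS proxy (that is application-specific), and that anything not honouring the system proxy is still leaving the laptop over the untrusted network, which is why the thread frames this as a browsing-only alternative to a VPN.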

Well, of course there are hardware solutions that have VPN functionality, problem is, I don’t think they ever cost less than a few hundred bucks … I’ve used Sonicwall devices and of course Cisco.

The next closest thing to out-of-the-box for a full VPN solution would probably be a virtual machine pre-loaded with openVPN server (downloadable for free). But then, you need a PC running 24/7 that can host the openVPN vm.

I still think the easiest thing, if you only need web browsing, is no VPN, just plain DD-WRT (you can buy routers pre-loaded with it) + SOCKS proxy config. It’s cheap and requires almost no setup. You also still have the option of using a PPTP client with this method.

My first thought, is he really doing anything that involves needing significant additional security?

He’s using untrusted public wifi. It’s not a question of additional security; it’s about having any security at all.

Nah, anything involving money he is going to deal with online is going to have SSL engaged, so it's not like he is throwing butt naked packets to everyone who wants a credit card number. A win7 machine is plenty solid against outside intrusion from other LAN members. I know SSL is not bulletproof, neither are people, but 99.995% of us get by without a bulletproof vest. Is he doing people's retirement planning and putting up a sign saying “great materials for identity theft here, please hack me”, or writing a book on the mating habits of walking sticks, which, to be brutally honest, if you are not a walking stick, is probably pretty damn boring stuff that nobody would really bother messing with?

I am a computer guy, I understand the mechanisms of basic network security. A lot of those concepts also revolve around protecting a static target like a server that has to stay exposed to the internet 24/7 with a giant bullseye painted on it. The vast majority of security issues are going to be phishing and virus/spyware, and all the hardened network settings in the world won't help that.

A guy who may or may not be at any given Starbucks, at any given time, who may or may not be doing something with potential for theft of valuable data: you end up with a bunch of expense, effort, and support headaches trying to add a layer of security for a guy who likes to check his E*Trade account at McDonald's but is a little skittish about it. Trying to do a drive-by on a fully patched 7 or Mac laptop ain't gonna happen.

If he's that worried about it, just remote into a machine at home and do the work there. LogMeIn encrypts the remote connection, and none of the actual files are present in any meaningful way on the machine in the friend's hands. Child's play to set up, free, and more than tough enough. DNS requests and such are all happening on the home router, making what he's doing even more difficult to trace even without the encryption.

Virus issues are a real threat; direct hacks against a random mobile individual netting valuable info are gonna be as likely as lottery wins.

As a computer guy who spent a few years in security-related development, I agree with most of what you said, and I’ll be the first guy to tell a computer neophyte when they’re being too paranoid.

However, in regard to the quoted section, it’s not so much the user’s machine that I worry about as a target; I think it’s the wi-fi hotspot itself that you can never really trust. Anyone can easily set up a hotspot in a busy part of town and name it “Free Wifi!!” or worse, “Starbucks WiFi” with the intent of catching someone unawares. Then just sniff all the traffic going through and catch any passwords that happen to be in the clear.

You say any transaction that involves money will be SSL protected, but if the user visits some other password-protected site that doesn't use SSL, then the malicious hotspot owner has a username/password combination. And then it's very possible that the hacker can figure out where else the user has used this very same username and password (and we all know it's quite common for people to use the same credentials on almost every site they visit).

Another case might be a smartphone with all manner of apps that will try to log on somewhere as soon as it has a live internet connection. You’re so sure that all of these apps have taken care to encrypt the login process?

You might think the malicious hotspot scenario is far-fetched, and today it may be. But one thing I know for sure is that if I felt like it I could go and create one right now, and I have no doubt plenty of people would come along and use it happily.

Frankly, the OP himself seems to have some technical knowledge so it would be quite easy to set his friend up with DD-WRT and set the friend’s laptop up to use a socks proxy. Personally I find that more convenient than logmein (which, I agree can be very useful for a number of purposes and easy to use by anyone).

This. And not just passwords: unencrypted session cookies too. There are mobile apps that automate this.