Build your own router/firewall, or just add a VPN

Twenty years ago broadband internet started taking off and people wanted the option to network more than one computer to their new connection, so home network routers from Linksys and other vendors became popular. Those were the days when DSL and cable companies forced you to clone the MAC address of your computer in order to fool the company into thinking that you only had ONE device connected to their system. These early routers didn’t have much in the way of built-in security, but they provided network address translation (NAT) and basically did the job.

Then “wifi” became a thing and wireless routers got added to the mix. I think at some point everyone had to own a Linksys WRT54G (the longest continually produced wireless router, built from the days of Linksys as an independent company, through its acquisition by Cisco, to after Linksys stopped being part of Cisco).

So there is no reason other than “the hell of it” that anyone needs to build their own router and firewall appliance. However, there is a lot of satisfaction in doing things for “the hell of it.” Of course, the published lists of known exploits against vendor software, used by various advanced persistent threats (APTs) and other malicious cyber actors, make taking more control of your hardware, software, and network a prudent step.

For a standard router/firewall you’ll need a computer with two network interface cards (NICs). One can be wired Ethernet and one can be wireless if you only plan on having a wireless network, although my preference is at least two Ethernet NICs. My personal router/firewall is one of those compact industrial computers made in China with four Intel gigabit NICs, which I got for pretty cheap two years ago. But literally any PC with two NICs will do at this point, because the software to run a router/firewall is so lightweight.

pfSense, OPNsense, ClearOS, VyOS, OpenWrt and Zeroshell are just some of the distributions that can turn an old computer into a router/firewall. If you have an old router that is no longer supported by the manufacturer for software updates, I’d look to OpenWrt as the first choice to flash the firmware and get community-supported security updates. Ironically, a lot of commercial routers at the lower price point are already running OpenWrt or a slight variation on it.

So... what do I recommend at the end of 2019? Well, if you want to use a real PC with an x86 processor (32 or 64 bit), I recommend OPNsense, and if you want to use anything else, then OpenWrt if you can. The exception is if you are using Ubiquiti gear, which is built to run their version of software based on VyOS (although VyOS is command line only, with no handy web interface), so getting familiar with VyOS is probably better in that one situation.

Things you SHOULD do if you are building your own device.

Set up your own virtual private network (VPN) that you can use to tunnel back to your home network while you are traveling. This will let you use public WiFi in a much more secure manner, as your traffic will travel encrypted from your mobile device all the way back to your router/firewall. Since the government and industry already know you are paying for home internet service, all they see is you browsing from home, and snoopers on the public network can’t snatch your accounts, credit or debit card numbers, or other sensitive data. The downside is slightly less performance, but security ALWAYS has a performance hit.

What VPN software should you use? I’m currently using OpenVPN, as it comes bundled with pfSense, which I’m already using. OpenVPN also has client apps for smartphones (you can download them from the appropriate app store), and it has a lot of industry/community support. The downside to OpenVPN is that it isn’t inherently user friendly to set up (I had to manually edit the client configuration file to get my laptop connection to work), and the connection applications aren’t always the most stable. There is a lot of buzz around WireGuard as a solution, and WireGuard has been incorporated into the kernel for many Linux distros. The downside to WireGuard is that it is still a “work in progress” in terms of software development, and they are still working towards a stable 1.0 release (which means if you adopt now you are essentially a beta tester).
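As an added example (not code from this post or from the OpenVPN project), here is a small Python checker for the kind of hand-edited client profile mentioned above. It parses a .ovpn and flags the settings whose absence undermines the "everything tunnels back to the router" property described earlier; the two profiles, the hostname vpn.example.home and the PEM placeholder are constructed.

```python
"""Audit an OpenVPN client profile (.ovpn) for the settings that make "all my traffic goes
encrypted back to my router" hold. Constructed example, not the post's or OpenVPN's code."""
STRONG_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}  # AEAD data-channel ciphers

def parse_profile(text):
    """Return [(directive, [args])]; comments and inline <ca>/<cert>/<key> PEM blocks are skipped."""
    entries, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries

def audit_profile(text):
    """Return a list of findings; an empty list means the profile passes."""
    d = dict(parse_profile(text))  # last occurrence of a directive wins, as in OpenVPN
    findings = []
    if "client" not in d:
        findings.append("missing 'client': not a pull/tls-client profile")
    if d.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server': any client cert from your CA "
                        "could impersonate the router")
    if "redirect-gateway" not in d:
        findings.append("no 'redirect-gateway def1': unless the server pushes it, only "
                        "home-LAN routes use the tunnel and web traffic stays in the clear")
    if not any(k in d for k in ("tls-auth", "tls-crypt")):
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated packets")
    if "cipher" in d and d["cipher"][0].upper() not in STRONG_CIPHERS:
        findings.append(f"weak cipher '{d['cipher'][0]}': use an AEAD cipher like AES-256-GCM")
    return findings

# Constructed profiles; vpn.example.home and the PEM body are placeholders.
WEAK = """client
remote vpn.example.home 1194
cipher BF-CBC
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
"""
HARDENED = WEAK.replace("cipher BF-CBC", "cipher AES-256-GCM\nremote-cert-tls server\n"
                        "redirect-gateway def1\ntls-crypt ta.key\nauth SHA256")
```

Running audit_profile(WEAK) returns four findings, while audit_profile(HARDENED) returns an empty list.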

So... why should you build your own router and set up your own VPN? It really is just “for the hell of it,” or because you don’t want to pay a monthly fee to a commercial VPN service. I don’t recommend “free VPN” services because I suspect they are all intelligence gathering efforts by various state actors (mainly China). As for the paid VPN services that promise not to look at your traffic, assume they are lying (paranoia in communications is a GOOD thing). And as far as paid VPN services go, caveat emptor.

More background on the dangers of free and paid VPN services: https://www.computerweekly.com/news/252466203/Top-VPNs-secretly-owned-by-Chinese-firms

If you already have your network set up the way you like and just want to add security with your own VPN, the old Transport Layer Security (TLS) VPN solution using a low-powered Raspberry Pi is a great option: https://pimylifeup.com/raspberry-pi-vpn-server/ and you can use an OpenVPN client for your tunneling needs when on the road.

In summary, a lot of these projects aren’t “free” in terms of hardware, frustration, or time. Some of them have a learning curve. However, all of them are good things to do in order to increase your information security level.
