Currently setting up my own VPN using Wireguard out of interest and because I want to access my devices from anywhere in the world - how a VPN was meant to be used.
Thought I'd share this since I feel like there are many misconceptions about VPN and public Wi-Fi.
Then I realized I have been using some weird workarounds using SSH tunnels to access my devices when I am not at home, which would be obsolete with a proper VPN setup: the original use case of a VPN.
I am already using Mullvad VPN but as far as I am aware that only hides my IP from my ISP (edit: that was wrong, it hides my IP from websites I visit) but does not solve this original use case. Maybe it can, but I wanted to know how this VPN stuff works anyway.
So off I went with Wireguard.
I had to change my VPS because WireGuard seems to only be available since Linux kernel v5.6 and my VPS provider was still using 4.15. Also, no option to upgrade the kernel because of their virtualization method (OS-level virtualization using OpenVZ where the kernel is shared). So I created another VPS at Linode with full virtualization using KVM. Could even pick Arch Linux as my image :) So I even learnt something about virtualization along the way, haha
This home access VPN is already set up. Wasn't that hard. The only part I was struggling with was understanding iptables and making the Linode VPS act as a VPN "server" which forwards packets between devices (since it's the only one accessible from the internet). (Server in quotation marks because the WireGuard protocol does not distinguish between clients and servers. Everyone is just a peer but can have different configs.)
Clients only know how to reach the server using its static IP as endpoint. So they send all packets meant for any device in the VPN (10.0.0.0/24) to the server, which then forwards the packets to the corresponding peer.
The part about iptables such that the server can forward IP packets is done in the PostUp script:
#!/bin/bash
# /etc/wireguard/helper/add-nat-routing.sh
# Called from the PostUp hook of the server's wg0.conf.
# Set up IP forwarding rules such that clients can connect to each other.
# The following kernel parameters must be enabled (e.g. via sysctl):
# - net.ipv4.ip_forward = 1
# - net.ipv6.conf.all.forwarding = 1
# See https://wiki.archlinux.org/title/WireGuard#Server_configuration
# and https://www.cyberciti.biz/faq/how-to-set-up-wireguard-firewall-rules-in-linux/
# 1. NAT: packets from the VPN subnet that leave via wg0 get the server's wg0 address as source
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o wg0 -j MASQUERADE
# 2. Accept all traffic arriving on the wg0 interface
iptables -A INPUT -i wg0 -j ACCEPT
# 3. Forward packets from one peer to another (wg0 in, wg0 out)
iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
Currently trying to figure out how to route all internet traffic of my mobile first to a device at home. Could only get this to work by routing all internet traffic to the VPS. But I don't want to use the connection of my VPS for my mobile usage since it's metered. I want to use my unlimited home internet connection.
Not sure if you wanted it this detailed, but that's my progress so far haha
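An added example (not the poster's script) that turns the PostUp rules above into one helper usable as both the PostUp and the PostDown hook, so the rules are removed again when the tunnel goes down instead of being appended a second time on every restart. Interface name and subnet are the ones from the post; the hook path, the `add`/`del` arguments and the DRY_RUN switch are assumptions.

```shell
#!/bin/bash
# Added example, not the poster's script: one helper that serves as both the
# PostUp and PostDown hook of the server's wg0.conf, so the rules added on
# "wg-quick up wg0" are deleted again on "wg-quick down wg0". Assumed lines
# in wg0.conf:
#   PostUp   = /etc/wireguard/helper/wg-nat.sh add
#   PostDown = /etc/wireguard/helper/wg-nat.sh del
# Interface and subnet are the ones from the post; DRY_RUN is a made-up
# switch that prints the iptables commands instead of applying them.
WG_IF="${WG_IF:-wg0}"
WG_NET="${WG_NET:-10.0.0.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Run iptables, or print the command line when DRY_RUN=1
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# wg_nat_rules add|del: -A appends the three rules, -D deletes the same rule specs
wg_nat_rules() {
    case "$1" in
        add) op=-A ;;
        del) op=-D ;;
        *)   echo "usage: $0 add|del" >&2; return 2 ;;
    esac
    # 1. NAT: forwarded peer traffic leaving via wg0 gets the server's wg0 address as source
    ipt -t nat "$op" POSTROUTING -s "$WG_NET" -o "$WG_IF" -j MASQUERADE
    # 2. Accept traffic arriving on the tunnel interface
    ipt "$op" INPUT -i "$WG_IF" -j ACCEPT
    # 3. Forward traffic from one peer to another (wg0 in, wg0 out)
    ipt "$op" FORWARD -i "$WG_IF" -o "$WG_IF" -j ACCEPT
}

# Dispatch only when an action was given, so the file can also be sourced
if [ $# -gt 0 ]; then
    wg_nat_rules "$1"
fi
```

Running `DRY_RUN=1 ./wg-nat.sh del` shows the exact `-D` commands that the PostDown hook will execute, which is a cheap way to check the rule specs match the ones added by PostUp.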
First, you'll need a public IP as a "VPN entrypoint" and some basic Linux knowledge, since I only know how to do it using the terminal. I used a VPS for this entrypoint, but I think if you can forward a port in your home router you can use a device at home, too.
But I can guide you through it if you want. You can write me on Discord.
I'm surprised the EFF didn't mention privacy: public wifi without a login is good for everyone because it makes it harder to trace back web traffic to the individual user initiating it. Normalizing it also makes it easy for people who really need to do something anonymous to actually find an anonymous internet connection.
Similarly, this is why I leave my wifi at home open, without a password. It's also just being a good neighbor: why wouldn't you share your internet in case your neighbor needs it?
Not sure how the laws in your country are, but here in Germany the owner of the internet connection is responsible for all traffic going through it.
If my neighbor needs it, I'll give him the password or guest access where I can change the password after some time.
Sounds fine if you know your neighbors, maybe in a suburb where your wifi only reaches the houses next to you. In many places though, people don't really know who they are living next to. In a large apartment complex you could have hundreds of people within reach of your wifi and have no idea what they might get up to if they have steady access to someone else's connection.
The FUD against using public Wi-Fi is nothing more than counterintel. If you are being careful with your cookies, being careful to only use websites in an anonymous way, and making sure your Wi-Fi MAC is randomized each time it connects (some adapters and OSs offer this option), using a public Wi-Fi is much more private than using your home connection with a paid VPN. Excepting zero-day exploits of course, it is much harder to create a profile of your activity when you stay on the move with your secured laptop than by simply watching your home connection or using entropy correlation on your connection to a paid VPN. As long as you don't accept invalid certificates when connecting to your favorite password, email and storage provider, and you use onion sites for anything that could tie you to your true identity, there's little reason to be concerned about using a public Wi-Fi connection.
Example:
Evil-twin attack launched on an unsuspecting victim on a public network:
Attacker sets up a network with the same SSID as the one you want to connect to.
You are now connected to the bad actor, and he is routing your traffic. He can spoof your DNS, unless you have taken precautions.
You look up 'facebook.com', he reroutes you to 'faƧebook.com'. He also got a TLS certificate for his domain to look legit.
He serves you a login screen that looks just like the original one. You type in your credentials.
He redirects your request to Facebook, logs you in, and steals your password in the process.
You never know what hit you.
There are more attacks: man in the middle, DNS spoofing etc.
By using a VPN, the encrypted connection is made from your device to a secure network, and the requests are made from there, and sent back to you through a secure channel.
HTTPS might encrypt the content, but it won't save you from spoofed DNS and the like.
It cannot be done easily.
It is definitely harder due to HTTPS, but I'd say it is still pretty easy.
I'm hating on the article a little bit, because people are already lazy about security, and things like this give an even more false sense of safety. It's still good that HTTPS is used as much as it is now, but it's not a silver bullet.