13. Nov 2016 08:48 by amad...@riseup.net:
> We see much correspondence in these forums about installing a VPN within
> Qubes. Surely, the most secure place for VPN is to install on a Router?
>
> I say these things after reading the following paper
> [https://cryptome.org/2013/12/Full-Disclosure.pdf] in which a group of
> hackers demonstrate that the majority of routers (in particular those
> provided by ISPs) have backdoors to government agencies. These adversaries
> are able to attack our LAN and its devices, including the ability to
> intercept VPN and Tor traffic.
>
> The solution they say is to isolate these rogue routers in the Militarized
> Zone by creating a DMZ [demilitarized zone]. Achieved by installing a 2nd
> router [flashed with open source firmware such as OpenWrt]. It is here, on
> the router, that we should enable and run OpenVPN.
>
> Thoughts on this paper and its conclusions are welcomed

An always-on VPN connection on the router works well but can be a bit slow since the processing power of router CPUs is generally quite limited. If choosing a router, I'd suggest a dual-core ARM-based device. Although OpenVPN is only single-threaded, you can usually configure CPU affinity to place it on one core and the other routing tasks on the other core.

For those who want to go beyond around 20-25 Mb/s, which is where an ARM router will start to reach its limits, a fine alternative is a small fanless PC, such as the Intel NUC or Gigabyte Brix, running an open source firewall instead of a router. I'm using IPFire. If the processor supports AES-NI, the limiting factor will be your network speed, not the firewall's CPU.

Finally, I've always felt that running a VPN on Qubes and having an always-on VPN running on a router/PC complement each other.