Ideally you would want a blob-free coreboot system with no Intel ME or
AMD PSP type backdoors.
Intel is actively trying to nerf free software with Boot Guard/ME; if
you buy a computer with those features it isn't really your computer.
A backdoor in a modem is irrelevant; it is post-WAN and should be
considered part of the "internet".
You need a computer with more than one server-grade PCI-e interfaced
NIC if you want real LAN>WAN performance; 25Mbps is simply a pitiful
amount to settle for - the newer "server" grade ARM chipsets can do much
better than that.
On 11/13/2016 08:22 AM, hed...@tutanota.com wrote:
13. Nov 2016 08:48 by amad...@riseup.net:
We see much correspondence in these forums about installing a VPN within Qubes.
Surely, the most secure place for VPN is to install on a Router?
I say these things after reading the following paper
[ https://cryptome.org/2013/12/Full-Disclosure.pdf ] in which a group of hackers
demonstrate that the majority of routers (in particular those provided by ISPs) have
backdoors to government agencies. These adversaries are able to attack our LAN and its
devices, including the ability to intercept VPN and Tor traffic.
The solution they say is to isolate these rogue routers in the Militarized Zone
by creating a DMZ [demilitarized zone]. Achieved by installing a 2nd router
[flashed with open source firmware such as OpenWRT]. It is here, on the router,
that we should enable and run OpenVPN.
Thoughts on this paper and its conclusions are welcomed.
An always-on VPN connection on the router works well but can be a bit slow
since the processing power of router CPUs is generally quite limited. If
choosing a router, I'd suggest a dual-core ARM-based device. Although openvpn
is only single-threaded you can usually configure cpu-affinity to place it on
one core and the other routing tasks on the other core.
For those who want to go beyond around 20-25 Mb/s, which is where an ARM router
will start to reach its limits, a fine alternative is a small fanless PC, such
as the Intel NUC or Gigabyte Brix, and run an open source firewall on it,
instead of a router. I'm using IPFire. If the processor supports AES-NI, the
limiting factor will be your network speed, not the firewall's CPU.
Finally, I've always felt that running a vpn on Qubes and having an always-on
vpn running on a router/PC complement each other.