Classic college kid Internet privacy question

Classic college kid basic Internet privacy question.

  1. Kid is a freshman who was brought up on privacy.
  2. Kid is in a dorm apt with school Wi-Fi & Ethernet (2 ports).
  3. Understandably, kid wants privacy on his Internet connections.

Kid has the following hardware in his dorm room.

  A. 5G Android smartphone
  B. Desktop with Wi-Fi & Ethernet (unknown if it's both 2.4 & 5GHz)
  C. Laptop with Wi-Fi & Ethernet (unknown if it's both 2.4 & 5GHz)

What options do we have?

  a. Kid is on USA T-Mobile which provides only 5GB/month free hotspot.
  b. I don't think a free public Wi-Fi or WISP is in the cards.
  c. I doubt the school would allow Comcast cable in a dorm room.

Kid says 5GB isn't enough so I can ask his parents to change their plan (he's my grandchild) but increasing his hotspot amount is only one possible solution given he thinks the hotspotting is too slow already.

Personally I can go a year on 5GB of cellular data but I'm 4 times his age. Kid today asked for a router for Christmas (I have no problem with that). Which is what prompted this query.

What options do we have given the goal is privacy from the school? (I didn't ask why because I'm an adult so I know anyone who asks why isn't usually an adult because every adult understands privacy needs are basic.)

This is a technical question, not a moral question. What are his technical options given a typical college environment?

Reply to
Robin Goodfellow

On Sat, 23 Oct 2021 22:06:35 +0000, Robin Goodfellow snipped-for-privacy@Heaven.Net wrote:

Use this net and only connect through a VPN or TOR. Restrict that by certain firewall rules. You can run a TOR client that provides a SOCKS proxy server. The computer the kid uses is directly connected to that computer (not Routing or NAT enabled, just connected via Ethernet) and only uses the SOCKS proxy on it.

Reply to
Marco Moock

Marco Moock snipped-for-privacy@invalid.invalid asked

Thanks Marco Moock for hazarding advice, as I am well aware how risky that is, which I very much appreciate given your knowledge of networking surpasses mine.

Two things were already done, one by his parents, the other by me.

  1. The parents doubled his cellular hotspot from 5GB to 10GB per month
  2. I flashed the extra Netgear WNR834Bv2 with this "chk" file from dd-wrt
    <ftp://ftp.dd-wrt.com/betas/2015/08-25-2015-r27745/broadcom/dd-wrt.v24_mini-wnr834bv2.chk>

Regarding VPN or TOR, he is mostly gaming, I think, neither of which really lends itself to TOR (at least not the Tor Browser Bundle anyway). I'm sure there is a way to set up the entire system on TOR/Socks but I've tried that about 10 or 15 years ago and it was miserable (privoxy and all that) to do.

Therefore the only TOR he's using is the Tor Browser Bundle, which isn't, he says, useful for gaming.

The VPNs he's using are the free VPNs, which, as you may know, aren't all that reliable (and which don't have many locales inside the USA usually).

If I understand your suggestion correctly, we can set up an entire computer to run nothing but TOR/SOCKS, which is what the kid can connect to directly from his desktop (but he also wants to use his phone cellular, apparently).

There is a $90 T-Mobile mobile hotspot device which, for $55/month gives him everything he's asking for (50GB/month of cellular data) but of course, that's $600 per year which is a bit steep of a price to pay when he _already_ has "free" Internet provided by the school.

I'm working on figuring out how adding "VPN" to a router works, where I've figured out that Netgear uses "chk" files first, and then once dd-wrt is on that router, it can take a further dd-wrt "bin" file, but I don't know (yet) which bin to use. And, I don't want to guess (as bricking is always around the corner).

At that location are seven dd-wrt "bin" files, but which one do I use?

1) DD-WRT: Broadcom Generic -= K2.4 - Mini dd-wrt.v24_std_generic.bin
2) DD-WRT: Broadcom Generic -= K2.4 - Mini dd-wrt.v24_mini_generic.bin
3) DD-WRT: Broadcom Generic -= K2.4 - Micro dd-wrt.v24_micro_generic.bin
4) DD-WRT: Broadcom Generic -= K2.4 - Micro + OLSRD dd-wrt.v24_mini-wnr834bv2.chk
5) DD-WRT: Broadcom Generic -= K2.4 - Mini dd-wrt.v24_nokaid_generic.bin
6) DD-WRT: Broadcom Generic -= K2.4 - Mini dd-wrt.v24_voip_generic.bin
7) DD-WRT: Broadcom Generic -= K2.4 - Mini dd-wrt.v24_vpn_generic.bin

Notice the _last_ one has "vpn" in the name, so one might intuit that it's the one to use, but knowing that bricking routers is a distinct possibility, just guessing without any other data is usually not a good idea when it comes to flashing firmware.

I think the VPN router "might" replace your "TOR/SOCKS computer" in the suggested scenario (as I don't have an extra PC to give the kid).

If I understand VPN routers, we still need to pay for a reliable VPN service but after that, the school will only see the (faked) MAC address of the VPN router for _all_ his traffic (whether it's Wi-Fi or Ethernet from his phone or from his desktop or from his laptop).

And, if I understand it correctly, _all_ that traffic will be connected to a single IP address (of the VPN) and it will all be encrypted.

The school will know he's using VPN, and they'll know all the metadata of the size and timing of the packets, but that's it (am I correct?)

If that's a good plan (lowest cost, best compromise on privacy), then all I need to do now is find a tutorial for setting up dd-wrt as a VPN router. I think I need to flash another "bin" file (after the initial "chk" file though - but I don't know which one).

In theory, does this sound like a low-cost plan that "can" work?

  1. I put VPN on the extra router & set the MAC to look like a PC
  2. I set dd-wrt to always log into a (paid?) public VPN service
  3. The kid connects _everything_ to that VPN router

Does _that_ approach give the kid the privacy he is asking for?

Reply to
Robin Goodfellow

On Sun, 24 Oct 2021 18:33:02 +0000, Robin Goodfellow snipped-for-privacy@Heaven.Net wrote:

It works, but Tor has high latency and because of that isn't capable of real-time communication like gaming.

Much harder because Google and Apple are bad companies that restrict what users can do and restrict proxy usage to web browsers only. As far as I know, Android only supports an HTTP proxy, so you would need an HTTP/SOCKS proxy connector too.

That would be a solution. The kid is then directly connected via the VPN and the VPN router creates the VPN tunnel.

Yes, makes it much easier.

True. They only see that VPN router's interface to them and the metadata.

Depends on the VPN operator. Some use IPv4-NAT, some give you public IPv4 addresses. IPv6 is normally global, so every device gets its own global IPv6 address.

True

You need a router that a) supports dd-wrt and is able to flash foreign firmware. There are many models that support that, but some manufacturers create barriers to doing so; for my TP-Link I needed to set up a TFTP server and use the recovery feature of that device to install a foreign (non-TP-Link) firmware on it.

Sounds OK

It gives you protection against surveillance from the school, but nothing else. Also think about locking the computer when not in use and encrypting all hard disks to ensure nobody can gain access to the data or manipulate the computer this way.

Reply to
Marco Moock
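
The "restrict that by certain firewall rules" advice and the VPN-router plan discussed in this thread can be combined into a kill switch on a Linux-based router, so that devices behind it never fall back to the school network when the tunnel is down and IPv6 cannot bypass it. This is an added example, not part of any poster's message; the interface names, the VPN server address (a documentation placeholder) and the port are assumptions.

```shell
#!/bin/sh
# VPN kill switch for a Linux-based router (added example). LAN clients may
# reach the Internet only through the tunnel; if the tunnel drops, their
# traffic is dropped instead of leaking onto the school network.
# Every value below is an assumption; adjust to the router and VPN provider.
LAN_IF="${LAN_IF:-br0}"                   # bridge the dorm devices attach to
WAN_IF="${WAN_IF:-eth0}"                  # port plugged into the school network
TUN_IF="${TUN_IF:-tun0}"                  # VPN client tunnel interface
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"  # placeholder (documentation range)
VPN_PORT="${VPN_PORT:-1194}"              # placeholder UDP port

# Print the rules rather than running them, so they can be reviewed first.
# The OUTPUT rules let the router itself send only VPN and DHCP packets on WAN.
killswitch_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $LAN_IF -o $TUN_IF -j ACCEPT
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $TUN_IF -j MASQUERADE
iptables -A OUTPUT -o $WAN_IF -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -j DROP
ip6tables -P FORWARD DROP
ip6tables -F FORWARD
EOF
}

# Audit a ruleset (one rule per line): default-deny forwarding for IPv4 and
# IPv6, and no rule that forwards traffic straight out of the WAN port.
audit_rules() {
    printf '%s\n' "$1" | grep -q -- '^iptables -P FORWARD DROP$' || return 1
    printf '%s\n' "$1" | grep -q -- '^ip6tables -P FORWARD DROP$' || return 1
    if printf '%s\n' "$1" | grep -Eq -- "-A FORWARD .*-o $WAN_IF .*-j ACCEPT"; then
        return 1
    fi
    return 0
}

# "apply" as first argument (run as root on the router) installs the rules,
# but only if they pass the audit.
if [ "${1:-}" = "apply" ]; then
    rules="$(killswitch_rules)"
    audit_rules "$rules" && printf '%s\n' "$rules" | sh -e
fi
```

If the firmware has no `ip6tables`, the last two rules fail; in that case disable IPv6 on the router so the global IPv6 addresses mentioned in the thread cannot bypass the tunnel.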
