this post was submitted on 10 Aug 2024
49 points (94.5% liked)

Privacy

31991 readers
525 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
49
submitted 3 months ago* (last edited 3 months ago) by [email protected] to c/[email protected]
 

I'm thinking of configuring a VPN in my router so that all traffic runs via Mullvad, just trying to consider if there are any downsides to this?

If I buy Mullvad via the onion site with Monero, obviously there's no link to me, and they appear to keep no logs, as has been tested. In any case I trust them to keep no logs more than my ISP and government.

I do already have ProtonVPN but it's attached to my debit card details, my email address, and name etc. No need to give them all my traffic too.

I know I can still be tracked by browser fingerprint and IP but I'll be one of many users using the same Mullvad IP and I also employ adguard DNS, anti fingerprinting on my browsers etc.

My threat model is generally removing as much passive data gathering and tracking as possible, corporate or state. My threat model does not include active investigation from the law enforcement or state

all 18 comments
sorted by: hot top controversial new old
[–] [email protected] 17 points 3 months ago (2 children)

There's no point in hiding the transaction. A state level actor will see that you're connecting to the Mullvad VPN addresses and won't need to check your credit card statement to determine that you're using it.

[–] [email protected] 6 points 3 months ago (1 children)

Just because they could doesn't mean you have to make it trivial for them.

[–] [email protected] 3 points 3 months ago

It's already trivial to see that you're connecting. You're not making anything at all more difficult for state level actors, just yourself.

[–] [email protected] 2 points 3 months ago

The purpose of hiding the transaction would be to make it so that Mullvad couldn't tie the transaction (or your identity) to your account even if they wanted to. I know they say they don't log that data and I believe them, but they physically could if they wanted to, as opposed to paying in a private way, which Mullvad encourages anyway.

Of course, this then depends on what you'll do with your VPN. If you're using it to log into anything, unless that account is completely anonymised, the Mullvad servers could tie you to your account if they wanted to track you. Same goes for if you connect from your home network as opposed to eg public wifi. But there definitely exist threat models and use cases where what you're doing on that VPN wouldn't otherwise be tie-able to your real identity and therefore wanting to guarantee your VPN provider can't know who you are may be something you're interested in.

And some people just like anonymity for the sake of it 🤷‍♀️

[–] [email protected] 12 points 3 months ago* (last edited 3 months ago)

I've been doing this for a while now with opnsense being what masks the whole network behind the mullvad VPN.

Pros:

  • Even fresh new devices that have all that crap junkware installed get routed through the VPN, meaning no tracking to you immediately (unless they sniff the rest of the network and relay your network AP I guess)
  • one device instead of many, leaving extra devices available to use for a single mullvad account (limited to 5 devices, at least for wireguard)
  • if using wireguard, you honestly won't be hit with network performance issues. Just don't choose a server across the world from you. I chose one in the same country as myself and get an average 95-97% of my internet speed, and that's because I also have IDS/IPS enabled

Cons:

  • as others mentioned, increase captcha annoyances
  • some banks may lock your account if you try to log in with the VPN
  • if the VPN server goes down, the whole network will. This may be a good thing since your don't want traffic to leak, but just pointing out you now have another single point of failure outside your ISP
  • when someone's hoarding the entire VPN server you're connected to, you'll probably witness a slowdown

That all being said, if you're not very technically savvy on the networking side or haven't ever setup a custom router/firewall, this will be a pain. But it you want to learn something new and are up for the challenge, eventually it gets down to almost never having to worry about it. I've been doing it for a long time now, so for me personally, I've gotten to the point of only needing to login to the firewall for a VPN setting update or server change maybe once a month

[–] [email protected] 12 points 3 months ago

Downsides include having to solve lots of captchas or just getting blocked by services. I prefer just booting up Tails and connecting through the VPN with that but give it a try.

[–] [email protected] 8 points 3 months ago

There are a few performance issues that you may experience. For example, if you're into online gaming then your latency will likely increase. Your internet connection bandwidth could also be limited by either Mullvad's servers, your router, or any of the additional hops necessary due to the VPN. There's also the situation where you have no internet connection at all due to an issue with the VPN connection.

There are also some user experience issues that users on the network nay experience. For example, any location based services based on IP address will either not work at all or require manual updates by the user. The same is true for other settings like locale, but they are hopefully better handled via browser/system settings. What's more likely is content restrictions due to geographic IP addresses. Additionally, some accounts/activity could be flagged as suspicious, suspended, or blocked/deleted if you change servers too frequently.

I'm sure you are either aware of or thought through most of that, but you may want to make sure everyone on the network is fine with that too.

In terms of privacy and security, it really comes down to your threat model. For example, if you're logged into Facebook, Google, etc. 24/7, use Chrome, Windows, etc., and never change the outbound Mullvad server, you're not doing too much more than removing your ISP's ability to log your activity (and maybe that's all you want/need).

[–] [email protected] 8 points 3 months ago

Router-level VPN is going to be more difficult to configure and cause more problems than just having it on all your devices. There are some games where online play just refuses to work if connecting through a VPN. Some mobile apps are the same. When a website blocks your currently selected server, and the usual solution is switching to another server, that's going to be more difficult and more tedious when it's configured at the router level. In addition, if you do something like using a self-hosted VPN in order to connect remotely to a media server on your home network, that becomes more difficult if your home router is on a different VPN.

If you're trying to keep local devices in the building from phoning home and being tracked, a PiHole or router-level firewall might be a better solution. I think if you're running a pfsense or opnsense router and are a dab hand with VLANs then maybe you could get what you're looking for with router-level VPN, but it's a huge hassle otherwise. Just put Mullvad on your computers and phones and call it a day.

[–] [email protected] 7 points 3 months ago (1 children)

Imo the most important thing is the separation of what you do. If you're logged in on facebook, you can do that from your public ip. Anything you're not associated with your name you want to use a diffferent browser identity and maybe a different ip.

If you use Torrents or do anything illegal or whistleblowing or similar stuff, use a live linux iso with no persistence and a vpn bought with monero.

[–] [email protected] 2 points 3 months ago (1 children)

I did try to install Qubes recently for this purpose but it's not well supported on my laptop hardware.

[–] [email protected] 1 points 3 months ago (1 children)

You could try Tails maybe? I found that a lot easier to set up that Qubes personally.

[–] [email protected] 1 points 3 months ago

I have Tails on a USB for temporary use , I don't think it's supposed to be used as a full time OS with persistent storage though.

[–] [email protected] 7 points 3 months ago

I think your in a situation that a lot of users fall into, where your making your life harder without any benefit to your threat model.

You really have no reason to switch from Proton to Mullvad based on your threat model.

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago) (1 children)

My threat model is generally removing as much passive data gathering and tracking as possible, corporate or state. My threat model does not include active investigation from the law enforcement or state

Honestly just route your tcp traffic through Tor, even if you're being snooped on by guard and exit nodes owned by the state when using clearnet sites, no advertiser is going to know who you are, and state owned exit nodes aren't going to investigate you for visiting random common clearnet sites (note even if you're deanonymized you're still protected by tls). No reason to pay for a VPN for this, and the more Tor users the safer Tor gets against certain types of attacks.

It's worth noting neither a VPN nor Tor will protect you from advertisers fingerprinting you due to poor opsec; and that is very difficult to get around if you're doing something like using popular social media platforms with an account.

[–] [email protected] 2 points 3 months ago

Yeah don't worry I have no social media accounts other than Lemmy

[–] [email protected] 2 points 3 months ago

I do this, I have different vlans setup using different wireguard tunnels. It's totally fine.

Until you need to debug something, then it gets annoying

Depending on your threat model, you might want to make sure that your VPN connection fails safe, or fails dangerous, depending if you want the internet to always work, or you want to never leak