AX1800 hardening

Greetings, I finally bought an AX1800 in the Amazon Prime sale and wanted to ask if there are any options I should enable or disable to ensure maximum privacy and security possible? It was surprising to see the Flint worth nearly £100 doesn’t have a VPN leak kill switch to automatically prevent leaks but the £25 Mango V2 does. Thanks

There are all kinds of things you can do, depending on how deep down the rabbit hole you want to go, but by default the firewall rules are already configured to reject any unauthorized/unknown incoming WAN traffic to the device.

Most hardening would be related to the LAN side of things, which may or may not be important depending on your threat model.

One aspect I would highly advise regardless is to enable Encrypted DNS via DoH through either Cloudflare or Quad9. Note that Cloudflare is generally faster but is US-based and holds logs for 25 hours per their privacy policy.

GL GUI → Network → DNS → DNS Server Settings →

  • Mode → Encrypted DNS
  • Encryption Type → DNS over HTTPS
  • Servers → + Server → [ search for Cloudflare/Quad9 ]

Confirm your results via

There are other details that can harden Encrypted DNS at the cost of a slight performance hit, but that requires digging into configuration files (.conf) within the underlying OpenWrt Linux OS. If you’re comfortable with the premise of learning SSH, basic command-line usage and basic text editing, it can be done easily enough.

Of course I’m still neglecting a discussion of VPN providers.

It does, but it’s a change in terminology, as firmware v4.x is more flexible than the Mango’s v3.x: GL GUI → VPN → VPN Dashboard → VPN Client → Global Option.

Also, 4.23-release5 is the latest stable firmware for the Flint: GL GUI → System → Upgrade, or the GL.iNet download center.

1 Like

Thanks for your response. Do I still need to do Encrypted DNS if I’m using a DNS server provided by my VPN? I checked dnsleaks and it correctly shows my VPN company and chosen location.

I always keep DNS out of my VPN provider’s control. DoH can be more secure than anything they offer, provided the DoH service supports DNSSEC, even ignoring further configuration at the cost of performance (as mentioned).

1 Like
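Both the DoH setup in the first reply and the DNSSEC point in the reply just above can be checked below the GUI level. The following is an added example written for this thread, not GL.iNet or OpenWrt code: it builds an RFC 8484 DNS-over-HTTPS GET request with the EDNS DO bit set, and parses a wire-format answer to report the RCODE, the AD (authenticated data) flag that only a validating resolver sets, and the A records. The sample responses are constructed by hand (TEST-NET address 192.0.2.1), the resolver URL in the `__main__` section is an assumption, and the only network call is `query_doh`, which runs only when the script is executed directly.

```python
"""RFC 8484 DoH query builder and response checker (added example, not
GL.iNet/OpenWrt code). Offline checks use hand-constructed responses."""
import base64
import struct


def build_query(name: str, qtype: int = 1, want_dnssec: bool = True) -> bytes:
    """DNS wire-format query. ID is 0 (RFC 8484 recommends it for HTTP
    cacheability); RD set; an OPT pseudo-RR with DO=1 asks for DNSSEC data."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # class IN
    opt = b""
    if want_dnssec:
        # root name, type OPT(41), UDP payload 4096, ext-RCODE 0, version 0,
        # flags with DO bit (0x8000), RDLEN 0
        opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: base64url-encoded message, padding stripped, in 'dns='."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return f"{base_url}?dns={b64}"


def parse_flags(response: bytes) -> dict:
    """Header flags that matter for a leak/validation check."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    return {
        "rcode": flags & 0x000F,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "ad": bool(flags & 0x0020),  # resolver validated the DNSSEC chain
        "cd": bool(flags & 0x0010),  # checking disabled: AD is meaningless
        "answers": an,
    }


def dnssec_validated(response: bytes) -> bool:
    f = parse_flags(response)
    return f["rcode"] == 0 and f["ad"] and not f["cd"]


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_answers(response: bytes) -> list:
    """Return the A-record addresses in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(response, off)
        off += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed sample: QR|RD|RA|AD, one question, one A answer (TEST-NET).
_QUESTION = b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
_ANSWER = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SAMPLE_RESPONSE = struct.pack(">HHHHHH", 0, 0x81A0, 1, 1, 0, 0) + _QUESTION + _ANSWER
# Same answer without the AD bit: resolver did not (or could not) validate.
SAMPLE_RESPONSE_UNVALIDATED = struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER


def query_doh(base_url: str, name: str, timeout: float = 5.0) -> bytes:
    """Network path (not used by the offline checks)."""
    import urllib.request
    req = urllib.request.Request(doh_get_url(base_url, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for label, msg in (("validated", SAMPLE_RESPONSE), ("unvalidated", SAMPLE_RESPONSE_UNVALIDATED)):
        print(label, parse_flags(msg), parse_answers(msg), dnssec_validated(msg))
    # Assumed resolver URL; uncomment to test a live DoH endpoint from the router's LAN.
    # print(dnssec_validated(query_doh("https://dns.quad9.net/dns-query", "example.com")))
```

Run it from a LAN client (or over SSH on the router) against the DoH endpoint you configured; an `ad` of `False` on a signed zone means the resolver is not validating, which is the property the reply above is asking the DoH service to provide.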

Hmm, I personally feel okay with my VPN company handling both IP and DNS info, as they’ve been proven legit in court, whereas Cloudflare feels questionable and Quad9 is unheard of to me.

Well, it’s your call. Cloudflare is just damn fast, so that’s the real draw, even if they hold so-called ‘anonymized’ logs for 25 hours. Quad9 is a non-profit based in Zurich and they don’t log at all. IBM thinks they’re worth giving money to. Switzerland is outside the jurisdiction of Fourteen Eyes.

1 Like

That is the issue: they probably aren’t anonymized and they’re probably retained indefinitely. I would also question what Cloudflare gains from providing such a fast service in exchange for no money. My VPN and its associated DNS protection is paid for by a subscription fee, so I feel it’s more transparent.

14 Eyes is somewhat overemphasized in my opinion, also seeing as it’s a military intelligence-sharing network consisting of countries (USA) which have the power to surveil the entire global internet; permission and laws are meaningless when the surveillance itself is illegal.

Re: Guardian article

Tell me something I didn’t know. /s

It doesn’t mean you have to make it easy for them. It all depends on your threat model. Quad9 and Proton (another Swiss provider) are known to go to court to fight warrants. Mullvad VPN (Sweden, 14 Eyes) has already had its no-logging policy ‘battle tested’:

Cloudflare is a major backbone of the ’net, well, the Web, anyway; they’re best known for DDoS protection and caching/proxy servers for thousands^2 of web sites. They’re a better alternative to Google… but still, that ain’t saying much.

They have a vested interest in security, especially DNS.

1 Like

As has this one, meaning two VPNs inside of 14 Eyes gave them nothing:
OVPN Wins Court Battle After Pirate Bay Data Demands Rejected * TorrentFreak

Yeah, I had the thought they were more to do with DDoS than DNS. They’re easily prodded into doing what someone wants, though. I’m not a user, but the way they dropped Kiwifarms goes to show how easily led they can be.

Welcome to the Brave New World, Comrade.

Sweetie Squad says hello.

1 Like