I’m currently based in France and I’m looking to work remotely in another country. To facilitate this, I’ve attempted to set up a site-to-site VPN. I purchased two GL.iNet routers for this purpose. I installed one at my home and configured it with WireGuard VPN server, while the second one I take with me and set up as a WireGuard client.
However, I’ve noticed a discrepancy when checking on the site https://whoer.net/. It displays a different country for the DNS (Germany). Why is this happening, and how can I prevent it?
When I connect normally through my router in France, there are no DNS issues.
I tried to disable dynamic DNS, but I get the same results.
It doesn’t matter where you connect really. In fact, it might be worse for you connecting back to your house than a provider for a variety of reasons. I will not say too much more here, but your browser and other processes can give you up in a variety of ways. I am sorry, but you might have better luck asking in a privacy related forum rather than a manufacturer support forum.
As mentioned, there are other ways to detect your location. Wifi mapping, WebRTC, GPS signals etc. For MOST (not all) employers, masking your IP address properly will be sufficient for your laptop, since laptops for the most part don’t have GPS. Your cell phone is a different story, and would likely require GPS spoofing (or keeping corp stuff off your cell phone altogether). If you work for the government/military, they MAY go the extra mile with some of these techniques. But as someone who works in IT security, MOST corporate security tools are just using your public IP address and/or GPS signals only. So for your laptop, hiding behind a properly configured router should be sufficient. For your cell phone, keep corp stuff off your phone if possible. If not possible, get a 2nd phone, enable GPS spoofing (look up on the internet on how to do this) + Zerotier app (which has the ability to funnel all traffic). Additionally, you can “block non-vpn traffic” and enforce the VPN connection in Android so your internet connection drops instead of IP leaking (in case your phone reboots, or the app crashes). I am on call, but generally, I keep corp stuff off my phone, and when on call, I just use the call forwarding option only.
Is the site to site VPN good enough? Mostly yes. I use WireGuard, so ensure “Block non-vpn traffic” is enabled. When remote, your internet can blip and the VPN can drop. You need to ENSURE that traffic doesn’t leak when the VPN/internet blips, otherwise it’s game over for you. By enabling this WireGuard configuration, you ensure your connection STAYS DOWN until the VPN is re-established. This is critical. My other recommendations are as follows: Hardwire into your travel router (ethernet into LAN port), and ensure wifi on your actual laptop is disabled. This will prevent the possibility of your location being determined via Wifi mapping. MOST companies don’t use this to locate you, but it’s still a possibility. Additionally, disable Bluetooth as well if you can, for similar reasons. Double-check your laptop doesn’t have a GPS in it (most don’t). If it does, disable it if you can. If you do these things, your laptop should be fairly bulletproof when it comes to your company determining you are out of country. And just for kicks, on your travel router, under Network → DNS, I would set up Encrypted DNS/DNS Over TLS and set it to Cloudflare. Additionally, I would ensure “override DNS settings for all clients”. That way you are guaranteed to use an “agnostic” DNS service on your laptop, and it is a good security practice anyway. This is what I do on my travel Beryl AX.
I don’t think I can disable Bluetooth or gps, since I don’t have admin rights.
By blocking non-VPN traffic, you mean the kill switch feature in WireGuard?
Another consideration: when exporting a WireGuard file, the default DNS is set to 64.6.64.6, which I believe is from Germany. When I tested on whoer.net, I can see a German IP address under DNS. To mitigate this, I have replaced the DNS in the WireGuard file with my router’s address; effectively, now I have n/a under DNS, which means I don’t use any DNS.
Now, the question is: is it advisable to keep my router’s address for home? Or keep the 64.6.64.6?
And if I opt for encrypted DNS/DNS over TLS and set it to Cloudflare, might that alter my DNS and potentially be detected by my company as an attempt to conceal my location?
Additionally, regarding my home setup, I am considering whether to retain my ISP router and connect it to another router to establish the VPN server, or replace the ISP router entirely with a new one.
Then, what are your recommendations for the type of routers, and for a router suitable for travel?
Thank you
I didn’t modify the DNS in the WireGuard file. But my “home router” is also set to Cloudflare with Encrypted DNS. No, your employer won’t care what DNS you set, and you are allowed to set whatever DNS you like. I use Cloudflare with Encrypted DNS on all my routers since A) Encrypted DNS is good, and B) Cloudflare has a very fast DNS, so it (slightly) increases performance.
For your home setup, I generally advise two options. Either A) keep your home router, and connect a Brume2 behind it or B) replace your ISP router with a Flint 2. By doing B), you are eliminating a “hop” and just consolidating everything to one box. I personally did option B and power my whole house network with a Flint2, plus having it host the VPN config. It works perfectly fine for me. I lean towards B if you want to keep everything on one device, and are thinking about replacing your home router anyway. Otherwise, option A is perfectly fine. I tried both configs, and honestly didn’t notice any significant performance differences in terms of speed or ping times so both will likely meet your needs. For the travel router, I use the Beryl AX. Though a Slate AX would also work well depending on if you need an extra Ethernet port. You can look up the specs, but regardless of where you end up, you want to use Gl-inet’s newer hardware simply because they have newer chipsets and higher throughputs for VPN. No reason to cheap out on hardware if your job depends on it…
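The DNS= line in the exported client file and the AllowedIPs routing are the two places the thread has been looking at, so here is a small added checker for them (example code, not from this thread or from GL.iNet's firmware) that reads a WireGuard client config and reports where DNS queries or traffic could leave the tunnel; it goes slightly beyond the thread by also flagging IPv6 that is not routed through the VPN. The sample config, its placeholder keys and the endpoint name are constructed. The router-side “Block non-vpn traffic” kill switch lives outside the client file, so this check complements it rather than replacing it.

```python
import ipaddress
SAMPLE_CLIENT_CONF = """\
[Interface]
PrivateKey = <redacted>
Address = 10.0.0.2/24
DNS = 64.6.64.6

[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = home.example.invalid:51820
"""  # constructed sample: keys and endpoint are placeholders

def parse_wg_conf(text):
    """Parse WireGuard's INI-like file into [(section, {key: [values]})];
    configparser is avoided because real configs repeat the [Peer] section."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def check_client_conf(text):
    """Return finding codes for places where DNS or traffic can leave the tunnel."""
    sections = parse_wg_conf(text)
    iface = next((keys for name, keys in sections if name == "Interface"), {})
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for name, keys in sections if name == "Peer"
            for value in keys.get("AllowedIPs", []) for n in value.split(",")]
    findings = []
    for version, code in ((4, "split-tunnel-v4"), (6, "ipv6-outside-tunnel")):
        if not any(n.version == version and n.prefixlen == 0 for n in nets):
            findings.append(code)  # that address family is not fully routed via the VPN
    dns_values = [d.strip() for v in iface.get("DNS", []) for d in v.split(",")]
    if not dns_values:
        findings.append("dns-unset")  # client keeps its local (possibly ISP) resolver
    for dns in dns_values:
        try:
            addr = ipaddress.ip_address(dns)
        except ValueError:
            continue  # DNS= may also list search domains; those are not resolvers
        if not any(addr in n for n in nets):  # resolver is reached outside the tunnel
            findings.append(f"dns-outside-tunnel:{dns}")
    return findings
```

An empty list means the resolver named in DNS= is reached through the tunnel and both address families are fully routed; the resolver's own location is then whatever the server side sees, which is the “DNS country” whoer.net reports.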
Thank you for your response.
Alright, I will stick then with the default DNS provided by WireGuard (the one from Germany) while also enabling encrypted DNS through Cloudflare.
I’ve purchased Flint 1, but I’ve noticed suggestions to directly set up Brume 2 with my ISP router rather than replace the ISP router. However, I’m puzzled because when I compare the specs, Flint 1 seems to be more powerful than Brume 2, so I’m not sure why this recommendation is made!
Because the Flint 1 is a wireless router, and you won’t need that. Brume2 has “lower specs” since it’s more dedicated to serve either as a firewall (or in this case) a dedicated VPN gateway. You CAN use a Flint1, then turn off the wifi, but honestly it’s just overkill. If keeping your ISP router, the Brume2 is the way to go.
I’m not really sure if I would keep the ISP router or replace it with the Flint 1.
So basically, if I link it to my ISP router, I will get better performance than the Brume 2, right?
And buy the Beryl for traveling.
I really can’t answer this too well. Personally, if you were to keep the Flint 1, I would probably replace your ISP router (since those are usually garbage anyway). You might want to compare the specs to make sure it’s an upgrade. Though if your goal is to maximize performance, I am not sure why you would keep the Flint 1 when the Flint 2 just came out. You may want to look at this comparison chart and look at the Wireguard MAX speed: Product Comparison - GL.iNet since that is probably what matters more than CPU or memory (at least in this use case). Realistically, you are likely to be hindered by your remote internet speed before you hit any theoretical limits of the router, so I would be less concerned about individual specs, and more concerned about how you want your “layout” to be. If you want to do a smidgeon extra configuration, I would replace the ISP router and replace it with a Flint 2. ISP routers are typically mediocre, and if I am going through the effort, I might as well get the “best” home router Gl-inet offers. If you are happy with your ISP router, a Brume 2 probably makes the most sense since you really do NOT need two wireless routers. Your ISP router will serve up your wifi to your home, and the Brume2 would be a dedicated VPN endpoint basically. Though you CAN place your Flint 1 behind your ISP router, and just turn off the wifi on it. That’s not “wrong” either (especially if you don’t want to return anything and buy something new), it’s just a little goofy from a hardware choice perspective. None of these options are “wrong”, it’s just more of what you prefer, how much you want to spend, and what your comfort level is with configuring/re-configuring your home wireless on the Flint 1/2 (or not). And in the real world, I suspect the performance will be nearly identical across any configuration.
Okay, I see. I think for the moment I will stick with the Flint 1 that I bought and replace my ISP router.
Also, one last thing: the Encrypted DNS set up with Cloudflare, should that be done in the travel router (WireGuard client), right? Or the WireGuard server?
Okay, perfect.
One last question: in the WireGuard configuration I see IP Masquerading enabled.
What does this actually mean, and is it useful for my use case?
Thanks
No, you don’t need that. The settings described should protect you completely. Anything else you need/want to do would be outside of the router such as:
Hardwire from your laptop to the LAN port of the travel router, and ensure wifi is disabled on your laptop. You will be using the travel router to connect (wirelessly) to your local wifi connection. This will help reduce the chance of getting located via wifi mapping.
Same for Bluetooth and GPS (if there is a GPS on your laptop, but highly unlikely). But the router config described above should completely shield your IP address.
The recommendation is made because the Brume 2 is good enough (Wireguard throughput-wise) for most people and is the most affordable because it doesn't have Wi-Fi.