Public WIFI vs Router

I understand VPN is probably the answer to my question but still want to ask these scenarios. Both scenarios are WITHOUT VPN.

Scenario 1: If I am sitting at Starbucks and using its PUBLIC WIFI through my router in repeater mode, does the router (GL.iNet Beryl GL-MT1300) serve any protection?

Scenario 2: If I am in a hotel room and using an ethernet cable to connect to WAN, does the router (GL.iNet Beryl GL-MT1300) serve any protection? Keep in mind the people on WIFI to the hotel can access the network, right?

Thanks

I know a similar question has been asked here.

Without vpn you are somewhat safe but not yet.

The reason is because you are behind another NAT firewall; an intruder first has to hack your router to reach your device.

However, and here comes the VPN story, you have no control upstream, so a man-in-the-middle attacker could ARP spoof or do DNS poisoning, meaning he can act as the middle person in your queries and may send you to forged servers.

He can also sniff data, so if a password was submitted over plain text, he could read it.

A vpn tunnel would make it unreadable for the attacker, if he tries to mitm it fails because the encryption needs to match.

1 Like

The answer for both is: It depends.

Protection like somebody tries to access your devices? Yes, it protects against it.
Protection like reading your traffic, sniffing for plain passwords and so on? No. *

*) TLS / SSL makes it nearly impossible to read traffic and DoH or DNS-over-TLS will make it impossible to sniff for domains. But if you surf to a plain website without HTTPS everyone can see and read it.

2 Likes

I think I understand both of your replies. As long as I am not sending out anything sensitive, then the router protects intrusion or uninvited guests from entering even when they are using Public WIFI.

Nah, it’s not about sensitive or not. It’s about encryption or not.
So as long as you use encrypted DNS (so DNScrypt, DNS-over-HTTP, DNS-over-TCP, bla) and you use TLS (so https for web surfing) you get enough security to say it’s “OK”.

But unfortunately, there might be applications on your device that don’t honor this and use unencrypted traffic - these will punch a hole in the security.

1 Like
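
Added example, not part of the original thread: one way to find the applications mentioned above that still send unencrypted traffic is to review the flows leaving the travel router and flag those going to well-known plaintext ports. The flow record format, the port-to-protocol mapping and all addresses below are constructed for illustration, and a port number is only a heuristic for what a connection carries.

```python
import re
from collections import defaultdict

# Destination ports whose traffic an upstream observer can read or alter.
# Port numbers are a heuristic: a service can run on any port.
PLAINTEXT = {53: "DNS (queried names visible)", 80: "HTTP (content readable)",
             21: "FTP", 23: "Telnet", 110: "POP3", 143: "IMAP"}
ENCRYPTED = {443: "TLS/QUIC (HTTPS, DoH)", 853: "DNS-over-TLS"}

# Constructed flow format for this example: "<proto> <src>:<port> -> <dst>:<port>"
FLOW_RE = re.compile(r"^(tcp|udp)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")

def audit_flows(lines):
    """Return {client_ip: {"plaintext": [...], "encrypted": n, "unknown": [...]}}."""
    report = defaultdict(lambda: {"plaintext": [], "encrypted": 0, "unknown": []})
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed records
        _proto, src, _sport, dst, dport = m.groups()
        dport = int(dport)
        entry = report[src]
        if dport in PLAINTEXT:
            entry["plaintext"].append((dst, dport, PLAINTEXT[dport]))
        elif dport in ENCRYPTED:
            entry["encrypted"] += 1
        else:
            entry["unknown"].append((dst, dport))  # needs manual review
    return dict(report)

# Constructed sample: two LAN clients behind the router, documentation-range servers.
SAMPLE_FLOWS = """
tcp 192.168.8.120:51514 -> 203.0.113.10:443
udp 192.168.8.120:40112 -> 198.51.100.53:53
tcp 192.168.8.120:51520 -> 203.0.113.80:80
tcp 192.168.8.131:49822 -> 203.0.113.10:443
tcp 192.168.8.131:49830 -> 198.51.100.53:853
udp 192.168.8.131:50001 -> 203.0.113.99:5000
garbage line
""".splitlines()

if __name__ == "__main__":
    for client, r in audit_flows(SAMPLE_FLOWS).items():
        print(client, "encrypted flows:", r["encrypted"])
        for dst, port, why in r["plaintext"]:
            print("  PLAINTEXT ->", f"{dst}:{port}", why)
        for dst, port in r["unknown"]:
            print("  unknown   ->", f"{dst}:{port}")
```

In the sample, the first client still leaks its DNS lookups and one HTTP session to the upstream network, while the second uses only TLS-based ports plus one flow that cannot be classified by port alone.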

One thing I would add to what @admon said, do not accept any certificate warnings while you are connected to any public wifi unless you absolutely know what you are doing. If an attacker were performing an attacker-in-the-middle attack using a malicious access point, you might see these messages in your browser because the attacker is trying to decrypt your session to sit in the middle. Just be aware, and if you are seeing these, be very careful about just clicking through.

1 Like