Reliability of Block Non-VPN Traffic

Hey everyone,

I use the ‘Block Non-VPN Traffic’ option on my router as a WireGuard client, but am worried about its reliability (i.e., real IP address leaks).

I apologize as I’m a novice, but do I need to worry? Is there a way I can monitor the IP address history to look for leaks?

Note: my router is up to date, version 4.4.6.

Thanks,
Greg

No need to worry. Visiting https://ipleak.net/ can check for leaks.

@hansome That doesn’t really answer the question of the overall reliability of the VPN filter, just the results at a given point in time. Did you try to cause leaks during testing before release?

@hansome I’m curious to know this as well

1 Like

I doubt that this will be tested. You would then have to test with different VPN providers and that increases the complexity of testing.

Basically, the reliability of the VPN filter is sufficient for the normal user. Would I trust the VPN filter to hide me from Facebook and Google? Absolutely!

Would I trust it with my life by circumventing government censorship measures or engaging in illegal activities? Probably not.

To prevent DNS leaks, the most common form of leak, you should always use a DNS other than that of your ISP. And of course DNS-over-TLS or similar.

But surely if it leaks for one provider then it would leak for all?

I don’t really feel overly happy about that as it comes with no warning of possible flaws so basically provides a false sense of security. In my opinion it definitely should be tested to the highest extent reasonably possible.
Also; what would you trust for such situations, hypothetically.

Would using the VPN provider’s DNS be safe enough? That is what I do and it’s never failed a DNS check.

@hansome wake up

VPN is just one component of security. If you need a high amount of security you need completely different solutions.

So I would say that the quality of the embedded VPN is more than enough.

Such as what though?

That depends on who you want to protect yourself from. From the ISP or someone who controls the network? Then DNS and VPN are enough.

From the law enforcement authorities or the state?
Then you’ll have to go bigger than that. Spontaneous ideas on my part:

  • Use a disposable operating system like Tails (https://tails.net/)
  • Use an active VPN client with “kill switch” functionality on the PC as well
  • Use a trusted VPN provider or Tor (this excludes all free VPNs and NordVPN)
    My recommendation: https://mullvad.net/ - only pay by cash or vouchers.
  • Use Multi-Hop-VPN
  • Use a disposable browser (e.g. the Mullvad Browser: “Free the internet from mass surveillance. With the Mullvad Browser.”)
  • Reset browser session after each website
  • Use encrypted mail services (https://tuta.com/)
  • Don’t enter private details into websites
  • Use a DNS resolver under your own control
  • Don’t allow JavaScript in the browser if possible.
  • Disable IPv6

The VPN client on the router is not bad either.
And yes, “Block Non-VPN Traffic” works. I just want to say: If that’s not enough security for you, you need to take a few extra steps.

2 Likes

I like your style… & you’re right; OP needs to define his threat model.

ps/ Mullvad now has untraceable gift cards.

2 Likes

Generally, we trust the reliability of our VPN filter. We have covered most of the time, most of the scenarios.

In our previous firmware, we found a leak while the system was booting,
and a leak while the VPN went offline with a certain combo of settings.
We were impacted by the TunnelCrack ServerIP attack.
These issues were all addressed in firmware 4.4.6.

To date, we judge that the VPN filter is working by dnsleaktest.com, traceroute, etc. Obviously, that’s not enough; there are always some corner cases.
That’s why we’ve set up a ‘VPN, DNS, leaks’ category in our forum, hoping the community can collaborate to boost overall reliability.

We will strengthen the use cases in our testing process, including all the cases users have encountered.
One of the most important aspects to improve testing is to use a packet generator and traffic capturer in the whole process of our testing to identify any leak.

2 Likes

I use a VPN which has been court-proven to not keep logs and to protect users; they publish transparency reports stating how many legal requests they get per month. They never fulfill a single one of them.

I paid by mailing physical cash and no email address is required during sign up, I also use multi hop wireguard servers by default.

For a browser I either use a ‘hardened’ Firefox config with uBlock and enhanced tracking protection set to strict, or Brave with tracking protection set to aggressive and anti-fingerprinting set to strict. Sometimes I use Tor Browser but not often due to how slow it is and the fact it’s controlled by random strangers.

I always use encrypted email services (such as Proton and Tuta) which I never give a secondary linked email address or mobile number for any reason.

I use different usernames, passwords and linguistic styles for each site and never mix two together.

There are 0 photos of me online.

Would you say that is a good security set up?

1 Like

Even though we both know this is a trick question: it depends. If I cared that much about my security - which I don’t - I would probably only use routers and modems from companies I trust.

Even if I don’t want to offend GL.iNet, I would stay away from their firmware - because I can’t judge whether any data is being leaked. But you will have this problem with any manufacturer that you haven’t scrutinized yourself. I think that I would at least go for OpenWrt only.


I use different usernames, passwords and linguistic styles for each site and never mix two together.

To further increase security, you should also use individual e-mail addresses for each service.

1 Like

I get what you mean and don’t think the GL people will be offended about anything; they’ve had more pressing questions in the past. I don’t have the ability to audit OpenWrt for leaks and I believe it’s much more difficult to use than GL software. Since people are actively probing their devices for leaks I feel that it’s probably safe enough for my use. I could connect 1 physical VPN router through another physical VPN router to reduce the likelihood of leaks but even that could fail.

I should have added that I do that too; I use “10minutemail” services for throwaway use when registering for services.

Sure you can. Throw another router running OpenWrt upstream & logwalk the pcap: opkg install tcpdump.

1 Like
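As an added example (not GL.iNet’s code and not posted by anyone in this thread), here is one way to automate the two checks suggested above: the “traffic capturer in the whole process of testing” idea from the GL.iNet reply, and the “capture upstream on a second OpenWrt router and walk the pcap” idea from the tcpdump post. The script reads default `tcpdump -nn` output taken on the upstream router’s interface facing the VPN router, where the only thing that should ever appear is UDP to the WireGuard endpoint; every other IP packet left the VPN router in the clear and is labelled by the kind of leak a user would look for (DNS, IPv6, or other cleartext). The endpoint address and port, the interface name and the sample capture lines are all constructed placeholders, not values from the thread. The match is deliberately strict on (address, port, UDP), so a non-WireGuard packet sent to the server’s IP still counts as a leak rather than being waved through as “tunnel traffic”.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical WireGuard endpoint of the VPN provider (placeholder, not a real server).
VPN_SERVER = "203.0.113.10"
VPN_PORT = 51820

# Constructed sample data, one packet per line in the default `tcpdump -nn` format:
# two WireGuard datagrams (expected), one ARP frame (link-local, ignored), one plain DNS
# query, one plain TCP SYN, and one native IPv6 SYN that bypassed an IPv4-only tunnel.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.8.1.51820 > 203.0.113.10.51820: UDP, length 148
12:00:01.500000 IP 192.168.8.1.51820 > 203.0.113.10.51820: UDP, length 92
12:00:02.000001 ARP, Request who-has 192.168.8.1 tell 192.168.8.2, length 28
12:00:03.000001 IP 192.168.8.1.43210 > 9.9.9.9.53: 12345+ A? example.com. (29)
12:00:04.000001 IP 192.168.8.1.40000 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
12:00:05.000001 IP6 2001:db8::1.40001 > 2001:db8:ffff::2.443: Flags [S], seq 2, win 64800, length 0
"""

# Matches "<ts> IP|IP6 <src>.<sport> > <dst>.<dport>: <rest>". Non-IP lines (ARP etc.) don't match.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<fam>IP6?) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


@dataclass(frozen=True)
class Packet:
    ts: str
    family: str      # "IP" or "IP6"
    src: str
    dst_host: str
    dst_port: int
    rest: str        # protocol summary as printed by tcpdump


def parse_line(line: str):
    """Return a Packet for an IPv4/IPv6 tcpdump line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # tcpdump appends the port after a final dot for both IPv4 and IPv6 addresses.
    host, port = m.group("dst").rsplit(".", 1)
    return Packet(m.group("ts"), m.group("fam"), m.group("src"), host, int(port), m.group("rest"))


def classify(pkt: Packet, server: str = VPN_SERVER, port: int = VPN_PORT) -> str:
    """Verdict for one packet seen upstream of the VPN router.

    Only UDP datagrams to the configured WireGuard endpoint are expected there; anything
    else left the router unencrypted and is reported as a leak of the relevant kind.
    """
    if pkt.family == "IP6":
        return "leak:ipv6"            # IPv4-only tunnel: native IPv6 went around it
    if (pkt.dst_host, pkt.dst_port) == (server, port) and pkt.rest.startswith("UDP"):
        return "tunnel"
    if pkt.dst_port == 53:
        return "leak:dns"             # resolver query not carried inside the tunnel
    return "leak:cleartext"


def audit_capture(text: str, server: str = VPN_SERVER, port: int = VPN_PORT):
    """Return (counts per verdict, list of (verdict, packet) for every leak) for tcpdump output."""
    counts = Counter()
    leaked = []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue                  # ARP and other non-IP lines carry no payload to leak
        verdict = classify(pkt, server, port)
        counts[verdict] += 1
        if verdict != "tunnel":
            leaked.append((verdict, pkt))
    return counts, leaked


if __name__ == "__main__":
    counts, leaked = audit_capture(SAMPLE_CAPTURE)
    print(dict(counts))
    for verdict, pkt in leaked:
        print(f"{pkt.ts} {verdict}: {pkt.src} -> {pkt.dst_host}:{pkt.dst_port} ({pkt.rest[:40]})")
```

On a live setup the capture would come from the upstream OpenWrt box, e.g. `tcpdump -nn -i br-lan -l | python3 audit.py` with the interface name adjusted to whatever faces the VPN router (an assumption here). Leaving it running across a reboot of the VPN router and across a forced tunnel drop covers the two conditions GL.iNet said leaked in earlier firmware, and any line other than the expected UDP endpoint is the evidence the original poster was asking how to collect.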

… & to further secure incoming in transit, you can add your PGP pubkey to:

(There’s a Chrome extension & Android app for ‘on the fly’ generation/management, too!)

1 Like

That’s a very solid start. Now get a DNSSEC endpoint for your forward-facing DNS… dnscrypt-proxy v2.x is the way to go here. I can’t recall if it’s v1.x or v2.x in the latest GL stable firmware. Everyone forgets about MITM until it happens to them (e.g. TunnelCrack) & my paranoia dictates I keep DNS out of my VPN provider’s control.

Also:

2 Likes

I will look into this for better potential hardening but I will need to research first as it’s not something I’ve ever messed with before; I have always left my VPN fully in control of all DNS info since I trust them with my traffic anyway. By moving from your VPN DNS to Quad9 you are just putting one company in control instead of the other. It’s been YEARS since I looked into secure DNS but if I recall correctly at the time it turned out that most secure/private DNS is actually just Google under a different name. Hopefully things have improved since then.

Most of the people I speak with don’t use PGP so it would be useful but not for my personal use case. We usually speak through encrypted apps like Signal. PGP is more toward the advanced end of things in my uninformed baseless opinion. :smile:

@hansome could this be added to your pre release testings?

You’re also removing control of one of two key/critical services in the hands of one organization. Call it a difference in philosophy but I want my VPN provider to provide just that; a VPN.

Quad9 is based in Switzerland. Given you already know about the need for no logs, auditing & fighting State warrants, then I’m sure you know CH is the best case scenario for judicial jurisdiction in your favor.

Ask anyone using Proton {Mail,VPN}.

… at least until ODoH gains more traction & can match performance, that is.

Re: PGP. If you use Proton Mail, you’re already using PGP.

https://www.quad9.net/about/transparency-report

1 Like

Yes, of course you can. But then you would have to do this for a long time and check to see if any backdoors are installed. That is … impractical.

Personally, I trust the OpenWrt community here more overall, even if this is rather subjective. As I said, I like GL.iNet’s products and use them myself - but if I placed as much emphasis on security as the OP, I would think again.

Yep, that’s also why NordVPN is on my blacklist. They now even offer a password manager - unbelievable and incredibly creepy. They’re probably cross-financed by some secret service; at least that’s what I heard once.

Unfortunately, this has not been the case for a long time.
Switzerland is a good location, but not as golden as people always think.

1 Like