Setup Leak safe

Hello, can you please rate my setup? Currently I have the slate connected via cable to the LAN port of my router and configured as follows:

Is this 100% secure against leaks? In the network area I have not changed the configuration, should I pay attention to something there?

I would like to work abroad without my employer knowing: with my work notebook I connect to the vpn of the employer after connecting to slate wifi, on the slate I have set up a vpn (wireguard vpn, europe).

Where is the VPN server? You’d better use your own VPN server, because if you use a commercial VPN service your employer will know that you are using a VPN.

Pls also check ip and dns leak first. Using https://ipleak.net/

Verify your double VPN works OK.

2 Likes

It is a Hetzner VPS, WireGuard installed by the angristan script.

Your next issue becomes being located by your web browser… aka fingerprinting. Yes, that’s a real term. Do you remember all the noise some years ago about ‘cookies’? Imagine that… but now baked into the web browser itself!

Quick & dirty solution: use Mullvad or Brave Browser. The former is stricter than the latter. YMMV.

… & turn off location, bluetooth on your device(s)

1 Like

I won’t be able to install other webbrowsers. The notebook will be used only for work, so connect to slate wifi which uses a wireguard vpn. Still risky?

So the device, the notebook/laptop, in this case, is Employer equipment & ‘locked down’? That compounds things. There’s no telling what they’ve got loaded on there that could be for tracking/reporting. I’d only use that computer for work; keeping my personal life wholly separate on a different one.

Make sure location services and Bluetooth are killed/never used. I’d set the clock to UTC of your home timezone & make sure it doesn’t connect to the 'net to get current time updates (eg: time.windows.com, 0.openwrt.pool.ntp.org)


Eg:

Be aware the GL router uses NTP by default; you can turn it off after installing LuCI via System → Advanced Settings. Once installed, log into LuCI & navigate to System → System Properties → Time Synchronization → Enable NTP client. Untick, save & apply.

(The goal here is to ‘quiet’ that bit of default network traffic)

Regarding what’s ‘flowing’ from your notebook; there’s two options I can suggest, w/ rising complexity costs:

  1. If your GL device has AdGuard Home (eg: Slate AX) found under GL GUI → Applications → AdGuard Home, use it. You’ll see why I suggest it by GL’s description of that feature… but I don’t personally use it so it would be an exercise left to you. It looks like a pretty easy to use application IMO.

  2. Subscribe to DeCloudUs DNS’s Premium + service. 12.00USD/year. This is what I use for my devices: mobile, laptops, routers. Like AdGuard Home, you can log what’s happening from those devices directly to them, logging all connections made, then use that info to set custom block lists/profiles on top of their anti-tracking, anti-malware, privacy focused lists offered.

Eg: DeCloudUs offers a ‘deGoogle’ block list. I have that enabled but I also have a Samsung phone. I then logged all the connections made by the default Samsung apps running in the background (even unused!) for a few days. Then I blocked those connections’ domain names (eg: bixby.samsung.com, aibixby.com, sbixby.com).

Now there’s no more ‘AI assistant’ reporting what I do on my phone, wherever I go!

(This is also how I block TenCent’s TikTok ‘trackers’ on other family members’ phones trying to report back to China… & they never installed TikTok!)

The DeCloudUs method is more complex to initially set up but … & it’s a big but… gives more flexibility to reclaim your privacy when you’re using the 'net away from your GL-iNet router/device.

Let me know what you think; I know this can come across as more than slightly paranoid but these days, well, it seems they really are out to get us all.

2 Likes
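The log-then-block workflow described in the post above, as an added example that is not part of the original thread: it ranks DNS names that one client keeps querying on several different days (a sign of background traffic) and turns the names you decide to block into AdGuard-style `||domain^` rules. The log line format, the client IPs and the function names are assumptions made for this example; the Samsung domain names are the ones mentioned in the post.

```python
"""Rank recurring DNS names per client and emit block rules (added example)."""
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client IP> <name>".
# This line format is an assumption for the example, not a real export format.
SAMPLE_LOG = """\
2024-05-01T02:10:00 192.168.8.50 api.bixby.samsung.com
2024-05-01T09:00:00 192.168.8.50 www.example.org
2024-05-02T02:11:00 192.168.8.50 api.bixby.samsung.com
2024-05-02T02:12:00 192.168.8.50 cdn.aibixby.com
2024-05-03T02:09:00 192.168.8.50 cdn.aibixby.com
2024-05-03T02:10:00 192.168.8.50 API.Bixby.Samsung.com.
2024-05-03T14:30:00 192.168.8.77 sbixby.com
malformed line
"""

def parse(log_text):
    """Yield (day, client, name); skip lines that do not have three fields."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, name = parts
        yield ts[:10], client, name.rstrip(".").lower()  # normalise case and root dot

def recurring(log_text, min_days=2):
    """Return (client, name, days_seen) for names seen on >= min_days distinct days."""
    days = defaultdict(set)
    for day, client, name in parse(log_text):
        days[(client, name)].add(day)
    return sorted((c, n, len(d)) for (c, n), d in days.items() if len(d) >= min_days)

def block_rules(names, allow=()):
    """Build ||domain^ rules; skip allowlisted names and names a parent rule covers."""
    def covered(name, parents):
        return any(name == p or name.endswith("." + p) for p in parents)
    wanted = sorted({n.rstrip(".").lower() for n in names}, key=lambda n: n.count("."))
    kept = []
    for name in wanted:  # parents come first, so subdomains are dropped as redundant
        if not (covered(name, allow) or covered(name, kept)):
            kept.append(name)
    return ["||%s^" % n for n in sorted(kept)]

if __name__ == "__main__":
    for client, name, seen in recurring(SAMPLE_LOG):
        print(client, name, "seen on", seen, "days")
    reviewed = ["bixby.samsung.com", "api.bixby.samsung.com", "aibixby.com", "sbixby.com"]
    print("\n".join(block_rules(reviewed)))
```

Review the ranked names by hand before blocking anything; a name that recurs daily can just as well be something the device needs.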

I think your input is really great, thanks for taking the time. I have implemented it so far and will keep you up to date if I discover strange queries.

Are there any other settings or precautions I should take?

Are there any other settings or precautions I should take?

Probably. Privacy is an ever escalating situation more than a default right… I’d keep a log of whatever software or changes you make on your devices… especially your GL device. It’ll be easier to determine if/when some new nefarious tracker/malware starts trying to ‘phone home.’

Consider encrypting everything you can & using a password manager app like KeePassDX or Strongbox & 2FA/TOTP whenever possible.

1 Like

I have it set up now. When I’m on the employer’s VPN, I can’t filter any queries. Will listen to it at a later time without the VPN and see what it queries.

No doubt your employer is assigning their own DNS IPs, thereby overriding the local AdGuard’s DNS, as all traffic is being tunnelled through them.

1 Like