What Security Hygiene practices do you faithfully do in Linux?

You encouraged me to up my game a bit and get my Wireguard VPN working on my phone as well. Before I was just using it on my laptop. This post is from my phone, through the VPN tunnel. Yay!

Strangely, the internet service on my phone now feels even snappier than before I used the VPN. Not slower-feeling, as you might expect. Go figure!

PS: The Wireguard app for Android (current ver. 0.0.20190708) was as smooth as gravel to understand and configure, but after about the 7th try I managed to get it together.

PPS: with version numbers like that (starts with 0.0), it’s not surprising that the mainline Linux kernel doesn’t feel ready to merge Wireguard.

1 Like

Yes, agreed. Rolling your own VPN server is very difficult. I’ve set up both OpenVPN, and now Wireguard too. Both were gruelling experiences, which took huge amounts of tinkering to get right.

You would do well to have networking skills like a professional Network Administrator, if you dare.

If you just need a Peer-to-peer VPN (with automatic firewall-punching goodness), I recommend Zerotier. Zerotier is one order of magnitude easier to set up than a Wireguard server, and Zerotier is two orders of magnitude easier to set up than an OpenVPN server.

1 Like

In addition to those above, I’ll add that there is a configuration you can add to Thunderbird that will remove links from all emails. It allows the text to be displayed, but it will no longer be ‘clickable’.

Think before you click !!!

2 Likes

i have protonvpn, it’s pretty sweet, and openvpn

That is what I am considering doing because I use ProtonMail and want to use its VPN service, too. Though I probably have to tinker with Proton and OpenVPN.

It's actually very easy, and with the great tutorials on the proton-vpn GitHub even easier: network settings > create new > import VPN config > enter password > done.

2 Likes

Thank you for the tip.

I found setting up wireguard very straightforward. I haven’t tried setting up any other VPN so can’t compare. But that’s my two cents.

VPN is installed on the router. I'm in the process of setting up a new pfSense router as soon as I can figure out how to get it to connect. I'll use that to block a lot of ads and crypto-mining sites. And the hard drives in the desktop are in a just-installed Icy Dock for easy ejection, so they can be locked up when I travel. I've also got to figure out how to encrypt the OS drive since that was not done during installation.

1 Like

The thing about Wireguard is that all by itself, it just makes secure tunnels between hosts. That’s all it does, strictly speaking. To make a VPN solution out of these secure peer-to-peer tunnels (as is commonly expected from a VPN) you also have to combine iptables or other such firewalling rules with those secure tunnels (which wg-quick makes possible, but not in a simple way).

In essence, Wireguard is a framework, not a solution. I think it's misleading for it to be called a VPN. Wireguard is a framework that a VPN solution could possibly be constructed out of, if you really know what you're doing. Even wg-quick wasn't solution-enough for me. I had to write a bash wrapper script to make it more user friendly for myself for day-to-day use. So it's just barely a VPN "solution" for me, on the desktop.

If you followed some 3rd-party guide for Wireguard, and that made Wireguard easy for you, then I say great. But that 3rd-party guide was not an upstream, integral part of Wireguard.

2 Likes

I finally set up ProtonVPN. Was straightforward with protonvpn-cli. Thank you @mrgfy for mentioning the GitHub site.

So, some of my hygiene is obviously using a VPN when I want anonymity. Other things I do are having strong and individual passwords for everything, including the login to my laptop. I use a master password for Firefox, too. A lot of things are adjustments in the browser, like an ad-blocker, no tracking, blocking of cookies and avoiding Google and its products as much as possible, including the search, though I am addicted to YouTube. I also use Firefox containers, and for email I use ProtonMail.

There are a lot of things I still should do but that is it for now.

PS: Regular updates of the operating system, that is also very important especially if you have to support other people’s machines, like my wife’s.

1 Like

Gotcha. I find it usable for my limited needs: connecting to my home network from the internet. For that, the documentation available on the project's website was enough.

I don't think it's fair to claim it's not a viable VPN, though, since it stands the test of the definition for it.

Well, I don’t say that Wireguard isn’t a viable VPN. It’s just that “the batteries are not included” for some very common use cases.

First and foremost, using Linux at all is my first security practice.

Not installing software from companies I don't trust (especially 'free' software coming from a company that is probably scraping my data for its value instead).

Hosting my own stuff (work in progress).

Lots of the simple practices (like not enabling login for root at all, SSH keys or installing updates) we all do, right? So I won’t list those.

Firefox plugins Forget Me Not and Ghostery.

AirVPN to avoid profiling or to circumvent my ISP's opinion.

A simple iptables firewall on any internet reachable machine to filter out malformed, unneeded or excessive network traffic.

I don't know if it counts, but I tend to disable history and suggestions wherever I can. Perhaps that's a good thing for web browsing, stating explicitly what I want rather than clicking the first thing that comes up, but the intention is just that I like a clean computing experience that isn't cluttered with helpful advice.

Maybe I should put some tape over the webcam :smiley:

2 Likes
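Two points raised above, combining iptables rules with the wg-quick tunnel to get an actual VPN, and running a simple iptables firewall on any internet-reachable machine, can be served by one ruleset. This is an added example, not code from any post in this thread or from the WireGuard project; the interface names, listen port, SSH port and tunnel subnet are assumptions, and wg-quick is assumed to bring up the tunnel interface from wg0.conf.

```shell
#!/bin/sh
# Added example (not from the thread or the WireGuard project): emit an
# iptables-restore ruleset for a Linux host that is reachable from the internet
# and terminates a wg-quick tunnel, so peers can reach the host and the internet.
# Interface names, ports and the tunnel subnet below are assumptions.
WAN_IF="${WAN_IF:-eth0}"          # assumed upstream (internet-facing) interface
WG_IF="${WG_IF:-wg0}"             # interface wg-quick creates from wg0.conf
WG_PORT="${WG_PORT:-51820}"       # assumed ListenPort in [Interface]
WG_NET="${WG_NET:-10.8.0.0/24}"   # assumed tunnel range (Address / AllowedIPs)
SSH_PORT="${SSH_PORT:-22}"        # assumed sshd port

# Print the complete IPv4 ruleset; IPv6 needs a matching ip6tables set.
vpn_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# tunnel peers may talk to services on this host (e.g. SSH over the tunnel)
-A INPUT -i $WG_IF -s $WG_NET -j ACCEPT
# the only things the internet may open: the WireGuard UDP port and rate-limited SSH
-A INPUT -i $WAN_IF -p udp --dport $WG_PORT -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# routing: peers out to the internet, only replies back in
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $WG_IF -s $WG_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $WG_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Apply only when explicitly asked (needs root). wg-quick does not turn on
# forwarding by itself, so enable it here or in a PostUp line of wg0.conf.
if [ "${APPLY:-0}" = 1 ]; then
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  vpn_ruleset | iptables-restore
fi
```

Save the output to a file and load it at tunnel start with a `PostUp = iptables-restore < /path/to/rules.v4` line in wg0.conf (with a corresponding PostDown that restores the host-only rules). The `-m limit` on SSH only throttles new connections; it is not a substitute for key-only authentication.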

I use a paid VPN, and switch the egress every time, when I'm doing anything related to banking or personal information.

All my systems use LUKS encryption; desktop systems require my YubiKey for authentication and authorization.

I will soon be getting a dedicated network firewall, and enforce firewall rules on all my machines. SSH requires pubkey auth, and my keys get cycled out regularly.

I use password-store (standard Unix password manager) for password management. It’s simple, relies on gpg for encryption, and is integrated with git for easy sharing.

I run “track this” every once in a while, just to screw with data collection that can’t be avoided. I’ve started getting ads for all sorts of crazy stuff (like I’m apparently in the market for new breasts), but it’s worth it to see the trackers thrown off so much.

I run an ad blocker for most sites, but some I let the ads through.

The majority of my software is managed using containers and flatpaks, keeping the amount of data that can be accessed to a minimum.

Even with all my restrictions and self imposed paranoia, it’s not inconvenient to use Linux. Doing these same things on MacOS or Windows still leaves you unable to control where your data goes. Linux lets me lock it all down without making my system a pain to use!

1 Like


I have a large desk that accommodates two laptops side by side.

A new security practice I've taken up: I have 2 Linux laptops now: the one that I "trust" (the newer, faster one), and the laptop that I "don't trust" (the older, slower one).

On the laptop that I “trust” (the trust is not an absolute trust, mind you, as I know I can never get security absolutely perfect), I have all my personal information, and my password safe.

On the laptop that I “don’t trust”, I have no personal info to speak of, and I’ll use very few user accounts there. It’s here where I run the sort of slimy corporate proprietary software that I don’t trust (and can’t get away with not using, as my organization demands its use), such as Zoom. I fully expect said proprietary software will scan around my disk for personal info to send back to the mother ship, so I leave as little of that information around as possible, to be found.

1 Like

I moved all my "work" to VMs on desktop and laptop. The host and all VMs, except one, are blocked for inbound traffic. I have one VM that I exclusively use for banking, and that one is encrypted by VirtualBox.
I use two routers: the first one is managed by the Internet provider, and the second one is used to connect all my computers, and that router is also blocked for all inbound traffic. Of course I changed the user name and password of that router.
My laptop and backup server are used for ZFS send/receive backups through SSH and its keys. Both do support file sharing over the network to allow files to be reloaded, but:

  • They are almost always powered-off, except during the weekly backups.
  • They are connected to the second router, that is closed for all inbound traffic.

I will always be able to reload one of the snapshots from host, laptop or backup server in case of hacks. Worst case, I re-install the host or VM. The host is a minimal install of Ubuntu, and the VMs save many weekly and monthly snapshots on the system itself and on the backups.

I’m not interested in paid VPNs, since Google, Microsoft, Amazon and others are anyway selling my data for profit and giving it to the US government. :slight_smile:

3 Likes

+1 @BertN45

  • All usage moved into VMs.
  • Storage access R and RW divided up according to each VM's purpose.
  • Strict iptables rules throughout.
  • Lightweight host with no externally accessible services.
  • Raspberry Pi network-operated 3rd monitor accessible only from the host (no router in between).
  • OpenWRT router managing VPN.
  • Full disk encryption and USB 2FA all the things.
  • KeePassXC
  • Full stack of browser security/privacy extensions, no extensions for browser profiles intended for singular Website use (ex: Email).
  • Frequent updates
1 Like

  • Use common sense when surfing/using the web.
  • Linux on all rigs at home.
  • Proton VPN and Proton Mail
  • Iptables + Gufw
  • Firefox with various plugins and addons.
  • Using compartmentalization with various “multicontainers” in Firefox.
  • Bitwarden as password manager.
1 Like