[kwlug-disc] VPN, Proxies, and Security

unsolicited unsolicited at swiz.ca
Sat Aug 13 16:43:24 EDT 2011


Chris Irwin wrote, On 08/13/2011 2:38 PM:
> With the recent security talk going on, I've been motivated to solve my
> laptop security issue.
> 
> I consider my laptop itself to be secure enough (strong passphrase on 
> LUKS partitions). Most of my communication is over SSH (key only) or
> SSLified sites. I'd still prefer to encrypt *everything* outbound to
> another site I control.
> 
> Is anybody else doing this? Did you set up a VPN? SOCKS proxy?
> 
> I'm thinking if I set up a VPN, and hard-code a routing rule to set my
> internal router as the default route, then in theory I should be able to
> get non-vpn routing on my internal network, and have no internet
> connectivity on other networks until I enable my VPN.

Yes.

And theoretically simpler than you make it out to be. (It turns out.)

If you have no gateway (0.0.0.0) stuff ain't going nowhere.
(However, the act of connecting, such as internet wi-fi cafe, will by 
default establish 0.0.0.0. You'll have to remember to kill it.)

If you ssh 'in, and in doing so establish 0.0.0.0, away you go.

You'd also have to make sure you have no open ports whatsoever - else 
you're attackable by the local network. (Guy in next booth.)

Not to say Paul's OpenVPN link isn't more user friendly.


More reasonable, to me, spend less time locking down what's mobile, 
and make the mobile irrelevant. Consider it disposable. Consider it a 
terminal. No work lands on it, all work happens at home base. The 
laptop is just a means of getting to it, remotely. Which is all just a 
slight change in thinking / approach.

Be it screen, VNC, remote X, ssh, vpn (even on vpn, you're operating 
locally, just attaching to resources remotely), if it doesn't land 
locally, it's not at risk. And home wi-fi is right out.



More information about the kwlug-disc mailing list