Today we'll show you just how to encrypt all your home traffic therefore making sure you're ISP can't easily track your every move.

First off, there multiple ways to encrypt your traffic all with varying levels of anonimity and performance penalty. Usually the trade-off is anoniminiy vs performance.

It's equally important to note that anonimity doesn't come out of the box. Therefore this is not a post about how to remain anonymous on the web, I'm simply showing you a way to shield your browsing activity from your ISP and prevent personal profiling.

I therefore would like to narrow the scope of this article to the following:

  • Main focus on VPN's
  • Router based (no per-client setup)

Why router based you may ask? Well since a chain is only as strong as it's weakest link it makes sense to not let every client decide their own level of security but rather ensure from a router-level that every client is routed through the VPN. Besides having each client run a dedicated process in order to be secure is way more labour intensive and quite frankly annoying.

"Since a chain is only as strong as it's weakest link it makes sense to not let every client decide their own level of security"

The added benefit of a router-based approach is the fact that most VPN services allow for a maximum ammount of simultaneous connections (mostly 3-5). This means only 5 of your devices would be able to connect securely at the same time. Since an average household exceeds this number greatly a router based solution starts to make even more sense.

Make sure you're using Open Source router firmware.

Most (if not all) consumer routers are shipped with proprietary firmware and in many cases these firmwares have been shown to expose backdoors to assist both governmental and commercial surveillance.

"we need to eliminate security based on trust"

In order to reliably determine the safety and privacy of your router we need to eliminate security based on trust and start to use Open Source firmware that can be validated and checked for malicious code.

When it comes to picking a firmware you'll find you have quite some projects to choose from, pick whichever suits your needs. This article will mainly focus on Tomato by Shibby but the implementation doesn't deviate much between the major projects.

Picking the right VPN service

I have to be honest, this is the part where I start to contradict my previous statement on trust. I like to use a third-party VPN service like ExpressVPN. Of course depending on your threat model you may choose to host your own OpenVPN server instead.

The benefit of using a third-party shared VPN is the fact that you then share an IP with many other users so it's even more difficult to profile your exact behavior based on IP. When hosting your own VPN you are probably using a single or very few IP addresses, making it easier to profile your online behavior.

Besides you often leave a trail either to your own home, office or VPS. Of course there are ways to get around all that but those require way more technical insight and planning than the average user can or is willing to handle.

I have long-term firsthand experience with these trusted providers: ExpressVPN, BlackVPN and ProtonVPN. The main benefits of ExpressVPN are it's speed and the fact that they still have some servers that are whitelisted to allow Netflix streaming.

OpenVPN protocol

The only truly secure VPN protocol. Even though there are several other VPN protocols most of the protocols have been compromised in the past. OpenVPN as of now is still going strong.

NOTE: Avoid using the PPTP unless there's really no other option available. PPTP is a very dated protocol and is deemed insecure.

OpenVPN client

This is the software you use to connect to the OpenVPN server. Ideally you'd want to use a client that is both Open Source and supports a software kill-switch.

Since in this guide we're only focussing on router based encryption and as previously mentioned are using soley Open Source firmware we've got you covered! As for the killswitch we'll be using the router's built-in software firewall to set the appropriate rules.

DNSSEC

Encrypt and proxy your DNS requests

About TOR and I2P

As I've stated before there are many ways to acchieve an encrypted connection. A very popular and controversial one is TOR (The Onion Router).

TOR is an incredibly powerful protocol and is very easy to set up both on a router and a client level.

The setup

Now it's time to get our hands dirty and actually get your ass behind that VPN.

Depending on the chosen VPN you have some implementing to do.
Most providers however have detailed instructions for all of the before mentioned Open Source firmwares.

Killswitch

WAN_IF=`nvram get wan_iface`
GATEWAY=`nvram get wan_gateway`

iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset