VPN Solution - Best Applied On Router Or Individual Machines?
I've been interested in implementing a VPN for some time, and my concern over privacy has finally reached Critical Mass. But in learning about how to implement it, I've come up against some questions and I hoped the wise heads on our forum might have good answers!
My home network consists of a Linksys 1900AC router with Linksys firmware (though I'm planning to upgrade it to DD-WRT). I'm using OpenDNS. Occasional trips to ShieldsUp!! seem to indicate that it's pretty well secured - no red flags. But I'd like more privacy, especially RE: my ISP (Verizon), thus the interest in a VPN. I've identified several good-looking providers and am most interested in ExpressVPN, as it's highly-rated and works with Macs, PCs, Chromebooks, and Linux, along with mobile - so it could cover every computing device I've got.
My devices: 1-Windows 10, 1-Mac 10.12.3, 3-Ubuntu 16.04, 1-Chromebook, 1-RaspberryPi. In addition, other networked devices: 1-iPhone, 1-iPod, 1-Android tablet, 1-Chromecast, 1-AppleTV, 1-Samsung Blu-Ray player, 2-printers.
One question I have is whether to install the VPN on my router, to protect everything on the network - that sounds like an efficient way to do it. But I wonder about unintended consequences, like having some streaming sites blocked. I also don't want to use ExpressVPN's firmware on my router - haven't been able to learn too much about it - would rather run DD-WRT. But VPN on the router does cover a multitude of bases otherwise!
So that leaves individual VPN installations on the various computers, leaving things like the AppleTV unencumbered and running at full speed. I don't care too much if the government knows that I'm watching Doctor Who or CBS News! But I want my surfing protected. Having the software on each individual computer might have other advantages, like protecting laptops (I have a bunch) during time out of the house, or ease of changing VPN servers or turning VPN off entirely if need be. I'm tending toward this approach, but maybe there is something I'm missing here, too.
Any thoughts about this from those who've already navigated this terrain? I'd appreciate your lessons learned. Thanks!
Perhaps you are mistaken in what a VPN provides for you. Running a VPN on your router or another machine on your home network is not going to keep your ISP from knowing your surfing habits. If you connect to the VPN from outside your network, say from a public wifi or from your phone's carrier, they will be unable to read your traffic, because it will go through the VPN, but the VPN still has to go through your ISP to the sites of interest. If you're clear on all that, never mind. I'd recommend a separate machine for the VPN with the port forwarded through the router.
Routers can be either a VPN client or a server. The server in this case being a VPN service provider like ExpressVPN. The OP is asking whether it is better to run the client on the router or on each individual computer.
ExpressVPN does support several protocols so you could use any router that has an OpenVPN client with the only real difference as far as I can tell being that you do not have all the options that their firmware or OS client provides.
Not sure about AppleTV but I understand that Netflix is working on being able to detect if you are using a VPN so as stated a router based client might be a problem if you use streaming services. You can always install a client on the laptops or other mobile devices if one exists but not use it at home (I assume you can on mobile devices).
Thanks michaelk, mostlyharmless - appreciate the info! Confirms my sense that installation on the computers might be better. Will keep learning and listening. Learned a lot from this site, which I believe I heard about on this forum: http://routersecurity.org/ This guy really gets into the weeds - has videos too. Thanks again!
It sounds like you really would like to have "everything that I send from this computer" to be sent through OpenVPN. In this case, it's probably more expedient to install a client directly on that computer. The client can issue routing-rules affecting your machine which will cause everything to be sent through the tunnel while the tunnel is connected, and to remove those rules when you drop the tunnel. No other computer would be affected.
OpenVPN certainly can act as a router for your network, but if the main thing you're looking for is "an everything route, easily set-up and then easily removed," running the client software directly on the box-of-interest is probably easiest for you to set up and to understand.
Last edited by sundialsvcs; 03-30-2017 at 09:27 PM.