Hi

I like to know how to setup a Linux laptop for exclusively use in an unsafe network (like free Wifi at fastfood joints or public libraries).

Like if a poor person doesnt have internet service at home. Or you live where internet service is sketchy. But you have to do important online tasks, like accessing social securty and medicare service.

You'll probably want to tunnel as much as possible, including DNS queries.

See WireGuard, OpenVPN, or the OpenSSH client's -D option.

Another option might be to use a distro that loads to ram, such as Fatdog64, no need to even have a disk in the laptop if running it from a pendrive, & once up & running, just remove the pendrive, therefore giving a hacker nowhere to mess with.

There is also Tails, which now has improved, optional persistent storage. It fits nicely on a thumb drive.

Typical home network is connected to the internet via a firewall (usually NAT), devices inside the firewall are considered safe (not quite true, actually, many IoT devices... but let's not digress) - and this is considered safe. The only thing you need to get the same level of security on the public network is the properly configured personal firewall such as ufw if you are on ubuntu. Advice given above, while perfectly valid, targets levels of security well above that of your home network and is frankly speaking is bordering on paranoid. Sorry, but this is true.

Lets say you are in a public space and you trust no one...
Disable all services that listens on both tcp/udp.
If via wireless, then use wpa_supplicant to connect but nothing wrong with Network Manager either.
Once on the network use vpn to tunnel everything.

https://www.mozilla.org/en-US/products/vpn/

1 members found this post helpful.

I would hazard that one should use the same security practices on every network, in other words, every network should be viewed as potentially insecure: Block all incoming ports (I do make an exception to that on non-portable machines my home network so I can use ssh locally), open only the outgoing ports that you need (email, www, etc.), install fail2ban, run an AV, etc.).

Also, on my home network, I block all incoming ports on my router unless I have a positive need for them (which, at this point, I do not).

Just a few thoughts.

VPN is the easy solution for public wifi. It also gets you around the restrictions; some won't let you access certain sites. I use public wifi a lot, and I've seen this happen with torrents, youtube, and google play for example, so now just use openvpn all the time.

I guess if you don't want to buy vpn, tor might be useful?

I installed Opera from slackbuild. It has VPN built-in. Is Opera's free VPN secure enough?

It is kind'a slow.

Opera is owned by a Chinese consortium, so likely no.
https://newsweb.oslobors.no/message/406030

2 members found this post helpful.

It is not recommended to set up a laptop for unsafe networks, as it can put your device and personal information at risk. However, if you must use a laptop on an unsafe network, there are a few precautions you can take:

Use a VPN (Virtual Private Network) to encrypt your internet connection and protect your data from being intercepted.

Keep your operating system and software up to date to ensure that any security vulnerabilities are patched.

Use a firewall to block incoming connections and limit the attack surface of your device.

Use anti-virus software to protect against malware and other malicious software.

Be cautious when connecting to unknown networks or networks that do not have proper security measures in place.

Use a Strong and unique password for your device and avoid using public Wi-Fi networks for sensitive tasks such as online banking or shopping.

It's also worth noting that even with all these precautions, there is no guarantee that your device will be completely safe on an unsafe network. It is always best to avoid connecting to such networks whenever possible.

EasyOS is faster and can forget, just like Tails.
The container option adds more security.

You just use the laptop. You're fine; everything uses HTTPs these days.

This is the one situation I might suggest a ToR based system - if you assume everything is hostile then ToR would make sense to me. I don't know how well ToR would work in China (as example of technical nation with censorship) but something like Tails if you can verify the source should be good.
dugan: I tend to agree but how do we know whether the certificates used by websites are not shared by a state?

It might be worth noting the difference between what I'll call "private VPN" and "public VPN."

"Private VPN" is the case where you're using a company-issued laptop to securely connect to your company's internal network – just as though you were really there. If set up correctly, your laptop is using an individually-issued-to-you secure cryptographic certificate (not a mere "PSK=password") to secure communications to a known, company-provided, cryptographically-identified endpoint. Although to you it's as simple as "click on an icon at the top of the screen, and the company's network now appears to be 'local,'" the communications are secure and can never be intercepted start-to-finish. If the laptop is stolen, its access can be individually killed.

"Public VPN," on the other hand, merely uses VPN to connect to a public subscription service which will then dump your traffic, now unencrypted, onto the public internet for final delivery. This is a great way to protect against "eavesdroppers in your coffee shop." It might get you past a few content restrictions. But it does not, "stem to stern," protect the traffic nor guard against a "man in the middle," because the cryptographic tunnel does not extend all the way to your final destination.

P.S.: "TOR = The Onion Router" has a different purpose. Its aim is to conceal the fact that two parties are communicating at all. (For example, "two spies.") The owner of the network is presumed to be hostile, and would act to disrupt the communication channel if he knew that it existed. It goes without saying that the traffic being passed is encrypted.

1 members found this post helpful.