Can somebody help me configure OpenWRT for as much privacy as I can get?

I configured from scratch and had some problems. Restored my backup and remembered some changes I did recently. Undid them. So it is back to what I think is a good state (previous behaviour). I’m also using some configuration from the OpenWrt unbound GitHub README.md.

I don’t get what this is or does

Should that be a real interface MAC Address or a bogus one?

Are they applicable just when using DNSMASQ?

As per the tutorial, just unbound-daemon, libunbound and luci-app-unbound are installed. Are any of the other unbound packages

I don’t think you need either.

DNSMasq can forward incoming requests to something else, potentially running on a different computer on the LAN, e.g. if you have pihole on another machine.

The negative MAC address match thing, !11:22:33, lets you exclude pihole. The 11:22:33… should be replaced with the pihole device’s MAC address.

Maybe you don’t need it if the server you’re forwarding packets to doesn’t run on the LAN.


The second thing you linked to, the one about redirection, is there so that you could send things directly to, for example, that other LAN server (the pihole server) just by using the firewall, without using DNSMasq at all: packets come in, they get scooped up by the firewall and go to 192.168.2.2 instead. Poof.

Obviously DNSMasq does this useful thing where it registers the hostnames of machines requesting IP addresses over DHCP into your “lan” subdomain. I don’t know how useful that is. If requests for those names don’t reach DNSMasq because the firewall redirects the requests, obviously that won’t work, but it might not be a big deal.
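The two mechanisms this reply describes (a firewall redirect that scoops up port 53, and DNSMasq forwarding to a resolver on the LAN) put together as an added example; this is not code from the thread or from the OpenWrt project. It emits a uci batch that DNATs every LAN DNS request to the router, where dnsmasq forwards it to the LAN resolver, and uses the negated src_mac match so the resolver’s own upstream lookups are not looped back to it. The 192.168.2.2 address comes from the reply; the MAC, the rule name and the function names are assumptions, and the batch is only applied when piped into `uci batch` on the router.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project.
# Emits a uci batch that (1) redirects all LAN port-53 traffic to the router
# and (2) makes the router's dnsmasq forward to the LAN resolver, excluding
# the resolver itself by MAC so its upstream queries are not caught again.
# Going through dnsmasq keeps answers coming from the address the client
# asked, instead of from the resolver directly.
# Addresses below are constructed placeholders.

RESOLVER_IP="192.168.2.2"            # the LAN resolver (e.g. the pihole box)
RESOLVER_MAC="11:22:33:44:55:66"     # replace with that host's real MAC

# Print the batch; nothing is changed until it is piped into `uci batch`.
dns_redirect_batch() {
    cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='Hijack-LAN-DNS'
set firewall.@redirect[-1].src='lan'
set firewall.@redirect[-1].src_dport='53'
set firewall.@redirect[-1].proto='tcp udp'
set firewall.@redirect[-1].target='DNAT'
set firewall.@redirect[-1].src_mac='!$RESOLVER_MAC'
commit firewall
add_list dhcp.@dnsmasq[0].server='$RESOLVER_IP'
set dhcp.@dnsmasq[0].noresolv='1'
commit dhcp
EOF
}

# Apply on the router only; refuses to run where uci is not present.
apply_dns_redirect() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found; not on OpenWrt" >&2; return 1; }
    dns_redirect_batch | uci batch || return 1
    /etc/init.d/firewall restart
    /etc/init.d/dnsmasq restart
}

# Sanity check of the generated batch before applying it: without the
# negated MAC match the resolver's own lookups would loop back to the router.
check_batch() {
    dns_redirect_batch | grep -q "src_mac='!$RESOLVER_MAC'" || return 1
    dns_redirect_batch | grep -q "server='$RESOLVER_IP'" || return 1
    echo ok
}
```

Run `check_batch` first, then `apply_dns_redirect` on the router. Clients that had a hard-coded resolver will now get answers from the router anyway, and the resolver box is the only LAN host still allowed to talk to port 53 outside.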

Slightly related to the OP’s intent, have you considered deploying pihole instead? It uses a similar stack, provides similar functionality with user-configurable adblocking for the entire network as added functionality, and supports DNSSEC.

If I remember correctly, it’s natively supported by OpenWrt. But it has been a long time since I last checked and used OpenWrt.

On the plus side it’s an open-source, trusted and stable project that pretty much pioneered this approach. Extremely good complement to uBlock Origin, if you are hell-bent on doing this.

On a personal note, I would recommend reevaluating the forced deployment of DoT. It’s really not as important as other, much easier parts of a basic security sweep:

  • use well-known DNS servers; Google is ideal despite its other activities and rep
    • AdGuard DNS is suspect and redundant. Almost every adblock company runs a racket that puts paying advertisers on a whitelist. You can do the same job with local blocks, more reliably and more efficiently
    • some ISPs leverage their DNS servers to deploy advertisements and other malicious content
  • malicious software on your network usually bypasses DNS resolution altogether, having a hardcoded list of target IPs ready. Even Microsoft does this.
    • the only defense is a stateful firewall on the LAN/WAN boundary with monitoring and a good ruleset.
    • using an OPNsense box would be better than going the OpenWrt route; it has much better functionality baked in. Well beyond the tinker level of OpenWrt, it’s a professional-grade solution available freely. You can get small passively cooled UCFF PCs from China to host this, and their performance and efficiency are practically unparalleled vs consumer routers. Reference and reviews here.
  • use uBlock Origin from gorhill as an add-on with the Firefox browser, even if you do deploy DNS-level ad filtering. Avoid uBlock (the new maintainer pretty much betrayed gorhill and immediately started soliciting money from advertisers; it’s the only reason why Origin exists), AdBlock, AdGuard etc. Almost everyone either takes money or sells your data.

Did I say I love gorhill? Everyone should, that man is an internet saint of adblocking.

EDIT: Regarding electricity, have you considered a minimal solar installation with battery and inverter? It should be doable DIY and pretty much eliminate your expenses. Just one full-size panel would suffice; with the Brazil climate even smaller ones would work.

  • DNS benchmarking tool - a minimal and powerful tool from GRC; it scans the performance of various DNS servers using your historical DNS queries, very useful.

Thanks all. I’ll keep it with the current settings. In the future I’ll pursue it again.

Had a random idea.

Would it make sense to hop DNS providers every once in a while, instead of putting all your trust eggs in one basket?

Similar idea to search engines. One might prefer DuckDuckGo over Google. But I think DuckDuckGo sells your data now too? So instead of giving one service all your data, you mix up search engines from time to time, to make building up an ad profile more difficult.

Or mix up DNS providers from time to time.

If that’s a dumb idea educate me please.

It’s intriguing, and from a holistic security point of view it’s justified. But DNS providers haven’t been malfeasant enough yet. So nobody has bothered to create something like that.

If you have issues with your ISP’s provider nowadays, and those are the most common source of problems, you can always switch to 8.8.8.8 or 1.1.1.1. Despite being corp-backed, they have a long, solid track record.

If that changes, I’ll bet that a local caching DNS resolver implementing what you stated will appear within a month.


This is an interesting and complex question and can require pages of answers. I’ve spent a lot of time on this, including a career stint in corporate network/perimeter security (about 15 years ago, so things have evolved), but am by no means an expert. Let me give it a shot and give you more of a checklist with some examples to work off of. One of the challenges is knowing where to start, and based on the general nature of your question, I will answer the general question. That should give enough information to go online, as there are plenty of resources online to help set things up once someone knows where to look (which I have found to be the most difficult part of my journey).
Note: None of these are specific to OpenWRT (though the package as I separate my perimeter device and Wireless Access Point (WAP)). See detailed comments at the end.
Starting with the obligatory: Privacy is a dial. How much effort do you want to put into it? And who are you trying to protect the data from?
Something to keep in mind as you turn the dial more are these concepts (we can probably have a philosophical discussion about how these actually apply, but the 4 scenarios are key to understand. I note that I rearranged these quite a bit myself when writing):
⦁ True positive - doing something that actually obfuscates data from target scenarios and allows access to the functionality desired.
⦁ False positive - doing something that actually obfuscates data from target scenarios but denies access to the services desired. See below for the point on VPNs often being blocked by content providers and financial institutions.
⦁ True negative - something that leaks data.
⦁ False negative - something that “prevents” leaks/privacy data but actually still leaks data, i.e. when you use a VPN provider to prevent the ISP from using/selling your data and the VPN provider turns around and sells the browsing history. This is why it is important to trust everything in the chain.

DNS:
We’ll start here since this is where the discussion has been so far. Being pedantic for the sake of completeness: DNS is clear text and can be inspected and/or Man-In-The-Middled (MITM) at any point in the route. And it can obviously leak (see where the thread starts; if anyone can explain how it leaks, I would appreciate good technical links). And home devices often come with hard-coded DNS servers (I have seen many “smart” IoT devices with hard-coded DNS servers).
2 steps:
⦁ Encrypt all traffic from the perimeter device to DNS servers.
⦁ Intercept or block all traffic going through the perimeter device to prevent it from leaking.
Options: there are a number of ways I have seen people do this. All require firewall rules to intercept/redirect and block DNS requests. Also, keep in mind that some internet services (particularly cloud) use the IP your request is coming from to refer you to a geo-local server via DNS trickery. So if the source address the DNS server sees “originates” in a different geo, your web access can be slowed down.
⦁ DNSSEC - does not provide data confidentiality, but does prevent MITM attacks.
⦁ Use DoH or DoT, which you have done. Con: DNS servers can still log IP and queries, i.e. using DoH or DoT to Google DNS servers still allows Google to correlate DNS resolution and source IP with all the rest of Google’s data mining, including googletagmanager.com etc. that exists on tons of internet websites for tracking your browsing behavior and selling it. If this option is chosen, make sure the DNS servers meet your privacy requirements.
⦁ Install TOR and use firewall rules to intercept and redirect traffic to TOR’s DNS port. Cons: DNS response times are noticeably long (100ms - 200ms). It will appear as brief pauses as new webpages/URLs load. And it is almost guaranteed to have cloud services redirected to somewhere in Europe (Germany and the Netherlands have the highest quantity of TOR exit relays).
⦁ Use a VPN. Con: the VPN provider can still log traffic. And other devices behind the perimeter can go through the VPN to other DNS servers. Firewall interception is still needed.
⦁ Use DNSCrypt. Con: Will be slower than a VPN, but not as slow as TOR. It determines response times at start and will use the lowest response times. This also means your cloud services’ IP responses will be more likely to be geographically close. It can also proxy and partially anonymize requests.
What I use: dnscrypt-proxy - dnscrypt.info - It will do DoH or DoT. I also like that when using the DNSCrypt protocol it can proxy through other DNSCrypt servers so that the server providing the response does not have my public IP. And logs, if they are kept, have to be correlated across multiple servers. There is also a configuration option to only use DNSCrypt servers that do not log. I personally leave it clear text on my network, ’cause it works and is compatible with everything.
Final DNS note: a DNS caching solution in front of the above will mitigate name resolution delays for frequently accessed sites (i.e. youtube). Many DNS caching servers allow tuning/overriding cache timeouts for domain names.
Other Network Services (open to input):
⦁ NTP - www.whonix.org/wiki/Time_Attacks
Traffic Profiling:
By monitoring the destination IP and ports of your traffic, anyone with access to your traffic can determine where you are going. Anyone with a database of DNS names to IP addresses (essentially a DNS server) can reverse engineer anything you try to hide by getting fancy with DNS, though it is a slightly higher cost to them. Your traffic is also subject to MITM attacks unless it is encrypted (i.e. HTTPS, SSH).
Defense: Tunneling - all tunneling options have the con that they are well-known exit addresses and are often blocked by content providers, banks, etc. Firewall and routing rules to bypass an always-on VPN can be used to allow just what you desire out. One example: if you use a VPN at home, then you should use a VPN on your devices when you leave the house (i.e. cellphone), so you might need to set up firewall rules to allow an always-on VPN from the phone out rather than trying to remember to turn it on every time you leave the house. It can become a lot to manage and opens the opportunity for human error. There is always toggling the VPN, but then data leaks from other devices/apps/websites while the VPN is down.
Options:
⦁ VPN - VPN provider can log/traffic profile/potentially resell said information
  Pros: Less likely to be blocked by banks and/or content providers
  Cons: Encryption overhead will slow down internet access. Enter the discussion on which VPN protocol is best. Also what comes into play is that many chipsets can have logic that accelerates encryption/decryption. But not all have it. For example ARM architecture supports AES-NI, but the Raspberry PI 4 chose not to pay for the additional license to include AES-NI in the chipset. forums.raspberrypi.com/viewtopic.php?f=63&t=207888
⦁ TOR - Cons: Slow due to multiple hops and encryption overhead. Only supports TCP (big limitation as many games, chat apps, etc. use UDP). Also technically Dark Net, so it gets special attention on outbound in many countries. And its exit relays are often blocked. TOR can be “obfuscated” (for lack of a better word) from your ISP via bridges, obfs4, snowflake, meek-azure.
⦁ SSH Tunnel - basically think VPN
⦁ Anonymizing Proxy - same limitations as VPN. These were a thing at one time, but really only help with web traffic. Yes, there are anonymizing SOCKS proxies, but application SOCKS support is erratic at best.
⦁ Lokinet - kind of like TOR, but faster. Exit nodes are supported, but hard to find. I would still classify this as hobbyist level, but still interesting to watch.
⦁ There are a bunch of other things in this space like torify and OnionCat which attempt to turn TOR into a VPN (technically imprecise, but hopefully a useful analogy).
What I use:
⦁ ProtonVPN - Using their directions and OpenVPN, it went in like a charm. I was unable to get their Linux VPN client to route all my internal traffic through the perimeter device. I also didn’t have luck setting up WireGuard. That said, highly likely that was user error/configuration issues. I have relatively complicated firewall rules and was most likely a victim of my own over-engineering. With time and effort I am pretty confident I could eventually figure it out.
⦁ TOR - I send a subset of my traffic over VPN. Without going into great detail about the specific rules… I redirect a lot of companies who have the business model of selling you as a product over TOR in hopes that it will mess up the data (i.e. Facebook, Google, etc.). See the proxy discussion later on.

(Meta) Data Inspection (kind of a catch-all; not exhaustive, with some overlap above. But mostly these are inspecting higher levels in the application protocols. Which is true of everything above about DNS, but broken out separately as DNS is more of a network service):
Even with encrypted traffic, there is still some information that can be gathered. This is separated from Traffic Profiling as they do tend to be more at an application level than a network/network service level. But there is nothing you can do about these, except limit who gets to see it and obfuscate it by grouping your traffic with other traffic and not allowing traffic out that you don’t want to get out.
Much of this can not be protected from anyone except your ISP, because once it exits a VPN tunnel, any router it transits can inspect it. A good resource for this is the revelations about PRISM - en.wikipedia.org/wiki/PRISM
Risks (multiple may be required to get the level of privacy you desire, and this list is not exhaustive):
⦁ HTTP issues:
  ⦁ SNI - mentioned before. VPN hides it from your ISP and obfuscates your IP address with all the rest of the VPN provider’s. ESNI/ECH
  ⦁ Referrers - web sites tracking where you come from (www.refererheadersettlement.com).
  ⦁ URL hygiene - links from one website can include a unique identifier. And many other tricks in this department. Feel free to dive deeper. noscript.net and all the defenses it has is a great place to start.
⦁ Background traffic - block unwanted. This is aligned with Traffic Profiling, but if you don’t need the application to exit your network, don’t let it. Set up default rules of deny on the firewall and allow as needed. So even if your VPN provider is logging, this minimizes information outbound.
⦁ Other clear text internet traffic
  ⦁ E-Mail: All e-mail transits in clear text, so everyone in between your e-mail server and the destination can see everything in the e-mail.
  ⦁ Encrypted e-mail (i.e. PGP) still has your and the receiver’s e-mail address in clear text. Keep in mind your data is being mined not just for the people you talk to, but the businesses you interact with. And the types of businesses you interact with is a more valuable commodity to other businesses in the same market.
  ⦁ I’m sure there is more… Again, not exhaustive
⦁ Cloud providers - These are massive consumers of metadata and leverage graph theory heavily (en.wikipedia.org/wiki/Graph_theory). They use your identity to track how close relationships are based on how much communication goes between two identities. Note: you don’t need to log in; see the statement on Google DNS matching your IP to Google Tag services, and then phones/gmail/drive on the IP can be matched to an IP. Between all that data and their algorithms, they have a really good idea of who in a household is using what sites. Facebook Like, Pinterest, LinkedIn buttons on websites are the same. They don’t need you to log in; just by loading the image on the page, they got you. These are basically tracker pixels and web beacons (research these for more depth).
Defenses:
⦁ Proxies - i.e. Squid and Privoxy (maybe pfSense, etc.) - Note: this can be either some simple stuff or get really complicated.
  ⦁ These can be used to remove referrers and do some other tricks on HTTP headers to remove them.
  ⦁ These are pretty powerful for blocking web beacons/tracker pixels, as those are pretty easy to put in from an ad blocker list.
  ⦁ These can also be used to redirect specific web sites over TOR (i.e. Google) so that the correlation using IP addresses mentioned above is harder. I’m not positive they can’t work around it, but hey, why not.
⦁ E-mail
  ⦁ ProtonMail and Microsoft e-mail (there may be others; I have not done an exhaustive survey) both send a link to the recipient and have them enter a password to look at the e-mail on their servers. However, the header of the e-mail still contains your e-mail address and the recipient’s e-mail, so it can be inspected. While leaking metadata, this still prevents the data from being indexed/mined in multiple places, i.e. if someone with an Outlook account sends an unencrypted mail to someone with a G-Mail account, both Microsoft and Google can mine that data. With the above described approach, only Microsoft is mining the mail.
  ⦁ Use unique e-mail aliases for every contact to prevent metadata correlation.

Ad/Telemetry/etc. Blocking:
This is where I would put the previous mentions of PiHole/AdGuard/etc. (I have seen some other DNS blackhole projects out there as well). Don’t get me wrong, I am a big fan of PiHole and use it myself, and find a noticeable improvement in webpage load times as unnecessary junk isn’t downloaded. But at this point, you really are dealing with a completely different aspect of Privacy (and Security) than what you are talking about with securing network-level communications (i.e. DNS/VPN/Protocol/e-mail). And the network/network service level is where mass surveillance can happen. As much as it would be nice to put all of this at the perimeter, it really isn’t feasible.
That said, there is a constant back and forth between advertisers and blockers. To start this conversation, many websites (i.e. YouTube) stream their ads directly from their servers, so PiHole won’t block those; you need browser plug-ins so that the HTTP data can be inspected and handled. I’m sure that this can be done between Squid and Privoxy, but there aren’t enough users who are going to set those up, so there isn’t really anyone investing in these as perimeter solutions. There are definitely enterprise solutions in these areas, but you know, $$$.
The same is true of telemetry. Some telemetry can be blocked (i.e. by domain name). Some can’t. Either the telemetry gets sent to the same domain name but a different URL (can be blocked via proxy/URL inspection), or it is required for the application to work. I have seen web sites (only a handful) and Android apps that will not load if the trackers are blocked. So these are specifically coded to fail to load if an HTTP 200 response is not received.
The only thing I can say here is: PiHole, AdGuard, proxies, etc. are great for all the OS-level junk that Windows, Android (and Samsung Android), and iOS send, as well as at the application level. And the only solution at the browser level is (Note: I am not an expert on all browsers, so I can’t tell you which have what, just sharing what I know):
⦁ Choosing the right browser: Chrome and Edge (for sure) send tons of telemetry data about what web sites you visit back to their respective companies. They do use that for beneficial purposes that are truly anonymized (i.e. make sure the browsers remain compatible with the top visited websites), but they also store that in your personal history which is intentionally not anonymized; but neither is the rest of the data you give them with a Google/MS Account, so no big deal.
⦁ I have seen news where browsers have started implementing features where each website is a “container” so that cookies can’t be seen between websites. Like when you search for Combine (farm equipment) on Google and all of a sudden Amazon is proposing farm and gardening equipment when you’ve never been near a farm. I like that FireFox allows you to have containers, so you can put Facebook in a container and it can’t cross-pollinate with Google cookie tracking (but then these guys are so embedded in everything, one could argue it’s kind of pointless).
⦁ Configure the browser correctly: Many have the following items that call home
  ⦁ Captive portal detection, where they constantly ping home to see if DNS is MITM’d to detect if you are on a network that requires sign-in (think coffee shop). Google, MS, and Firefox phone home respectively.
  ⦁ Malware screening. Google and Microsoft phone home respectively. Firefox uses Google’s malware screening (think in terms of this being one more opportunity to scrape your IP for Google). I call this out just as FireFox (which I currently use) doesn’t specifically get you out of leaking to Google.
  ⦁ Maybe delete cookies and other data. Beyond cookies there are several ways that websites can persist data on the computer.
  ⦁ I’m sure there are more items; these are the examples I have. I’m on a journey too. And browsers are next…
⦁ Add-Ons: These can be both potentially helpful and harmful. At a minimum, add-ons can see what you are browsing and phone home with that data, just like the browser can, if the add-on developer chooses to write that code. Also, the more add-ons you pile on, the more you start running into “False Positives”. Some examples to look at (I’m sure there are more, open to input):
  ⦁ Electronic Frontier Foundation (Privacy Badger - www.eff.org/pages/tools)
  ⦁ DuckDuckGo Add-On - duckduckgo.com/duckduckgo-help-pages/privacy/web-tracking-protections
  ⦁ Privacy Possum - github.com/cowlicks/privacypossum (blocks referrers and etag)
  ⦁ Decentraleyes - proprivacy.com/privacy-news/decentraleyes
  ⦁ Noscript - noscript.net
  ⦁ Cookie Autodelete - I don’t know how much this helps at this point given how much more advanced tracking techniques have become. This is still a very easy and cheap way for other non-internet behemoths to surveil you. For me, much like routing all my cloud provider traffic over TOR, why the heck not.
  ⦁ uBlock Origin - I am including it for the sake of completeness
⦁ Get the right block lists (whether PiHole, uBlock, Privoxy, etc.) - this is hard, but the defaults are better than nothing. More block lists, more false positives.

Applications:
Realizing that here we move outside of the perimeter device, here I will just include a few references to get you started:
⦁ Surveillance Self-Defense - ssd.eff.org
⦁ United Nations - iimm.un.org/iimm-recipients-of-illegal-orders-should-contact-us
⦁ The Guardian Project - guardianproject.info/apps
⦁ These content creators are good to follow (no association; I am sure there are more, open to input. Their content is great for general awareness; I would particularly appreciate references to folks who do deeper dives on privacy stuff):
  ⦁ Techlore - odysee.com/@techlore:3
  ⦁ Rob Braxman - odysee.com/@RobBraxmanTech:6
⦁ Apps can leak data to other apps - I link these not as a solution, but as a start to read about the problems they are trying to solve
  ⦁ www.qubes-os.org
  ⦁ www.whonix.org
  ⦁ www.kicksecure.com
  ⦁ privacytests.org
⦁ Edit: Happened to find this the day after I wrote all this. openbsdrouterguide.net

Out-Of-The-Box solutions (no association, just the ones I know of. Open to input):
These are WAPs that have built-in VPN perimeter security/privacy builds. I know it is a little late in this case, but for future reference and others who might find this thread:
⦁ Invizibox - www.invizbox.com
⦁ GL-iNet - www.gl-inet.com

Comments:
⦁ Summary of my setup:
  ⦁ I intercept all network service traffic (DNS and NTP) and redirect it to the perimeter device
  ⦁ VPN outbound to what I hope is a trusted provider
  ⦁ Squid to do deep inspection of HTTP URLs and block the telemetry I can
  ⦁ Privoxy to redirect companies who track IP addresses for unique identification to TOR
⦁ As suggested elsewhere, I also like to separate my perimeter device from my Wireless Access Point (WAP). Wendell has also mentioned other benefits of doing this in his networking 101 series. Personally I use a Raspberry PI (see notes at end) as it has a decent price point and a great support community. But this or any Single Board Computer (SBC) will likely work well and has very low power consumption (I work off-grid/on battery quite a bit and it’s solid). Also, SBCs do allow you to turn them into a WAP, so you could still hypothetically do this with one device, if concerned about appearance or power consumption. In this case, probably too late, but for other readers or future upgrades an option to keep in mind.
⦁ I agree, old laptops aren’t always the best option. I prefer small devices as it’s easier to find some place to put them than a laptop. There are also used mini or small form factor PCs that can be gotten used at very close to the same price point as a WAP. Some of them idle at very low power (< 10 Watts), which isn’t too far off from buying a WAP or SBC.
⦁ Regarding the out-of-the-box items: I build my own because that helps me learn about these things. Trust me, when you are looking at firewall and proxy logs and trying to figure out why things are doing what, you only end up with more questions that take you deeper down the rabbit hole.
⦁ Apologies for any spelling, grammatical, editorial errors. I may have used “thier” instead of “there”. And other grammatical travesties. Cursory proofreading to ensure coherence and readability only was done. My editor is still on holiday vacation.
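The “intercept or block” step from the DNS section and the NTP note above, as an added example that is not part of this post or of the OpenWrt project: a uci batch that rejects and logs any LAN client still trying to reach an outside DNS (53) or NTP (123) server directly, plus an awk report over the resulting firewall log lines that shows which devices (the IoT gear with hard-coded resolvers the post mentions) are doing it and how often. The WAN interface name, the rule names, the function names and the sample log lines are constructed; the IN=/OUT=/SRC=/DST=/DPT= fields are the standard netfilter log fields, while the rule-name prefix on each line is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project.
# (1) block_leak_batch: uci batch that logs and rejects LAN->WAN port 53/123,
#     to be applied after port 53 has been redirected to the local resolver.
# (2) leak_report: summarises the resulting log lines per client/server/port,
#     which is how you find the devices with hard-coded DNS/NTP servers.
# Interface name, addresses and log lines are constructed.

WAN_IF="eth0"

block_leak_batch() {
    cat <<'EOF'
add firewall rule
set firewall.@rule[-1].name='Block-DNS-Leak'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].dest_port='53'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].target='REJECT'
set firewall.@rule[-1].log='1'
add firewall rule
set firewall.@rule[-1].name='Block-NTP-Leak'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].dest_port='123'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].target='REJECT'
set firewall.@rule[-1].log='1'
commit firewall
EOF
}

# Constructed sample of what `logread` might show once those rules fire.
# The "REJECT(Block-...-Leak)" prefix is assumed; the key=value fields are
# the usual netfilter log fields. The last line is unrelated HTTPS traffic.
sample_log() {
    cat <<EOF
Mon Jan  1 10:00:01 2024 kern.warn kernel: REJECT(Block-DNS-Leak) IN=br-lan OUT=$WAN_IF SRC=192.168.1.50 DST=8.8.8.8 PROTO=UDP SPT=40000 DPT=53
Mon Jan  1 10:00:02 2024 kern.warn kernel: REJECT(Block-DNS-Leak) IN=br-lan OUT=$WAN_IF SRC=192.168.1.50 DST=8.8.8.8 PROTO=UDP SPT=40001 DPT=53
Mon Jan  1 10:00:05 2024 kern.warn kernel: REJECT(Block-DNS-Leak) IN=br-lan OUT=$WAN_IF SRC=192.168.1.77 DST=1.1.1.1 PROTO=TCP SPT=51000 DPT=53
Mon Jan  1 10:00:09 2024 kern.warn kernel: REJECT(Block-NTP-Leak) IN=br-lan OUT=$WAN_IF SRC=192.168.1.77 DST=216.239.35.0 PROTO=UDP SPT=123 DPT=123
Mon Jan  1 10:00:12 2024 kern.info kernel: ACCEPT IN=br-lan OUT=$WAN_IF SRC=192.168.1.20 DST=93.184.216.34 PROTO=TCP SPT=52000 DPT=443
EOF
}

# Reads log lines on stdin and prints "src dst port count", one line per
# distinct (client, outside server, port) for ports 53 and 123 leaving via WAN.
leak_report() {
    awk -v wan="$WAN_IF" '
    {
        src = dst = out = dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "OUT") out = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (out == wan && (dpt == "53" || dpt == "123"))
            n[src " " dst " " dpt]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# Number of distinct leaking (client, server, port) tuples in the sample.
leak_count() {
    sample_log | leak_report | wc -l | tr -d ' '
}
```

On the router the batch goes through `uci batch` followed by `/etc/init.d/firewall restart`, and the report is produced with `logread | leak_report`. A client that keeps showing up for 8.8.8.8:53 after the redirect is in place is one whose resolver is hard-coded and which the redirect is not catching, which is exactly the device the post says to look for.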