I don't trust my ISP and their provided fiber optical network terminal

We just upgraded our home internet to a fiber connection. The privacy policy has some issues; in the first place it isn't really a policy, because their choice of words is privacy "notice", which seems to imply that no actual policies are in place to protect my own privacy.

My main concern is that the optical network terminal the ISP uses is a Huawei, which further fails to inspire confidence in my service provider's privacy practices. Sadly, there is no other reasonably cheap alternative to get fiber. Another concern is that when I recently did a traceroute, most traffic seemed to go to Hong Kong/China, to add to my horror.

I want to pull the antennas out of the Wi-Fi, but the design is such that you can't remove the antennas at all.

Pulling back to sanity, I don't think the CCP is really into me personally. I am more concerned about the surveillance dragnet that veils the edge of my country's internet. And the question is: can I do more than use a VPN for the entire household? I already have a pfSense in place that routes all traffic through an OpenVPN connection, which I think I can reasonably trust.

The community’s input would be much appreciated.

Until a month ago, I was using a 2 Mb WISP because all of the ISPs in my area did something that pissed me off: DNS poisoning/hijacking, throttling, et cetera.

It's a very hard pill to swallow, but there's a simple truth to market economies: things don't change until consumers change their buying decisions.

I am more concerned about the surveillance dragnet that veils the edge of my country's internet.

The ISP you bought from set this in motion, and it's going to happen regardless of what you do. You're one in a million, and if your ISP options are actually as limited as you say, your neighbors all have the same ISP and the same box.

[C]an I do more than use a VPN for the entire household? I already have a pfSense in place that routes all traffic through an OpenVPN

People with the biggest tin foil hats rave about WireGuard, which seems to be favored slightly over OpenVPN these days. OpenVPN is, as far as I know, still intact from a security standpoint though, so I wouldn't stress about upgrading until you have another reason to tweak the pfSense box.

The fact that you're concerned about it gives you a better security posture than most. Just remember that your network starts at the pfSense box and not the modem, and you're doing as well as you can.

What country are you located in?

I'd rather not say, but I am in a country that is China's immediate neighbor in Asia.

If you are certain that the traffic is being routed through China, I would treat the communications as likely intercepted. I doubt that China will take any specific action against its other neighbors before it attempts to take Taiwan, so if you're not in Taiwan I wouldn't worry too much at the moment. If they make an attack against Taiwan, which doesn't seem too far out of the realm of possibility after Hong Kong, it will almost assuredly be a serious international conflict, and then all bets are off.

That makes a lot more sense as to why your traffic routes through China; it's presumably the main backbone for the ISP or the main backbone for your entire country.

Are there no other choices for an ISP in your area, or is it that there isn't another "cheap" provider?

China has its tentacles in every pie, everywhere. We all love a bargain; unfortunately it will come at a price later.

I hope you find a solution.

H

This is kind of why DNS-over-HTTPS / TLS 1.3 ESNI/ECH / QUIC and others exist.

Most of your traffic should be end-to-end encrypted already, is it not?

It should be. There is also a VPN inside my router with a "kill switch" feature. If the VPN fails, I don't connect to anything.

That sucks, but also you shouldn't really trust anything beyond your gateway anyway, so DNS over TLS and HTTPS everywhere should reasonably cover you. If you're running Linux/BSD, just make sure repos, install scripts, etc. are all pulling from HTTPS and not HTTP or FTP. Or, if you have to use HTTP/FTP, be vigilant about checksums and get those checksums via HTTPS.

A VPN is also good, of course, if you want to disguise what connections you're making (as opposed to the content of those connections, which would already be encrypted).

A lot of small websites are behind Cloudflare, Fastly or some other CDN. This obscures the connections somewhat.

If you don't trust the terminal (which I would guess is a media converter?), pick it apart and check it.

If you don't trust the routing and the network you're traversing on the way to the internet, change it to terminate on a point you own, control and agree on.

What app/distro do you use for this?

If it is possible, you could get yourself a Linode/DigitalOcean/OVH VPS, one that hopefully has enough bandwidth for your home, and site-to-site the server with your home, making the VPS your exit node for all your internet traffic.

Do you know of anything free/easy to make that would audit network flows for encryption? E.g. something that would tcpdump the first 4k of each flow and analyze entropy to detect non-encrypted connections?

I want… thread, please.
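The flow-entropy audit asked about above, as an added example that is not code from anyone in this thread. It works on the first 4 KiB of each flow, computes the Shannon entropy in bits per byte, and first checks a few well-known header signatures, because entropy alone cannot tell ciphertext from compressed data, and a TLS session actually begins with a structured, partly plaintext ClientHello (the SNI is visible there unless ECH is in use). The sample flows, the 7.5 bits/byte threshold and the `pseudo_random` stand-in for ciphertext are constructed for the example; in practice you would feed the function from a capture (e.g. `tcpdump -s 4096 -w` taken on the pfSense WAN side) after reassembling each flow's first client-to-server bytes, which this offline example does not do.

```python
"""Entropy-based audit of the first bytes of each network flow.

Added example, not code from the thread. Flows here are constructed byte
strings, not live captures; the threshold and the signatures are heuristics.
"""
import hashlib
import math
from collections import Counter

SAMPLE_BYTES = 4096   # audit at most the first 4 KiB of each flow
HIGH_ENTROPY = 7.5    # bits/byte; random-looking data scores ~7.9+ at this size


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def protocol_hint(data: bytes) -> str:
    """Cheap signature check on the leading bytes, done before the entropy test
    because compression and encryption look alike statistically."""
    if data[:2] == b"\x16\x03":
        return "tls-handshake"    # TLS record type 0x16 (handshake), version 0x03xx
    if data[:2] == b"\x1f\x8b":
        return "gzip"             # compressed: high entropy, but not encrypted
    if data.startswith(b"SSH-"):
        return "ssh-banner"       # plaintext banner, encrypted session afterwards
    if any(data.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/")):
        return "http-plaintext"
    return "unknown"


def classify_flow(data: bytes) -> dict:
    """Verdict for one flow prefix: signature first, entropy as the fallback."""
    sample = data[:SAMPLE_BYTES]
    entropy = shannon_entropy(sample)
    hint = protocol_hint(sample)
    if hint in ("tls-handshake", "ssh-banner"):
        verdict = "encrypted"
    elif hint == "http-plaintext":
        verdict = "plaintext"
    elif hint == "gzip":
        verdict = "compressed-unencrypted"
    elif entropy >= HIGH_ENTROPY:
        verdict = "likely-encrypted"
    else:
        verdict = "likely-plaintext"
    return {"entropy": round(entropy, 3), "hint": hint, "verdict": verdict}


def audit(flows: dict) -> dict:
    """Classify every named flow prefix; returns {name: verdict-dict}."""
    return {name: classify_flow(data) for name, data in flows.items()}


# ---- constructed sample flows (stand-ins, not real captures) ----
def pseudo_random(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


SAMPLE_FLOWS = {
    "http-to-isp-portal": b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n" * 40,
    "tls-client-hello": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + pseudo_random(200),
    "unknown-binary-random": pseudo_random(4096),
    "unknown-binary-text": b"the quick brown fox jumps over the lazy dog\n" * 100,
    "gzip-body": b"\x1f\x8b\x08\x00" + pseudo_random(1000),
}

if __name__ == "__main__":
    for name, r in audit(SAMPLE_FLOWS).items():
        print(f"{name:24s} entropy={r['entropy']:.3f} hint={r['hint']:16s} -> {r['verdict']}")
```

Anything reported as plaintext or compressed-unencrypted is the list to chase down (HTTP package mirrors, plain DNS, old IoT firmware check-ins). If the whole household already leaves through the VPN tunnel, run the audit on the LAN side of pfSense instead; on the WAN side every flow collapses into one high-entropy tunnel and the tool tells you nothing.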

@anon47317651 I'll fuckin' help

I don't know how to do this exactly. I don't really work in the tech industry (I have a healthcare-related course), so network packet inspection is beyond me. If the pandemic hadn't hit so hard, I would probably have tried to study Wireshark functionality, but alas, no free time.

Is there a functional difference if I already have the entire traffic of my house go through a VPN provider like Mullvad/PIA/ProtonVPN or the like? How will the additional layer of having a Linode/DigitalOcean VPS be of further help?

Ahh, ignore my comment then.