
I don't trust my ISP and their provided fiber optical network terminal

We just upgraded our home internet to a fiber connection. The privacy policy has some issues, which in the first place isn't really a policy, because their choice of words is privacy "notice", which seems to imply that no actual policies are in place to protect my own privacy.

My main concern is that the optical network terminal the ISP uses is Huawei, which further fails to inspire privacy in my service provider. Sadly, there is no other reasonably cheap alternative to get fiber. Another concern is that when I recently did a traceroute, most traffic seemed to go to Hong Kong/China, to add to my horror.

I want to pull the antennas out of the Wi-Fi, but the design is such that you can't remove the antennas at all.

Pulling back to sanity, I don't think the CCP is really into me personally. I am more concerned about the surveillance dragnet that veils the edge of the internet in my country. And the question is: can I do more than use a VPN for the entire household? I already have pfSense in place that routes all traffic through an OpenVPN connection, which I think I can reasonably trust.

The community’s input would be much appreciated.


Until a month ago, I was using a 2 Mb WISP because all of the ISPs in my area did something that pissed me off: DNS poisoning/hijacking, throttling, et cetera.

It's a very hard pill to swallow, but there's a simple truth to market economies: things don't change until consumers change their buying decisions.

I am more concerned about the surveillance dragnet that veils the edge of the internet in my country.

The ISP you bought from set this in motion, and it’s going to happen regardless of what you do. You’re one in a million, and if your ISP options are actually as limited as you say, your neighbors all have the same ISP and the same box.

[C]an I do more than use a VPN for the entire household? I already have a pfSense in place that routes all traffic through an OpenVPN

People with the biggest tin foil hats rave about WireGuard, which seems to be favored slightly over OpenVPN these days. OpenVPN is, as far as I know, still intact from a security standpoint though, so I wouldn't stress about upgrading until you have another reason to tweak the pfSense box.

The fact that you’re concerned about it gives you a better security posture than most. Just remember that your network starts at the pfSense box and not the modem and you’re doing as well as you can.


What country are you located in?

I’d rather not say but I am in a country that is China’s immediate neighbor in Asia.


If you are certain that the traffic is being routed through China, I would treat the communications as likely intercepted. I doubt that China will take any specific action against its other neighbors, before it attempts to take Taiwan, so if you’re not in Taiwan I wouldn’t worry too much at the moment. If they make an attack against Taiwan, which doesn’t seem too far out of the realm of possibility after Hong Kong, it will almost assuredly be a serious international conflict and then all bets are off.

That makes a lot more sense as to why your traffic routes through China, it’s presumably the main backbone for the ISP or the main backbone for your entire country.


Are there no other choices for an ISP in your area, or is it that there isn't another "cheap" provider?

China has their tentacles in every pie, everywhere. We all love a bargain, unfortunately it will come at a price later.

I hope you find a solution



This is kind of why DNS-over-HTTPS / TLS 1.3 ESNI/ECH / QUIC and others exist.

Most of your traffic should be end-to-end encrypted already, is it not?


It should be. There is also a VPN inside my router with a "killswitch" feature. If the VPN fails, I don't connect to anything.


That sucks, but also you shouldn't really trust anything beyond your gateway anyway, so DNS over TLS and HTTPS everywhere should reasonably cover you. If you're running Linux/BSD, just make sure repos, install scripts, etc. are all pulling from HTTPS and not HTTP or FTP. Or, if you have to use HTTP/FTP, be vigilant about checksums and get those checksums via HTTPS.

A VPN is also good, of course, if you want to disguise what connections you're making (as opposed to the content of those connections, which would already be encrypted).
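The "get the checksums via HTTPS, then verify what came over HTTP/FTP" advice above, as an added worked example (not code from the thread or any project). It parses a SHA256SUMS-style list, refuses to accept a list that did not come from an https:// URL, hashes each downloaded file in chunks, and compares with a constant-time comparison. The file names and bytes in demo() are constructed for the example; in real use sums_text is the body fetched from the https:// mirror and directory is wherever the mirror's downloads landed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# One line of a SHA256SUMS file: 64 hex chars, whitespace, optional "*" (binary
# mode marker written by sha256sum -b), then the file name.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def checksum_source_ok(url):
    """Only accept a checksum list fetched over https. A list served over plain
    http/ftp can be rewritten by the same party that tampers with the file."""
    return urlsplit(url).scheme == "https"


def parse_sha256sums(text):
    """Map file name -> lowercase hex digest; reject lines that are not entries."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a SHA256SUMS entry: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large ISOs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(directory, sums_text):
    """Return {name: "OK" | "FAILED" | "MISSING"} for every entry in the list."""
    results = {}
    for name, expected in parse_sha256sums(sums_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed scenario (assumption, not real release data): the tarball on
    disk matches the list, the detached signature file was swapped by the
    mirror, and README never arrived."""
    with tempfile.TemporaryDirectory() as d:
        tarball = b"not a real tarball, just sample bytes for the example\n"
        (Path(d) / "tool-1.0.tar.gz").write_bytes(tarball)
        (Path(d) / "tool-1.0.tar.gz.asc").write_bytes(b"tampered signature bytes\n")
        # The list the https:// mirror would publish, built from the genuine bytes.
        sums_text = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {name}"
            for name, data in [
                ("tool-1.0.tar.gz", tarball),
                ("tool-1.0.tar.gz.asc", b"genuine signature bytes\n"),
                ("README", b"never downloaded\n"),
            ]
        )
        return verify_downloads(d, sums_text)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

The list itself is only as trustworthy as the channel it came from, which is why checksum_source_ok() is a hard gate rather than a warning; a signed checksum list (verified with the project's published key) is the next step up when the mirror and the HTTPS origin are the same operator.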


A lot of small websites are behind Cloudflare, Fastly or some other CDN. This obscures the connections somewhat.


If you don't trust the terminal (which I would guess is a media converter?), pick it apart and check it.

If you don't trust the routing and the network you're traversing on the way to the internet, change it to terminate on a point you own, control and agree on.

Use trusted encrypted DNS, and only use SSL.

They can still watch where you go (based on IP addresses), but since a lot of this stuff terminates in the same datacenters, it will be hard for anyone to pinpoint what you do.

If you want to go full schizo like me:

  • disable all wireless devices you have (phone Wi-Fi, cellular, GPS, etc.)
  • get an open-firmware router box and put that between you and the ISP modem
  • block all traffic by default (whitelist only) on your trusted router
  • have ports on said router route all traffic through Tor (and switch to that when you want to go dark)
  • have a Raspberry Pi generate noise (random internet traffic to obscure when you are home/online)
  • anything you connect to the ISP-controlled hardware should randomize MAC addresses
  • if possible, remove all wireless options from your network, or at least make them hidden (prevents SSID-based tracking through phones, etc.)

Keeping this one short, but if you want the full schizo guide to personal opsec, just ask.


What app/distro do you use for this?

Just basic python. Distro agnostic. Security of that device is not important.

Level up: use your browser history to feed it URLs and have a CLI YT downloader to mimic video consumption. Etc.

I don't go overkill, but try to make it look relatively similar to my behavior.
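The noise generator described above (a box that fetches URLs drawn from your own browser history, timed to look like you), as an added example in plain Python; this is not the poster's script. It derives an hour-of-day profile and a URL frequency table from the history, schedules one day of fake visits that only fall in hours you are normally active (a noise box that is busy at 04:00 when you never are makes the pattern more distinctive, not less), and replays the plan with an injectable fetch function. SAMPLE_HISTORY is constructed; in real use it would be exported from the browser's history database, the clock would use local time, and fetch would be something like urllib or a headless browser.

```python
import random
import time
from collections import Counter

# Constructed sample history as (unix timestamp, url) pairs. 1_699_920_000 is
# 2023-11-14 00:00:00 UTC, so the (hour, minute) offsets below are the visit times.
SAMPLE_HISTORY = [
    (1_699_920_000 + h * 3600 + m * 60, url)
    for h, m, url in [
        (8, 5, "https://news.example/"),
        (8, 40, "https://mail.example/inbox"),
        (12, 15, "https://news.example/"),
        (13, 2, "https://forum.example/t/42"),
        (19, 30, "https://video.example/watch?v=abc"),
        (21, 10, "https://forum.example/t/42"),
        (22, 45, "https://news.example/"),
    ]
]


def hourly_profile(history):
    """Visits per hour of day (index 0..23). Hours with no visits keep weight 0,
    so noise is never generated at times the user is normally offline.
    gmtime keeps the example timezone-independent; use localtime for real data."""
    weights = [0] * 24
    for ts, _ in history:
        weights[time.gmtime(ts).tm_hour] += 1
    return weights


def build_noise_plan(history, events_per_day, rng):
    """One day's plan: sorted (second_of_day, url) pairs. Hours are drawn from the
    user's own hourly profile and URLs from their own visit frequencies, so the
    fake traffic has the same shape as the real traffic it is hiding."""
    hour_weights = hourly_profile(history)
    urls, url_weights = zip(*Counter(url for _, url in history).items())
    hours = rng.choices(range(24), weights=hour_weights, k=events_per_day)
    picks = rng.choices(urls, weights=url_weights, k=events_per_day)
    return sorted((h * 3600 + rng.randrange(3600), url) for h, url in zip(hours, picks))


def make_plan(seed=1, events_per_day=20):
    """Deterministic plan from the constructed history (seed is for the example)."""
    return build_noise_plan(SAMPLE_HISTORY, events_per_day, random.Random(seed))


def run_noise_day(plan, fetch, clock=lambda: time.time() % 86400, sleep=time.sleep):
    """Replay one plan: wait until each scheduled second, then call fetch(url).
    Fetch errors are swallowed and skipped; a noise box must never stall or crash
    because one site is down. Returns the URLs that were actually fetched."""
    fetched = []
    for second, url in plan:
        wait = second - clock()
        if wait > 0:
            sleep(wait)
        try:
            fetch(url)
        except Exception:
            continue
        fetched.append(url)
    return fetched


if __name__ == "__main__":
    for second, url in make_plan():
        print(f"{second // 3600:02d}:{second % 3600 // 60:02d}  {url}")
```

Because the plan is built from frequencies rather than by replaying the history verbatim, the noise never reproduces the exact sequence of pages you visited, which would itself be a fingerprint; on a real deployment, regenerate the plan each day with a fresh seed.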


If it is possible, you could get yourself a Linode/DigitalOcean/OVH VPS, one that hopefully has enough bandwidth for your home, and site-to-site the server with your home, making the VPS your exit node for all your internet traffic.

Do you know of anything free/easy to make that would audit network flows for encryption? E.g. something that would tcpdump the first 4K of each flow and analyze entropy to detect non-encrypted connections?
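The flow auditor asked about above, as an added example (not a tool the thread names): it takes the first bytes of each flow and returns a verdict. One caveat a pure entropy check misses is that the first 4K of an HTTPS or SSH flow is mostly handshake framing (TLS record headers, ClientHello, certificates, the SSH version banner), which is low-entropy plaintext even though everything after it is encrypted, so known handshake signatures are matched before entropy is consulted, and short flows are reported as undetermined rather than as plaintext. The sample flows are constructed byte strings; the "random-opaque" one is just seeded random bytes standing in for a WireGuard/VPN-style stream, not a real capture. Flow extraction (tcpdump -w to a pcap, then reassembling the client-to-server bytes per 5-tuple with a pcap library) is assumed to happen before this code.

```python
import math
import random
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")
MIN_BYTES = 512          # shorter samples cannot reach the threshold anyway
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted/compressed data sits near 8.0


def shannon_entropy(data):
    """Bits per byte over the byte histogram of data; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_flow(payload):
    """Verdict for the leading bytes of one flow (client -> server direction).

    Signatures first: a TLS or SSH handshake begins with low-entropy plaintext
    framing, so an entropy-only check would misreport those flows as cleartext.
    """
    head = payload[:4096]
    if head.startswith(b"SSH-2.0-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04
    if len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03 and head[2] <= 0x04:
        return "tls-handshake"
    if head.startswith(HTTP_METHODS) or head.startswith(b"HTTP/1."):
        return "plaintext-http"
    if len(head) < MIN_BYTES:
        return "undetermined-too-short"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        # Encrypted, or merely compressed: byte entropy alone cannot tell them apart.
        return "high-entropy"
    return "plaintext-unknown"


def audit_flows(flows):
    """flows: {flow_name: leading_bytes} -> {flow_name: verdict}."""
    return {name: classify_flow(payload) for name, payload in flows.items()}


def sample_flows():
    """Constructed inputs for the example (assumption, not captured traffic)."""
    rng = random.Random(7)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return {
        "http-get": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
        # TLS 1.0 record header + ClientHello header + 32 bytes of client random
        "tls-client-hello": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + rand(32),
        "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
        "random-opaque": rand(4096),
        "smtp-plain": (b"EHLO mail.example\r\nMAIL FROM:<a@example>\r\n"
                       b"RCPT TO:<b@example>\r\n") * 12,
        "short-unknown": b"\x01\x02\x03hello",
    }


if __name__ == "__main__":
    for name, verdict in audit_flows(sample_flows()).items():
        print(f"{verdict:24} {name}")
```

Treat "high-entropy" as "not obviously cleartext" rather than "encrypted": a gzip-compressed HTTP body on port 80 scores just as high, so the verdict is only meaningful together with the port and the signature stage. Flagging everything that lands in "plaintext-unknown" or "plaintext-http" is the actionable list.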

I want… Thread Please.


@doYouEvenLiftBro I’ll fuckin help
