Ideally you would want a blob-free coreboot system with no Intel ME or AMD PSP type backdoors.
https://www.coreboot.org/Binary_situation
Intel is actively trying to nerf free software with Boot Guard/ME; if you buy a computer with those features it isn't really your computer.

A backdoor in a modem is irrelevant; it is post WAN and should be considered part of the "internet".

You need a computer with more than one server-grade PCI-e interfaced NIC if you want real LAN>WAN performance. 25Mbps is simply a pitiful amount to settle for - the newer "server" grade ARM chipsets can do much better than that.
On 11/13/2016 08:22 AM, hed...@tutanota.com wrote:
13. Nov 2016 08:48 by amad...@riseup.net:


We see much correspondence in these forums about installing a VPN within Qubes. 
Surely, the most secure place for VPN is to install on a Router?
I say these things after reading the following paper [ 
https://cryptome.org/2013/12/Full-Disclosure.pdf ] in which a group of hackers 
demonstrate that the majority of routers [in particular those provided by ISPs] have 
backdoors to government agencies. These adversaries are able to attack our LAN and its 
devices, including the ability to intercept VPN and Tor traffic.
The solution they say is to isolate these rogue routers in the Militarized Zone 
by creating a DMZ [demilitarized zone]. Achieved by installing a 2nd router 
[flashed with open source firmware such as OpenWrt]. It is here, on the router, 
that we should enable and run OpenVPN.
Thoughts on this paper and its conclusions are welcomed.


An always-on VPN connection on the router works well but can be a bit slow 
since the processing power of router CPUs is generally quite limited. If 
choosing a router, I'd suggest a dual-core ARM-based device. Although openvpn 
is only single-threaded you can usually configure cpu-affinity to place it on 
one core and the other routing tasks on the other core.




For those who want to go beyond around 20-25 Mb/s, which is where an ARM router 
will start to reach its limits, a fine alternative is a small fanless PC, such 
as the Intel NUC or Gigabyte Brix, and run an open source firewall on it, 
instead of a router. I'm using IPFire. If the processor supports AES-NI, the 
limiting factor will be your network speed, not the firewall's CPU.




Finally, I've always felt that running a vpn on Qubes and having an always-on 
vpn running on a router/PC complement each other.




