So I am moving soon, and will be setting up a new LAN. A bit of an unorthodox one. Internet in the city I’m going to school in is pretty expensive, so I’ve got an old ThinkPad running OPNsense and will use that as my router and just tether my phone to it to provide cellular WAN. Both my PC and Laptop use Linux, Mint on PC, Debian on Laptop. I’m wondering what steps I should be taking security-wise on a setup like this? All my traffic will be going over the open air, and I know hijacking cellular connections is something that’s done. Other than just using a VPN all the time, which I’m doing, are there any other steps I should take, maybe in my computer, or router firewall, that could help prevent MITM attacks? I’m not super familiar with how router-level firewall especially works. Is much tweaking even required?

Technically OPNsense is FreeBSD-based, not Linux, but hopefully people still know a bit about it.

  • hamsda@lemm.ee
    2 days ago

    Set OPNsense default policy

    As far as I remember, OPNsense has a default policy rule of “deny all incoming, allow all outgoing”. If not, this should be one of the first steps to take.

    Get your own VPN

    If you can, you could use your own VPN service. I run a VPS for 6 € / month. If you can get your hands on something like this and install an OpenVPN server, you could always use that VPN for every connection.

    So even if an attacker hijacks your connection somehow, he would only be able to see encrypted content and all content will be encrypted by a server you own and can verify / trust. You could also integrate this VPN into your OPNsense, so you’ll be connected as soon as OPNsense starts up and has internet.

    Regarding MITM attacks

    Please someone correct me if I am wrong, but MITM attacks should generally be impossible when connecting to SSL-backed connections, right?

    These certificates (or rather the certificate authority the HTTPS certificates have been issued by) are generally trusted by your own operating system. Therefore, if someone wanted to hijack your connection without you getting some kind of certificate error, he would have needed to get his hands on a certificate issued by a worldwide trusted certificate authority and the address name matching the certificate.

  • Max-P@lemmy.max-p.me
    3 days ago

    I would distrust my carrier well before I distrust the encryption. Even when roaming, your Internet is tunnelled through your carrier using an internal VPN. It even works in China; that’s a fairly common way to get around their firewall.

    • IHave69XiBucks@lemmygrad.mlOP
      3 days ago

      Huh? Distrust the encryption? I never said I didn’t trust my encryption. I’m confused lol. I’m looking to make sure my local network is secure. The VPN I have is fine for security on the internet.

      I had asked ChatGPT about it and got some suggestions for my firewall settings, and about making sure the router management interface is not accessible remotely etc.