Complete anonymity: protecting your home router

Greetings, dear friends!

Today we will talk about how to turn an ordinary router into one that gives every connected device an anonymous Internet connection.
Let's go!

This article covers how to use an alternative DNS server, how to set up a permanently encrypted connection to the Internet, and how to protect your home router, along with a few more useful tips.

To prevent your identity from being tracked by the router configuration, you must disable as many of the device's web services as possible and change the default SSID. We will show how to do this using a Zyxel router as the example. With other routers, the principle is similar.

Open your router's configuration page in your browser. Users of Zyxel routers need to enter "my.keenetic.net" into the address bar to do this.

Now you should enable the display of additional functions. To do this, click on the three dots in the upper right corner of the web interface and click on the radio button for the "Advanced View" option.

Go to the menu "Wireless | Radio Network" and in the "Radio Network" section enter a new name for your network. Along with the name for the 2.4 GHz frequency, don't forget to change the name for the 5 GHz frequency. For the SSID, enter any sequence of characters.

Then go to the menu "Internet | Permit Access". Uncheck the boxes in front of the "Internet access via HTTPS enabled" and "Internet access to your storage media via FTP/FTPS enabled" options. Confirm the changes made.

Building DNS protection


First of all, change the SSID of your router (1). Then, in the DNS settings, specify the Quad9 server (2). Now all connected clients are safe.

Your router must also use an alternate DNS server such as Quad9. The advantage: if this service is configured directly on the router, all clients connected to it will automatically access the Internet through this server. We will again explain the configuration using the example of Zyxel.

As described in the previous section, "Changing the router name and SSID", open the Zyxel configuration page and go to the "Wi-Fi Network" section, "Access Point" tab. Here, check the "Hide SSID" checkbox.

Go to the "DNS Servers" tab and enable the "DNS Server Address" option. In the parameter line, enter the IP address "9.9.9.9".

Setting up a permanent redirect over VPN

Get even more anonymity with a permanent VPN connection. In this case, you no longer have to worry about organizing such a connection on each individual device - each client connected to the router will automatically access the Network through a secure VPN connection. However, for this purpose, you will need an alternative DD-WRT firmware, which must be installed on the router instead of the firmware from the manufacturer. This software is compatible with most routers.

For example, the Netgear Nighthawk X10 premium router has DD-WRT support. However, you can also use an inexpensive router, such as the TP-Link TL-WR940N, as a Wi-Fi access point. After choosing a router, you should decide which VPN service you prefer. In our case, we settled on the free version of ProtonVPN.

Installing alternative firmware


After installing DD-WRT, change the device's DNS server before setting up a VPN connection.

We will explain the installation using the example of a Netgear router; the process is similar for other models. Download the DD-WRT firmware and install it using the update function. After the reboot, you will be in the DD-WRT interface. You can switch the interface to Russian by selecting "Russian" under "Administration | Management | Language".

Go to "Setup | Basic setup" and for the "Static DNS 1" parameter, enter the value "9.9.9.9".

Also check the boxes in front of the following options "Use DNSMasq for DHCP", "Use DNSMasq for DNS" and "DHCP-Authoritative". Save the changes by clicking the "Save" button.

Under "Setup | IPV6", disable "IPV6 Support". This will prevent deanonymization through IPV6 leaks.

Compatible devices can be found in any price category, for example TP-Link TL-WR940N (about 1300 rubles) or Netgear R9000 (about 28 rubles).

Virtual Private Network (VPN) Configuration


Launch OpenVPN Client (1) in DD-WRT. After entering the access data in the "Status" menu, you can check whether the tunnel for data protection has been built (2)

To actually configure the VPN, you need to enter the ProtonVPN settings on the router. The configuration is not trivial, so follow the instructions strictly. After you register on the ProtonVPN website, download the Ovpn file with the nodes you want to use from your account settings. This file contains all the necessary access information. With other service providers, you will find this information elsewhere, but most often in your account.

Open the Ovpn file in a text editor. Then, on the router configuration page, click on "Services | VPN" and on this tab, use the switch to activate the "OpenVPN Client" option. Fill in the available options with the information from the Ovpn file. For a free server in the Netherlands, for example, use "nlfree-02.protonvpn.com" in the "Server IP/Name" line, and specify "1194" as the port.

Set "Tunnel Device" to "TUN" and "Encryption Cipher" to "AES-256 CBC".
Set "Hash Algorithm" to "SHA512", enable "User Pass Authentication" and in the "User" and "Password" fields enter your Proton login details.

Now it's time to tackle the "Advanced Options" section. Set "TLS Cipher" to "None" and "LZO Compression" to "Yes". Activate "NAT" and "Firewall Protection" and for "Tunnel MTU settings" enter the number "1500". "TCP-MSS" must be disabled.
In the "TLS Auth Key" field, copy the values from the Ovpn file, which you will find under the line "BEGIN OpenVPN Static key V1".

In the "Additional Configuration" field, enter the lines that you will find under "Server Name".
Finally, for "CA Cert", paste the text you see in the "BEGIN Certificate" line. Save the settings by clicking on the "Save" button and start the installation by clicking on the "Apply Settings" button. After the reboot, your router will be connected to the VPN. For reliability, check the connection through "Status | OpenVPN".
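
The field-by-field copying described above is easy to get wrong by hand, so the values can be extracted from the Ovpn file with a short script and compared against what was typed into the router. This is an added example, not code from the original article, ProtonVPN or DD-WRT; the profile text is a constructed sample with placeholder key and certificate bodies, and `parse_ovpn` and `ddwrt_fields` are hypothetical helper names.

```python
# Constructed sample profile; key and certificate bodies are placeholders.
SAMPLE_OVPN = """\
dev tun
remote nlfree-02.protonvpn.com 1194
cipher AES-256-CBC
auth SHA512
auth-user-pass
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-KEY-BODY
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse_ovpn(text):  # -> (directive arguments by name, inline <tag> blocks)
    opts, blocks, tag, buf = {}, {}, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if tag and line == f"</{tag}>":          # end of an inline block
            blocks[tag], tag, buf = "\n".join(buf), None, []
        elif tag:
            buf.append(line)
        elif line[:1] == "<" and line[-1:] == ">":   # start of <ca>, <tls-auth>
            tag = line[1:-1]
        elif line and line[0] not in "#;":       # skip blanks and comments
            opts.setdefault(line.split()[0], line.split()[1:])  # first one wins
    if tag:                                      # truncated download or bad paste
        raise ValueError(f"unterminated <{tag}> block")
    return opts, blocks

def ddwrt_fields(text):
    """Map a profile onto the DD-WRT OpenVPN Client fields named in the article."""
    opts, blocks = parse_ovpn(text)
    return {
        "Server IP/Name": opts["remote"][0],
        "Port": (opts["remote"] + ["1194"])[1],  # 1194 is OpenVPN's default port
        "Tunnel Device": opts["dev"][0].upper(),
        "Encryption Cipher": opts["cipher"][0],
        "Hash Algorithm": opts["auth"][0],
        "User Pass Authentication": "auth-user-pass" in opts,
        "LZO Compression": "comp-lzo" in opts,
        "TLS Auth Key": blocks.get("tls-auth", ""),
        "CA Cert": blocks.get("ca", ""),
    }
```

Calling `ddwrt_fields` on the text of the downloaded file returns one value per GUI field; a truncated file is rejected with a `ValueError` instead of yielding a half-copied key.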

Tips for your router

With a couple of simple tricks, you can turn your home router into a secure host. Before proceeding with the configuration, you must change the default configuration of the device.

Changing the SSID: Do not leave the default router name. Using it, attackers can draw conclusions about your device and conduct a targeted attack on the corresponding vulnerabilities.

DNS Security: Set the Quad9 DNS server as default on the configuration page. After that, all connected clients will access the Network through secure DNS. It also saves you the hassle of manually configuring devices.

Using a VPN: Through the alternative DD-WRT firmware available for most router models, you will be able to build a VPN connection for all clients associated with this device. There is no need to configure clients individually. All information is sent to the Internet in encrypted form. Web Services will no longer be able to figure out your real IP address and location.

If you follow all the recommendations outlined in this article, even data protection specialists will not be able to find fault with your configurations, since you will achieve maximum anonymity (as far as possible).


Thanks to everyone who read my article. I hope you liked it; write in the comments what you think about it.

Source: habr.com
