Table of Contents

2016-02-29 - green light for mass-invigilation in poland (and how to deal with it)

the christmas/new year's eve time of 2015 was an interesting time for PL citizens. new regulations that allow widespread invigilation have been accepted, and they went live earlier this month. this is quite a problem for at least several reasons – just to quote a few interesting opinions here:

that having been said, i must admit i'm a bit shocked by how few ppl really care about their privacy. “i have nothing to hide” is probably the most widespread argument. i usually reply with something like: “so why do you have curtains in your windows?” or “i do not recall seeing you running naked in the streets – are you ashamed of something?”.

my observation is that in general tech ppl are more aware and do “fight back”.

dealing with the problem


i've been using full-disk encryption for over a decade now. for some time i've also been using Signal for texting (unfortunately not that many ppl i know use it as well). recently i've set up a VPN on my router to access the internet. there is an interesting comparison of VPN providers you can filter to find your best match. what is worth checking and making sure of?

configuration

configuration of OpenVPN is simple nowadays, since most providers offer ready-to-go configuration files. just download one, put in your user/pass, and you're good to go. this should be set up on your router, so that all networked devices use your VPN. having OpenWRT or another linux distro on the router means this is a piece of cake – just set up the OpenVPN client on that device and you're done!

there is however one more problem, not commonly mentioned when talking about VPNs. a VPN works over an actual network that is, by itself, fully operational as well. now if you lose your VPN connectivity in the background (say, due to a malfunction of the router) your connection becomes wide open, and most likely you will not even notice it!

it actually gets worse. if some1 wants to eavesdrop on your traffic and has access to, say, the ISP's network, then she can block your VPN traffic, forcing its disconnection and kaboom! you're now being watched again!

in order to prevent this from happening, your router must be configured so that it does NOT allow any “open traffic” to go out directly. you can play around with blocking DNS access, but it will not do the trick for connections to IPs that are already cached. what you should do instead is to block ALL forwarded traffic that is not directed to your VPN access node directly. for OpenWRT this means adding custom rules like these:

iptables -A forwarding_rule -o your_wan_dev -d 1.1.1.1 -j ACCEPT # 1st VPN access node from a list
iptables -A forwarding_rule -o your_wan_dev -d 1.1.1.2 -j ACCEPT # 2nd VPN access node from a list
iptables -A forwarding_rule -o your_wan_dev -j REJECT # nothing else is allowed

this way, if the VPN goes down, internet traffic is blocked as well. if you are using multiple gateways, OpenVPN will automatically switch between them if the connection is lost.
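since OpenVPN may fail over to any of the `remote` lines in its config, the ACCEPT list above has to cover every one of them, or the failover node gets rejected by the kill switch itself. the script below is an added example (not from the original post) that generates the rule set from the config's `remote` lines; the variable names, the `/etc/openvpn/client.ovpn` path, the `eth0.2` WAN device and the use of `/etc/firewall.user` are assumptions, while the `forwarding_rule` chain is the one used above.

```shell
#!/bin/sh
# Added example (not from the original post): build the OpenWRT kill-switch
# rules from the "remote" lines of an OpenVPN client config, so every node
# OpenVPN may fail over to is whitelisted and nothing else leaves the WAN in
# the clear. WAN_DEV, OVPN_CFG and the config path are assumed names.

WAN_DEV="${WAN_DEV:-eth0.2}"                      # assumed WAN interface
OVPN_CFG="${OVPN_CFG:-/etc/openvpn/client.ovpn}"  # assumed config path

# Print the distinct <host> fields of "remote <host> [port] [proto]" lines;
# comment lines start with '#' or ';' so their first field never matches.
# iptables -d resolves hostnames once, at insertion time, so prefer IPs.
vpn_endpoints() {
    awk '$1 == "remote" { print $2 }' "$1" | sort -u
}

# Emit one ACCEPT per VPN node for forwarded traffic leaving via the WAN,
# then a final REJECT for everything else. tun traffic and the router's own
# OUTPUT chain are untouched, so the OpenVPN client itself can still connect.
kill_switch_rules() {
    cfg="$1"; wan="$2"
    vpn_endpoints "$cfg" | while read -r node; do
        printf 'iptables -A forwarding_rule -o %s -d %s -j ACCEPT\n' "$wan" "$node"
    done
    printf 'iptables -A forwarding_rule -o %s -j REJECT\n' "$wan"
}

# Constructed sample config for the stand-alone run: it has a duplicate node
# and a commented-out node (TEST-NET address), both of which must be ignored.
SAMPLE_CFG="$(mktemp)"
cat >"$SAMPLE_CFG" <<'EOF'
client
remote 1.1.1.2 1194 udp
remote 1.1.1.1 1194 udp
remote 1.1.1.2 443 tcp
# remote 203.0.113.9 1194 udp
EOF

# Without arguments the rules are only printed for review; "--apply" runs them
# against the real config (on the router, as root). Putting the printed lines
# into /etc/firewall.user is the assumed way to make them persistent.
if [ "${1:-}" = "--apply" ]; then
    kill_switch_rules "$OVPN_CFG" "$WAN_DEV" | sh -e
else
    kill_switch_rules "$SAMPLE_CFG" "$WAN_DEV"
fi
```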

technical downsides

aside from the obvious point that a VPN, even if cheap, is still not free, there is more. using a VPN means at least 2x longer RTT (one extra hop along the way). in real life however, 4-6x longer RTTs are to be assumed (4-5x is a good result you should aim for). assuming you have a reasonable “raw” network connection, this won't be a practical problem even for gaming. the real challenge is encryption – or rather the CPU power of your network access point. if you have over an 8Mbps connection, pretty much none of the off-the-shelf home routers will deal with OpenVPN using 4096 bit encryption, effectively limiting your bandwidth.

there are many mini-ITX motherboards available that have x86/amd64 CPUs on board and no moving parts. this should do for encryption. putting such a mini-PC with two ethernet cards in a closet can be a nice way of dealing with the lack of CPU power. while it is more expensive than even a very good router, as a free bonus it can serve as a high-speed NAS (cheap ones don't usually go beyond ~20MB/s and more expensive ones are usually just not worth it).