Re: VPN ideas
On Wed, 9 Dec 2020 12:49:44 +0200
Andrei POPESCU <email@example.com> wrote:
> On Mi, 09 dec 20, 10:21:46, Joe wrote:
> > On Wed, 9 Dec 2020 11:49:45 +0200
> > Andrei POPESCU <firstname.lastname@example.org> wrote:
> > > On Ma, 08 dec 20, 12:27:40, Joe wrote:
> > > >
> > > > This application is also useful with a home VPN server, if
> > > > you're not trying to hide anything, but just want to use the Net
> > > > reasonably safely from an unsafe location e.g. Internet cafe.
> > > > You can tailor a set of firewall rules to allow nothing in or
> > > > out except DNS, DHCP and HTTP (normally a local web login is
> > > > required), not forgetting the tunnelling protocol port out. A
> > > > VPN client will normally have a switch to route everything
> > > > through the tunnel to achieve this.
> > >
> > > Sorry, I must be dense. How is this improving safety compared to
> > > accessing the internet from my home network?
> > >
> > It isn't. It's improving safety compared to surfing the web from
> > public wifi or other untrusted network. It then uses your home
> > Internet connection for surfing the web, etc., which should be
> > safer.
> Let me rephrase that: how is connecting to the internet from some
> public hot-spot decreasing my security?
> I can think of possibly messing with DNS queries (use "own" DNS
> server instead, maybe with DNSSEC) and possibly some attacks are
> easier via the local network (e.g. by other hot-spot users or local
> Other than that, as far as I'm aware, the biggest threats are the
> servers I access with my client software (typically web sites
> accessed with a browser), in which case it doesn't make any
> difference whether I access them via some VPN and/or (home) firewall.
> (Assuming one doesn't run NFS, Samba, etc. *listening* software on
> the laptop in which case stopping those and/or running a firewall
> would be indicated.)
I suppose it may depend on where you are. In the UK, public wifi
normally uses no encryption, because there are no local staff who can
help with problems. So any unencrypted protocol you use can be