
posted by martyb on Monday October 02 2017, @02:35PM
from the we're-not-out-to-get-you dept.

I'm about to move and at my new address I'd like to start out more secure against my ISP and doxers/stalkers. Basically I think I should use a VPN/VPS for personal-related traffic (email, shopping), another VPN/VPS for online communities, and then regular net access for random browsing (is all that overkill?). There have been articles in the past about VPN providers (feel free to recommend someone), but there's less about how to configure your network and computer to use them. I'd prefer to be able to use all three at once, but I've heard most people recommend configuring their routers to a single VPN to prevent leakage. But then one company could be logging all your traffic again, or it would be easy to forget to switch to/from the VPNs. Is that necessary? Is there Linux-based software which completely restricts applications to certain networks, or is that something I should manually set up through iptables and /etc network scripts? My primary OS is LMDE (Linux Mint Debian Edition) and my current router runs DD-WRT, though that might change with the new ISP.

In summary, what's a good strategy to keep the different parts of your online life segregated from each other, other than simply using different user names?

Thanks for your insights.


  • (Score: 3, Informative) by Anonymous Coward on Monday October 02 2017, @02:59PM (#575917) (2 children)

    If you want to restrict applications to a specific network interface, you should read up on network namespaces.
    You could run a VPN in one network namespace, and any applications you start in that namespace can then use that VPN, while the rest of your network works as before.

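    A minimal version of the namespace approach suggested above, as an added example that is not from the thread: it assumes the VPN tunnel is already up on the host as tun0 with its resolver at 10.8.0.1, and the namespace name, veth names and 10.200.1.0/24 subnet are constructed for the example. The host forwards the namespace's traffic only via the VPN interface and drops everything else, so the pinned application fails closed if the tunnel drops; `default_route_ok` is the leak check, kept pure so it can be tested without root.

```shell
#!/bin/sh
# Added example (not from the thread): run one application inside its own
# network namespace whose only way out is the host's existing VPN interface.
# Assumptions: the tunnel is already up on the host as $VPN_IF (tun0/wg0-style)
# and its resolver is $VPN_DNS; the namespace name, veth names and the
# 10.200.1.0/24 subnet are constructed for this example.
set -eu

NS="${NS:-vpn-personal}"
VPN_IF="${VPN_IF:-tun0}"
VPN_DNS="${VPN_DNS:-10.8.0.1}"
HOST_VETH="veth-${NS}-h"
NS_VETH="veth-${NS}-n"

# Leak check, pure shell so it can be tested offline: $1 is `ip route show`
# output, $2 the device the default route must use. Succeeds only if there is
# exactly one default route and it leaves via that device.
default_route_ok() {
    routes="$1"; want_dev="$2"
    n=$(printf '%s\n' "$routes" | grep -c '^default ' || true)
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$routes" | grep '^default ' | grep -Eq " dev ${want_dev}( |$)"
}

setup_ns() {   # must run as root
    ip netns add "$NS"
    ip link add "$HOST_VETH" type veth peer name "$NS_VETH"
    ip link set "$NS_VETH" netns "$NS"
    ip addr add 10.200.1.1/24 dev "$HOST_VETH"
    ip link set "$HOST_VETH" up
    ip -n "$NS" addr add 10.200.1.2/24 dev "$NS_VETH"
    ip -n "$NS" link set "$NS_VETH" up
    ip -n "$NS" link set lo up
    ip -n "$NS" route add default via 10.200.1.1
    # `ip netns exec` bind-mounts /etc/netns/$NS/resolv.conf over /etc/resolv.conf,
    # so DNS from inside the namespace goes to the VPN resolver, not the ISP's.
    mkdir -p "/etc/netns/$NS"
    printf 'nameserver %s\n' "$VPN_DNS" > "/etc/netns/$NS/resolv.conf"
    # Host side: NAT the namespace subnet out via the VPN and drop everything
    # else, so if the tunnel is down the namespace simply has no way out.
    sysctl -qw net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s 10.200.1.0/24 -o "$VPN_IF" -j MASQUERADE
    iptables -A FORWARD -i "$HOST_VETH" -o "$VPN_IF" -j ACCEPT
    iptables -A FORWARD -i "$HOST_VETH" -j DROP
    iptables -A FORWARD -o "$HOST_VETH" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Self-check inside the namespace: exactly one default route, via the veth.
    default_route_ok "$(ip -n "$NS" route show)" "$NS_VETH"
}
```

    Run `setup_ns` as root once, then start the application inside the namespace as your normal user, for example `ip netns exec "$NS" sudo -u "$SUDO_USER" firefox -P vpn`.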
  • (Score: 1, Informative) by Anonymous Coward on Monday October 02 2017, @03:54PM (#575941)

    Good call! I was going to wonder if routing traffic to the NIC vs. VPN could be done based on port number, but that would be clumsy anyway. Namespaces sound like the correct answer.

    I found Per process routing take 2: using cgroups, iptables and policy routing [evolware.org] with an intro to using cgroups and iptables to accomplish this on Linux. More stuff on the Arch Linux forums [archlinux.org] and also ServerFault [serverfault.com]. Didn't give an extensive read, but looks good at first glance.

    cgroups look to be the key, and it looks like systemd is not needed. Does BSD have something similar?

  • (Score: 2, Informative) by Anonymous Coward on Monday October 02 2017, @04:42PM (#575964)

    If you want to reduce the number of manual steps when setting up network namespaces, check out "firejail" [1]. Personally, I use it somewhat similarly to what OP is looking for, by configuring different application profiles to bind to different network interfaces. For example, one Firefox profile is bound to the VPN tap interface. If you have several VPNs set up, you could easily use firejail to restrict which networks are visible to each process by using different profiles. Firejail can also somewhat protect you from browser cookie leakage, by emulating a new $HOME per profile.

    [1] https://firejail.wordpress.com/