Let's talk about home network security and privacy in the US

Not intended to be a politics post, and definitely not a place to sling all manner of shit at people.
What this thread is for, is to discuss and advise on securing a home network and retaining as much privacy as a person could want, in connecting to the internet from their home.

Article today/yesterday about US Govt prohibiting importing or sale of “foreign made” routers for consumers. Obviously this is another in a long line of encroachments into online privacy - the citing of fears from spyware are (given the intelligence level and manipulative nature of the current admin) cover for shoehorning more surveillance into everyday life. We already know about the insane data collection going on…

Which got me thinking - prior to this were the state bans, then VPN bans making their ways around. Many of us (myself included) beefed up security at home in ways we - general consumers and not network specialists - know how. Using our own modem/router instead of ISP’s lease, quality VPN, setting up Pi-Hole for DNS, and other adjustments to improve upon “nothing” as security. But this is definitely not enough, I’m not naive to think all my data isn’t in Theil/NSA hands already (but I did delete FB/IG in 2020, never used twitter, and “look but don’t touch” reddit).

I’ve come across HomeLab, OpenVPN, Tailscale and heard a little about Opnsense. I’m not a total neophyte even if I’m pushing 50 - I know a bit about physical routers and networking gear, but the virtual stuff is new to me.

So I am asking you folks - presumably there are people in this forum who are well-experienced in cybersecurity, who can offer reasonable, practical, and Everyman-friendly methods to retain some semblance of privacy in the face of a hostile government and happily complicit ISPs… What say you?

Does a “software router” offer a greater or more flexible option to improve a home network’s security? Is it worth setting up something like Tailscale and a whole lab - some of what I’m coming across are entire home automation suites and crammed with all manner of apps and sorting tools - that’s not me.

My use case: I run a small business, sales and marketing agency, from my home office. I do travel, ~30% (this is relevant). OSX desktop, iDevices for both adults in the home, SurfacePros for tablet/laptop. AppleTV handles streaming, PS5, got a Roku in the workout room. Vizio tvs are blocked at the router, and we have a Reolink security camera setup on the regular network (getting a NAS and HomeAssistant hub for controlling this, Nest thermostat and some lights). We’re on 1 gig dynamic service from a cable ISP, runs into an Arris and Nighthawk that supports the speed. Heavy-data-use devices are ethernet connected (desktop, ATV, PS5). About a dozen devices on both wifi bands.

Because I travel, it has to work without maintenance and the other adult is not as tech-inclined. Their chief concern is making sure the cameras work when they need to, and streaming speeds are stable. I want to go further - drop all our subscriptions and sail the seas, set up a Plex or similar for all our media, and have it work as seamlessly as it does now. Ensuring our own privacy is the driving force behind this - both from outside agencies, and from a psycho neighbor with all the time in the world. (If anyone knows the process of getting someone else’s mortgage canceled, I’m all ears)

Budget is tight but not miniature - I can write everything off and intend to (yay SMB), but I gotta pay for it first…between getting a NAS to handle NVR and Plex, plus another device to run it, it’s a fair bit of spend. Do I need to get a static IP from my ISP? Is it enough to set up a DNS hole with a Pi Zero W, or does it even work (or just break lots of sites)?

Hopefully someone has some ideas, and it will help other folks looking to improve privacy, given, ya know, we’re watching lots of porn 'round here…

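On the “does a DNS hole even work, or just break lots of sites” question above, here is an added example (not code from any post in this thread, and not Pi-hole’s own code) that models how a Pi-hole style sinkhole decides what to answer. It parses a hosts-format blocklist (the format most adlists use), blocks a name and every subdomain under it, lets an exact-name allowlist win over the blocklist, and answers blocked names with 0.0.0.0 instead of forwarding them. The list contents are constructed for the example and show the usual failure mode: one overbroad entry (`cdn.example`) takes out a legitimate host until it is allowlisted.

```python
"""Added example (not from the thread, not Pi-hole's code): how a DNS
sinkhole decides to answer or forward a query. Blocklist is hosts-format,
matching covers subdomains, allowlist beats blocklist, blocked names get
0.0.0.0. Sample list contents below are constructed for illustration."""

import ipaddress

# Constructed blocklist in hosts format: "<addr> <name>", '#' comments.
SAMPLE_BLOCKLIST = """
# constructed sample, not a real adlist
0.0.0.0 ads.example
0.0.0.0 tracker.example.net
127.0.0.1 telemetry.vendor.example   # some lists use 127.0.0.1
0.0.0.0 cdn.example   # overbroad entry: breaks sites served from it
"""

# Constructed allowlist: exact names that must resolve even if a list hits.
SAMPLE_ALLOWLIST = {"static.cdn.example"}


def parse_hosts_blocklist(text):
    """Return the set of blocked names from hosts-format text."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])     # first field must be an address
        except ValueError:
            continue
        for name in parts[1:]:
            blocked.add(name.lower().rstrip("."))
    return blocked


def _labels_up(name):
    """Yield the name, then each parent: a.b.c -> a.b.c, b.c, c."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(qname, blocked, allowed):
    """('allow'|'block', reason). Allowlist is exact-match and wins;
    a blocked name also blocks everything beneath it."""
    qname = qname.lower().rstrip(".")
    if qname in allowed:
        return ("allow", "allowlisted")
    for candidate in _labels_up(qname):
        if candidate in blocked:
            return ("block", "matches " + candidate)
    return ("allow", "not on any list")


def answer(qname, blocked, allowed):
    """What the sinkhole hands back: '0.0.0.0' for a blocked name, None
    meaning 'forward to the upstream resolver'."""
    verdict, _ = decide(qname, blocked, allowed)
    return "0.0.0.0" if verdict == "block" else None


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    for q in ["ads.example", "www.ads.example", "example",
              "cdn.example", "static.cdn.example", "img.cdn.example"]:
        print(f"{q:22} {decide(q, blocked, SAMPLE_ALLOWLIST)}")
```

Two caveats worth knowing before trusting a Pi Zero W as “the” privacy layer: the sinkhole only sees lookups that are sent to it, so a device with a hard-coded resolver (many TVs and IoT gadgets use 8.8.8.8 directly) or a browser using DNS-over-HTTPS walks straight past it unless the router also blocks or redirects outbound port 53 and the known DoH endpoints; and a sinkhole hides the names you look up from your ISP only if its own upstream queries are encrypted (DoT/DoH), otherwise the ISP still sees every domain at the resolver hop.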

I have a lot to say so I’m just gonna mention here I’m building a post to respond more in-depth

A quick couple points.

The government is unfortunately right to be wary of foreign routers. TP-Link is known for having suspiciously common and similar vulnerabilities that look like back doors.

A while back:

It’s often misconstrued as racism but Chinese manufacturers are often forced via the government to embed backdoors and spyware. This has nothing to do with them being Chinese. It’s the CCP.

The fact about surveillance is it’s impossible to escape without rigorous digital hygiene. Most will not have the skill or patience to do so. (Myself included)

The most useful things you can do to get 90+% there

  • Open source firewall/access point (opnsense/openwrt)
  • Linux based home computer
  • Rooted and modded smartphone
  • DNS Sinkhole (pihole/opnsense unbound)
  • reliable adblock

I will make a more detailed post later.


But supermicro is a US company, unless there is another supermicro, or you meant the aspeed BMC chip, but that is from taiwan. Supermicro usually does bare minimum for their ipmi firmwares.
I know that their older motherboards had hardcoded private key used for ipmi licenses so there was probably some low security in auth too, I think that has changed since X12 boards.

I went and re-investigated this and you’re right. I was mistaken.

Supermicro is an American company who bought chips from a Chinese manufacturer that contained backdoored firmware. Will need to re-read on that to get the details right.

Excellent, I look forward to seeing it.
for your points: Foreign routers - yep, no arguments from me, any country trying to stay on top of advancements is going to find any way to peek at others’ homework. Two things can be true - chinese govt mandating backdoors and a US admin finding ways to identify and grab people they don’t like.
Definitely understand the hygiene and surveillance problem. I think of it like stepping on a toothpaste tube - you’re not going to get it back in, but putting the cap on before someone else stomps on it isn’t the dumbest idea.
90% there is - in my uneducated opinion - probably enough to stay off radar and retain anonymity. A black hole of data on an ISP’s node is probably going to get noticed, is my thinking. “What’s that guy doing? Let’s check…”

regarding Linux and modding smartphones… yeah no, I’m not that guy and it’s well outside my skillset. I can “monkey-see, monkey-do” just fine like anyone who can ctrl-C, ctrl-V, but I frankly do not have the bandwidth to learn a new OS, and I absolutely will brick a smartphone inadvertently…plus my partner has stated “do not fuck around with my smartphone, it works fine and I don’t want/need it.”

Security is only as good as the users practicing it, and one of the users here is more concerned with everything functioning as it has, than privacy. You only get to 25+ years if you learn to pick your battles. So I’m navigating around - privacy is a higher priority for me, but they also know me well enough to insist on guardrails… Cabin in the woods off the grid and no tech? I’d say I’ll miss watching PL soccer, but I’m Spurs so…

I’m going to format this in 3 sections.

  1. The every-man - Someone who just doesn’t want the government to know about their kinks.
  2. Privacy conscious users - Users who know the level of surveillance that’s happening and are maybe a little technical
  3. Deep paranoia - people who are hypervigilant against surveillance threats. Deep technicality is required here.

Users who are technical I will skip simply because, they know how they would protect themselves but for the fun of the exercise, I will do a hyperdepth privacy profile under deep paranoia.

The Everyman

Most people who aren’t very privacy conscious are at least aware that the government isn’t someone they can trust. Particularly with digital ID being a more commonly pushed idea.

1. Change your router

The router given to you by ISP is more than just a router. It’s a router/switch/access point/firewall/modem combo device.

Purchase a router from a reputable company that maintains the firmware. Unfortunately I think the only reputable companies are Ubiquiti and Netgear. You can research for more. I personally recommend GL.iNet (this is a Hong Kong based company but the firmware is OpenWrt based, you can re-flash it with the fully open source OpenWrt). This is the AP I use.

If your router is also a modem (your coax/fiber/DSL connects directly to the wifi device), you’ll need to put it in bridge mode. Google “{{your router model}} bridge mode” This will guide you on how to make your router only a modem and pass along all the gateway functionality to another router.

When you have these in place you should be able to plug in your router and configure it based on the automated setup guide. It should connect you to your ISP. If your ISP is DSL you may need PPPoE credentials from your ISP to configure your new router.

2. Stop using google/apple/microsoft/proton services

Yes I included proton in that list.

This is a repo I frequent for recommendations for various services and tools: GitHub - pluja/awesome-privacy (Awesome Privacy - A curated list of services and alternatives that respect your privacy because PRIVACY MATTERS)
This is a website I use to find alternatives to software and services: https://alternativeto.net

3. Use a reputable VPN

This changes all the time but currently the most consistently proven company to retain your privacy is mullvad

Do not trust most articles on what the best VPNs are.
firstly, most VPNs are datamining operations. Most are not trustworthy.

Mullvad is the only one that has remained trustworthy over a long period of time.

6. Adblock (DNS and content filtering)

uBlock Origin is the only adblock that is trustworthy. Don’t confuse it with ublock (not origin).

Most adblocks are owned by advertising networks and use adblock itself to datamine. uBlock Origin is open source and is more than just an adblocker. It also blocks trackers and malware.

If you want to block ads/trackers/malware over DNS without going the full mile of configuring a DNS sinkhole, use public adguard (Option 2)

7. Don’t buy IoT devices

Unless you’re highly technical and know what to look for, buying an IoT device like a smart pet feeder is very akin to buying a teleporter that everyone can use to get into your home. This is basically always a bad idea. But if you already have one, or still plan to get them, do these things:

  1. Disable UPnP on your router - Universal Plug and Play allows internal devices to open your firewall and bring in traffic from the outside.
  2. Block them from the internet - (requires some technical skill/google)
  3. Isolate them in their own network - (requires some technical skill/google)

Privacy conscious users

Basically everything in the everyman applies here as well. But if you’re a bit more technical there’s some things you should do:

  • Put IoT devices on a VLAN, block internet access
  • Use a Linux based OS
  • Replace Android with GrapheneOS or LineageOS
  • If you have an iPhone. Buy an android that can be rooted.
    • I personally recommend fairphone, nothing phone, or a google pixel that grapheneOS supports

Before I hear about it from the Apple fanboys: Apple products cannot be trusted [1] [2]

  • Replace your online services with self-hosted solutions
  • Replace social media with RCS/Signal
  • Use Grayjay/newpipe/revanced for youtube
  • Replace chromecast with Fcast/Miracast
  • Sail the high seas

It would also be useful for you to know the tools/services I use to give you a better idea:

Infrastructure

Firewall - opnsense hardware
AP - openwrt hardware
OS - Linux (NixOS) hardware
Android OS (https://lineageos.org)
Email - https://tuta.com
Hardware FIDO2 (U2F) key - Thetis
Virtualisation - A combo of Proxmox/MicroVM/qemu
Remote Desktop - (wayland RDP/rustdesk/moonlight/ssh)

Services

Authentication - GitHub - dani-garcia/vaultwarden (Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs)
Calendar - https://radicale.org
Photos - https://immich.app
AI - https://lmstudio.ai / Signal (ZeroClaw)
Instant messaging - https://signal.org
Notes - https://obsidian.md
Porn - https://stashapp.cc
Source Code - https://forgejo.org
Automation - https://n8n.io

Deep Paranoia

I don’t expect anyone to go to this depth but purely as an experiment in thinking.
How deep does the rabbithole go

Warning. There are infohazards beyond. Once you learn about these, you can’t go back

This is your final warning

Physical Threats

AI Cameras in public spaces
Grocery stores dynamic pricing
Retail store behavioral analysis
Shemaghs are better than scarves if you live in a cold climate. They’re also non-threatening wear for covering your face. You won’t be racially profiled. I know because I wear this out on regular days.

GPS Tools
While GPS is very useful, it’s a nightmare for your privacy. Your phone even while off still tracks your location

You should not use a GPS that requires you tie an identity to it, even an anonymous one.
You can buy personal GPS systems that allow you to privately utilize map navigation without doxxing your location to any entity

Biometrics are constantly under threat
This is an issue that is near impossible to avoid. You were born, so at a minimum you have a mother, father, grandparents, who most likely had to give the government their biometrics at some point or another.
There’s also DNA family tracking services that datamine your and your family’s DNA.
It is imperative you never have children, and never travel outside the country legally.
The only way out is to change who you are or hide who you are.

  • Burn your fingerprints with sulfuric acid
  • Eat lots of probiotic and fermented food to change your gut microbiome, your bathroom shouldn’t be able to doxx you
  • If you don’t want to be identified via DNA, you should always wear clothing that stops you from leaving a trace. Such as gloves, a dustproof suit to prevent skin cells from shedding
    • It should be safe to modify it by cutting off the hood to conceal you are wearing one (if you are bald)
  • It goes without saying you need to shave your head
  • Color contacts will save you from having your Iris pattern matched.
  • Learning how to apply makeup can conceal identifiable information on your face such as moles.

Finances are the government’s tracking device

  • Work under the table. Only accept cash
  • Never pay taxes
  • Start trading in monero for online transactions
  • Use Mullvad VPN and purchase using said monero

… To be continued

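To put some teeth on the “Disable UPnP” item in the IoT section above, here is an added example (not code from any post in this thread, and not from any router or camera vendor) showing what UPnP actually lets a device on your LAN do, and how to audit it. A device opens an inbound hole by POSTing a SOAP `AddPortMapping` action to the router’s WANIPConnection control URL; the same service’s `GetGenericPortMappingEntry` enumerates what has already been opened. The action and argument names are the ones defined by the UPnP IGD WANIPConnection:1 service; the router address, control path and the sample response are assumptions constructed for illustration.

```python
"""Added example, not from any post in the thread: what UPnP lets an
internal device do to your firewall, and how to audit it. Action and
argument names follow UPnP IGD WANIPConnection:1; the router address,
control path and sample response are constructed for illustration."""

import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Assumption: a real control URL comes from SSDP discovery plus the router's
# device description XML, not a fixed path. Placeholder for illustration.
CONTROL_URL = "http://192.168.1.1:5000/ctl/IPConn"


def soap_envelope(action, args):
    """SOAP body a UPnP client sends for one action on the service."""
    arg_xml = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE}">{arg_xml}</u:{action}>'
        "</s:Body></s:Envelope>"
    )


def add_port_mapping_request(ext_port, int_port, int_client,
                             proto="TCP", desc="camera", lease=0):
    """The HTTP POST an IoT device makes to expose itself to the internet.
    NewRemoteHost='' means any source; NewLeaseDuration=0 means permanent."""
    args = {
        "NewRemoteHost": "",
        "NewExternalPort": ext_port,
        "NewProtocol": proto,
        "NewInternalPort": int_port,
        "NewInternalClient": int_client,
        "NewEnabled": 1,
        "NewPortMappingDescription": desc,
        "NewLeaseDuration": lease,
    }
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#AddPortMapping"',
    }
    return CONTROL_URL, headers, soap_envelope("AddPortMapping", args)


def parse_mapping_entry(xml_text):
    """Parse one GetGenericPortMappingEntry response into a dict keyed by
    field name without the 'New' prefix (ExternalPort, InternalClient...)."""
    root = ET.fromstring(xml_text)
    entry = {}
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip a namespace if the router adds one
        if tag.startswith("New"):
            entry[tag[3:]] = (el.text or "").strip()
    return entry


def risky_mappings(entries):
    """Flag enabled mappings open to any remote host with no expiry: the
    shape a camera or pet feeder leaves behind when UPnP is on."""
    flagged = []
    for e in entries:
        if (e.get("Enabled") == "1" and e.get("RemoteHost", "") == ""
                and e.get("LeaseDuration") == "0"):
            flagged.append(
                f"{e['Protocol']} {e['ExternalPort']} -> "
                f"{e['InternalClient']}:{e['InternalPort']} "
                f"({e['PortMappingDescription']})"
            )
    return flagged


# Constructed sample shaped like a router's reply to
# GetGenericPortMappingEntry (all values made up for this example).
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:GetGenericPortMappingEntryResponse
 xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>8000</NewExternalPort>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>80</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>camera</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    url, headers, body = add_port_mapping_request(8000, 80, "192.168.1.50")
    print("POST", url, headers["SOAPAction"])
    print(body)
    print(risky_mappings([parse_mapping_entry(SAMPLE_RESPONSE)]))
```

Against a real router the control URL is found by sending an SSDP M-SEARCH for `urn:schemas-upnp-org:device:InternetGatewayDevice:1` and reading the `controlURL` out of the device description XML; you then POST `GetGenericPortMappingEntry` with `NewPortMappingIndex` 0, 1, 2… until the router answers with UPnP error 713 (SpecifiedArrayIndexInvalid), and feed each reply through `parse_mapping_entry`. The check that UPnP is really off is that this enumeration fails: no IGD answers the M-SEARCH, and an `AddPortMapping` POST gets an HTTP error rather than a new hole.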

Same can be said about the US. Do you think your Intel or AMD CPU doesn’t have backdoors? Think again, they have several!

RSA/AES encryptions? Tor? Look behind the curtain who funded it all. Oh, and what is AES-NI exactly? Why is it “hardware accelerated”?

And why do Intel and AMD processors have multiple layers of abstraction and virtualization hidden from the ring 0 and above layers?

Yes, there’s no such thing as privacy or security. It’s all a sham. The government can see everything and that has been the case for long.

I wish I was shitposting, but I really am not.

I never mentioned anything specific about the US
Any government could make the claim about china and it would be correct. Also Intel and AMD don’t have American FABs. They’re all TSMC.

I’m also by no means claiming the US government (or any government for that matter) can be trusted. The only trust you can really have is in what you can have attested with science.

Benevolence is rare and fragile. The only people who you should trust are the ones that want you to protect yourself.

Good goddamn, that’s the kind of thing I was hoping would result from my post. TYVM, I have a lot of reading/studying to do.

Re: retail analysis and dynamic pricing have been going on since smartphones rolled out. Devices tracked from parking lot and path through store, time spent in front of x display or product, and cross-ref’d with regular security cameras. I used to consult with retailers about implementing these (dynamic pricing never made it to my industry with MAP in place pretty ubiquitously) in their multi-door operations: how they can ID repeat customers and “capture” them, improve merchandising presence and frequency of display rotation, strategic staffing assignments, and more. Even without actually invading privacy - it’s just watching a person in public and their signal - the level of information that can be pulled from a phone signal and your own visible habits, is pretty incredible, and it didn’t cost nearly what the new facial recognition stuff does. REI was one of the first major chains outside grocery (Kroger et al were immediately on it) to use it, Whole Foods and Target were both also playing around with dynamic pricing way back in the aughts; started within regions, then store-by-store… this within-store is fuckin nuts. I know margins are super slim, but FFS the one thing that will make businesses instantly more in the black and not have to chase this shit is fuckin universal healthcare…

The biggest and first line of privacy concern with facial recognition is not the government, it’s private businesses (incl Flock). Nothing is preventing them from giving or selling that data to the government or a 3rd party. Locally, many of your Flock cameras are hosted by private businesses getting a few bucks for the posts at the edge of the parking lot and empty promises about improved security on the premises - a little digging and I’m sure a few major insurance companies are on board as well.

It should be called “Video Recognition” at this point, because it’s not just faces, it’s observable biometrics - height, size, gait, and even clothing style and brands. The only method really is to just not be observed at all. While there likely isn’t a specific file with your name on it in a data center somewhere, all this information about you is, and companies like Palantir (they are not the only one) are desperately trying to improve connecting that raw data to individuals. So there is likely still a period of time where an individual can feed garbage into the system - but human behavior will eventually out you… We are creatures of habit and routine - to the point where working to deviate from habits or routines will also out you… That’s the scary and insidious part, all this new surveillance is designed to use normal everyday behavior against us.

If you care about privacy, you shouldn’t be using a retail router made after 2013, and should be making your own router from PC hardware released before 2013 with a Libreboot BIOS and custom drivers. You also shouldn’t be using a cell phone.
Everything is backdoored, your phone is tracking everything about you from your location to your body temp and heart rate.
The US is blocking foreign routers as a matter of national security because they can’t reliably disable the spyware/backdoors built into them. Yes, the US also puts spyware and backdoors in stuff made here.
Nobody is the good guy here, but that’s just the way of this world until we clean out our governments and outlaw lobbying.

Proton is fine. Just pay in cash/crypto. Mullvad would run into the same issue if you paid with identifiable methods. They both offer the cash/crypto option with no identifiable information needed.

I think about going full on crazy conspiracy guy levels a lot but it’s almost like at this point it’s kind of out of the bag. Would have had to start way back to be really good. They don’t need my face to ID me on camera. Flock cameras are popping up all over the US. I was altering my routes but it’s a losing battle there. Every damn house around me has a Ring camera.

I don’t know if too much anonymity itself is suspicious yet but the way the world is going it might be a thing in the future.

So I mostly stick to being secure but not overzealous. I still have an iPhone that I use with family. It has Apple Music, Apple TV, etc. I pay my normal person bills on it. I have a pay as you go phone for any other services where I want privacy. I have two bank accounts. I use virtual cards for purchases funded by bank #2. Definitely not 100% private there but at least it’s not PayPal, CashApp, Venmo, etc and doesn’t expose too much money or require allowing Plaid into your account to datamine your banking history. Every service has its own email alias as well. Smart TV is on its own network. No other smart devices. I use a VPN, encrypted DNS via Quad9/Unbound with DoT. Own my network hardware like mentioned in other posts.

I don’t use other streaming services. I ditched Google, Meta, etc. completely. I use Kagi for search. First search I didn’t find myself inevitably falling back to Google so I pay for it. I wiped my Reddit history and deleted my account. No longer use Windows on personal devices (thanks XTPlayer for supporting Linux). Browser has uBlock and the multi-account containers extension for cross-site stuff. Passkeys whenever available.

Unfortunately I’m IT in a Windows environment and work from home. I’m working on being able to VDI for work and get Windows out of my house entirely and possibly just using Linux at work since I don’t do much Windows specific. I almost slipped after recently trying to get one of the AI scripting apps to run on Linux and nearly caved on installing Windows on a spare PC.

So probably not fooling any governments but at least it’s something and not too out of the way to stick with.

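The post above mentions running Unbound with DNS-over-TLS to Quad9. As an added example (not code from any post in this thread, and not Unbound’s or Quad9’s code), here is what that transport actually does, reduced to one lookup: the client opens a TLS session to 9.9.9.9:853, verifies the certificate chain and that it is issued for `dns.quad9.net`, and only then sends a length-prefixed DNS message (RFC 7858). That verification step is the entire privacy gain over plain port-53 DNS: the ISP sees a TLS connection to a resolver, not the names being looked up, and cannot forge answers. Building and parsing the wire format run offline against a constructed response; only the `__main__` block touches the network.

```python
"""Added example, not from any post in the thread: a minimal DNS-over-TLS
(RFC 7858) lookup like the one Unbound makes when forwarding to Quad9.
Wire-format build/parse run offline on a constructed response; only the
__main__ block opens a network connection."""

import socket
import ssl
import struct

RESOLVER_IP = "9.9.9.9"          # Quad9
RESOLVER_NAME = "dns.quad9.net"  # name the server certificate must match
DOT_PORT = 853


def build_query(qname, qid=0x1234):
    """DNS query (RFC 1035): header with RD set, one question for an A record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(lbl)]) + lbl.encode()
                    for lbl in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, IN


def _read_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg, expect_id):
    """IPv4 strings from the answer section; checks id and RCODE first."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expect_id:
        raise ValueError("response id does not match query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                               # skip question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def dot_lookup(qname, qid=0x1234):
    """Send one query over TLS to the resolver and return its A records."""
    ctx = ssl.create_default_context()  # verifies CA chain AND hostname
    with socket.create_connection((RESOLVER_IP, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=RESOLVER_NAME) as tls:
            q = build_query(qname, qid)
            tls.sendall(struct.pack("!H", len(q)) + q)  # 2-byte length prefix
            ln = struct.unpack("!H", _recv_exact(tls, 2))[0]
            resp = _recv_exact(tls, ln)
    return parse_a_records(resp, qid)


# Constructed response for a query on example.com (offline test input):
# same id, QR|RD|RA flags, the question echoed back, one A answer whose
# name is a compression pointer to the question, TTL 300, address 192.0.2.1
# (TEST-NET; made up for this example, not the real address).
_Q = build_query("example.com")
SAMPLE_RESPONSE = (
    _Q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + _Q[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE, 0x1234))  # offline
    print(dot_lookup("example.com"))                  # live, needs network
```

If you want to confirm your own Unbound is really doing this and not quietly falling back to plaintext, the thing to look for on the firewall is that the sinkhole/resolver host only ever talks to the upstream on TCP 853, and that an outbound rule blocks UDP/TCP 53 from the LAN to anything other than your resolver.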

Thank you, Vlad! Was aware of most - but not all - of what you wrote about.

I thought about writing a guide at some point, on how I play videos+funscripts on my Quest + Edge2 combo under Linux, with 100% privacy - even “surviving” device inspection. I am almost 100% certain no one would read it, though… It is a solid workflow, but too technical for the everyday person - and definitely errs on the side of caution, not convenience: getting Developer access to run adb on the helmet, serving videos over minidlna from a LUKS-encrypted setup on an SBC, separate wifi subnet over tiny router running openwrt, etc.