What is wrong with just using a VPN
If you paste this question into a search engine, you will find various websites telling you that connecting to public Wi-Fi through a VPN is 100% secure. That is not entirely true. This is why:
- Your device is still connected to the hotspot's network, so every other client on it can see it.
- Most of the time you have to deal with the captive portal (login page), which is effectively a man-in-the-middle on your device: it intercepts your first web request and redirects it. It is difficult to prevent these pages from opening, meaning you are letting your device open an arbitrary (and potentially malicious) web page.
- VPN leaks (DNS queries, or traffic sent before the tunnel is up or while it reconnects) can be difficult to avoid.
Use a Raspberry Pi to connect instead
A solution to this problem is to put another device between your laptop and the hotspot and use it as a router. A Raspberry Pi can do this: it connects to the hotspot and forwards only the traffic bound for your external VPN.
The Raspberry Pi connects to the public Wi-Fi hotspot and deals with the captive portal. It then forwards your laptop's connection over its Ethernet interface, where all traffic is blocked except for packets addressed to the IP address of your external VPN.
This means that your laptop never touches the insecure network directly, and VPN leaks cannot reach the internet, since anything that is not destined for the VPN endpoint is dropped on the Pi.
What you would need :
- A secure VPN accessible over the internet with a static IP (the Pi's whitelist is by IP address, so it must not change)
- Raspberry Pi (any model)
- Wi-Fi adapter (if your model has no built-in Wi-Fi)
- Ethernet cable
- SD card for the Raspberry Pi
The truth is, you don't necessarily need a Raspberry Pi: any device that can run Linux and has two network interfaces can function in the same way. A Raspberry Pi is just convenient, cost-effective and easy to get.
For personal reasons, the steps are not detailed here, but if you want an idea of how it is done, the outline below should be enough for anyone who is not a beginner.
Steps to take
- Initial Raspberry Pi setup
  a. Ensure that SSH is enabled at boot
  b. Configure UFW (Uncomplicated Firewall) and Fail2ban to block repeated failed SSH authentication attempts
  c. Harden the SSH server (SSH key authentication instead of password authentication, and restrict logins with AllowUsers)
  d. Disable IPv6 (otherwise the IPv4-only iptables whitelist below does not cover it)
- VNC over an SSH tunnel (VNC provides remote desktop functionality so that you can view the captive portal and authenticate to the public Wi-Fi hotspot)
  a. Install TightVNC Server on your Pi
  b. Configure the SSH tunnel
  c. Connect to VNC
  d. Harden the Chromium browser (it will be used to deal with the captive portal on the public hotspot)
- Network forwarding and blocking
  a. Enable native IPv4 packet forwarding
  b. Configure firewall rules to block all forwarded traffic except connections to your external VPN
  c. Configure the script to run at boot
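As an added example (not the article's own script), here is what steps b and c of "Network forwarding and blocking" can look like as a single POSIX shell script on the Pi. The interface names (eth0 towards the laptop, wlan0 towards the hotspot), the VPN endpoint 203.0.113.10 on 1194/udp, and the chain name VPNONLY are assumptions; replace them with your own. The script also logs dropped forwards, so an attempted leak from the laptop shows up in the Pi's kernel log instead of silently disappearing.

```shell
#!/bin/sh
# Added example: VPN-only forwarding rules for the Pi router. Not the article's own
# script; the following are assumptions and must be adapted:
#   LAN_IF=eth0 (cable to the laptop), WAN_IF=wlan0 (public hotspot),
#   VPN_IP=203.0.113.10 (documentation address), VPN_PORT/VPN_PROTO=1194/udp.
# Usage (as root):  sh vpn-only.sh apply        Preview only:  DRY_RUN=1 sh vpn-only.sh apply
set -eu

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-wlan0}"
VPN_IP="${VPN_IP:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
CHAIN="${CHAIN:-VPNONLY}"
DRY_RUN="${DRY_RUN:-0}"

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# True if a rule already exists (iptables -C); in dry-run mode nothing exists yet.
ipt_has() {
    if [ "$DRY_RUN" = 1 ]; then return 1; fi
    iptables "$@" >/dev/null 2>&1
}

# Step a: forwarding between the two interfaces is what makes the Pi a router.
# IPv6 is disabled on the Pi (step d of the initial setup); if it were not,
# ip6tables would need the same default-drop policy.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then echo "sysctl -w net.ipv4.ip_forward=1"; else sysctl -w net.ipv4.ip_forward=1; fi
}

# Step b: default-deny FORWARD chain with one whitelisted destination.
# Only traffic the laptop sends across the Pi is filtered here; the Pi's own
# traffic (captive-portal browser, apt, sshd) uses INPUT/OUTPUT and is unaffected.
apply_rules() {
    ipt -P FORWARD DROP
    ipt -N "$CHAIN" 2>/dev/null || true   # already exists on a re-run
    ipt -F "$CHAIN"
    # laptop -> VPN endpoint only
    ipt -A "$CHAIN" -i "$LAN_IF" -o "$WAN_IF" -p "$VPN_PROTO" -d "$VPN_IP" --dport "$VPN_PORT" -j ACCEPT
    # replies from the VPN endpoint back to the laptop
    ipt -A "$CHAIN" -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # everything else: log (rate-limited) so leaks are visible in dmesg, then drop
    ipt -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "vpnonly-drop: "
    ipt -A "$CHAIN" -j DROP
    # evaluate our chain before anything else in FORWARD (UFW's chains included), once
    ipt_has -C FORWARD -j "$CHAIN" || ipt -I FORWARD 1 -j "$CHAIN"
    # hide the laptop behind the Pi's hotspot address
    ipt_has -t nat -C POSTROUTING -o "$WAN_IF" -j MASQUERADE || ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

if [ "${1:-}" = apply ]; then
    enable_forwarding
    apply_rules
fi
```

Because UFW is also installed on the Pi, keep its routed policy at deny (DEFAULT_FORWARD_POLICY="DROP" in /etc/default/ufw); the script inserts its own chain at the top of FORWARD, so the whitelist is evaluated before UFW's chains. For step c, call the script from a boot-time unit or save the result with the iptables-persistent package, since iptables rules do not survive a reboot on their own.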
Connecting to the internet
To actually connect to the internet with this setup, you go through a short process each time. This is what you would do:
- Secure the VPN client configuration on your laptop (it should point only at the VPN's static IP, the one address the Pi lets through)
- Connect your laptop to your Raspberry Pi using an Ethernet cable and power on both devices.
- Manually configure your laptop's Ethernet interface to use the Raspberry Pi as its router. You should not set a DNS server: your VPN client will handle DNS once the tunnel is up. A DNS server entry only adds unnecessary risk should your locked-down connection somehow fail.
- Establish the SSH tunnel to the Pi (forwarding a local port to the VNC server, which listens only on the Pi itself)
- Connect to VNC
- Connect to the public Wi-Fi hotspot and deal with the captive portal
- Connect to your external VPN from your laptop
- Shut down your Pi once you're done
Additional information
It is extremely important that you keep your Raspberry Pi fully up to date. The device is sitting on an insecure network, so it must always be fully patched. Use sudo apt-get update followed by sudo apt-get dist-upgrade to fully update your device. You should do this at least once per day.
Also double check that you updated the AllowUsers value in your SSH server configuration, so that only your own account can log in over SSH.
Ensure that you did not open any ports or set any firewall rules for the VNC server. These are not required, since VNC is tunneled through the SSH connection and must not be reachable from the hotspot. Check your UFW config with sudo ufw status verbose, and remove rules if necessary. See ufw help for more information.
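The checks in this section (AllowUsers set, password logins off, no VNC port opened in UFW) and the forwarding rules from "Network forwarding and blocking" can be verified in one place. The following audit script is an added example, not part of the original article; the VPN endpoint 203.0.113.10 and the chain name VPNONLY are assumptions. Each check reads the relevant tool's output from standard input, so the same functions run against the live system (as root, because sshd -T and iptables require it) or against a saved copy of the output.

```shell
#!/bin/sh
# Added example (not from the article): audit the Pi's SSH hardening, UFW rules,
# VPN-only forwarding and sysctl state. Assumptions: VPN endpoint 203.0.113.10
# (documentation address), custom chain VPNONLY, VNC on the 59xx port range.
# Each check_* function reads one tool's output from stdin, prints OK/FAIL lines
# and returns 0 only when everything it checks is as expected.
set -u

VPN_IP="${VPN_IP:-203.0.113.10}"
CHAIN="${CHAIN:-VPNONLY}"

# Input: "sshd -T" (effective configuration, lowercase "keyword value" per line).
check_sshd() {
    cfg=$(cat); rc=0
    echo "$cfg" | grep -qx 'passwordauthentication no' || { echo "FAIL sshd: password authentication is enabled"; rc=1; }
    echo "$cfg" | grep -qx 'pubkeyauthentication yes'  || { echo "FAIL sshd: public-key authentication is off"; rc=1; }
    echo "$cfg" | grep -qx 'permitrootlogin no'        || { echo "FAIL sshd: root login is permitted"; rc=1; }
    echo "$cfg" | grep -q  '^allowusers '              || { echo "FAIL sshd: AllowUsers is not set"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK sshd"
    return "$rc"
}

# Input: "ufw status verbose". VNC must only be reachable through the SSH tunnel,
# so no rule for a 59xx port may exist.
check_ufw() {
    st=$(cat); rc=0
    echo "$st" | grep -q '^Status: active' || { echo "FAIL ufw: firewall is not active"; rc=1; }
    echo "$st" | grep -q 'deny (incoming)' || { echo "FAIL ufw: incoming traffic is not denied by default"; rc=1; }
    if echo "$st" | grep -Eq '^59[0-9][0-9](/tcp|/udp)?[[:space:]]'; then
        echo "FAIL ufw: a VNC port is opened in the firewall"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK ufw"
    return "$rc"
}

# Input: "iptables -S FORWARD; iptables -S $CHAIN" (iptables-save syntax).
# Any ACCEPT that is neither addressed to the VPN endpoint nor return traffic
# is a path around the VPN.
check_forward() {
    rules=$(cat); rc=0
    echo "$rules" | grep -qx -- '-P FORWARD DROP' || { echo "FAIL forward: FORWARD policy is not DROP"; rc=1; }
    echo "$rules" | grep -q -- "-d $VPN_IP/32 .*-j ACCEPT" || { echo "FAIL forward: no ACCEPT rule for the VPN endpoint"; rc=1; }
    leaks=$(echo "$rules" | grep -- '-j ACCEPT' | grep -v -- "-d $VPN_IP/32" | grep -v ESTABLISHED || true)
    if [ -n "$leaks" ]; then
        echo "FAIL forward: ACCEPT rules outside the VPN whitelist:"
        echo "$leaks"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK forward"
    return "$rc"
}

# Input: "sysctl net.ipv4.ip_forward net.ipv6.conf.all.disable_ipv6".
# IPv6 must stay disabled, because the iptables whitelist is IPv4-only.
check_sysctl() {
    vals=$(cat); rc=0
    echo "$vals" | grep -qx 'net.ipv4.ip_forward = 1'             || { echo "FAIL sysctl: IPv4 forwarding is off"; rc=1; }
    echo "$vals" | grep -qx 'net.ipv6.conf.all.disable_ipv6 = 1'  || { echo "FAIL sysctl: IPv6 is still enabled"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK sysctl"
    return "$rc"
}

# Run against the live system (as root):  sh audit.sh live
if [ "${1:-}" = live ]; then
    rc=0
    sshd -T | check_sshd || rc=1
    ufw status verbose | check_ufw || rc=1
    { iptables -S FORWARD; iptables -S "$CHAIN"; } | check_forward || rc=1
    sysctl net.ipv4.ip_forward net.ipv6.conf.all.disable_ipv6 | check_sysctl || rc=1
    exit "$rc"
fi
```

Run it after every update and whenever you re-apply the forwarding script; a non-zero exit status means at least one check failed and the output names which one.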
Potential problems with this design
- The iptables whitelisting rules live on the device facing the insecure network: if the Pi itself is compromised, the rules can be changed and the laptop's traffic exposed.
- The durability of the iptables rules: they do not survive a reboot unless they are saved or re-applied by the boot script, and other tools that manage iptables (UFW included) can change chain policies or reorder rules.
Conclusion
This setup is fairly involved because of the number of steps. If you're not staying long in a place where you have to use the public Wi-Fi, it's not worth the effort, since it takes around 5 minutes to get connected each time. But if you're staying several days in a hotel where you're going to use their Wi-Fi for more than 5 hours, and you want your laptop kept completely off the hotspot network, it's worth it.
This article is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Special thanks to JamieWeb