Coldwave 0 Posted ... Hello, I have 2 PCs at my home. One is configured with Comodo firewall and all, and is always connected through AirVPN by wire to the router. On the other hand, my other PC is not connected to the VPN; it is connected wirelessly to the same home WiFi. Is it okay to connect like that? My non-VPN laptop is just for business purposes. I'm just curious whether it does any "damage" to anonymity and/or security. Thanks.
iwih2gk 93 Posted ... I prefer to isolate my VPN'd computer from other computers/devices, which are on my "INTRA-net". It might be over the top for some here. I use Linux but the principle is the same. Once my VPN'd computer is connected I completely isolate the machine and confine it to ONE thing - the AirVPN tunnel - tun0. My machine can see no other intranet devices and they can't communicate with the tunnel machine.

My intranet (home network) has satellite devices, network TVs, and normal computers; so I want them all "off limits" in both directions regarding my VPN'd machine.

Many here might not think this is needed, but it's so easy to do once you understand firewalls. This is my opinion regarding the question you asked.
Staff 9973 Posted ... Hello! iwih2gk's comment is good, especially for security. In order not to weaken the anonymity layer, it is even more important not to mix identities. As long as identities are not mixed, the anonymity layer is not compromised. A computer isolated from the rest of the local network can still weaken the anonymity layer if it uses, over the VPN, non-VPN identities. By "identities" in this context we mean any possible account, behavior, pattern. Such elements should not be used both over the VPN and not over the VPN. Kind regards
iwih2gk 93 Posted ... It should go without saying that a user should NEVER employ a VPN and then log into his REAL "person" unless his intention is to protect the traffic from prying eyes -- BUT -- not to protect the identity itself. Many companies use VPNs to encrypt traffic from snoops along the way. The application I just described is NOT why I use VPNs. I have regular encrypted computers for banking, email, PayPal, etc. I use Air as my first hop and from there it's Tor and/or another tunnel provider. I never use my "identity" once I leave the final circuit exit node - no exceptions!!

The only thing "freaky" about my arrangement is that I never get to see the nice green connected box at the bottom of the forum. I don't come to the forum website directly from Air exit nodes very often so my box is RED. LOL!!
Coldwave 0 Posted ... Hello again. Thanks for your answers. I only use my personal accounts (email, banking, PayPal etc.) on the non-VPN computer. And I also never use anonymous accounts on my non-VPN computer. Correct me if I'm wrong, that's what I understand by identities. Even though I don't mix identities on VPN/non-VPN, can the ISP figure out that the non-VPN identity is the same person as the VPN'd identity?
iwih2gk 93 Posted ... Basically the answer should be no. You didn't state what OS you are using so I'll assume it's Windows. Regarding your ISP on a Windows machine especially, you need to pay direct attention to DNS being locked down. While the tunnel will guard against your ISP actually reading your traffic it will NOT guard against DNS leaks on a Windows machine unless you have a client that does that.

I don't want to start an unresolvable debate here. Air along with several other providers have "point and click" clients, which allege to protect against DNS leakage. My personal opinion is that while I also use those clients I will construct my own firewall ruleset to eliminate any breakdown outside of my control. This approach does use all the client features. As a backup my firewall will bring things to a stop even if the client or any tunnel component in the circuit fails.

I am not trying to confuse you but what I indicated in my posts above this one deals with something that most clients never approach. I was referring to security of your INTRA-net not your internet. My way does both in that it isolates the VPN machine from any devices on YOUR network, while also taking care of the internet side of the transaction. It's very easy and this way all those devices in your home can't burn you if a user does anything stupid with them.
Coldwave 0 Posted ... I'm using Windows 7 x64. I've configured my firewall to cut the connection if the VPN drops. Is that what you mean by the leakage? How do I get into this INTRA-net you are talking about? Is there any tutorial or some good site to read about it? I'm pretty much a newbie when it comes to these things, hence I've never heard of it.
iwih2gk 93 Posted ... Intranet = your home network. Put simply, all devices on your home network are on your intra-net. I don't know what devices you have on your network at the same time you are connected on the VPN machine. On your intranet the LAN address is your router's address and how you'll pull up the Admin panel on it. For most it's 192.168.1.1 but the last digit can be different.

The important (to me it seems important but many don't seem to care much) thing is WHY would I allow any device using the same router to ping or communicate with my VPN machine while I am using the tunnel? Unless something sinister is going on it should not matter at all, but if you weren't at all concerned about that, would you be in this forum??? I know this will sound "tin foil hat" but my satellite stuff and TVs being on the network 24/7 along with other family computers provide too large of an attack surface for my liking. I bring up my connection and then activate an exclusive firewall tunnel so my machine IGNORES any request or ping from the outside, and that includes devices on the intranet, which would give them a unique advantage since they are already past the router.

I have not looked at the Air client for Windows so I don't know what steps if any are taken regarding INTRAnet protection. I don't see how you could prohibit all device interaction if the client can establish a connection after your firewall is up. I go the other route and allow the connection and then I lock it all down in 2 seconds afterwards. When my firewall is up I can't even log into the router unless I am in the tunnel. I don't log into the router from the tunnel. I would drop the firewall and tunnel before logging into the router for Admin work within it.
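
The lock-down described in this thread (a Linux host confined to tun0, with home-network devices and off-tunnel DNS shut out in both directions) can be expressed as a default-drop iptables ruleset plus a check that nothing on the physical interface escapes it. This is an added example, not the poster's own rules; the interface name eth0 and the endpoint 203.0.113.10:443/udp are assumed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: eth0 (physical NIC) and
# 203.0.113.10:443/udp (placeholder VPN endpoint). tun0 is named in the post.

# Print an iptables-restore ruleset: default DROP everywhere, the physical NIC
# may carry only the encrypted transport to the VPN server, the rest uses the tunnel.
lockdown_rules() {
    phys_if=$1; tun_if=$2; vpn_ip=$3; vpn_port=$4; vpn_proto=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ${phys_if} -d ${vpn_ip} -p ${vpn_proto} --dport ${vpn_port} -j ACCEPT
-A INPUT -i ${phys_if} -s ${vpn_ip} -p ${vpn_proto} --sport ${vpn_port} -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o ${tun_if} -j ACCEPT
-A INPUT -i ${tun_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin; succeed only if all three chains default to DROP
# and every ACCEPT rule on the physical NIC is pinned to the VPN server.
audit_rules() {
    a_if=$1; a_ip=$2; a_rules=$(cat)
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$a_rules" | grep -q "^:${chain} DROP" || return 1
    done
    ! printf '%s\n' "$a_rules" | grep -E -- "-[io] ${a_if} " \
        | grep -- '-j ACCEPT' | grep -qv -- "-[sd] ${a_ip} "
}

# Self-check only; nothing is loaded into the kernel here.
# To apply (as root, once the tunnel is up):
#   lockdown_rules eth0 tun0 203.0.113.10 443 udp | iptables-restore
# IPv6 needs its own all-DROP policy via ip6tables-restore, and no rule is made
# for DHCP renewals, so this assumes a static address or a long lease.
lockdown_rules eth0 tun0 203.0.113.10 443 udp | audit_rules eth0 203.0.113.10 \
    && echo "ruleset confines eth0 to the VPN endpoint"
```

With these rules loaded, DNS queries and router or LAN traffic on the physical interface are dropped, so name resolution only works through the tunnel and the router's admin page is unreachable until the rules are flushed.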