Help with setting up a secure home network and OpenVPN

Mrrobot?

New Around Here
Hello there, I'm well known around PC & OSX but I kinda suck when it comes down to network and VPN, so I'm in desperate need of guidance through setting up my home network, and especially one laptop that will run constantly on OpenVPN and has to be super secure.
So here's the current setup in my network and the PC that I need to be as safe as it could ever be.
I'm running VeraCrypt on a decent laptop with Win 10 & Ubuntu, with Ubuntu fully encrypted with VeraCrypt. On this I need to visit Protonmail and also 3 sites at most, and here I'm only going to use Tor?
Protonmail, you can add an emulator so it's like a mobile phone for instant message receipt?
I'm running on a shirtty ISP-provided router, Compal CH7486e, that doesn't support OpenVPN tunneling, so I've set it to bridge mode.
And my primary router is an Asus RT-AC68U on the latest Merlin firmware, and I've also got Ipvannish.com as VPN provider.
My home network has 5 wireless devices connected, 2 computers that are running the Ipvannish app on them and 2 mobiles also using the app. I've got a TV connected to the router and a printer that only supports 2.4G, so therefore I haven't disabled 2.4, and I'm also running a little easier passwords when my kids are here and guests.
Connected to the LAN port is the TV and my kids' gaming PC, and also the laptop in question? Is it better and safer running OpenVPN and connecting through the LAN port?
I've got AiProtection on, except disable UPnP, so my kids' PC and the TV are running correctly?
I'm also wondering which scripts I should implement and the easiest way to install them.
I also got a hidden SSID.
Other than that I haven't touched the rest of the Asus settings. Something else important that I've missed out?

So please go ahead and instruct me how to make it as SAFE as possible ?

 
So please go ahead and instruct me how to make it as SAFE as possible ?

Disconnect all your devices from Internet?
In my opinion most of your security measures are not necessary for a home network. You are just limiting yourself. What are you selling, drugs or weapons? Because you are voluntarily sending your information to TrendMicro for analysis by enabling AiProtection; VPN connections are not untraceable; your mobile operator knows exactly where you are at any given moment; Google/Apple know what you search for and how often, along with your location; your connected TV is most likely a weak security device; your family members most likely share information online; your hidden SSID basically means nothing, just an inconvenience for your guests, etc.
 
So I should maybe get another Asus router so I can double NAT and only use one without AiProtection? And what kind of scripts are good security-wise, and the easiest way to implement them? Thx for straight answers.
 
No matter what you do, there is always someone on the other side of your connection able to see what packets you send and receive and what servers you connect to. Your ISP, VPN, DNS, protection services you use, etc. If someone is badly interested in what you do online, there is a way to find out. I believe your family members won't be happy with all the limitations you put on your network. Double NAT will introduce just another set of potential issues. Many people on this forum run Diversion (router ad-blocker) and Skynet (firewall enhancement) scripts.
 
So the best option in my case is getting another Asus RT-AC68U and only running my "secure" laptop through that one?
And I've already set up the laptop with VeraCrypt and am running Ubuntu on a hidden partition.
 
All this while UPnP is enabled on the router. It's like having your door ajar with a brick stopping it from blowing completely open.
 
So the best option in my case is getting another Asus RT-AC68U and only running my "secure" laptop through that one? And I've already set up the laptop with VeraCrypt and am running Ubuntu on a hidden partition.

Your goal is to "secure" a laptop, as I understand. Then secure this laptop only and don't put restrictions on the entire network and your family. And forget about those "hidden" things. Your "hidden" SSID and your "hidden" partition are actually visible with proper tools. If someone wants to hack you badly, he'll know what to do.

This is what I would do in your case, using the same RT-AC68U you have:
(a bit too much, but why not, if we can)

- Change your router IP to something not so common like 192.168.136.103, for example. Or 10.10.1.23, if you like.
- Disable all AiProtect services.
- Change global DNS to something trusted with spyware, malware protection. You may try DoT, if supported.
- Install Skynet router firewall script. Set it to default protection level. You may adjust the settings after.
- Use DNSFilter parental control for the kids' devices.
- Create a 2.4GHz SSID for the printer only, put a MACFilter on it with printer's MAC only. Hide it, if you like.
- Create a 5GHz SSID for your computers, put a MACFilter with their MAC addresses. Hide it, if you like.
- Create a 2.4GHz Guest SSID with DNSFilter parental control (YazFi script can do it) and no access to Intranet. This is the one you'll give to your guests. This way they have Internet access, but no Intranet access and someone's kid won't be surprised by accidental adult content.
- Create a 5GHz Guest SSID with no access to Intranet. Connect all your mobile devices there. They don't need to communicate to each other and probably never use the printer.
- Run the VPN client on your computers, when you need it or all the time, your choice. This will save you money on router replacement. Make sure you set a Kill Switch. Choose a VPN Server in another country, if you feel safer this way.
- Use your encrypted connections on your laptop, along with all the "hidden" things you may like. Make sure you don't lock yourself out with all the encryption going on with this laptop. Drive failure is an interesting situation if you don't have all your keys, certificates, etc. you use.

There are endless configurations. You can do whatever you want, but remember to keep the balance between security and convenience. No one will have interest to steal your car if you remove all 4 tires and the engine every time you get home. But you'll need half a day in preparations to use your car again, every time you need it. And whatever you do, make sure your wife is happy with the restrictions you create, otherwise one day you'll find yourself sleeping in front of the door using your router as a pillow.
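
The kill switch recommended in the list above, sketched for the Ubuntu laptop as an added example that is not part of the original post: a function that prints an nftables ruleset which drops all outbound traffic except the tunnel, the VPN server itself and DHCP. The interface name `tun0`, the server address `203.0.113.10` (documentation range) and port 1194/UDP are assumptions; substitute the values from your own OpenVPN profile.

```shell
#!/bin/sh
# Added example: print an nftables kill-switch ruleset for an OpenVPN client.
# Nothing is applied here; review the output, save it, then load it as root
# with: nft -f <file>
# Assumptions (not from the thread): tunnel interface tun0, constructed
# server address 203.0.113.10, UDP port 1194.

killswitch_rules() {
    server_ip=$1; port=$2; proto=$3; tun_if=${4:-tun0}

    # Refuse anything that is not shaped like an IPv4 address, a port and a
    # protocol, so a typo cannot yield a ruleset that allows too much.
    echo "$server_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $proto in udp|tcp) ;; *) return 1 ;; esac
    case $tun_if in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac

    # The inet family covers IPv4 and IPv6, so "policy drop" also stops
    # IPv6 from leaving outside the tunnel.
    cat <<EOF
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$tun_if" accept
        ip daddr $server_ip $proto dport $port accept
        udp sport 68 udp dport 67 accept
    }
}
EOF
}

# With no arguments, print the ruleset for the constructed sample values.
killswitch_rules "${1:-203.0.113.10}" "${2:-1194}" "${3:-udp}" "${4:-tun0}"
```

If the tunnel drops, `tun0` disappears and every remaining packet hits the drop policy, so nothing leaves over the bare LAN or Wi-Fi link. Remove the rules with `nft delete table inet vpn_killswitch`.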
 
