Setting up security (VPN's, etc)

TheLyppardMan

Very Senior Member
I have just set up my RT-AX88U to use Quad9’s DNS servers, rather than the default settings for my ISP. However, I’m no expert at this sort of stuff, so I have a few questions which I’d appreciate answers to from someone more knowledgeable:-
  • Can anyone tell me whether it’s possible or indeed necessary to use a VPN on my network devices when at home, in addition to Quad9?
  • If only one of them can be used at any one time, which is likely to provide the most privacy and security?
  • I have an active subscription for Surfshark and I understand that there is an option to install that on the router in order to protect the entire network. If I were to do that, would there be an option to be able to exclude certain devices on the network and if so how would I do that?
  • If I did have Surfshark on my router, would that interfere with AdGuard that I have on two of my laptops and may be about to reinstall on my Fire TV Stick, if I can fathom out a way to access YouTube using the Siri browser when AdGuard is active, which I have yet to be able to do?
Basically, I am confused as to how all these various options interact with each other, so any guidance would be much appreciated. Thank you.
 
I'm on BT's Full Fibre 500 service.
These are the results of a quick speedtest on Ookla:-
 

Attachments

  • With Surfshark off (via Wi-Fi in another room).jpg
  • With Surfshark on (via Wi-Fi in another room).jpg
This is what I'm getting at the router (the network is not entirely idle at the moment as my daughter is on her laptop and phone).
 

Attachments

  • Speed test at the router.jpg
249 down on a 500Mbps service isn’t good to begin with
It's because the test was using Wi-Fi in another room. I'll run a test using Ethernet and post the results here in a few minutes.
 
Here's the results of connecting via Ethernet:-
 

Attachments

  • BT Via Ethernet (No VPN).jpg
  • BT Via Ethernet (With VPN).jpg
  • Quad9 via Ethernet no VPN.jpg
What devices are you planning to connect to the VPN?

You need to take the 50%+ reduction in speed into account
 
When all the family is here, we potentially have the following devices connected (see uploaded image). At busy times it's usually a mixture of surfing/streaming YouTube videos on my son's and daughter's devices and I might be surfing on my laptop or watching videos stored on my NAS, streamed to my Fire TV. There could be some downloading/uploading taking place as well, but that is very intermittent.
 

Attachments

  • Network Devices List.jpg
So, given that the VPN is slowing things down quite a lot, I presume it would be better to stick with Quad9 for general security and only use the VPN for really sensitive stuff, like online banking?
 
9.9.9.9 is your DNS and doesn't do anything other than translate www.xyz.com into 1.2.3.4

VPN over OVPN profiles on a generic router is going to be crap for speeds. If you have the option to switch to a WireGuard-based option like Nord using NordLynx then your speeds will be quicker.

I run a DIY router using a PC w/ Linux and can hit line speeds above 1 Gbps using Nord and have tested several options and they still come out on top for this sort of setup or in general even with PC clients or phones / tablets / etc.

TVs typically max out at 20 Mbps
phones are a trickle
streaming music / surfing the web aren't all that much either.

VPN allows you to obfuscate your IP by sharing the same IP with several users and also encrypts your traffic to the server it's connected to.
VPN is a layered approach to securing your network traffic beyond encrypting your DNS queries --- privacy
No matter the VPN provider you can use whatever DNS you want to as they're different functions and not mutually exclusive

Now, getting 50% of your BW isn't ideal if you're actually using the full bandwidth. Unless you're constantly DL'ing huge files 24/7 you're not using the full pipe. The benefit of higher BW plans is less waiting when you need to grab a huge file like W11 ISO to upgrade a PC or torrenting (VPN helpful in avoiding notices).

Even with a gig plan my downloads typically max out around 600 Mbps even with speedtests hitting gig speeds. The duration of the DL / peers / etc. all determine the reported speed during the DL. Generic speedtests usually lack in these same areas or the host server doesn't have a big enough pipe for true BW testing. Ookla does provide a downloadable app for testing but still uses the same servers. It is a bit better when measuring higher speed connections than the webpage is, though. I use a script in Linux that probes several servers by pinging them before picking one based on location, and then it runs an extended test against the server to get a better measurement.

Code:
server:~/SpeedTest$ ./SpeedTest
SpeedTest++ version 1.14
Speedtest.net command line interface
Info: https://github.com/taganaka/SpeedTest
Author: Francesco Laurita <francesco.laurita@gmail.com>

IP: 50.117.77.215 ( EGIHosting ) Location: [32.7767, -96.805]
Finding fastest server... 10 Servers online
..........
Server: Dallas, TX ook-dal-x1.puregig.net:8080 by Netprotect (0.758054 km from you): 13 ms
Ping: 13 ms.
Jitter: 4 ms.
Determine line type (2) ........................
Fiber / Lan line type detected: profile selected fiber

Testing download speed (32) ..............................................................................................................................................................................................................................................................................
Download: 930.98 Mbit/s
Testing upload speed (12) .......................................................................
Upload: 42.78 Mbit/s

AdGuard... I use Pi-hole instead as it's central on the server / router and you can DL lists of ad servers, but you can also scroll through the logs when you're seeing ads and block them. Really all this would need is a Pi or a PC that's on 24x7 to block anything you want to block, from curated lists to any domain you don't want accessed from your LAN.

There are different approaches for different scenarios and what works for me might not work for you, but hopefully this helps a little bit.
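The post above makes the point that the VPN tunnel and the DNS resolver are separate functions that can be combined however you like. The practical question that follows (and the OP's question about excluding devices) is whether the combination you configured is the one actually in effect: are the devices that should be tunnelled really leaving via the tunnel, are the excluded ones really bypassing it, and are DNS queries still reaching Quad9 rather than some other resolver? The following is an added example, not code from the thread or from any of the products mentioned. It audits router flow records against such a policy. It assumes the router logs forwarded flows as `key=value` lines with the original LAN source address and the egress interface (`out=`), that `tun0` is the VPN tunnel and `eth0` the ISP-facing link, and that the LAN addresses, interface names and log lines (all constructed here) stand in for your own.

```python
"""Audit router flow records against a per-device VPN / DNS policy.

Added example, not from the thread. The log format, interface names,
LAN addresses and sample lines below are all constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

QUAD9 = {"9.9.9.9", "149.112.112.112"}          # resolver the OP configured on the router
TUNNEL_IF = "tun0"                               # assumed VPN tunnel interface on the router
WAN_IF = "eth0"                                  # assumed ISP-facing interface
VPN_DEVICES = {"192.168.1.20", "192.168.1.21"}   # assumed: laptops that must use the VPN
BYPASS_DEVICES = {"192.168.1.30"}                # assumed: Fire TV excluded from the VPN
DNS_PORTS = {53, 853}                            # plain DNS and DNS-over-TLS


@dataclass(frozen=True)
class Flow:
    src: str      # LAN device address (original source, before any NAT)
    dst: str      # destination address
    dport: int    # destination port
    proto: str    # "udp" or "tcp"
    egress: str   # interface the router forwarded the packet out of


def parse_line(line: str) -> Flow:
    """Parse 'src=... dst=... dport=... proto=... out=...' into a Flow."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv["proto"], kv["out"])


def check_flow(f: Flow) -> List[str]:
    """Return the policy violations for one flow (empty list if it is fine)."""
    findings: List[str] = []
    tunnelled = f.egress == TUNNEL_IF
    if f.src in VPN_DEVICES and not tunnelled:
        findings.append("vpn-leak")           # should have been tunnelled, left via WAN
    if f.src in BYPASS_DEVICES and tunnelled:
        findings.append("unexpected-tunnel")  # excluded device still went through the VPN
    if f.dport in DNS_PORTS:
        if f.dst not in QUAD9:
            findings.append("dns-unexpected-resolver")  # query went somewhere other than Quad9
        if f.src in VPN_DEVICES and not tunnelled:
            findings.append("dns-leak")       # resolver query visible to the ISP
    return findings


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Map each offending log line to its findings; clean lines are omitted."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        findings = check_flow(parse_line(line))
        if findings:
            report[line] = findings
    return report


# Constructed sample records (documentation addresses), not real router output.
SAMPLE_LOG = [
    "src=192.168.1.20 dst=9.9.9.9 dport=53 proto=udp out=tun0",        # laptop, DNS via tunnel: ok
    "src=192.168.1.20 dst=203.0.113.10 dport=443 proto=tcp out=tun0",   # laptop, HTTPS via tunnel: ok
    "src=192.168.1.21 dst=9.9.9.9 dport=53 proto=udp out=eth0",        # laptop, DNS went out the WAN
    "src=192.168.1.30 dst=9.9.9.9 dport=53 proto=udp out=eth0",        # Fire TV bypasses VPN: ok
    "src=192.168.1.30 dst=203.0.113.20 dport=443 proto=tcp out=tun0",   # Fire TV should not be tunnelled
    "src=192.168.1.20 dst=198.51.100.53 dport=53 proto=udp out=tun0",   # laptop asked a non-Quad9 resolver
]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE_LOG).items():
        print(f"{', '.join(findings):<32} {line}")
```

One caveat worth checking before trusting the result: if LAN devices send their DNS to the router and the router forwards to Quad9, the logged source of the upstream query is the router itself, not the client, so the per-device DNS checks collapse into a single question of whether the router's own upstream queries leave via the tunnel or the WAN. In that setup an excluded device and a tunnelled device share the same resolver path, which is one reason "exclude some devices" and "tunnel all DNS" are harder to combine than they look.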
 
A VPN service (like Surfshark et al.) does not provide "security" (at home). All it does is hide your internet activity from your ISP (BT) and obfuscate your IP address to others. As such it's often a bad idea to use a VPN when connecting to banks or other secure sites as they often block access from "shared" or frequently changing source IP addresses.

The main reason people use a VPN at home (other than mistakenly thinking it's more secure) is to a) hide their illegal internet activities from their ISP (e.g. torrenting movies), or b) change their geolocation to another country so as to access content that would otherwise be blocked.

If however you were not at home and were connecting to public WiFi then using a VPN could be regarded as more secure.
 
Thanks for the detailed response. I'll have another look at it in a day or so when I have more time on my hands. I did check what options I have with Surfshark protocols and there are a few (currently it's set to "auto" but I can change that to see what difference it makes).
 

Attachments

  • Surfshark Available Protocols.jpg
I have had a few problems with blocking certain websites, although my main bank sends me a code to my phone if something looks a bit dodgy. I had a problem with connecting to my Canon TS8250 printer for scanning this evening, but I'm not sure if that was caused by Surfshark or not. I turned the VPN off, signed out and back in on my Windows account and everything was working again. I think I'll probably just leave Surfshark switched off most of the time and only switch it on when absolutely necessary.
 
This is the one you want for speed.

VPN shouldn't have anything to do with the printer. I have 0 issues with printing w/ VPN enabled. Seems more like a Windows issue to me.
It may just have been a coincidence then with the printer/scanner (strange coincidences happen all the time). I'll give WireGuard a go and see what happens.
 
@TheLyppardMan, drop the all network VPN idea. You get more inconveniences than benefits. You don't get any extra security. Slower internet, higher latency and refused services from websites detecting public VPNs. You don't need to have a middle man for your online banking either.
 