Is it more secure to use a VPN to route your traffic through your home network while using public wifi?

I set up a VPN through my UDM-Pro so I can access resources while I’m away from home, but mainly for privacy when I’m at work or on public wifi.

I know it’s still routing through my ISP and they can see what I’m doing on that end, but is it safer while I’m connected to work and public wifi? My understanding is that it’s encrypted from my phone all the way to my home network, and data cannot be intercepted. My boss and anyone on public wifi wouldn’t be able to see what I’m searching.

Just want to confirm, is this correct?

Yes. HTTPS would still encrypt browsing from end-to-end but the VPN will help mitigate man-in-the-middle attacks as well as possible DNS poisoning. I’m sure there are other attacks it would defeat as well.

Yes, it is more secure but might be ultimately unnecessary now that most websites are HTTPS. VPNs come in handy if you want to securely access your home network.

So no one can see what website I’m going to unless it’s HTTP right? They can only see I’m making HTTPS requests?

I use a pihole with unbound so I’m getting the top level DNS server (helps with DNS poisoning) and block ads of course. Pretty sick… I was hesitant setting VPN up on my LAN bc I didn’t wanna have a bigger attack surface, but it seems secure.

Do you mean with or without the VPN? With VPN, you’d still be encrypted between your device and home but from home out to the internet would be in the clear. However, there isn’t much using HTTP anymore.

As far as attack surface, a VPN like OpenVPN or WireGuard only requires a single open UDP port along with cryptographic keys for security. UDP ports don’t respond to typical port scans like TCP ports do so there is more obscurity there also.

If you’re using encrypted SNI, no one will be able to see the website you’re visiting over HTTPS.

However, encrypted SNI still isn’t widely adopted at this time. So anyone sniffing your HTTPS traffic will be able to see the domain name of the website you’re visiting by looking at the plaintext SNI.

I mean without VPN. HTTPS should be encrypted all the time and they can’t see any of my traffic regardless, right? Unless there was a man-in-the-middle attack.

True, but your DNS lookups may be seen depending on configuration.