Who wants a Librem router?

No. I was referring only to the client. And clients are expected to do that (three different MAC addresses, if you configure for the most aggressive randomisation).

Wow! Can you elaborate? One to handshake, one for data transmission after handshaking, and one for…? Makes me wonder what “MAC randomization” even means on Android/iOS then. What are the odds that someone did a half-baked job? I assume that L5 got this right but I know nothing.

whether you intend to port a mesh of WAPs around town

Not my use case but it’s actually quite feasible if one wanted to do so: just have all of them select new MAC sets and SSIDs before antennas are enabled or WAN is plugged in.

how secure is that and does it introduce new problems?

Repeaters are MITM attacks in a box: they know your WPA2/3 key, so in principle they could just use the very same WAP to upload it to an attacker, not to mention all of your traffic. If it’s made by a different company than the router, then overall odds of penetration obviously compound. Would be a great way to siphon data because nobody thinks of them as intelligent electronics. In other words, you just convinced me to never install another repeater again (never mind the fact that they’re also pretty much garbage from a QoS standpoint).

You’ve raised some very sophisticated and perilous issues above. Impressive lateral thinking. This should all be debated by the dev team if there’s interest in a router. But frankly existing routers suck so much from a security standpoint that Purism would have a pretty easy time coming up with a superior offering.

Should one of us set up a poll? Like whether one is interested, and what price one would be willing to pay for, say, the nominal 4 LANs, a WAN port, and (optional) 5/2.4 WAPs at gigabit speeds? And maybe “would you pay $X per optional addon Purism repeater”?

1 Like

Refer post 11 above.

One for discovery of WAPs. One for all communication with trusted WAPs. One for all communication with untrusted WAPs. (The second of those would likely be using the permanent MAC address. The other two would be randomised. Typically you would choose a set of trusted WAPs and all other WAPs would be considered to be untrusted.)

I believe that this has been discussed before so best to review existing discussion.

For the record, a router for me is:

  • one LAN port (ethernet) - connects to my main switch (backbone of the LAN, managed) - but, yes, OK the additional cost for 3 unused LAN ports is not much
  • one WAN port - but WAN means different things to different people - so then there is the question as to whether WAN means a plugin module for the required technology or it means a single ethernet port and the customer has to supply a standalone device for the actual WAN, preferably one that is able to operate in some kind of bridged mode (OR if the former then maybe one of the unused LAN ports can be designated as a WAN port)

plus, yes, you want

  • an optional plugin WiFi module
2 Likes

One for discovery of WAPs. One for all communication with trusted WAPs. One for all communication with untrusted WAPs.

So if I understand you correctly, then there are only 2 MACs involved in any given wifi connection: one for discovery and one for data transfer? But then sometimes a given client will refuse to connect to an unknown MAC, so the router must offer the option to randomize either both, or neither (separately on 2.4 and 5 GHz)? (Customers would just need to remember to manually randomize their trusted MACs in the course of a physical relocation, but otherwise they would stay constant.)

I think trying to designate an unused LAN as a WAN is going to be rather cumbersome. But you have a point that 4 LANs is overkill these days. (One could always just attach a commodity router/switch for expansion.) Portability (i.e. small size) of the router matters a lot because customers will want to have MAC randomization everywhere they travel. So how about this for the poll:

  1. Suppose the base config is one Ethernet WAN plus one Ethernet LAN running an OpenWRT spin, with provable but non-targetable MAC randomization. What would you pay relative to the price of a name-brand router with similar (say gigabit bandwidth, ~2 GHz dual core ARM) capability? Same price? $25 more? $50? $75? $100?

  2. What would you pay for a set of screw-in antennas and a wifi module (2.4+5 GHz) with configurable randomization of discovery and data MACs per each frequency? $0 (don’t want it)? $25? $50? $75? $100?

  3. What would you pay for a separate repeater for bonding to external 2.4/5 wifi? $0 (don’t want it)? $25? $50? $75? $100?

  4. Just to get some idea: would you rather pay a market-priced premium for 10 Gbps WAN/LAN, or just have the standard gigabit?

Any tweaks to this?

1 Like

Yes (if talking about the client), except that
a) the two MAC addresses can be the same, and
b) discovery by the client is optional.

I suspect that if the WAP uses MAC randomisation then discovery by the client won’t work (although I guess it depends on the implementation details). So from the perspective of the WAP either its MAC address is randomised or it isn’t.

You may be getting down into details without establishing whether there is any interest in a router at all (where for the purposes of this discussion “router” means a typical home internet appliance offering the potential for routing, WAP and a, say, 4-port switch).

For me, if we were getting down into details, I would be asking what routing and other internet gateway functionality is offered.

There’s also 2.5 Gbit/sec LAN.

My existing triple-WAN router can do that. There isn’t choice about which LAN port is used as WAN - it’s always the same LAN port if that functionality is in use at all - so that specific LAN port is clearly marked as dual role. There is only choice as to whether a LAN port is instead used as an ethernet WAN port. So you have the choice between n-1 ethernet LAN ports with 1 ethernet WAN port and n ethernet LAN ports.

It’s not a big deal for me either way. I have another triple-WAN router that instead has n ethernet LAN ports and offers a range of WAN ports including a, usually unused, ethernet WAN port. So there are n+1 ethernet ports but one of them is usually doing nothing.

The first approach may allow slightly improved compactness (one fewer ethernet ports), which you said was important.

But then in your portable scenario it isn’t clear to me how you are getting on the internet - and hence what type of WAN is most useful to you.

2 Likes

discovery by the client is optional.

How exactly is the client supposed to transfer data to a router if it hasn’t discovered the router to begin with? You mean like the user just says “here’s the router’s MAC so you don’t need the SSID”?

I suspect that if the WAP uses MAC randomisation then discovery by the client won’t work

Well one could just forget the SSID and start over, right? Granted, if one forgets to do that before enabling wifi on the client, then the client might see the SSID and just automatically start talking to its previous MAC, which would then, in effect, leak the prior physical location of that SSID. But at least this is better than the status quo. There probably needs to be a section of the manual which discusses what the router does, and does not, actually afford by way of privacy.

For me, if we were getting down into details, I would be asking what routing and other internet gateway functionality is offered.

Not my area of expertise, so I’d be happy to add questions in this vein if you want to suggest any.

There’s also 2.5 Gbit/sec LAN.

How did I not know this? OK I can just expand the question.

So you have the choice between n-1 ethernet LAN ports with 1 ethernet WAN port and n ethernet LAN ports.

I think most of us would want a dedicated WAN port but I won’t complain if LAN-only is a valid configuration. And yeah, compactness trumps everything but privacy.

what type of WAN is most useful to you

Home/office would generally involve plugging into some sort of modem (fiber, coax, etc) via Ethernet. Travel case would generally involve an air bridge (Ethernet to Purism repeater, then wifi to hotel WAP). The repeater would probably plug into a USB port on the router purely for power acquisition. (Just punch a hole in the firewall for the stupid hotel signin webpage, e.g. 172.16.0.1, which is a whole other security can-of-worms in itself.)

1 Like

There is a difference between “discovery” and “association”.

“Association” is the process of a 4-way handshake where the client and the WAP mutually authenticate (and hence it involves the client knowing the pre-shared key aka passphrase). Association is a prerequisite for using the WAP to transfer any actual data.

“Discovery” is the process of knowing that the WAP is there at all. There are two ways. “Active” and “Passive”. (Those are not official terms.) “Passive” is the safer way. Every WAP broadcasts a beacon frame every X milliseconds and the beacon frame says “I’m here” and the beacon frame gives the SSID and other useful information (such as what type of security is in use on the SSID). So the client just waits to hear the beacon frame. “Active” involves the client sending a message to the WAP in the hope that the WAP is there and will answer. For that purpose, the client would use a destination MAC address of the WAP that it had previously noted. “Active” is generally frowned upon, since it leaks information but at a minimum if doing this then a randomised source MAC address should be used specifically for this purpose (and then change to a different source MAC address before attempting association - where the choice of source MAC address depends on the discovered SSID).

In that case, what benefit does the router provide? I’m not saying that it can’t provide a benefit, just asking you to elaborate. My point is that if the client device just associates directly to the hotel WiFi and the client uses MAC address randomisation then that isn’t much different. In either case, at a bare minimum, you should only use secure protocols (since the hotel provides an untrusted network, but no more so than the internet as a whole, in general) and in either case you may want to use a VPN.

OK, I can see that the router could provide a more robust firewall than the client by itself does.

I occasionally encounter hotel rooms that give ethernet directly (but I guess even then the hotel room also offers WiFi).

2 Likes

and then change to a different source MAC address before attempting association

OK so if you’re using active discovery (because the SSID is presumably not broadcast, i.e. hidden), then why would it be advantageous for the client to switch to a new randomized MAC for association purposes? Like if you’re at the supermarket and your wifi is bleating out pings at your home hidden SSID, then those pings always have the same (albeit randomized) client MAC stuck on them. If I follow the pings earmarked by that MAC, then I know where you live, as well as where you shop. So you’re already geocompromised in that sense. Trying to compensate for that via a newly randomized MAC (for association) is too little too late. Or what am I missing here? (Just trying to see if we can simplify the minimum viable product.)

OK, I can see that the router could provide a more robust firewall than the client by itself does.

Yes and it’s also more convenient than having to set up N VPNs for N devices every time you enter your room. Not only that, though: VPNs are perniciously racy, if you know what I mean. The firewall kill switches fail all the time, even in some name-brand VPNs. It’s just appalling, as though someone never learned about locking semaphores in uni. The thing is, empirically, routers are simply less poorly designed than device-local VPNs. And let’s not even talk about DNS leaks, DNS cache poisoning, DNS cache tier inconsistencies, etc. Device network stacks are just crap upon crap. At least a router can be power-cycled, which usually causes it to forget various badness (including memory-resident exploits, for that matter).

So basically, a pocket-sized router with a repeater module would be awesome. You would just need to remember to factory-reset the repeater between different hotels, so you don’t walk into your new room at the Hyatt and start broadcasting Hilton_Wifi_Ext as soon as you power it on. In a perfect design, you’d be able to use a barebones HTTP(not S) proxy within the router administration UI itself in order to sign into the hotel login. That way you wouldn’t need to expose your real OS fingerprint to the hotel’s LAN. (“Hello hotel hotspot login! My machine name is “Leaky Laptop” and I’m running Leaky Linux 6.1. I’ll be switching over to VPN in a moment, but make a note of all that so you can track me everywhere I use this repeater in the future!”)

1 Like

For a start, most of the time it won’t be doing any association because most of the time the WAP is not there.

Also, the choice of client MAC address for association depends on which WAP is being communicated with. That is, if you have configured to trust certain WAPs (certain SSIDs) and use the permanent MAC address with those WAPs then a change of client MAC address before association is a requirement. So you might as well change the MAC address for an untrusted WAP too.

But that wouldn’t have to be the case. The client can re-randomise the MAC every time. And so it then makes sense to re-randomise the MAC one final time when associating with an untrusted WAP.

So instead of a trail of unsuccessful discovery broadcasts followed by one association - all with the same randomised MAC address, there is an unconnected set of transmissions - all with a different MAC address. Of course, if you are the only active client device around then none of this matters. It is trivial to stalk you regardless of MAC address.

In today’s world though, that will not usually be the case. There will be dozens or hundreds of other WiFi clients around all transmitting away. So it is easy for each randomised transmission to disappear into a haze of randomised clients.

In reality, things are never quite as simple as that. A truly motivated stalker could use fingerprinting and/or traffic analysis to assist with the stalking even if you use only randomised MAC addresses. So I think best practice is to disable any kind of active discovery.

I think it’s also a question of timeliness. If the client itself asks for the WAP immediately after the client develops a need to communicate with the network (and is not currently associated with any WAP) then that can mean kicking off communication slightly more quickly than having to wait for a beacon frame.

I believe that having a hidden SSID is considered not best practice - because the SSID will ultimately be visible anyway. So you are just making clients work harder but without any true security or privacy.

(more to come)

1 Like
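As an added illustration of the client-side address policy laid out in the two posts above (discovery versus association, permanent address for trusted WAPs, a fresh randomised address for every untrusted association, active discovery off by default), here is a small Python model. It is not code from this thread, from Purism or from any real WiFi stack; the SSIDs, BSSIDs and the permanent address are constructed values, and the policy flags are assumptions made to mirror the discussion.

```python
"""Client-side MAC address policy for WiFi discovery and association.

Added example, not code from the forum thread, Purism or any WiFi stack.
It models the scheme the posts describe: a randomised address used only for
(optional) active discovery, the permanent address for trusted WAPs, and a
freshly randomised address for every association with an untrusted WAP, so
that probe frames and the eventual association cannot be linked by address.
SSIDs, BSSIDs and the permanent address below are constructed values.
"""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def random_local_mac() -> str:
    """Return a randomised unicast, locally administered MAC address.

    In the first octet, bit 0 (I/G) is cleared so the address is unicast and
    bit 1 (U/L) is set so it is marked locally administered, which keeps it
    out of the vendor-assigned (OUI) space a real adapter's address lives in.
    """
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] & 0b11111100) | 0b00000010
    return ":".join(f"{b:02x}" for b in octets)


def is_local_unicast(mac: str) -> bool:
    """True if the address has the U/L bit set and the I/G bit clear."""
    return (int(mac.split(":")[0], 16) & 0b11) == 0b10


@dataclass
class ClientMacPolicy:
    permanent_mac: str
    trusted_ssids: Set[str]
    active_discovery: bool = False        # thread's best practice: leave it off
    rerandomise_each_probe: bool = True   # fresh address per probe frame
    discovery_mac: str = field(default_factory=random_local_mac)
    # (kind, ssid, bssid, source MAC used) for every transmission
    log: List[Tuple[str, str, Optional[str], str]] = field(default_factory=list)

    def probe(self, ssid: str) -> Optional[str]:
        """Active discovery. Returns the source MAC the probe would carry, or
        None when active discovery is disabled (passive: wait for a beacon)."""
        if not self.active_discovery:
            return None
        if self.rerandomise_each_probe:
            self.discovery_mac = random_local_mac()
        self.log.append(("probe", ssid, None, self.discovery_mac))
        return self.discovery_mac

    def associate(self, ssid: str, bssid: str) -> str:
        """Pick the source MAC for association with a WAP that was heard via a
        beacon or answered a probe. The discovery address is never reused."""
        if ssid in self.trusted_ssids:
            mac = self.permanent_mac          # trusted WAP: stable identity
        else:
            mac = random_local_mac()          # untrusted WAP: new identity
        self.log.append(("assoc", ssid, bssid, mac))
        return mac

    def addresses_used(self) -> Set[str]:
        return {entry[3] for entry in self.log}


def demo() -> ClientMacPolicy:
    """Walk a client past an untrusted WAP and then home to a trusted one."""
    client = ClientMacPolicy(
        permanent_mac="00:00:5e:00:53:01",    # constructed, documentation range
        trusted_ssids={"home-net"},
        active_discovery=True,                # enabled here only to show probes
    )
    client.probe("home-net")                  # away from home: goes unanswered
    client.probe("home-net")                  # second probe, different address
    client.associate("shop-guest", "00:00:5e:00:53:aa")   # untrusted: random
    client.associate("home-net", "00:00:5e:00:53:bb")     # trusted: permanent
    return client


if __name__ == "__main__":
    for kind, ssid, bssid, mac in demo().log:
        print(f"{kind:5} {ssid:10} {bssid or '-':17} src={mac}")
```

With `active_discovery` left at its default the client transmits nothing until it hears a beacon, which is the configuration the posts recommend; the two probes in `demo()` are only there to show that, when active discovery is on, consecutive probes and the later association all carry different addresses.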

OK, I understand some of what you are trying to achieve with this portable router e.g. solid firewall and solid VPN, enforceably available to the whole network. (Note though that they are both router functions, not WAP functions.)

In terms of reliability of the VPN, client-based v. router-based, bear in mind that, hypothetically, were Purism to develop a router, it would likely be based on the same codebase either way. If they have to fix bugs in the VPN client implementation to go in the router then that would likely benefit the VPN client that you could run in the client device and likewise if there are existing bugs that don’t get fixed then they will be in the router just as they are in the client device.

If I were that concerned about WiFi leakage, I wouldn’t use WiFi on the LAN side at all. That is, I rock up in the hotel room with my pocket-sized router. The router’s WAN side connects to the hotel WiFi, using just the standard client MAC address randomisation, and then maybe deals with hotel login, and then activates firewall and VPN. The router’s LAN side would be strictly ethernet. It might depend on the number and type of client devices. Ethernet works fine on my Librem 5. :wink:

If you insist on WiFi on the LAN side, you might need two WiFi cards in your portable router. It would depend on the capability of the WiFi card - and the WiFi card would be limited by the requirement for only open software. If you can get away with using a single WiFi card then it is still going to have to work differently from a regular mesh / repeater arrangement.

I’m feeling that flexibility of hardware configuration, compactness and sales volume might be in conflict.

I don’t have technical understanding of how those, in general, work. I know that some places have them (and some don’t). I know that they sometimes cause a functional problem. I can see your point that that is an additional point of privacy fail - so would certainly warrant attention by this (hypothetical) product. It would be great if the router itself could handle the login - rather than proxying it from a connected client.

2 Likes

So instead of a trail of unsuccessful discovery broadcasts followed by one association - all with the same randomised MAC address, there is an unconnected set of transmissions - all with a different MAC address. Of course, if you are the only active client device around then none of this matters. It is trivial to stalk you regardless of MAC address.

Now you’ve nailed it! Agreed.

In reality, things are never quite as simple as that. A truly motivated stalker could use fingerprinting and/or traffic analysis to assist with the stalking even if you use only randomised MAC addresses. So I think best practice is to disable any kind of active discovery.

Well said. Neighborhood traffic analysis for the purpose of identification is trivial, and ironically even more so if you’re using a VPN or Tor. It may never again be possible to hide one’s identity against an AI-enabled, locally present adversary with such capability. Obfuscation may work for a while but it’s nonperformant and also likely doomed in the next few years. And analog fingerprinting is probably easier still, although it would require ASICs. None of this makes me feel secure, but at least we can protect ourselves against, say, cartel levels of sophistication, wherein they own the towers but don’t have the smarts for any of these enhanced identification methods.

I believe that having a hidden SSID is considered not best practice - because the SSID will ultimately be visible anyway.

I think you mean that, even if the client never enables wifi outside the WAP’s radius, the SSID will eventually become known because it’s embedded into the association process (“Hey @hotel_wifi, let’s connect…”) which will be observed at some point?

If they have to fix bugs in the VPN client implementation to go in the router then that would likely benefit the VPN client that you could run in the client device and likewise if there are existing bugs that don’t get fixed then they will be in the router just as they are in the client device.

I hadn’t considered this but at least in the case of the notoriously racy firewall kill switches, this would indeed apply. I’m just stunned that, quite obviously, nobody at some of the biggest VPNs on the planet has actually taken half a day to sit down with a packet analyzer and do the work to see if anything leaks during handshaking. And ditto with DNS. That would be an implicit requirement in Purism’s case. I don’t think anyone would complain if doing proper leakage analysis adds $10 to the price tag.

If I were that concerned about WiFi leakage, I wouldn’t use WiFi on the LAN side at all. That is, I rock up in the hotel room with my pocket-sized router. The router’s WAN side connects to the hotel WiFi,

Sorry, that’s actually what I meant. So the Ethernet WAN plugs into the Purism repeater (which gets USB power, and only power, from the Purism router). (And the repeater itself can be configured via Ethernet. Wifi configuration is a can of worms because you need to alternate between config mode (new SSID/MAC for setup and bonding purposes after reset pressed) and dead mode (no activity at all, other than waiting for a second reset press during transport between locations).) Then the repeater converts Ethernet to wifi, and talks with the hotel’s wifi. Therefore the user could plug their laptop into the LAN, and thus indirectly access the wifi portal and ultimately the internet. (Again there’s the separate question of how to interact with the portal without leaking OS fingerprints. Worst case, a bootable USB with a different OS would be helpful in this regard.) But for going from a standard phone, one would need a WAP on the router. But that’s fine because it would have a new SSID and MAC for the new hotel room.

I’m feeling that flexibility of hardware configuration, compactness and sales volume might be in conflict.

Whatever it takes to make this viable, even if that means a slightly larger footprint. But compactness where possible, like none of the usual superfluous internal air space, or antennas that stick out and you can’t unscrew.

It would be great if the router itself could handle the [portal] login - rather than proxying it from a connected client.

That would be a very strong value add but I think it’s really hard. You have to likely use AI to understand where to put the username and password, even if I provide those to you via some standard UI window. Maybe you could have AI as the “usually works” default option with direct user access as an opt-in fallback.

1 Like
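The packet-analyzer exercise described above (does anything leave in the clear while the tunnel is being established, and does DNS escape the tunnel) can be written down as a check. The following Python is an added example, not code from this thread, from Purism or from any VPN vendor: it runs over a constructed capture in a simple text format rather than a real pcap, and the interface names, the VPN endpoint and all addresses are assumptions drawn from the RFC 5737 documentation ranges.

```python
"""Offline check for VPN 'kill switch' leaks while a tunnel comes up.

Added example, not code from the thread, Purism or any VPN vendor. Every
packet that left the physical interface in the clear is reported unless it
is the tunnel's own transport to the VPN endpoint or DHCP (needed to get an
address at all). DNS queries outside the tunnel are reported under their own
label because they are the most common leak. Interface names, the endpoint
and all addresses are assumptions; the capture below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

PHYSICAL_IFACE = "wlan0"                 # assumed: the hotel-facing interface
TUNNEL_IFACE = "wg0"                     # assumed: the VPN tunnel interface
VPN_ENDPOINT = ("203.0.113.10", 51820)   # assumed VPN server address and port


@dataclass(frozen=True)
class Packet:
    ts: float
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_capture(text: str) -> List[Packet]:
    """Parse the constructed 'ts iface proto src dst dport' line format."""
    packets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, iface, proto, src, dst, dport = line.split()
        packets.append(Packet(float(ts), iface, proto, src, dst, int(dport)))
    return packets


def find_leaks(packets: List[Packet]) -> List[Tuple[str, Packet]]:
    """Return (reason, packet) for every packet that escaped the tunnel."""
    leaks = []
    for p in packets:
        if p.iface != PHYSICAL_IFACE:
            continue                                   # inside the tunnel: fine
        if p.proto == "udp" and (p.dst, p.dport) == VPN_ENDPOINT:
            continue                                   # the tunnel's own transport
        if p.proto == "udp" and p.dport == 67:
            continue                                   # DHCP: unavoidable and harmless
        if p.dport == 53:
            leaks.append(("dns-leak", p))
        else:
            leaks.append(("cleartext", p))
    return leaks


# Constructed capture of a client bringing the tunnel up on a hotel network.
# The DNS query at t=0.010 (resolving the VPN hostname via the hotel resolver)
# and the HTTPS connection at t=0.025 (an app that did not wait for the tunnel)
# are the race the post describes: both happen before the tunnel is usable.
SAMPLE_CAPTURE = """\
0.000 wlan0 udp 10.0.0.5 10.0.0.1 67
0.010 wlan0 udp 10.0.0.5 10.0.0.1 53
0.020 wlan0 udp 10.0.0.5 203.0.113.10 51820
0.025 wlan0 tcp 10.0.0.5 198.51.100.7 443
0.030 wg0 udp 10.8.0.2 10.8.0.1 53
0.040 wg0 tcp 10.8.0.2 198.51.100.7 443
0.050 wlan0 udp 10.0.0.5 203.0.113.10 51820
"""


def leak_report() -> List[Tuple[str, float, str, int]]:
    """Compact (reason, ts, dst, dport) summary of the sample capture's leaks."""
    return [(reason, p.ts, p.dst, p.dport)
            for reason, p in find_leaks(parse_capture(SAMPLE_CAPTURE))]


if __name__ == "__main__":
    for entry in leak_report():
        print(entry)
```

On the sample capture the check reports exactly the two packets that raced the tunnel: the resolver query and the HTTPS connection on the physical interface. A kill switch that closes that window pins the VPN server by IP address in its configuration (so no resolver query is needed before the tunnel exists) and installs its drop rule for the physical interface before, not after, the tunnel is brought up; re-running a check like this against a real capture is how you would confirm that it actually does.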

Hi guys.

I admit, I skimmed this thread and did not read all of it. But I had a college course back in the day wherein we had to build a router using an Intel Beagle board and a custom operating system written by the professor that had ethernet drivers but no IP drivers. It was doable as a 6-month project, at least for a NAT proof of concept thing.

Why can’t you just buy a Librem Mini and change the OS to be your router? What’s all this hoopla you guys are going on about? Cisco gotten to your head, making you think “router” is hardware?

3 Likes

With the typical WiFi surveillance trail, you aren’t associated with any WiFi, so you aren’t generating any VPN or TOR traffic (or any other IP traffic).

If you do associate with WiFi e.g. at your starting point and then later on at a stopping point (e.g. two different hotel rooms) then, yes, the use of, say, a particular VPN service and even more so the use of TOR could be used for tracking, could be used for making a logical connection between the first point and the second point.

That may be true but it does depend on who the adversary is i.e. what your threat model is.

If you are a dissident and your government is trying to get you and they have a Big Brother AI computer taking in all possible inputs (surveillance cameras, motorway tags, financial transactions, RF transmissions, network surveillance, …) then you could be right, we are not too far away from that reality.

However that isn’t the threat model for most people. Most people just don’t want to be pimped by Surveillance Capitalism.

That comment was strictly about the WAP. The WAP has the configuration choice of hiding the SSID or not. But the choice of hiding makes the client’s job harder while not actually hiding the SSID.

If this ever gets beyond a forum topic, maybe some pictures of potential or actual network configurations would be in order.

Always a fair question to ask but there would likely be trade-offs in size and weight (portability) and, in some circumstances, power consumption. In other words, yes, that would almost certainly work for some network configurations but it might be overkill and might cost more than it needs to.

Even running with that suggestion, I guess Purism could come up with a PureOS Router download that would install on a Librem Mini and have it offering all the good functionality that you would want on a network appliance and none of the functionality (attack surface) that you don’t need and shouldn’t have on a network appliance.

A bare minimum starting point though is that whatever WiFi card comes with the Mini must be capable of operating in AP mode for those customers who are going to want that.

On the question of portability, if you look at the devices that mobile network providers sell, which devices offer a SIM card slot and a mobile service on the WAN side, and a WAP (for WiFi clients) on the LAN side then they are actually pretty neat devices. (This is for illustration only since that is not the type of device being discussed here - although it could be one possible configuration.)

2 Likes

Why can’t you just buy a Librem Mini and change the OS to be your router?

Personally, I want something with an audited network stack (with thousands of eyeballs being better than any “official” certification), so probably based on popular router firmware, e.g. OpenWRT. Then it also needs wifi antennas for most people, so now your Librem Mini needs a plugin wifi dongle on USB with other security risks. Then it’s not really portable. A ground-up Purism design should end up with the most compact possible router(+WAP) that fits the bill, optimized for plane travel (tiny and light).

But if you just want a strictly Ethernet router in your home and you really understand how to make a secure router stack, then by all means, your solution will suffice.

2 Likes

a particular VPN service and even more so the use of TOR could be used for tracking, could be used for making a logical connection between the first point and the second point.

Yep, that was my point.

However that isn’t the threat model for most people. Most people just don’t want to be pimped by Surveillance Capitalism.

Yeah that was also my point. Nobody likes Big Brother but it’s not a meaningful threat model if the only evasion strategy is to buy a bungalow in an Antarctic cave.

But yeah surveillance capitalism is more the threat model I’m talking about, although in my neck of the woods, that means narcoterrorists who own cell towers and map IMEIs to identities so they can conduct targeted harassment or murders. Sorta 2013 panopticon stuff. They get so much mileage out of that, as it is, because people are so negligent and/or clueless about security. They have no pressing need to upgrade to realtime traffic analysis.

But the choice of hiding makes the client’s job harder while not actually hiding the SSID.

Yeah I’ve come around to this counterintuitive conclusion thanks to this forum: hidden SSIDs create more exposure than public ones.

I guess Purism could come up with a PureOS Router download that would install on a Librem Mini and have it offering all the good functionality that you would want on a network appliance and none of the functionality (attack surface) that you don’t need and shouldn’t have on a network appliance

This is a really good idea as a minimum-viable-product! Once you’ve written the software and debugged it on a Librem Mini, you suddenly have a massless router that anyone can download. Then just suck all the un-routerly stuff out of the Mini, add some antennas and an optional repeater package, and I think you’re good to go to market.

1 Like

Putting aside the overkill aspects … I like my network equipment to be fanless and the Mini has a fan. That may or may not be a showstopper to you. (The expectation would be that in the “hotel” scenario, you are sleeping in the room where the equipment is - unless your budget extends to a multi-room suite :wink:.)

Another consideration is that the Mini has only one ethernet port. That could be OK if that is sufficient. That could be fudged around if you needed to use the ethernet port as the WAN side but also want to use the ethernet port as the LAN side.

Final observation on that: if your configuration required using the WiFi in AP mode, the WiFi card that the Mini comes with if you choose to have WiFi is the Intel AX200 and, looking on the internet, that card seems sketchy when using it in AP mode … but on the other hand if the goal is to have a turnkey router then customers will expect Purism to have found a card that works well for that application.

2 Likes

I like my network equipment to be fanless and the Mini has a fan.

Fanless is mandatory but it’s fine if the MVP isn’t really travel-friendly. I’m so desperate that I would probably buy a Mini anyway, for that matter.

Mini has only one ethernet port.

A cheap USB dongle could provide the LAN side of that if the router were smart enough to realize it’s a viable egress.

Intel AX200 and, looking on the internet, that card seems sketchy when using it in AP mode

That sounds like an actual problem. Maybe this one chip would need to be replaced in a revision to the Mini. To make that economically viable, maybe just do a wholesale upgrade of the Mini (better CPU, bigger memory, etc.) and offer the router mode as an optional use case. Then people who buy it as a router could actually turn it back into a desktop later, once the real Purism router becomes available. Then you get two birds with one stone.

@irvinewade

1 Like

While I don’t own one, I believe it’s a removable card: https://www.amazon.com/Intel-AX200-IEEE-802-11ax-Bluetooth/dp/B086656ZPD

so it should be no drama to remove it and insert a card that works, provided that you can find a card that does what you want. (That said, recently Intel is doing something dodgy that makes me wonder whether the card slot is a full functionality card slot or whether it only supports the Intel WiFi card. This would need checking by someone who actually knows the Librem Mini hardware.)

Yep, that’s what I meant by fudged around. There are plenty of USB ports. So you can add a WiFi dongle to be the WiFi client (connection to upstream) and/or you can add an ethernet port via a dongle.

I think Linux in general is more than capable of handling most routing scenarios. However Purism would probably need to build a GUI front end to assist with configuration.

1 Like

Makes sense. What’s the next step?

1 Like

A poll with a simple question: Do you want a Librem router? yes/no.

2 Likes

:slightly_smiling_face: Done!

2 Likes