Who wants a Librem router?

For a start, most of the time it won’t be doing any association because most of the time the WAP is not there.

Also, the choice of client MAC address for association depends on which WAP is being communicated with. That is, if you have configured to trust certain WAPs (certain SSIDs) and use the permanent MAC address with those WAPs then a change of client MAC address before association is a requirement. So you might as well change the MAC address for an untrusted WAP too.

But that wouldn’t have to be the case. The client can re-randomise the MAC every time. And so it then makes sense to re-randomise the MAC one final time when associating with an untrusted WAP.

So instead of a trail of unsuccessful discovery broadcasts followed by one association - all with the same randomised MAC address, there is an unconnected set of transmissions - all with a different MAC address. Of course, if you are the only active client device around then none of this matters. It is trivial to stalk you regardless of MAC address.

In today’s world though, that will not usually be the case. There will be dozens or hundreds of other WiFi clients around all transmitting away. So it is easy for each randomised transmission to disappear into a haze of randomised clients.

In reality, things are never quite as simple as that. A truly motivated stalker could use fingerprinting and/or traffic analysis to assist with the stalking even if you use only randomised MAC addresses. So I think best practice is to disable any kind of active discovery.

I think it’s also a question of timeliness. If the client itself asks for the WAP immediately after the client develops a need to communicate with the network (and is not currently associated with any WAP) then that can mean kicking off communication slightly more quickly than having to wait for a beacon frame.

I believe that having a hidden SSID is considered not best practice - because the SSID will ultimately be visible anyway. So you are just making clients work harder but without any true security or privacy.

(more to come)

1 Like
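
The MAC policy described in the preceding post (permanent address only for trusted SSIDs, random for everything else, no active discovery, and no hidden SSIDs) can be expressed as a wpa_supplicant configuration. The following is an added example, not code from Purism or from the post: it renders such a configuration and audits an existing one for the settings the post calls out as leaky. The option names `passive_scan`, `preassoc_mac_addr`, `mac_addr` and `scan_ssid` are real wpa_supplicant.conf keys; the SSIDs, passphrases and trusted list are constructed sample values.

```python
"""Render and audit a wpa_supplicant.conf for the per-network MAC policy
discussed above.  Added example; not Purism's code.  Keys used are real
wpa_supplicant.conf options; all network details are constructed samples."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class WifiNetwork:
    ssid: str
    psk: str
    trusted: bool          # trusted: associate using the permanent MAC
    hidden: bool = False   # hidden SSID: the client has to probe for it by name


def mac_policy(net: WifiNetwork) -> int:
    """wpa_supplicant mac_addr: 0 = permanent, 1 = random, 2 = random, same OUI."""
    return 0 if net.trusted else 1


def render_config(networks: list[WifiNetwork]) -> str:
    lines = [
        "ctrl_interface=/run/wpa_supplicant",
        "update_config=0",
        "passive_scan=1",        # wait for beacons; never send probe requests
        "preassoc_mac_addr=1",   # random MAC for anything sent before association
        "mac_addr=1",            # default for networks that do not override it
    ]
    for net in networks:
        lines += ["", "network={", f'\tssid="{net.ssid}"', f'\tpsk="{net.psk}"',
                  f"\tmac_addr={mac_policy(net)}"]
        if net.hidden:
            # A hidden SSID forces scan_ssid=1: the client then broadcasts the
            # SSID in probe requests wherever it happens to be.
            lines.append("\tscan_ssid=1")
        lines.append("}")
    return "\n".join(lines) + "\n"


def parse_config(text: str) -> tuple[dict, list[dict]]:
    """Minimal parser: global key=value lines plus network={ ... } blocks."""
    global_opts: dict = {}
    blocks: list[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            blocks.append(current)
            current = None
        elif "=" in line:
            key, value = line.split("=", 1)
            target = current if current is not None else global_opts
            target[key.strip()] = value.strip().strip('"')
    return global_opts, blocks


def audit_config(text: str) -> list[str]:
    """List settings that make the client identifiable over the air."""
    global_opts, blocks = parse_config(text)
    findings = []
    if global_opts.get("passive_scan", "0") != "1":
        findings.append("global: active scanning, probe requests are sent while searching")
    if global_opts.get("preassoc_mac_addr", "0") == "0":
        findings.append("global: pre-association frames carry the permanent MAC")
    for net in blocks:
        ssid = net.get("ssid", "?")
        if net.get("scan_ssid", "0") == "1":
            findings.append(f"{ssid}: hidden SSID, client must probe for it by name everywhere")
        if net.get("mac_addr", global_opts.get("mac_addr", "0")) == "0":
            findings.append(f"{ssid}: permanent MAC used for association")
    return findings


if __name__ == "__main__":
    sample = [WifiNetwork("home-net", "correct horse battery", trusted=True),
              WifiNetwork("hotel_wifi", "welcome1", trusted=False, hidden=True)]
    cfg = render_config(sample)
    print(cfg)
    for finding in audit_config(cfg):
        print("finding:", finding)
```

Running the audit on the rendered sample flags exactly the two trade-offs the post describes: the trusted home network is deliberately associated with the permanent MAC, and the hidden hotel SSID would be carried in probe requests everywhere the client goes.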

OK, I understand some of what you are trying to achieve with this portable router e.g. solid firewall and solid VPN, enforceably available to the whole network. (Note though that they are both router functions, not WAP functions.)

In terms of reliability of the VPN, client-based v. router-based, bear in mind that, hypothetically, were Purism to develop a router, it would likely be based on the same codebase either way. If they have to fix bugs in the VPN client implementation to go in the router then that would likely benefit the VPN client that you could run in the client device and likewise if there are existing bugs that don’t get fixed then they will be in the router just as they are in the client device.

If I were that concerned about WiFi leakage, I wouldn’t use WiFi on the LAN side at all. That is, I rock up in the hotel room with my pocket-sized router. The router’s WAN side connects to the hotel WiFi, using just the standard client MAC address randomisation, and then maybe deals with hotel login, and then activates firewall and VPN. The router’s LAN side would be strictly ethernet. It might depend on the number and type of client devices. Ethernet works fine on my Librem 5. :wink:

If you insist on WiFi on the LAN side, you might need two WiFi cards in your portable router. It would depend on the capability of the WiFi card - and the WiFi card would be limited by the requirement for only open software. If you can get away with using a single WiFi card then it is still going to have to work differently from a regular mesh / repeater arrangement.

I’m feeling that flexibility of hardware configuration, compactness and sales volume might be in conflict.

I don’t have technical understanding of how those, in general, work. I know that some places have them (and some don’t). I know that they sometimes cause a functional problem. I can see your point that that is an additional point of privacy fail - so would certainly warrant attention by this (hypothetical) product. It would be great if the router itself could handle the login - rather than proxying it from a connected client.

2 Likes

So instead of a trail of unsuccessful discovery broadcasts followed by one association - all with the same randomised MAC address, there is an unconnected set of transmissions - all with a different MAC address. Of course, if you are the only active client device around then none of this matters. It is trivial to stalk you regardless of MAC address.

Now you’ve nailed it! Agreed.

In reality, things are never quite as simple as that. A truly motivated stalker could use fingerprinting and/or traffic analysis to assist with the stalking even if you use only randomised MAC addresses. So I think best practice is to disable any kind of active discovery.

Well said. Neighborhood traffic analysis for the purpose of identification is trivial, and ironically even more so if you’re using a VPN or Tor. It may never again be possible to hide one’s identity against an AI-enabled, locally present adversary with such capability. Obfuscation may work for a while but it’s nonperformant and also likely doomed in the next few years. And analog fingerprinting is probably easier still, although it would require ASICs. None of this makes me feel secure, but at least we can protect ourselves against, say, cartel levels of sophistication, wherein they own the towers but don’t have the smarts for any of these enhanced identification methods.

I believe that having a hidden SSID is considered not best practice - because the SSID will ultimately be visible anyway.

I think you mean that, even if the client never enables wifi outside the WAP’s radius, the SSID will eventually become known because it’s embedded into the association process (“Hey @hotel_wifi, let’s connect…”) which will be observed at some point?

If they have to fix bugs in the VPN client implementation to go in the router then that would likely benefit the VPN client that you could run in the client device and likewise if there are existing bugs that don’t get fixed then they will be in the router just as they are in the client device.

I hadn’t considered this but at least in the case of the notoriously racy firewall killswitches, this would indeed apply. I’m just stunned that, quite obviously, nobody at some of the biggest VPNs on the planet has actually taken half a day to sit down with a packet analyzer and do the work to see if anything leaks during handshaking. And ditto with DNS. That would be an implicit requirement in Purism’s case. I don’t think anyone would complain if doing proper leakage analysis adds $10 to the price tag.

If I were that concerned about WiFi leakage, I wouldn’t use WiFi on the LAN side at all. That is, I rock up in the hotel room with my pocket-sized router. The router’s WAN side connects to the hotel WiFi,

Sorry, that’s actually what I meant. So the Ethernet WAN plugs into the Purism repeater (which gets USB power, and only power, from the Purism router). (And the repeater itself can be configured via Ethernet. Wifi configuration is a can of worms because you need to alternate between config mode (new SSID/MAC for setup and bonding purposes after reset pressed) and dead mode (no activity at all, other than waiting for a second reset press during transport between locations).) Then the repeater converts Ethernet to wifi, and talks with the hotel’s wifi. Therefore the user could plug their laptop into the LAN, and thus indirectly access the wifi portal and ultimately the internet. (Again there’s the separate question of how to interact with the portal without leaking OS fingerprints. Worst case, a bootable USB with a different OS would be helpful in this regard.) But for going from a standard phone, one would need a WAP on the router. But that’s fine because it would have a new SSID and MAC for the new hotel room.

I’m feeling that flexibility of hardware configuration, compactness and sales volume might be in conflict.

Whatever it takes to make this viable, even if that means a slightly larger footprint. But compactness where possible, like none of the usual superfluous internal air space, or antennas that stick out and you can’t unscrew.

It would be great if the router itself could handle the [portal] login - rather than proxying it from a connected client.

That would be a very strong value add but I think it’s really hard. You have to likely use AI to understand where to put the username and password, even if I provide those to you via some standard UI window. Maybe you could have AI as the “usually works” default option with direct user access as an opt-in fallback.

1 Like
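
The leakage analysis the post above asks for (watching the uplink with a packet analyzer while the tunnel comes up, and checking DNS separately) boils down to a simple rule: during and after handshaking, nothing the router sends on the uplink may go anywhere except the tunnel endpoint. The following is an added example, not from any VPN vendor or from the post: a small detector that applies that rule to tcpdump-style text lines. The capture lines are constructed samples of what `tcpdump -n -l` on the uplink interface prints; the local address, the endpoint address and its port are assumptions.

```python
"""Flag packets that leave the uplink outside the VPN tunnel.  Added example;
not from any VPN product or from the forum post.  The capture below is a
constructed sample in tcpdump's text format; addresses and ports are made up."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: the uplink interface while the tunnel is starting.
SAMPLE_CAPTURE = """\
10:00:00.000100 IP 10.20.30.40.51820 > 203.0.113.5.51820: UDP, length 148
10:00:00.010200 IP 203.0.113.5.51820 > 10.20.30.40.51820: UDP, length 92
10:00:00.020300 IP 10.20.30.40.40231 > 10.20.30.1.53: 4321+ A? api.vpn-example.test. (38)
10:00:00.030400 IP 10.20.30.40.40232 > 10.20.30.1.53: 4322+ A? telemetry.example.test. (40)
10:00:00.040500 IP 10.20.30.40.49152 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
10:00:00.050600 IP 10.20.30.40.51820 > 203.0.113.5.51820: UDP, length 32
10:00:00.060700 IP 10.20.30.40.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:00:00:01, length 300
"""

LOCAL_IP = "10.20.30.40"                 # assumed address on the uplink
VPN_ENDPOINT = ("203.0.113.5", 51820)    # assumed tunnel endpoint

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")


@dataclass(frozen=True)
class Leak:
    ts: str
    dst: str
    kind: str      # "dns" or "cleartext"
    detail: str


def split_endpoint(hostport: str) -> tuple[str, int]:
    """tcpdump writes IPv4 endpoints as a.b.c.d.port; split off the port."""
    host, port = hostport.rsplit(".", 1)
    return host, int(port)


def find_leaks(capture: str, local_ip: str, vpn_endpoint: tuple[str, int]) -> list[Leak]:
    leaks: list[Leak] = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src_ip, _ = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        if src_ip != local_ip:
            continue    # inbound frame: only our own transmissions can leak
        if (dst_ip, dst_port) == vpn_endpoint:
            continue    # the tunnel itself
        if dst_port == 67:
            continue    # DHCP must happen in the clear to hold an address at all
        if dst_port == 53:
            # A query to the local resolver: the name being looked up is what leaks.
            name = re.search(r"\b(?:A|AAAA)\? (\S+)", m["rest"])
            leaks.append(Leak(m["ts"], f"{dst_ip}:{dst_port}", "dns",
                              name.group(1) if name else m["rest"]))
        else:
            leaks.append(Leak(m["ts"], f"{dst_ip}:{dst_port}", "cleartext", m["rest"]))
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_CAPTURE, LOCAL_IP, VPN_ENDPOINT):
        print(f"{leak.ts} {leak.kind:9s} -> {leak.dst}  {leak.detail}")
```

On the sample capture the detector reports two DNS queries to the hotel resolver (one of them the client resolving its own endpoint name, which is the classic handshake leak) and one cleartext TCP connection attempt; the DHCP request and the tunnel packets pass. The same function can be fed a real capture saved with `tcpdump -n -l -i <uplink>` once the interface names are known.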

Hi guys.

I admit, I skimmed this thread and did not read all of it. But I had a college course back in the day wherein we had to build a router using an Intel Beagle board and a custom operating system written by the professor that had ethernet drivers but no IP drivers. It was doable as a 6-month project, at least for a NAT proof of concept thing.

Why can’t you just buy a Librem Mini and change the OS to be your router? What’s all this hoopla you guys are going on about? Cisco gotten to your head, making you think “router” is a piece of hardware?

3 Likes

With the typical WiFi surveillance trail, you aren’t associated with any WiFi, so you aren’t generating any VPN or TOR traffic (or any other IP traffic).

If you do associate with WiFi e.g. at your starting point and then later on at a stopping point (e.g. two different hotel rooms) then, yes, the use of, say, a particular VPN service and even more so the use of TOR could be used for tracking, could be used for making a logical connection between the first point and the second point.

That may be true but it does depend on who the adversary is i.e. what your threat model is.

If you are a dissident and your government is trying to get you and they have a Big Brother AI computer taking in all possible inputs (surveillance cameras, motorway tags, financial transactions, RF transmissions, network surveillance, …) then you could be right, we are not too far away from that reality.

However that isn’t the threat model for most people. Most people just don’t want to be pimped by Surveillance Capitalism.

That comment was strictly about the WAP. The WAP has the configuration choice of hiding the SSID or not. But the choice of hiding makes the client’s job harder while not actually hiding the SSID.

If this ever gets beyond a forum topic, maybe some pictures of potential or actual network configurations would be in order.

Always a fair question to ask but there would likely be trade-offs in size and weight (portability) and, in some circumstances, power consumption. In other words, yes, that would almost certainly work for some network configurations but it might be overkill and might cost more than it needs to.

Even running with that suggestion, I guess Purism could come up with a PureOS Router download that would install on a Librem Mini and have it offering all the good functionality that you would want on a network appliance and none of the functionality (attack surface) that you don’t need and shouldn’t have on a network appliance.

A bare minimum starting point though is that whatever WiFi card comes with the Mini must be capable of operating in AP mode for those customers who are going to want that.

On the question of portability, if you look at the devices that mobile network providers sell, which devices offer a SIM card slot and a mobile service on the WAN side, and a WAP (for WiFi clients) on the LAN side then they are actually pretty neat devices. (This is for illustration only since that is not the type of device being discussed here - although it could be one possible configuration.)

2 Likes

Why can’t you just buy a Librem Mini and change the OS to be your router?

Personally, I want something with an audited network stack (with thousands of eyeballs being better than any “official” certification), so probably based on popular router firmware, e.g. OpenWRT. Then it also needs wifi antennas for most people, so now your Librem Mini needs a plugin wifi dongle on USB with other security risks. Then it’s not really portable. A ground-up Purism design should end up with the most compact possible router(+WAP) that fits the bill, optimized for plane travel (tiny and light).

But if you just want a strictly Ethernet router in your home and you really understand how to make a secure router stack, then by all means, your solution will suffice.

2 Likes

a particular VPN service and even more so the use of TOR could be used for tracking, could be used for making a logical connection between the first point and the second point.

Yep, that was my point.

However that isn’t the threat model for most people. Most people just don’t want to be pimped by Surveillance Capitalism.

Yeah that was also my point. Nobody likes Big Brother but it’s not a meaningful threat model if the only evasion strategy is to buy a bungalow in an Antarctic cave.

But yeah surveillance capitalism is more the threat model I’m talking about, although in my neck of the woods, that means narcoterrorists who own cell towers and map IMEIs to identities so they can conduct targeted harassment or murders. Sorta 2013 panopticon stuff. They get so much mileage out of that, as it is, because people are so negligent and/or clueless about security. They have no pressing need to upgrade to realtime traffic analysis.

But the choice of hiding makes the client’s job harder while not actually hiding the SSID.

Yeah I’ve come around to this counterintuitive conclusion thanks to this forum: hidden SSIDs create more exposure than public ones.

I guess Purism could come up with a PureOS Router download that would install on a Librem Mini and have it offering all the good functionality that you would want on a network appliance and none of the functionality (attack surface) that you don’t need and shouldn’t have on a network appliance

This is a really good idea as a minimum-viable-product! Once you’ve written the software and debugged it on a Librem Mini, you suddenly have a massless router that anyone can download. Then just suck all the un-routerly stuff out of the Mini, add some antennas and an optional repeater package, and I think you’re good to go to market.

1 Like

Putting aside the overkill aspects … I like my network equipment to be fanless and the Mini has a fan. That may or may not be a showstopper to you. (The expectation would be that in the “hotel” scenario, you are sleeping in the room where the equipment is - unless your budget extends to a multi-room suite :wink:.)

Another consideration is that the Mini has only one ethernet port. That could be OK if that is sufficient. That could be fudged around if you needed to use the ethernet port as the WAN side but also want to use the ethernet port as the LAN side.

Final observation on that: if your configuration required using the WiFi in AP mode, the WiFi card that the Mini comes with if you choose to have WiFi is the Intel AX200 and, looking on the internet, that card seems sketchy when using it in AP mode … but on the other hand if the goal is to have a turnkey router then customers will expect Purism to have found a card that works well for that application.

2 Likes

I like my network equipment to be fanless and the Mini has a fan.

Fanless is mandatory but it’s fine if the MVP isn’t really travel-friendly. I’m so desperate that I would probably buy a Mini anyway, for that matter.

Mini has only one ethernet port.

A cheap USB dongle could provide the LAN side of that if the router were smart enough to realize it’s a viable egress.

Intel AX200 and, looking on the internet, that card seems sketchy when using it in AP mode

That sounds like an actual problem. Maybe this one chip would need to be replaced in a revision to the Mini. To make that economically viable, maybe just do a wholesale upgrade of the Mini (better CPU, bigger memory, etc.) and offer the router mode as an optional use case. Then people who buy it as a router could actually turn it back into a desktop later, once the real Purism router becomes available. Then you get two birds with one stone.

@irvinewade

1 Like

While I don’t own one, I believe it’s a removable card: https://www.amazon.com/Intel-AX200-IEEE-802-11ax-Bluetooth/dp/B086656ZPD

so it should be no drama to remove it and insert a card that works, provided that you can find a card that does what you want. (That said, recently Intel is doing something dodgy that makes me wonder whether the card slot is a full functionality card slot or whether it only supports the Intel WiFi card. This would need checking by someone who actually knows the Librem Mini hardware.)

Yep, that’s what I meant by fudged around. There are plenty of USB ports. So you can add a WiFi dongle to be the WiFi client (connection to upstream) and/or you can add an ethernet port via a dongle.

I think Linux in general is more than capable of handling most routing scenarios. However Purism would probably need to build a GUI front end to assist with configuration.

1 Like
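
For the configuration described in the post above (a WiFi dongle as the client connection upstream, an ethernet port on the LAN side, Linux doing the routing), the "firewall and VPN enforceably available to the whole network" requirement from earlier in the thread is an nftables ruleset in which LAN traffic can only be forwarded into the tunnel and the router itself may send nothing on the uplink except the tunnel handshake and DHCP. The following is an added example, not Purism's code and not from the post: a Python function that renders such a ruleset. The interface names, the endpoint address and the port are constructed placeholders; the nft syntax (tables, chains, hooks, masquerade) is standard nftables.

```python
"""Render an nftables ruleset that enforces the VPN for every LAN client of a
pocket router.  Added example; not Purism's code.  Interface names, endpoint
address and port are placeholders supplied by the caller."""
from __future__ import annotations
from textwrap import dedent


def render_ruleset(wan: str, lan: str, tun: str,
                   endpoint_ip: str, endpoint_port: int) -> str:
    """Return an nft script: LAN may only exit via the tunnel, the router may
    only talk to the tunnel endpoint (and DHCP) on the uplink."""
    return dedent(f"""\
        #!/usr/sbin/nft -f
        flush ruleset

        table inet vpnrouter {{
            chain input {{
                type filter hook input priority 0; policy drop;
                iifname "lo" accept
                ct state established,related accept
                iifname "{lan}" accept
            }}
            chain forward {{
                type filter hook forward priority 0; policy drop;
                # LAN clients exit only through the tunnel, never via the uplink
                iifname "{lan}" oifname "{tun}" accept
                iifname "{tun}" oifname "{lan}" ct state established,related accept
            }}
            chain output {{
                type filter hook output priority 0; policy drop;
                oifname "lo" accept
                ct state established,related accept
                oifname "{tun}" accept
                oifname "{lan}" accept
                # the only cleartext the router itself may send on the uplink:
                # the tunnel handshake to a fixed IP, and DHCP to keep its lease
                oifname "{wan}" ip daddr {endpoint_ip} udp dport {endpoint_port} accept
                oifname "{wan}" udp sport 68 udp dport 67 accept
            }}
        }}

        table ip nat {{
            chain postrouting {{
                type nat hook postrouting priority 100; policy accept;
                oifname "{tun}" masquerade
            }}
        }}
        """)


if __name__ == "__main__":
    # Placeholder names: WiFi dongle as uplink, ethernet as LAN, WireGuard tunnel.
    print(render_ruleset("wlan0", "eth0", "wg0", "203.0.113.5", 51820))
```

Two points follow directly from the ruleset. First, the endpoint has to be given as an IP address: if the tunnel were configured with a hostname, the router would have to resolve it in the clear on the uplink before the tunnel exists, which is exactly the handshake DNS leak discussed earlier. Second, the output chain leaves no room for a captive portal login from the router itself, so that step would have to happen before this ruleset is loaded (or through a deliberately scoped exception). The script can be syntax-checked with `nft -c -f` and loaded with `nft -f`; forwarding also needs `net.ipv4.ip_forward=1`.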

Makes sense. What’s the next step?

1 Like

A poll with a simple question: Do you want a Librem router? yes/no.

2 Likes

:slightly_smiling_face: Done!

2 Likes