Security practices evolve; in general you should expect some sort of significant change once or twice a year. Sometimes it’s because the world changes, but if the things you do are at all edgy it’s much more likely that YOU will be the reason you need to modify your game plan.
June is going to be one of those months for me, so let’s take a look at VPN usage.
Attention Conservation Notice:
Shifty online operator mumbles about a mix of threat model and esoteric VPN issues. Use ProtonVPN, use WireGuard protocol, use their kill switch. Come on in if you want to know why.
Pursuers:
There are some articles we just keep coming back to and for this Substack I bet the one that’s mentioned most often is What Hunts You? If you don’t know what sort of hazards you may encounter, it’s hard to pick out tools, let alone apply them properly.
A few days ago in Signal Me: nealr.07 I mentioned that I’ve got a new Signal account that I’m going to use for Shall We Play A Game? This is going to be way more permissive than my daily driver Signal account. I can count on the fingers of one hand the people I talk to whose names I do not know, and it’s extraordinarily rare for someone to be in that position without someone with skin in the game vouching for them.
Now with this new thing, it’s a y’all come for an environment where the odds are I may never learn who’s on the other side of the chat window. Since we’re just playing a game, that’s fine, I’ll talk to anybody, but the least little hint of undercover activity, I will firmly press the Heck You button on my little keyboard extension and move on.
So those are the rules of engagement, now we gotta talk remediation.
WireGuard:
While the ROE is what it is, I must anticipate a steady supply of goons with ulterior motives, so lockdown is the order of the day. I’m using ProtonVPN, I’m employing the simple, sturdy WireGuard protocol, instead of the metaphorical dialup mess that is OpenVPN. I’m using their kill switch, so that if there’s something wrong with the WireGuard link, ain’t nothin’ movin’.
OpenVPN is an older system; it’s full of seldom used, poorly audited features, and it employs the “dial up” metaphor. If you want a kill switch with this thing you’ve got to use a static IP address, a static route to the VPN endpoint, and then probably manually fiddle with it. This is doable on Linux; it’s suicidal to try on any of the other operating systems I use.
WireGuard is a simple policy level routing thing. Oh, there’s a packet leaving? It’s going to be encrypted. It doesn’t get there? No fail open like OpenVPN so often does, the packet left encrypted and if it didn’t reach the other end, nbd. You have to mess with your network settings to figure out what happened, but it’s not going to depants you in front of who knows what sort of bad actor.
Compartments:
I got an iPhone 12 Mini earlier this year for the sake of 5G access. My prior iPhone XR got a plan for a bit, but the job I got it for never materialized and the plan ran out. I had a fresh Signal setup which never got used, so this is now the basis of the SWPAG environment.
Cicada 3301 has a Discord server. Have I mentioned that using Discord feels like trying to chat using a pinball machine? I already had this corralled in a Windows 11 ARM64 VM and it also got the WireGuard/kill switch treatment.
Linux:
I don’t have anything Linux in the mix at this time - there’s no Discord client for ARM64 systems. But if you need to do a fail closed setup, this is super slick with WireGuard. Both ChatGPT and Claude will give you a short incantation to make WireGuard active. You’ll have to do the work of modifying /etc/netplan to replace DHCP with a static IP and route, but these are not complex things. The idea is that the physical interface gets no default route at all: the only thing it can reach in the clear is the WireGuard endpoint, so if the tunnel isn’t up, nothing else has anywhere to go.
Here’s an /etc/netplan example from a Linux VM I had sitting around; you just need to take the WireGuard endpoint IP from your WireGuard config and put it where the 10.10.10.10/32 appears in this configuration.
network:
  version: 2
  ethernets:
    ens160:
      dhcp4: false            # no DHCP, so no default route gets handed to us
      addresses:
        - 192.168.191.129/24  # Your static IP
      nameservers:
        addresses:
          - 9.9.9.9
      routes:
        - to: 10.10.10.10/32  # WireGuard endpoint: the only host reachable in the clear
          via: 192.168.191.2  # LAN gateway
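Once netplan is applied, the thing worth checking is that the kernel routing table really has nothing on the physical NIC except the endpoint host route and the kernel’s own on-link subnet route. The script below is an added example, not code from the original post: a POSIX shell function that audits the text of `ip -4 route show` and prints any route that would let traffic leave the NIC without passing through WireGuard. The interface name ens160 and the endpoint 10.10.10.10 are taken from the netplan fragment above; the two route tables in the script are constructed samples (one fail-closed, one with DHCP still on) so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original post. Audits `ip -4 route show` output
# for the fail-closed property the netplan fragment is meant to give: the only
# routes allowed on the physical NIC are the host route to the WireGuard
# endpoint and kernel-added on-link routes. Anything else is a leak.
# Assumed names: physical NIC ens160, endpoint 10.10.10.10 (the post's
# placeholder). The route tables below are constructed samples.

# route_leaks ROUTES PHYS_IF ENDPOINT_IP
# Prints every leaking route on PHYS_IF; exit 0 if none, 1 if any.
route_leaks() {
    routes=$1
    phys=$2
    endpoint=$3
    leaks=0
    # A here-document keeps the loop in the current shell, so $leaks survives.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Only routes bound to the physical NIC can bypass WireGuard.
        case " $line " in
            *" dev $phys "*) ;;
            *) continue ;;
        esac
        dst=${line%% *}
        case "$dst" in
            "$endpoint"|"$endpoint/32") continue ;;  # needed to reach the tunnel endpoint
        esac
        case " $line " in
            *" proto kernel "*) continue ;;          # on-link subnet, added by the kernel
        esac
        printf '%s\n' "$line"
        leaks=$((leaks + 1))
    done <<EOF
$routes
EOF
    [ "$leaks" -eq 0 ]
}

# Constructed sample: static address and host route only, as in the netplan
# fragment; wg-quick keeps the tunnel's default route in its own table.
FAIL_CLOSED_ROUTES='10.10.10.10 via 192.168.191.2 dev ens160 proto static
192.168.191.0/24 dev ens160 proto kernel scope link src 192.168.191.129'

# Constructed sample: DHCP left on, so a cleartext default route survives.
LEAKY_ROUTES='default via 192.168.191.2 dev ens160 proto dhcp src 192.168.191.129 metric 100
10.10.10.10 via 192.168.191.2 dev ens160 proto static
192.168.191.0/24 dev ens160 proto kernel scope link src 192.168.191.129 metric 100'

# Run the two samples with: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    route_leaks "$FAIL_CLOSED_ROUTES" ens160 10.10.10.10 && echo "sample 1: fail-closed"
    route_leaks "$LEAKY_ROUTES" ens160 10.10.10.10 || echo "sample 2: leaks listed above"
fi

# Against the live box (after netplan apply, before bringing wg0 up):
#   route_leaks "$(ip -4 route show)" ens160 <endpoint-ip> && echo fail-closed
```

Run it before the tunnel comes up: at that point a clean table is the evidence that, if WireGuard ever drops, packets have no cleartext path off the machine. The on-link subnet route is tolerated because the gateway has to be reachable at all, so LAN-local traffic is the one thing this setup knowingly leaves in the clear.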
Conclusion:
Someone stumbling or being tricked into giving up an IP address used to be a really big deal. That kinda faded for many years, but now with the Trump administration it is again a serious problem.
Whatever I’ve said in the past about fail closed VPN configs with OpenVPN should be discarded. If you can’t explain in precise detail why you still need to use this rather than WireGuard, you should not BE using it.
This is a running from a bear situation - you don’t have to outrun the bear, you just need to be no worse than the second slowest person. There are a LOT of other ways to get correlated, but fixing this one is low-hanging fruit, one you should pluck immediately.