These actors compromised routers and redirected traffic from connected devices including phone and laptops to GRU controlled infrastructure. The GRU compromised a vast amount of household routers in the US and around the world.
– The FBI, Cyber Division

When you start to see a coordinated effort between intelligence agencies that historically have a bad rep for not working well together, I start to wonder what the actual play is; it's not Russian GRU. The vast amount of household routers in the US are default ISP routers that are rented and hardcoded with DNS servers; if it's Xfinity: (75.75.75.75 & 75.75.75.76). It makes no sense to effectively ban third-party routers, with a weird definition of a router, to the consumer market.

Nobody but networking nerds are buying and setting up their own routers at home, and the majority of ISPs restrict you from using your own router! This coordinated effort seems to be a longer-term play on cornering the consumer market and restricting your access to privacy.

Here is one piece of how I achieve home network privacy, even with a default Xfinity router.



Prerequisites: USB wireless adapter w/ dual band support and AP mode. Ubuntu Linux box, on your LAN. Ethernet cable. And of course the internet. But you can't forget CLI skillz.



Upfront, this is not a tutorial or walk-through on how to get this set up and running step by step. I'm just giving you the general network topology and architecture. Point your best clanker at this write-up and you can have this set up in no time. But I advise that you actually bang your head against the wall and set this up yourself, so that you actually gain some skills in Linux networking and networking in general. You may have to do this impromptu out in the field.


First you will need hostapd. Hostapd, or Host Access Point Daemon, is a user space daemon designed for Linux systems. It enables a NIC to function as an access point (AP) and an authentication server, so you can create wireless hotspots and manage wireless connections. To use it the way we need here, you will also need dnsmasq, which acts as the DHCP server that assigns IP addresses to connected devices.

Tun2socks is software that handles universal proxying at layer 3. You will take a hit in your upload and download speeds, but it's easy to use, and for something like this, where we care about privacy and ease of use, it can't be beat.

The network topology will look something like this:

	Wifi Clients
		--> wlx... (AP / hostapd + dnsmasq)
			--> iptables FORWARD
				--> tun0
					--> tun2socks
						--> Tor (:9050)
							--> Tor Net


It's that simple and quick to get set up once you understand how everything is laid out. Here are my config files...

------------------------
/etc/hostapd/hostapd.conf

# Interface and Driver
interface=wlx...
driver=nl80211

# 5 GHz band (hw_mode=a), 802.11n enabled, 802.11ac disabled
hw_mode=a
channel=36
ieee80211n=1
ieee80211ac=0
wmm_enabled=1
country_code=US

# SSID and Auth (ssid and wpa_passphrase below are placeholders; set your own)
ssid=Name
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=password

# Logging
logger_syslog=-1
logger_syslog_level=2

# Whether the SSID is broadcast (0 = broadcast, not hidden)
ignore_broadcast_ssid=0

------------------------
/etc/dnsmasq.conf

interface=wlx...
bind-interfaces
listen-address=192.168.0.1
domain-needed
bogus-priv
no-resolv

# DHCP Range
dhcp-range=192.168.0.10,192.168.0.250,255.255.255.0,12h

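# Default gateway handed to clients (DHCP option 3)
dhcp-option=3,192.168.0.1

# DNS server handed to clients (DHCP option 6): this box
dhcp-option=6,192.168.0.1

# Upstream servers (assumes a local resolver listening on port 5353,
# such as Tor's DNSPort; that part is not shown here)
server=127.0.0.1#5353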

# Logging
log-facility=/var/log/dnsmasq.log
log-queries
log-dhcp

------------------------
bash

# Start tor normally (SOCKS5 on 9050)
# Then:
sudo ip tuntap add dev tun0 mode tun
# can be whatever ip range you prefer
sudo ip addr add 10.0.0.1/24 dev tun0
sudo ip link set tun0 up
# No default route via tun0 in the main table: it would also push the host's
# own traffic, including Tor's outbound connections, into the tunnel.
# Only marked AP traffic is sent to tun0, through table 100 below.

# Enable forwarding, if not on already
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

# Mark all packets arriving from the AP interface
sudo iptables -t mangle -A PREROUTING -i wlx+ -j MARK --set-mark 1

# Policy route: marked packets go through tun0
sudo ip rule add fwmark 1 table 100
sudo ip route add default dev tun0 table 100

# Allow forwarding between wlx and tun0
sudo iptables -A FORWARD -i wlx+ -o tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o wlx+ -m state --state RELATED,ESTABLISHED -j ACCEPT

# Attach tun2socks to tun0 and hand everything to Tor's SOCKS5 port (runs in the foreground)
sudo tun2socks -device tun0 -proxy socks5://127.0.0.1:9050


That's it. That's all you need to get a privacy network / hotspot up and running. You now have a router in a PC / Server / Laptop / Raspberry Pi; basically anything that can run Ubuntu. Don't forget to make things persistent within /etc/systemd/system/... You will need to install iptables-persistent and save your current config. Reload your daemon, then systemctl enable and start your tun0 setup and tun2socks services.
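
One check worth adding to this setup, as an added example that is not the author's code: if the default route in table 100 is ever missing, marked packets fall through to the main routing table, and with the FORWARD policy left at ACCEPT (the iptables default) the two FORWARD rules above do not stop them leaving via the uplink. The script evaluates an `iptables -S FORWARD` dump for that case; the function names, the interface names wlxap0 and eth0, and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the author's code: does the FORWARD chain fail closed?
# Input is the text of `sudo iptables -S FORWARD`. Only the -i, -o, --state/--ctstate
# and -j options used on this page are modelled; check other matches by hand.

# Print the verdict for a NEW packet entering on $1 and leaving on $2.
forward_verdict() {
    awk -v in_if="$1" -v out_if="$2" '
        function matches(pat, name) {   # trailing "+" is the iptables prefix wildcard
            if (pat == "") return 1
            if (substr(pat, length(pat)) == "+")
                return index(name, substr(pat, 1, length(pat) - 1)) == 1
            return pat == name
        }
        $1 == "-P" && $2 == "FORWARD" { policy = $3 }
        $1 == "-A" && $2 == "FORWARD" && verdict == "" {
            i = ""; o = ""; j = ""; new_ok = 1
            for (n = 3; n < NF; n++) {
                if ($n == "-i") i = $(n + 1)
                if ($n == "-o") o = $(n + 1)
                if ($n == "-j") j = $(n + 1)
                if ($n == "--state" || $n == "--ctstate") new_ok = ($(n + 1) ~ /NEW/)
            }
            if (new_ok && matches(i, in_if) && matches(o, out_if) &&
                (j == "ACCEPT" || j == "DROP" || j == "REJECT")) verdict = j
        }
        END { print (verdict != "" ? verdict : policy) }'
}

# Succeed only if AP interface $1 is forwarded to tun0 and NOT to the uplink $2.
ap_fails_closed() {
    rules=$(cat)
    [ "$(printf '%s\n' "$rules" | forward_verdict "$1" tun0)" = "ACCEPT" ] &&
    [ "$(printf '%s\n' "$rules" | forward_verdict "$1" "$2")" != "ACCEPT" ]
}

# Constructed sample: this page's two FORWARD rules under the default ACCEPT policy.
PAGE_RULES='-P FORWARD ACCEPT
-A FORWARD -i wlx+ -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o wlx+ -m state --state RELATED,ESTABLISHED -j ACCEPT'
# The same dump after `sudo iptables -P FORWARD DROP`.
HARDENED_RULES=$(printf '%s\n' "$PAGE_RULES" | sed 's/^-P FORWARD ACCEPT$/-P FORWARD DROP/')

# wlxap0 and eth0 are hypothetical interface names.
for name in PAGE_RULES HARDENED_RULES; do
    eval "dump=\$$name"
    if printf '%s\n' "$dump" | ap_fails_closed wlxap0 eth0; then echo "$name: fails closed"
    else echo "$name: AP traffic can be forwarded out eth0"; fi
done
```

If you change the chain policy, save the rule set again so that iptables-persistent restores the hardened version at boot.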

"tun0 = pipe to redirect traffic to tun2socks, tun2socks = translator that converts raw packets to SOCKS5 calls, tor = encrypts and sends" Happy hacking!