Router and Local Area Network Security
If the Whonix-Gateway is ever compromised, it can theoretically access any computer in the local area network (LAN).
Because of the threat posed by a Whonix-Gateway compromise, it is strongly recommended that users who have administrator control over the home network lock down the web interface of the home router and apply the strictest settings possible.
The State of Router Insecurity
Most routers provided by ISPs and those widely available in electronics stores are profoundly insecure, have outdated software and firmware, enable settings by default that open exploit opportunities, and remain vulnerable if users fail to take appropriate steps. 
Many experienced users who are concerned about computing security overlook these problems and instead focus on general operating system and networking solutions, rather than on this weak endpoint that is frequently targeted by attackers, including state-level adversaries. A compromised router can easily spy on a user's activities, conduct man-in-the-middle attacks, alter unencrypted data, or redirect the user to websites that masquerade as webmail or online banking portals.
Suitable Hardware and Router Configurations
Experts routinely advise that low-grade routers should be avoided. Cheap models often fail to notify of firmware updates that patch security vulnerabilities, have limitations on password length for administrator access, and typically come as a less-secure, combined modem/router unit.
Users should consider upgrading to a commercial-grade router that is normally intended for small businesses as a sensible investment in security. Further, it is safer to have a personally owned routing device that connects to an ISP-provided modem/router in order to maximize administrative control over routing and wireless features of the home network.
Before purchase, check that the router has firewall capabilities and that it supports Network Address Translation (NAT), so internal systems cannot be directly accessed from the Internet. Also check whether the router can be configured off-line, which is an advantage. Disconnect or turn off routers and modems when they are not in use.
Accessing Router Settings
To access and change router settings, type the router's IP address into a web browser address bar and then enter the administrative login and password when prompted. Users who are unsure of the default login credentials can check the list here, searching by manufacturer and model.
Routers usually have a common address like 192.168.1.1, but there are many alternatives depending on the make and model of the router. Check the manual that comes with the router to determine the correct address, or alternatively research the manufacturer's website to determine it.
If the relevant address cannot be confirmed this way, terminal commands can be used to display the IP routing table, or various networking tools can be used to discover it.
On Linux operating systems, run the following command in a terminal. 
The output line starting with "default via XXX.XXX.XXX.XXX" gives the router IP address needed for changing settings.
Alternatively, most Linux desktops have a network icon which has this information:
Right-click on network icon ->
Select "Connection Information" or similar.
The IP address displayed next to "Default Route" or "Gateway" is the relevant address required. 
On macOS, run the following command in a terminal.
This command will show all the interfaces and their respective IP and MAC addresses.
Alternatively, look for the relevant network settings under:
System Preferences ->
TCP/IP (hardwired) or Wi-Fi (wireless) section. 
To find the router IP address in Windows, open a command prompt.
Search box ->
The output should reveal the relevant IP address next to the "Default Gateway".
Alternatively, look for the relevant network settings under:
Control Panel ->
Network and Internet ->
View network status and tasks ->
Left-click on the appropriate connection ->
Left-click on "Details".
The router's IP address is to the right of the IPv4 Default Gateway. Further network and router configuration information can be found here.
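All of the steps above amount to reading the default gateway out of the operating system's routing information. The script below is an added example (not part of the Whonix page) that parses the output of the command each operating system provides for this: ip route on Linux, route -n get default on macOS (the command chosen here; the page does not name one), and ipconfig on Windows. The three sample outputs embedded in it are constructed for the demonstration; the Windows parser also handles the case where an IPv6 gateway is listed first and the IPv4 gateway follows on a continuation line.

```python
"""Find the router's IP address (the default gateway) from the local host.

Added example; not part of the Whonix page.  It parses the output of the
command each operating system provides for this: ``ip route`` on Linux,
``route -n get default`` on macOS (my choice of command) and ``ipconfig`` on
Windows.  The sample outputs below are constructed for the demo.
"""
import platform
import re
import subprocess

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def gateway_from_ip_route(text):
    """Linux: the line 'default via A.B.C.D dev ...' names the router."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "default" and fields[1] == "via":
            return fields[2]
    return None


def gateway_from_route_get(text):
    """macOS/BSD: 'route -n get default' prints a 'gateway: A.B.C.D' line."""
    match = re.search(r"^\s*gateway:\s*(\S+)", text, re.MULTILINE)
    return match.group(1) if match else None


def gateway_from_ipconfig(text):
    """Windows: 'ipconfig' prints 'Default Gateway . . . : <address>'.

    When IPv6 is enabled the first value is a link-local IPv6 gateway and
    the IPv4 gateway follows on an indented continuation line, so every
    line up to the next labelled field is checked for a dotted quad.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "Default Gateway" not in line:
            continue
        candidates = [line.split(":", 1)[1]]
        for nxt in lines[i + 1:]:
            if not nxt.strip() or " : " in nxt:   # blank line or next field
                break
            candidates.append(nxt)
        for cand in candidates:
            match = IPV4.search(cand)
            if match:
                return match.group(1)
    return None


def _run(cmd):
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:          # command not installed on this host
        return ""


def default_gateway():
    """Run the platform's own command and parse it; None if not found."""
    system = platform.system()
    if system == "Linux":
        return gateway_from_ip_route(_run(["ip", "route", "show"]))
    if system == "Darwin":
        return gateway_from_route_get(_run(["route", "-n", "get", "default"]))
    if system == "Windows":
        return gateway_from_ipconfig(_run(["ipconfig"]))
    return None


# Constructed sample outputs (not captured from real hosts).
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""
SAMPLE_ROUTE_GET = """\
   route to: default
destination: default
       mask: default
    gateway: 10.0.0.1
  interface: en0
"""
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.0.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.0.1
"""

if __name__ == "__main__":
    print("Linux sample  :", gateway_from_ip_route(SAMPLE_IP_ROUTE))
    print("macOS sample  :", gateway_from_route_get(SAMPLE_ROUTE_GET))
    print("Windows sample:", gateway_from_ipconfig(SAMPLE_IPCONFIG))
    print("this host     :", default_gateway())
```

Running it prints the gateway found in each sample and then, as the last line, the gateway of the host it is run on (or None if the platform's command is unavailable). The address it reports is the one to type into the browser address bar.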
Recommended Router Settings
Many router models do not allow the user to change specific settings discussed in this section.
General Router Settings
Router Access and Management
- Change the default router username and password; use a suitably long and random Diceware passphrase for the password.
- Use the browser's incognito or private mode when accessing the administrative interface so the URL is not saved in the browser history.
- Avoid administrating the router with a smartphone application.
- Disable the HTTP interface and enable the HTTPS interface instead, preferably on a non-standard port. For example:
- Disable remote administrative access and administrative access over Wi-Fi. Allow administrator access only over wired Ethernet connections (not possible with mesh routers).
- Disable all other remote-access services such as Telnet and SSH, and disable responses to ping (ICMP echo) from the Internet.
- If offered, disable cloud-based router management, because trust is shifted to a third party sitting between the user and the router.
- Do not use mesh router systems that do not permit local administrative access.
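The passphrase recommendation above is easy to get wrong by using an ordinary pseudo-random generator or too few words. The script below is an added example (not part of the Whonix page) of generating a Diceware-style passphrase with the operating system's cryptographic random source, sizing it by the entropy wanted rather than by a fixed word count, and checking it against the password length limit that cheap routers impose (mentioned earlier on this page). DEMO_WORDS is a constructed 32-word stand-in so the script runs offline; load_wordlist() reads a real 7776-word Diceware list for actual use.

```python
"""Generate a Diceware-style passphrase for the router's administrator login.

Added example, not part of the Whonix page.  Real Diceware draws each word
by rolling five dice against a 7776-word list; here the OS CSPRNG (secrets)
stands in for the dice.  DEMO_WORDS is a short constructed list so the
script runs offline; load a full Diceware list with load_wordlist() for
real use.
"""
import math
import secrets

DICEWARE_LIST_SIZE = 7776   # 6**5 entries in a standard Diceware list

# Constructed 32-word stand-in for a real list (5 bits of entropy per word).
DEMO_WORDS = [
    "anchor", "basalt", "canyon", "dune", "ember", "fjord", "gravel", "harbor",
    "ivory", "juniper", "kelp", "lantern", "meadow", "nectar", "opal", "pebble",
    "quartz", "river", "saddle", "thistle", "umber", "velvet", "walnut", "yarrow",
    "zephyr", "bramble", "cobalt", "drift", "falcon", "granite", "heron", "maple",
]


def load_wordlist(path):
    """Read a Diceware list; accepts 'word' or 'NNNNN word' per line."""
    words = []
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            parts = line.split()
            if parts:
                words.append(parts[-1])
    return words


def entropy_bits(list_size, n_words):
    """Each uniformly chosen word contributes log2(list_size) bits."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(words, target_bits=77, separator=" "):
    """Draw enough words to reach target_bits.  secrets.choice uses the OS
    CSPRNG; random.choice must not be used here because it is predictable."""
    n_words = words_needed(len(words), target_bits)
    return separator.join(secrets.choice(words) for _ in range(n_words))


def fits_limit(phrase, max_length):
    """Cheap routers cap the admin password length; check before saving it.
    Returns (fits, number_of_characters_over_the_limit)."""
    over = max(0, len(phrase) - max_length)
    return over == 0, over


if __name__ == "__main__":
    phrase = passphrase(DEMO_WORDS)
    n = len(phrase.split())
    print(phrase)
    print(f"{n} words from a {len(DEMO_WORDS)}-word list: "
          f"{entropy_bits(len(DEMO_WORDS), n):.1f} bits")
    print(f"a 6-word Diceware passphrase gives "
          f"{entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print("fits a 32-character limit:", fits_limit(phrase, 32))
```

Six words from the full 7776-word list give about 77.5 bits; the small demo list needs sixteen words to reach the same target, which is why the word count is derived from the list size rather than fixed. If fits_limit() reports the phrase is too long for the router, the right fix is a router without the limit, not a shorter passphrase.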
Router Configuration and Services
- Change the default Service Set Identifier (SSID), which often leaks information about the router. Do not use personally identifying information such as the apartment number you live in.
- Disable NAT-PMP, since it has similar functionality to UPnP.
- Disable the Home Network Administration Protocol (HNAP), since it allows remote management of network devices.
- Do not bind services to the external interface.
- Turn off Universal Plug and Play (UPnP), which can allow applications to open ports to external computers.
- If port forwarding is necessary, restrict each forwarded port to a specific source IP address or source subnet.
- Set logging to on, if the feature is available. This allows for a record of unsolicited incoming connection attempts, attempted logins and so on.
- Reconfigure the router firewall rules to drop all unsolicited incoming packets.
- Firewall ports should be set to "stealth" rather than "closed". This way no response is given to unsolicited external communications from attackers probing the network.
- Keep router firmware up-to-date at all times for better security. Set the self-updating firmware option if it is available.
- Use Gibson Research Corp.'s Shields Up port-scanning service to test the router for hundreds of common vulnerabilities, most of which can be mitigated by the router's administrator.
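Turning logging on, as recommended above, only helps if the log is actually read. The script below is an added example (not part of the Whonix page or of any router's firmware) that runs over a handful of constructed syslog lines in the style of a Linux-based router (netfilter "DROP" entries with SRC=, PROTO= and DPT= fields, and dropbear-style "Bad password attempt" entries) and produces the two things a home administrator wants from the log: which sources are probing the WAN-facing ports, and where failed administrator logins come from. Because remote administration should be disabled, a failed login from outside the LAN subnet (assumed here to be 192.168.1.0/24) is flagged as a sign that the management interface is exposed.

```python
"""Triage a router's log for unsolicited inbound connection attempts and
failed administrator logins.

Added example, not part of the Whonix page or of any router firmware.  The
log lines are constructed in the style of a Linux-based router: netfilter
'DROP' entries with SRC=/PROTO=/DPT= fields and dropbear-style
"Bad password attempt for 'user' from ip:port" entries.  The LAN subnet is
an assumption passed in by the caller.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

DROP_RE = re.compile(r"\bSRC=(?P<src>[\d.]+).*?\bPROTO=(?P<proto>\w+).*?\bDPT=(?P<dpt>\d+)")
LOGIN_RE = re.compile(r"Bad password attempt for '(?P<user>[^']+)' from (?P<src>[\d.]+)")

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Mar  3 02:14:07 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=51234 DPT=23 SYN
Mar  3 02:14:09 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=51235 DPT=2323 SYN
Mar  3 02:14:12 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=51236 DPT=8080 SYN
Mar  3 02:15:11 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=32 PROTO=UDP SPT=4444 DPT=1900
Mar  3 02:20:30 router dropbear[1410]: Bad password attempt for 'admin' from 203.0.113.9:40211
Mar  3 02:20:35 router dropbear[1410]: Bad password attempt for 'root' from 203.0.113.9:40212
Mar  3 09:01:02 router dropbear[1410]: Bad password attempt for 'admin' from 192.168.1.50:55010
"""


def triage(lines, lan="192.168.1.0/24", probe_threshold=3):
    """Summarise dropped inbound packets and failed logins; return counters and alerts."""
    lan_net = ip_network(lan)
    probes = Counter()              # source -> dropped inbound packets
    ports = Counter()               # "PROTO/port" -> attempts
    logins = defaultdict(Counter)   # source -> user -> failed attempts
    for line in lines:
        if "DROP" in line and (m := DROP_RE.search(line)):
            probes[m["src"]] += 1
            ports[f"{m['proto']}/{m['dpt']}"] += 1
        elif (m := LOGIN_RE.search(line)):
            logins[m["src"]][m["user"]] += 1

    alerts = []
    for src, n in probes.items():
        if n >= probe_threshold:
            alerts.append(f"{src}: {n} dropped inbound packets (port probing)")
    for src, users in logins.items():
        side = "LAN" if ip_address(src) in lan_net else "WAN"
        alerts.append(f"{src} ({side}): {sum(users.values())} failed logins for {sorted(users)}")
        if side == "WAN":
            # Remote administration should be disabled; a login attempt from
            # outside the LAN means the management service is exposed.
            alerts.append(f"{src}: management login reachable from the WAN")
        if src in probes:
            alerts.append(f"{src}: probed ports and then tried to log in")
    return {"probes": probes, "ports": ports,
            "logins": {s: dict(u) for s, u in logins.items()}, "alerts": alerts}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print("most probed ports:", report["ports"].most_common(3))
    for alert in report["alerts"]:
        print("ALERT", alert)
```

On the sample data the script reports 203.0.113.9 three times for probing Telnet-style ports, then for two failed logins that show the SSH service answering on the WAN side, while the single failed login from 192.168.1.50 is reported as a LAN event to be checked against the household's own devices. Replace the sample with the lines exported from the router's log page and adjust the LAN subnet to match the router.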
Wireless Network Router Settings
Warning: Recent research suggests that WPA2 encryption may be broken. Although various countermeasures are reported in the literature and Linux distributions have already patched relevant software, users who require greater security may wish to disable Wi-Fi completely on their systems.
Wi-Fi Configuration and Services
- Do not bother disabling SSID broadcasting, since a hidden SSID is trivial to discover.
- Enable the "Block WAN Requests" option to conceal the network from other Internet users.
- Enable MAC Filtering so only specific devices may connect to the network.
- Limit the number of Dynamic Host Configuration Protocol (DHCP) leases (connections) on the Wi-Fi network to match the number of personal devices owned.
- If you must allow use of the Wi-Fi network to visitors, set up a guest network that turns itself off after a set period.
- Use the 5 GHz band for Wi-Fi instead of the standard 2.4 GHz band (if possible), since the 5 GHz band does not travel as far.
- If possible, schedule Wi-Fi networks to turn off at night and then turn on in the morning.
- Disable Wi-Fi Protected Setup (WPS) because it allows any device to connect to the network with the relevant eight-digit PIN.
- Do not rely on the WEP and WPA standards, which are cryptographically weak and have known security weaknesses. Use the WPA2 standard so only authorized users can use the network.
- Use routers that exclusively use WPA2, preferably with the AES standard (CCMP) and not TKIP which is less secure.
Strong consideration should be given to flashing the wired/wireless router with an open-source GNU/Linux distribution. Solutions such as OpenWrt and DD-WRT provide firmware that is suitable for a large variety of wired and wireless routers and embedded systems.
The strengths of this approach are openness, regularly updated firmware images, a great number of functionalities (fully-featured), less bloat and more control over router behavior. The downside is that open-source firmware is not free of bugs; careful research is required before attempting this procedure. Check the online guides for instructions on how to proceed and whether the home router is compatible with the available firmware.
- In Qubes-Whonix, this command is run from the NetVM terminal.
- It may be sensible to tape this on the router so it is not lost in the future.
- Flawed 802.11 random number generation (generating insufficient entropy) enables downgrade attacks on group keys transmitted in the 4-way handshake (forcing usage of RC4 encryption), decryption of the 128-bit group key, and injection of group traffic into unicast traffic. This means unicast Wi-Fi traffic can be decrypted.
We tested this attack against an Asus RT-AC51U and a laptop running Windows 7. The group key was obtained by exploiting the weak random number generator as discussed in Section 3.4.1. In order to successfully perform the ARP poisoning attack against Windows, we injected malicious ARP requests. First, we were able to successfully inject the ARP packets using the group key. This confirms that the group key can be used to inject unicast packets. Once we poisoned the ARP cache of both the victim and router, they transmitted all their packets towards the broadcast MAC address. At this point we were able to successfully decrypt these broadcast packets using the group key, and read out the unicast IP packets sent by both the victim and router.
- Usually the WPA2 Personal standard is fine; the WPA2 Enterprise version is only required for businesses.
Whonix Router and Local Area Network Security wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Router and Local Area Network Security wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <firstname.lastname@example.org>
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.