  2. 6

    Isn’t it a bit insecure to trust networks based on a SSID whitelist? Personally, I check if the hostname of my router resolves and if its ssh host key is the same as expected. My am_i_home.sh could be cleaner but works nicely:

    # The router's name must resolve on this network at all, otherwise bail out.
    nslookup router.home >/dev/null || exit 1
    # Key pinned for router.home in ~/.ssh/known_hosts (ssh-keygen -F also
    # finds HashKnownHosts entries, which a plain grep would miss).
    ACTUAL="$(ssh-keygen -F router.home \
      | awk '$2 == "ecdsa-sha2-nistp256" {print $3}')"
    # Key the host answering on the wire presents right now.
    KNOWN="$(ssh-keyscan -t ecdsa-sha2-nistp256 router.home 2>/dev/null \
      | awk '$2 == "ecdsa-sha2-nistp256" {print $3}')"
    # Fail closed: an empty pin (or a timed-out scan) must not compare
    # equal to another empty string and pass the check.
    test -n "$ACTUAL" && test "$ACTUAL" = "$KNOWN"
    
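The same host-key check as a fail-closed function, added here as an example rather than the commenter's script: known_hosts text and ssh-keyscan output are passed in as strings so it runs offline, and HashKnownHosts entries are matched the way `ssh-keygen -F` does. All sample data, including the key blobs, is constructed for illustration.

```python
import base64
import hashlib
import hmac

KEY_TYPE = "ecdsa-sha2-nistp256"

def host_matches(field, host):
    # Plain entries are comma-separated names; HashKnownHosts entries are
    # |1|<b64 salt>|<b64 HMAC-SHA1(salt, host)>, which ssh-keygen -F also handles.
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    return host in field.split(",")

def keys_for(text, host, key_type=KEY_TYPE):
    # known_hosts and ssh-keyscan share the '<host> <type> <base64>' line
    # format; skip comments and @revoked / @cert-authority marker lines.
    keys = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if fields[1] == key_type and host_matches(fields[0], host):
            keys.add(fields[2])
    return keys

def am_i_home(known_hosts, keyscan_output, host, key_type=KEY_TYPE):
    # Fail closed: exactly one pinned key, exactly one scanned key, and equal.
    # A bare `test "$A" = "$B"` passes when both are empty (no pin yet, or
    # ssh-keyscan timed out), which would trust an unknown network.
    pinned = keys_for(known_hosts, host, key_type)
    seen = keys_for(keyscan_output, host, key_type)
    if len(pinned) != 1 or len(seen) != 1:
        return False
    return hmac.compare_digest(pinned.pop(), seen.pop())

def hashed_entry(host, key_type, key, salt=b"constructed-salt"):
    # Build a HashKnownHosts-style line for the constructed sample below.
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"|1|{b64(salt)}|{b64(mac)} {key_type} {key}"

# Constructed sample data; the key blobs are placeholders, not real keys.
HOME_KEY = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHOME"
SPOOF_KEY = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFAKE"
KNOWN_HOSTS = hashed_entry("router.home", KEY_TYPE, HOME_KEY) + "\n"
SCAN_HOME = f"# router.home:22 SSH-2.0-OpenSSH\nrouter.home {KEY_TYPE} {HOME_KEY}\n"
SCAN_SPOOF = f"router.home {KEY_TYPE} {SPOOF_KEY}\n"
```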
    1. 3

      Isn’t it a bit insecure to trust networks based on a SSID whitelist?

      What about BSSIDs? Of course they’re spoofable, but I’d guess not as trivially as SSIDs.

      1. 1

        I guess they could work. I did not think so much about deliberate spoofing but more about accidental collisions. Of course they are rather unlikely with an SSID like the author’s, but could happen, especially with more common ones.

        The whole spoofing attack vector would assume that an attacker can already authenticate to your legitimate network and send a stronger signal than your real one, right? Even my technique above would not guard against that if the network would just forward most traffic to the real network by default. I am not sure if spoofing could be avoided under such circumstances.

      2. 2

        Ah, that’s actually pretty clever, thanks for sharing.

      3. 5

        Whitelisting and automatic VPN connection can be achieved with Apple profiles. See for example how Algo does it.

        1. 1

          Yep, I use Algo to set up an IPSec VPN. It generates macOS and iOS configs which can be configured to automatically connect, with SSID exclusions e.g. for home and work.

          Before Algo I used Streisand, and had to go through similar trickery as the OP to make it auto reconnect. When I saw the Algo way I realised that it’s both simple and pretty smart.

          (Caveat: I don’t know if Algo generates similar auto connect setups for non-Apple OSes.)

        2. 1

          Why wouldn’t you use a VPN at home? You trust your ISP?

          1. 4

            I am not the author, but you need to trust some network, don’t you? Because who runs your VPN? And if you do it yourself, where does it exit?

            By using a solution like the author’s you can at least establish a trusted LAN or layer 2 network by using your own router behind your ISP’s uplink. You’d need to carry a portable router with you to do the same at a coffee shop or so.

          2. 1

            It’s straightforward to set up OpenVPN to do this with systemd and a script.

            Personally I use it from home too. My ISP doesn’t need to know my business.

            1. 1

              I do similar things with Hammerspoon, you can see it in my config.