2026-02-26 17:28:55 CET

npub18d…lh8x3 on Nostr: I finally finished writing Connected Isn’t Protected: Your Router Enforcement and ...

I finally finished writing Connected Isn’t Protected: Your Router Enforcement and Leak Audit Manual. 🥳 It got a little away from me and ran past 130 pages.

Table of Contents if anyone is interested:

Terminology 12
Introduction 13
  The Router Is Upstream Authority 13
  “Connected” Means Nothing 14
  Enforcement vs Assumption 15
  Fail Open vs Fail Closed 16
  Scope of This Manual 17
  What You Walk Away With 18
Threat Model Alignment & Scope Definition 19
  Define Your Adversary 19
  Home Network vs Travel Router 20
  Map the Exposure Surface 21
  Understand Blast Radius 22
  Define Your Acceptable Failure State 23
Router as Enforcement Layer 25
  The Core Path: Device -> Router -> WAN 25
  DNS Resolution Path Variants 27
  VPN Tunnel Interface Mechanics 28
  Router Generated Traffic Flows 29
  Trust Boundaries 30
  Conceptual Data Flow Layers 32
  Architecture Checklist 33
Baseline Observation (Pre-Hardening) 34
  Step 1: Create a Controlled Testing Environment 34
  Step 2: Capture DNS Behavior Before Changes 35
  Step 3: Capture Exit IP State 36
  Step 4: Check IPv6 Exposure 36
  Step 5: Observe Routing Behavior 37
  Step 6: Snapshot Router Logs 37
  Step 7: Document Failure Without Intervention 38
  What You Should Have Documented 38
  Why Baseline Matters 39
DNS Resolver Path Verification 40
  Step 1: Identify the Intended Resolver Path 40
  Step 2: Detect Resolver Drift 41
  Step 3: VPN On vs VPN Off Comparison 42
  Step 4: Enforce or Detect Fallback Behavior 43
  Step 5: Verify Port 53 Policy 43
  Step 6: Detect Hard Coded Device Bypass 45
  Step 7: Encrypted DNS Verification 45
  DNS Verification Checklist 46
Exit IP & Routing Enforcement Verification 47
  Step 1: Establish the Expected Exit Identity 47
  Step 2: Basic Exit IP Validation 48
  Step 3: Refresh and Stress Test 48
  Step 4: Traceroute Verification 49
  Step 5: WireGuard vs OpenVPN Differences 50
  Step 6: Detect Intermittent Leak Under Reconnect 50
  Step 7: Multi WAN and Failover Awareness 51
  Step 8: Policy Based Routing Edge Cases 52
  Exit Enforcement Checklist 53
Failure Mode & Kill Switch Testing 54
  Define Your Intended Failure State 54
  Test 1: Manual Tunnel Termination 55
  Test 2: Physical WAN Disconnect 55
  Test 3: Network Switching 56
  Test 4: Rapid VPN Restart Loop 57
  Test 5: DNS Behavior During Failure 57
  Test 6: Router Generated Traffic Under Failure 58
  Kill Switch Verification 58
  Failure Mode Checklist 59
Boot Window Leak Testing 60
  Understand the Boot Sequence 60
  Test 1: Cold Boot With Active Clients 61
  Test 2: Log Analysis During Startup 62
  Test 3: Boot With VPN Disabled Then Enabled 62
  Safe Boot Configuration Patterns 63
  Travel Router Specific Risk 64
  Boot Window Checklist 64
IPv6 Enforcement & Bypass Detection 65
  Understand the Risk 65
  Step 1: Confirm IPv6 Status on LAN 66
  Step 2: Inspect Router IPv6 Configuration 66
  Step 3: Traceroute Over IPv6 67
  Step 4: DNS Over IPv6 67
  Mitigation Paths 67
    Option 1: Disable IPv6 Entirely 68
    Option 2: Tunnel IPv6 Through VPN 68
    Option 3: Block Native IPv6 at Firewall 69
  Router Advertisements Matter 69
  IPv6 Boot Window Risk 70
  IPv6 Enforcement Checklist 70
  Hard Truth 71
Silent Exceptions & Router Generated Traffic 72
  The Router Is a Client 72
  Step 1: Identify Router Origin Connections 73
  Step 2: NTP Bypass Detection 73
  Step 3: Firmware Update Calls 74
  Step 4: Connectivity Probes 75
  Step 5: DNS Fallback Mechanisms 76
  Acceptable vs Unacceptable Exceptions 77
  Log Driven Audit Pattern 77
  Configuration Patterns for Control 78
Travel Router Captive Portal Isolation 79
  Understand the Portal Sequence 79
  Principle: Authenticate First, Then Expose LAN 80
  Test 1: Simulate Fresh Hotel Network 80
  Test 2: Downstream Redirect Detection 81
  Test 3: Reconnect Behavior After Sleep 82
  Hostile WiFi Considerations 83
  Configuration Patterns 83
  Travel Isolation Checklist 84
Log-Centric Verification Framework 85
  Enable the Right Logs First 85
  What You Are Actually Looking For 86
  Correlate DNS and Routing Events 87
  Detect Reconnect Loops 87
  Detect DNS Fallback Attempts 88
  When Logs Lie or Are Incomplete 89
  Log Review Protocol 90
Case Study Breakdowns 91
  Case 1: VPN Connected, DNS Still ISP 91
  Case 2: IPv6 Bypass Active Tunnel 93
  Case 3: Boot Window Exposure 94
  Case 4: Captive Portal Isolation Failure 96
  Case 5: Router Fail Open Under WAN Instability 97
  What These Cases Have in Common 98
Maintenance & Drift Detection Protocol 99
  Drift Is Normal 99
  Firmware Update Retesting 100
  VPN Provider Configuration Changes 101
  Periodic Power Cycle Audits 102
  Travel Topology Retesting 102
  Lightweight Automated Checks 103
  Build a Drift Log 103
  Signs You Have Drift 104
Printable Audit Worksheets 105
  1. Baseline Capture Sheet 106
  2. DNS Resolver Drift Sheet 107
  3. Exit IP & Fail Closed Verification Sheet 108
  4. Boot Window Test Sheet 109
  5. IPv6 Enforcement Sheet 110
  6. Log Review Sheet 111
  How to Use These Worksheets 112
Troubleshooting Matrix 113
  Problem: ISP DNS Appears While VPN Connected 114
  Problem: ISP Hop Appears Before VPN in Traceroute 115
  Problem: IPv6 Leak While IPv4 Tunnel Active 116
  Problem: VPN Reconnect Loops Exposing ISP IP 117
  Problem: DNS Resolves During Tunnel Drop 118
  Problem: Captive Portal Redirect Seen on Client Devices 119
  Problem: Router Origin Traffic Bypasses VPN 120
  How to Use This Matrix 121
Upgrade Path to Level 3 Enforcement 122
  Step 1: Strict Port 53 Control 122
  Step 2: Policy Based Routing as Explicit Architecture 123
  Step 3: VLAN Segmentation 124
  Step 4: Dedicated Firewall or Router OS 125
  Step 5: Enterprise Grade Kill Switch Logic 126
  Step 6: IDS and Traffic Visibility 127
  Step 7: Automated Testing Scripts 127
  When to Upgrade 128
Final Operational Notes 129
  Usability vs Enforcement 129
  Router Limitations Are Real 130
  When to Accept Risk 130
  Continuous Validation Mindset 131
  What This Manual Does Not Do 132
  The Real Win 132