• 0 Posts
  • 6 Comments
Joined 6 months ago
Cake day: September 25th, 2025


  • If configured properly, it can usually bypass the router altogether. In my setup I have several VLANs for different traffic, so for me it’s important to have a Layer 3 switch that can handle the routing between VLANs. But if you don’t use VLANs, a Layer 2 switch will build a MAC address table and bypass the router once it knows where the traffic is going. That way only your DNS queries and similar get sent to the router for internal traffic on the LAN. Then the issue is just traffic going to the internet.

    For the internet side you just need to configure the firewall to drop packets on ports you don’t use (not reject, just drop/ignore) and use something like fail2ban or CrowdSec to make your router outright drop malicious and LLM-bot kinds of traffic to the ports you do use, which otherwise have to be processed. That generally will reduce processing load unless you have self-hosted services that really generate a ton of traffic, in which case you can move those to VPSs outside of your network.

    Those are my general strategies at a very high level.
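The drop-not-reject plus fail2ban/CrowdSec strategy in the comment above, as an added example that is not part of the original comment and is not fail2ban's or CrowdSec's code: a sliding-window ban counter run over constructed sshd-style log lines, rendered as an nftables ruleset that silently drops banned sources and every port not explicitly opened. The thresholds (5 failures in 10 minutes), the log format, the IP addresses and the ban timeout are all assumed for the illustration.

```python
"""Toy fail2ban-style ban logic over constructed log lines (added example).

Bans any source IP that produces MAX_FAILS failed logins within WINDOW
seconds, then renders an nftables ruleset whose chain policy and ban rule
are both 'drop': the packet is discarded with no TCP RST or ICMP reply,
which is the "drop, not reject" point from the comment above.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log, sshd-style. 203.0.113.7 fails five times in a
# few seconds; 198.51.100.23 fails five times but twenty minutes apart,
# so it never exceeds the threshold inside one window.
SAMPLE_LOG = """\
2025-10-01T12:00:01Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
2025-10-01T12:00:03Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
2025-10-01T12:00:04Z sshd[1204]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
2025-10-01T12:00:05Z sshd[1201]: Failed password for root from 203.0.113.7 port 50213 ssh2
2025-10-01T12:00:06Z sshd[1201]: Failed password for root from 203.0.113.7 port 50214 ssh2
2025-10-01T12:00:07Z sshd[1201]: Failed password for root from 203.0.113.7 port 50215 ssh2
2025-10-01T12:00:09Z sshd[1207]: Failed password for bob from 198.51.100.23 port 41000 ssh2
2025-10-01T12:20:00Z sshd[1209]: Failed password for bob from 198.51.100.23 port 41001 ssh2
2025-10-01T12:40:00Z sshd[1211]: Failed password for bob from 198.51.100.23 port 41002 ssh2
2025-10-01T13:00:00Z sshd[1213]: Failed password for bob from 198.51.100.23 port 41003 ssh2
2025-10-01T13:20:00Z sshd[1215]: Failed password for bob from 198.51.100.23 port 41004 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port"
)

MAX_FAILS = 5  # assumed threshold: ban on the fifth failure ...
WINDOW = 600   # ... seen within a 10 minute sliding window


def parse_failures(log_text):
    """Yield (unix_time, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc).timestamp(), m["ip"]


def find_bans(log_text, max_fails=MAX_FAILS, window=WINDOW):
    """Return {ip: unix_time_of_ban} for sources exceeding the threshold."""
    recent = defaultdict(deque)  # per-IP timestamps inside the window
    bans = {}
    for t, ip in parse_failures(log_text):
        if ip in bans:
            continue
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_fails:
            bans[ip] = t
    return bans


def render_nft(bans, open_tcp_ports, ban_timeout="1h"):
    """Render an nftables ruleset: banned sources and unused ports are dropped."""
    lines = ["table inet filter {", "  set banned_v4 {", "    type ipv4_addr; flags timeout;"]
    if bans:
        elems = ", ".join(f"{ip} timeout {ban_timeout}" for ip in sorted(bans))
        lines.append(f"    elements = {{ {elems} }}")
    ports = ", ".join(str(p) for p in open_tcp_ports)
    lines += [
        "  }",
        "  chain input {",
        # policy drop: anything not matched below is discarded silently
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        "    ip saddr @banned_v4 drop",
        f"    tcp dport {{ {ports} }} accept",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft(find_bans(SAMPLE_LOG), [22, 443]))
```

A `reject` verb in place of `drop` would send a RST or ICMP unreachable for every probe, which both costs the router a reply packet and tells the scanner a host is there; the rendered ruleset contains no reject at all.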


  • Wow, I run OPNsense in Proxmox along with a Pi-hole and a couple of other small services and never hit 100% CPU on an Intel N100. My mini PC box has four 2.5 gigabit network ports, though I only use two of them, one for LAN and one to the modem. I do also have a managed switch, though, that has a couple of 10 gigabit ports, a couple of 2.5 gigabit, and the rest 1 gigabit. Likely the switch is taking some of the load off of the router, I suppose. Might try getting a low-end managed switch. If you’re in the US do it quick, though, as a lot of networking equipment is about to spike in price since the administration banned all new foreign-made equipment and none is made in the US.


  • I use OPNsense on a mini PC with an N100 processor. I got a decent one from HUNSN and added memory. I installed Proxmox, and OPNsense runs in that along with a Pi-hole instance and a few other services, and it is really fast compared to any router I’ve had in the past.

    I also use a RAM disk for OPNsense caching and logs, and anything I want to keep gets copied out to my NAS for permanent storage. That helps a lot with performance and SSD wear, but with memory so expensive from the LLM bubble, it might be more expensive now than a few years ago when I got mine.


  • This too would likely require compromising at least one of the devices, or at the very least compromising both users’ ISPs, or some other fairly detailed and highly targeted attack, but none of that would require compromising Signal’s servers, and it would make any system’s key exchanges vulnerable, even self-hosted systems.

    Simply compromising Signal’s servers might allow preventing key exchanges from succeeding and thus make it impossible for those users to communicate at all, but not really MITM, at least if we assume there aren’t defects in the client apps.

    The key exchange is much more complex than something like TLS and designed specifically so that the server can’t interfere. With true E2EE the key never passes through the server. This isn’t like many other apps that say E2EE but really mean end-to-server gets one key and server-to-end gets another, and decryption and re-encryption happens at the server to allow users to access older messages on new devices and the like. Signal just connects the users to each other. The apps do the rest.

    They could probably do something if they totally took over the entire Signal network infrastructure, but it’s definitely not something they could do undetected. But if a government took over the entire infrastructure, security-conscious people would stop using it immediately, thus it’s not really worth the monetary and political cost. Otherwise China and others would have already done that to all secure communications. And again, not Signal specific.
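The two claims in the comment above, that the key never passes through the server and that a server which did substitute keys could not do so undetected, as an added example that is not part of the original comment and is not Signal's protocol or code. Signal uses X3DH and the Double Ratchet over X25519; this model is plain finite-field Diffie-Hellman (the 2048-bit MODP modulus transcribed from RFC 3526, generator 2) with an untrusted relay in the middle, and a "safety number" that is simply a hash of both parties' public keys, standing in for the out-of-band fingerprint comparison users can do. The `Relay` class, the `tamper` switch and the user names are assumptions of the example.

```python
"""Key agreement through an untrusted relay (added example, not Signal's code).

An honest relay only ever sees public keys and cannot derive the session
key. A relay that substitutes its own public keys (tamper=True) can read
traffic, but the two sides then compute different safety numbers, so an
out-of-band comparison exposes the substitution.
"""
import hashlib
import secrets

# 2048-bit MODP group modulus, transcribed from RFC 3526 (group 14); the
# demonstration itself only needs a large prime modulus and generator.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def keygen():
    """Return (private, public). The private value never leaves the caller."""
    priv = 2 + secrets.randbelow(P - 3)
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte session key from our private and the peer's public key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(256, "big")).digest()


def safety_number(pub_a, pub_b):
    """Order-independent fingerprint of the two public keys a side believes in."""
    data = b"".join(sorted(p.to_bytes(256, "big") for p in (pub_a, pub_b)))
    return hashlib.sha256(data).hexdigest()[:12]


class Relay:
    """Untrusted server (assumed): stores and forwards public keys only."""

    def __init__(self, tamper=False):
        self.tamper = tamper
        self.store = {}
        self.seen = []        # every value the server ever observed
        self.mitm_priv = {}   # server-side private keys, used only when tampering

    def publish(self, user, pub):
        self.seen.append(pub)
        self.store[user] = pub

    def fetch(self, requester, target):
        if not self.tamper:
            return self.store[target]
        # Key substitution: hand the requester a server-controlled key instead.
        priv, fake_pub = keygen()
        self.mitm_priv[(requester, target)] = priv
        return fake_pub


def run_exchange(relay):
    """Alice and Bob agree a key through the relay; report what each party ends up with."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    relay.publish("alice", a_pub)
    relay.publish("bob", b_pub)
    b_pub_seen_by_alice = relay.fetch("alice", "bob")
    a_pub_seen_by_bob = relay.fetch("bob", "alice")
    # Derivation happens locally on each device; only public values crossed the relay.
    k_alice = shared_key(a_priv, b_pub_seen_by_alice)
    k_bob = shared_key(b_priv, a_pub_seen_by_bob)
    # What the server could derive for Alice's side: only possible if it substituted a key.
    m = relay.mitm_priv.get(("alice", "bob"))
    k_server = shared_key(m, a_pub) if m is not None else None
    return {
        "keys_agree": k_alice == k_bob,
        "safety_numbers_match": safety_number(a_pub, b_pub_seen_by_alice)
        == safety_number(b_pub, a_pub_seen_by_bob),
        "server_saw_private_key": a_priv in relay.seen or b_priv in relay.seen,
        "server_can_decrypt_alice": k_server == k_alice,
    }


if __name__ == "__main__":
    print("honest relay:", run_exchange(Relay()))
    print("tampering relay:", run_exchange(Relay(tamper=True)))
```

The honest run shows the server holding nothing but two public keys, which is why "compromising Signal's servers" alone yields no plaintext in this model; the tampering run shows that reading traffic costs the server a visible divergence in the safety numbers, which is the "not undetected" part.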


  • It’s unlikely encryption would be compromised since the keys never leave the device. The user’s device would have to be compromised for that. Decrypting messages on Signal servers without the keys takes too many resources to be feasible en masse, even for a state actor. And the current app has no method to transfer those private/decryption keys.

    But Signal is not private. It is only secure. Two totally different things. A bad actor could uniquely identify a user, which users they have communicated with, and how often, just not the content of the messages. That metadata is stored on the Signal servers and the company has access. That is the tradeoff for ease of use and keeping malicious accounts to a minimum vs. an anonymous IM app.