On Tue, 28 Nov 2017 21:28:55 +0900 Mark Fletcher <mark2...@gmail.com> wrote:
> On Sun, Nov 26, 2017 at 04:18:12PM +0000, Joe wrote:
> >
> > Note that most (maybe all) free wifi systems will want you to
> > provide some authentication before you are connected to the Net,
> > generally through a web page. In some systems, you may have a need
> > to access the web page after the VPN is up, so it is probably
> > advisable to allow web access to the wifi network as well as DHCP
> > and OpenVPN.
>
> That would defeat some of the purpose -- allowing the tablet
> (specifically bloatware) to access the local network would (continue
> to) expose me to gawd alone knows what on unknown and untrusted
> networks. Obviously the network outside my home LAN is no more
> trusted than a hotel / coffee shop / airport WiFi is, but bad actors
> are known to loiter on such public networks waiting for idiots like
> me to come along, and I'm interested in seeing to what extent I can
> dodge them.

But in a network of that kind, you have no choice: you *must* connect
to the authentication web server, in order to be granted access to the
rest of the Net. If you try to connect to anything else, you will be
redirected to that server. If that server has been hacked and malware
installed, tough, there's no way to avoid it, it's one of the risks of
using free wifi.

Allowing web access *out* through the wifi interface is not optional
before the VPN is up, and will only allow the tablet to initiate a
connection to a web server in that local network after the VPN is up.
It will not allow anything there to initiate inbound connections at any
time, nor outbound web connections to anywhere else, they will get
routed through the VPN.

If you have something installed which can make a connection to another
web server in that local network without action on your part, you've
already been hacked, and there's nothing left to worry about...

--
Joe
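
The policy described in the reply above (DHCP, OpenVPN and web to the local wifi network allowed out, nothing allowed to initiate inbound), written as an nftables ruleset. This is an added example, not part of the thread; it assumes a Linux client with nftables, and the interface names, subnet, VPN server address and port are placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Every value below is an assumption.
define WIFI_IF  = "wlan0"          # assumed wifi interface name
define VPN_IF   = "tun0"           # assumed OpenVPN tunnel interface
define WIFI_NET = 192.0.2.0/24     # placeholder: subnet handed out by the hotspot
define VPN_SRV  = 198.51.100.10    # placeholder: address of your OpenVPN server
define VPN_PORT = 1194             # OpenVPN's default UDP port

# Create-then-delete so the file can be reloaded without touching other tables.
table inet tablet
delete table inet tablet

table inet tablet {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        # Replies to connections this host started, on any interface.
        ct state established,related accept
        # DHCP server replies can be broadcast, so conntrack may not match them.
        iifname $WIFI_IF udp sport 67 udp dport 68 accept
        # No other rule: hosts on the wifi network cannot initiate connections.
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept

        # Once the tunnel is up and holds the default route, normal traffic
        # leaves through it.
        oifname $VPN_IF accept

        # The three things allowed directly on the wifi interface:
        oifname $WIFI_IF udp sport 68 udp dport 67 accept                  # DHCP
        oifname $WIFI_IF ip daddr $VPN_SRV udp dport $VPN_PORT accept      # OpenVPN
        oifname $WIFI_IF ip daddr $WIFI_NET tcp dport { 80, 443 } accept   # portal

        # Web traffic to any other address on the wifi interface hits the
        # drop policy, so it can only leave through the VPN.
        # IPv6 on the wifi interface is dropped as well (no ip6 rules here).
    }
}
```

Name resolution is not in the thread's list of allowed traffic; a portal that is reached by hostname would also need a DNS rule toward the hotspot's resolver.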