Turns out that Microsoft recently released a PQ-VPN client (open source) for users to download.

Yes, yes, it is Microsoft and they of course own GitHub...

But if you do not trust their code specifically (this is impossible for a lay person to seriously audit w effectiveness), then users can always grab the liboqs library and swap out the cryptographic standards (use the PQVPN as a template)

Sources:

1. https://www.microsoft.com/en-us/research/project/post-quantum-crypto-vpn/

2. https://github.com/Microsoft/PQCrypto-VPN

They actually have the binaries for the PQ-VPN client if people would like to use it.

Works in pretty much the same exact fashion as the prior non-PQ versions of OpenVPN would've worked .

GUI and all. Deploy OpenVPN on a server somewhere and encrypt your connection.

Source: https://github.com/Microsoft/PQCrypto-VPN/releases

That message about the third-party notices and deploys is...interesting ; but there is a former version of the project available on that same repo that one must assume does not have whatever Microsoft felt needed to be added on after the fact.

Wireguard

Ridiculously serviceable. Interface & means of operation are both very intuitive.

Doesn't work off of certificates of any sort but rather via PKI + handshakes

They call it 'Cryptokey Routing'

https://www.wireguard.com/#cryptokey-routing

So Potential Solution

1. Wireguard (speed will be key here in this setup because there are going to be a lot of additional moving parts that could bog down the connection a bit)

— Specifically, the setup that Mullvad deployed is useful because it gives us a concrete template/roadmap for swapping out some of the already strong algorithms embedded in Wireguard for even stronger ones.

The relevant link can be found here = https://github.com/mullvad/oqs-rs/pull/3/files

Doesn't get too much more straightforward than what you see above in this diff file.

Component #2 - PiHole

Let's assume that the backbone (Linux ; Ubuntu for the Kernel) of this setup is a given.

On top of deploying Wireguard, we want to also deploy PiHole with it as well so that we not only encrypt our connection but re-establish peace of mind and greater web security as well.

PiHole explanation + documentation can be found here = https://docs.pi-hole.net/

Specifically, it is defined as a "DNS Sinkhole" [their words; but it is also accurate]

Guide on Installing PiHole on a Server With Wireguard = https://www.sethenoka.com/build-your-own-wireguard-vpn-server-with-pi-hole-for-dns-level-ad-blocking/

This guide above is amazing for those that are looking to research more about how to add PiHole to their server setup (Wireguard custom).

Btw, this is how easy it is to install Wireguard on Linux ; don't want anyone to think that we're doing something super high level yet at this point.

If you're able to copy & paste those two commands into a terminal - congratulations, you now have a Wireguard server (we won't get into the config files & other stuff ; but if you're willing to read closely + follow instructions, you'll be ok)

Next Download: Unbound

What is Unbound, you ask?

Great question.

Per NLnetlabs, Unbound is:

"A validating, recursive, caching DNS resolver. IUt is designed to be fast and lean and incorporates modern features based on open standards."

Source: https://nlnetlabs.nl/projects/unbound/about/

You all can read so there's no reason to break down anything more than that that's on the page - but to put all of what was said above in laymen's terms —- Unbound is what will help you ensure that your DNS requests are going to the right place and that you're getting the right response.

Fortunately, it appears that the statement made above is now validated with an independent, 3rd-party audit as well (golden standard in the world of online software these days) = https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/

Next Download : FTLDNS

Complements Unbound (not competing) + introduced to the world by the same makers of PiHole.

Check out their write-up on it here: https://pi-hole.net/2018/02/22/coming-soon-ftldns-pi-holes-own-dns-dhcp-server/

Next step: Encrypted DNS (Strong Encryption)

This is where we top it all off.

This setup was written in Rust, but its very well-documented.

Open Source [BSD License as well? ; check].

Here's the link = https://lib.rs/crates/encrypted-dns

Super easy setup, which is always a win.

Here's the link to the cryptography embedded this thing in the source code = https://github.com/jedisct1/encrypted-dns-server/blob/master/src/crypto.rs

Possible to swap out w liboqs to enhance / elevate the cryptography in this? Why not.

Additional protocols supported by this setup:

A) DnsCrypt v2

B) Anonymized DNSCrypt

C) DNS-over-HTTP (DoH)

Link (again) = https://lib.rs/crates/encrypted-dns

Cryptography Underpinning XMPP

1. 'Off-the-Record Messaging' = https://otr.cypherpunks.ca/

2. 'OMEMO' = https://conversations.im/omemo/

Read through the specifications ; OTR is what helps make XMPP extremely secure in terms of sending messages back and forth from one party to the next.

Advanced Cryptographic Ratcheting = https://signal.org/blog/advanced-ratcheting/

(From Signal's Website) ; discusses 'Forward Secrecy' and how Open Whisper Systems operates on a similar principle in order to strengthen the secrecy and security of the messages being shared from one user to the next.

Encryption Fears

Lately, there has been a lot of news regarding statements made by the current presidential administration (Trump) for the United States re: cryptography + encryption.

The reality of the situation is that, as of right now, there is access to very strong cryptography as well as a wealth of documentation available for those that search.

However, the permanence of such information is in question.

Thus, while we can, we're going to continue to aggregate as many resources / repositories / etc., and do our best to continually elevate + upgrade our means of storing said information by adding as many means for viable storage as possible.

Reality:

It sucks that a technological (and largely, mathematical) innovation is, in itself, being branded as a 'threat'.

The argument against encryption could essentially be made against the internet or any other technological innovation that has been leveraged for evil.

The idea behind weakening encryption or making some levels of encryption illegal to be deployed in production use is that it prevents the government from being able to pierce through the veil of secrecy that some nebulous hypothetical terrorist organization may or may not use in order to prevent a catastrophic terrorist event.

To date, this hasn't happened and more than likely won't happen.

As stated in the first post of this channel, society's focus must be on figuring out, "Where did this desire for violence/harming children come from? How did it grow to this point? What are we doing to even foster such an element?" <— Because if we're at the point where the gov't cannot trust anyone to hold cryptographic tools of a certain strength out of fear that well-formed alliances will plot mass murder / destruction, then society has reached a level of depravity that mandates higher concern and attention be placed on the underlying reasons for why rather than simply focusing on preventing its consequences.

Conclusion

This channel will continue as normal, without stop.

We find it hard to acquiesce to any demands / laws / restrictions against posting academic information meant to inform individuals - especially in a world where hacks / malware / identity theft / exploits are rampant and the largest tech conglomerates in the Western world (i.e., Microsoft / Google / Amazon), seem to be able to operate with impunity, regardless of what shortcomings they may have.

If the government cannot protect its citizens, then it must not fault those same citizens for taking the responsibility for protection into their own hands.

Outlining Our First Steps Toward a Post-Quantum VPN

For those that do not know, we're working on a fork of Mullvad's post-quantum VPN deployment (using Wireguard).

There is public code posted in their repository for it (linking to Rust crates) , but unfortunately - the repository hasn't been updated since 2017.

However, that's not really an issue because the only serious update needed is to the liboqs signatures.

There have been various different implementations / redactions / changes made among the NIST post-quantum crypto competition finalists (in addition to the announcement of an entirely new round in Jan. 2019) since Mullvad originally published the code for their Rust-based fork of Wireguard.

More information can be found in our first installment here: https://libre.fail/post-quantum-vpn-setup-part-one-scratch-work

Interesting statements from status.im regarding their plans to allegedly “fork” ‘Whisper’ [appears they’re referring to a co-opted version of double ratchet encryption / OTR]

Passwords / Storage / End User Security (for sysadmins ; re: latest add to this header)

1. Solid resource that details good information about secure password hashing methods = http://crackstation.net/hashing-security.htm

2. This is a really old Stackexchange answer, but it doesn't address the OP by breaking down cryptographic primitives, but rather using *sound logic* that will probably remain true until the end of time = https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846