Hi, I have a sim card from my work. When we go away I would like to share the wifi with friends but I don't want them to accidentally click a dodgy link and for me to have issues at my work. What's the simplest way to hide my traffic? I have a cheapo cloud server running CentOS I could route traffic through. I have been trying to use NordVPN but it doesn't really seem to be working that well. it kind of works but fails quite a bit and is fairly slow.

Hi,
Passing your traffic through a VPN connection won't restrict your friends from clicking on unwanted links. However, If your device has encryption accelerator chip then use whatever protocol allows you to use it to gain more throughput.

A couple of other questions which pop up:
- From SIM to Wifi - what's in between ? Your cell phone ?
- issues at work after clicking a dodgy link - how so ? Is your device permanently connected to your work environment ? Scared to have your device infected with some malware ? Then DON'T share your cell wifi ... easy, no ?
- hide your traffic - why hide your traffic ? Why not hide your friends traffic ? Would be more logical.

- Last but not least: where is the Mikrotik in this request ?

Being someone who is responsible for monitoring mobile expenses for the client I work for, I personally think your request is more then simply crossing a line.
Where I live you can get fired for doing this (but it's not easy to proof, I will admit that).
But let's not judge ... or I must have HUGELY misunderstood what you are planning to do, in which case I humbly apologize for jumping to conclusions.

As holveo notes, you have given us a very poor explanation of the equipment and how the traffic actually flows.

A couple of other questions which pop up:
- From SIM to Wifi - what's in between ? Your cell phone ?

An SXT LTE Cat 6 and another Mikrotik to provide wifi, probably a RB951ui-2HnD. The SIM is a second sim to the phone sim.

- issues at work after clicking a dodgy link - how so ? Is your device permanently connected to your work environment ? Scared to have your device infected with some malware ? Then DON'T share your cell wifi ... easy, no ?

It's not connected to the work LAN but I work for the telco so they can potentially view the traffic. I'm not even sure they do

- hide your traffic - why hide your traffic ? Why not hide your friends traffic ? Would be more logical.

That makes sense and is what I did with NordVPN. One SSID for nord and one for straight through traffic

Being someone who is responsible for monitoring mobile expenses for the client I work for, I personally think your request is more then simply crossing a line.
Where I live you can get fired for doing this (but it's not easy to proof, I will admit that).
But let's not judge ... or I must have HUGELY misunderstood what you are planning to do, in which case I humbly apologize for jumping to conclusions.

There's no expenses. The towers cost the same if they sit idle as opposed to passing a small amount of extra traffic. The only costs are fake internal costs which are flat.

As holveo notes, you have given us a very poor explanation of the equipment and how the traffic actually flows.

Yeah I was a bit light on the details there. It's just a Mikrotik SXT LTE6 and another mikrotik for wifi. All basic setup, DHCP, an SSID for me and one for the encrypted traffic.The SXT will be pretty much default config with some sort of VPN link out. The other device will just run wifi and a static IP

• probably a RB951ui-2HnD.

No accelerator chip, You should use IPsec with low P1-P2 config or WG.

• That makes sense and is what I did with NordVPN. One SSID for Nord and one for straight-through traffic

A virtual interface will do.

So SXT LTE6 and then some Wifi equipment ?
And you do have a cloud Centos server available as well.

In broad lines what I would do :
- 2 wifi SSIDs, separate IP subnet, separate VLAN for Guest
- guest VLAN using VPN to CentOS box (Wireguard is the easiest to set up and best performance, will require you to upgrade SXT LTE6 to ROS7 but that's no problem, I also have one like that connected with wireguard to home)

Regular traffic breaks out regular
Guest traffic goes first out encrypted and reaches your CentOS box, will break out from there. No way to decrypt in between.
Don't expect speeds >50-60Mb since ethernet port on that SXT is only 100Mb AND its processor will have to handle all the wireguard encoding/decoding.
Unless you can move that part to the Wifi AP if it has a beefier processor ?

This should be enough conceptual material to get this working.

There's no expenses. The towers cost the same if they sit idle as opposed to passing a small amount of extra traffic. The only costs are fake internal costs which are flat.

At the end someone ALWAYS has to pay the bill.
Flat fee or not.
Let's make no mistake there, please.

• probably a RB951ui-2HnD.

No accelerator chip, You should use IPsec with low P1-P2 config or WG.

• That makes sense and is what I did with NordVPN. One SSID for Nord and one for straight-through traffic

A virtual interface will do.

I can also do the VPN on the SXT but I think the specs are similar. The question is, which flavour of VPN should I use? I have the option of going to the CentOS VM or I could even go via the Mikrotik at home. My home network has a fixed public IP

@MikeKulls

Well, If availability and reliability are part of your concerns? You should use your VM. Also, Wireguard(WG) is easier to set it up vs IPsec ( IKEv2 or L2TP+IPsec). If you are worried about what is going out of your network I don't think using your own home MT would be the best practice.

I can also do the VPN on the SXT but I think the specs are similar

If your clients are going to connect via WIFI in my mind is better to config it on the same device, with easier troubleshooting, and less overhead.

@MikeKulls

Well, If availability and reliability are part of your concerns? You should use your VM. Also, Wireguard(WG) is easier to set it up vs IPsec ( IKEv2 or L2TP+IPsec).

Thanks, I will give it a go. The setup on CentOS doesn't looks too crazy.

If you are worried about what is going out of your network I don't think using your own home MT would be the best practice.

I'm not overly concerned, I just want to protect against work logging someone clicking on the wrong link. My kids could even do it.

@MikeKulls

Thanks, I will give it a go. The setup on CentOS doesn't look too crazy.

No, it is not.
https://linuxhint.com/install-wireguard-vpn-centos/
https://www.linuxbabe.com/centos/wiregu ... ver-centos

I'm not overly concerned, I just want to protect against work logging someone clicking on the wrong link. My kids could even do it.

What I told you was my personal taking you should do whatever you fill like it.

I would be very surprised if your employer tracks what websites you visit.

Corrected that for you ... context is slightly different.

Hi, I have a sim card from my work. When we go away I would like to share the wifi with friends [...]

This comment is how I think:
Well, respect whoever gives you the salary, not taking advantage of the company.
In Italy you pay in volumes, if someone uses an excessive volume of data, especially when they are not in working hours,
they are certainly charged for everything, if not reported to the authorities for theft and fraud, and fired.

And in all of this there is no need to go and see what traffic you have done, but HOW MUCH, and at what time.
And for sure a VPN consumes slightly more traffic...