I finally finished writing Connected Isn’t Protected: Your Router Enforcement and Leak Audit Manual. 🥳 It got a little away from me and ran past 130 pages. Table of Contents if anyone is interested:

Terminology (p. 12)

Introduction (p. 13)
- The Router Is Upstream Authority (p. 13)
- “Connected” Means Nothing (p. 14)
- Enforcement vs Assumption (p. 15)
- Fail Open vs Fail Closed (p. 16)
- Scope of This Manual (p. 17)
- What You Walk Away With (p. 18)

Threat Model Alignment & Scope Definition (p. 19)
- Define Your Adversary (p. 19)
- Home Network vs Travel Router (p. 20)
- Map the Exposure Surface (p. 21)
- Understand Blast Radius (p. 22)
- Define Your Acceptable Failure State (p. 23)

Router as Enforcement Layer (p. 25)
- The Core Path: Device -> Router -> WAN (p. 25)
- DNS Resolution Path Variants (p. 27)
- VPN Tunnel Interface Mechanics (p. 28)
- Router Generated Traffic Flows (p. 29)
- Trust Boundaries (p. 30)
- Conceptual Data Flow Layers (p. 32)
- Architecture Checklist (p. 33)

Baseline Observation (Pre-Hardening) (p. 34)
- Step 1: Create a Controlled Testing Environment (p. 34)
- Step 2: Capture DNS Behavior Before Changes (p. 35)
- Step 3: Capture Exit IP State (p. 36)
- Step 4: Check IPv6 Exposure (p. 36)
- Step 5: Observe Routing Behavior (p. 37)
- Step 6: Snapshot Router Logs (p. 37)
- Step 7: Document Failure Without Intervention (p. 38)
- What You Should Have Documented (p. 38)
- Why Baseline Matters (p. 39)

DNS Resolver Path Verification (p. 40)
- Step 1: Identify the Intended Resolver Path (p. 40)
- Step 2: Detect Resolver Drift (p. 41)
- Step 3: VPN On vs VPN Off Comparison (p. 42)
- Step 4: Enforce or Detect Fallback Behavior (p. 43)
- Step 5: Verify Port 53 Policy (p. 43)
- Step 6: Detect Hard Coded Device Bypass (p. 45)
- Step 7: Encrypted DNS Verification (p. 45)
- DNS Verification Checklist (p. 46)

Exit IP & Routing Enforcement Verification (p. 47)
- Step 1: Establish the Expected Exit Identity (p. 47)
- Step 2: Basic Exit IP Validation (p. 48)
- Step 3: Refresh and Stress Test (p. 48)
- Step 4: Traceroute Verification (p. 49)
- Step 5: WireGuard vs OpenVPN Differences (p. 50)
- Step 6: Detect Intermittent Leak Under Reconnect (p. 50)
- Step 7: Multi WAN and Failover Awareness (p. 51)
- Step 8: Policy Based Routing Edge Cases (p. 52)
- Exit Enforcement Checklist (p. 53)

Failure Mode & Kill Switch Testing (p. 54)
- Define Your Intended Failure State (p. 54)
- Test 1: Manual Tunnel Termination (p. 55)
- Test 2: Physical WAN Disconnect (p. 55)
- Test 3: Network Switching (p. 56)
- Test 4: Rapid VPN Restart Loop (p. 57)
- Test 5: DNS Behavior During Failure (p. 57)
- Test 6: Router Generated Traffic Under Failure (p. 58)
- Kill Switch Verification (p. 58)
- Failure Mode Checklist (p. 59)

Boot Window Leak Testing (p. 60)
- Understand the Boot Sequence (p. 60)
- Test 1: Cold Boot With Active Clients (p. 61)
- Test 2: Log Analysis During Startup (p. 62)
- Test 3: Boot With VPN Disabled Then Enabled (p. 62)
- Safe Boot Configuration Patterns (p. 63)
- Travel Router Specific Risk (p. 64)
- Boot Window Checklist (p. 64)

IPv6 Enforcement & Bypass Detection (p. 65)
- Understand the Risk (p. 65)
- Step 1: Confirm IPv6 Status on LAN (p. 66)
- Step 2: Inspect Router IPv6 Configuration (p. 66)
- Step 3: Traceroute Over IPv6 (p. 67)
- Step 4: DNS Over IPv6 (p. 67)
- Mitigation Paths (p. 67)
- Option 1: Disable IPv6 Entirely (p. 68)
- Option 2: Tunnel IPv6 Through VPN (p. 68)
- Option 3: Block Native IPv6 at Firewall (p. 69)
- Router Advertisements Matter (p. 69)
- IPv6 Boot Window Risk (p. 70)
- IPv6 Enforcement Checklist (p. 70)
- Hard Truth (p. 71)

Silent Exceptions & Router Generated Traffic (p. 72)
- The Router Is a Client (p. 72)
- Step 1: Identify Router Origin Connections (p. 73)
- Step 2: NTP Bypass Detection (p. 73)
- Step 3: Firmware Update Calls (p. 74)
- Step 4: Connectivity Probes (p. 75)
- Step 5: DNS Fallback Mechanisms (p. 76)
- Acceptable vs Unacceptable Exceptions (p. 77)
- Log Driven Audit Pattern (p. 77)
- Configuration Patterns for Control (p. 78)

Travel Router Captive Portal Isolation (p. 79)
- Understand the Portal Sequence (p. 79)
- Principle: Authenticate First, Then Expose LAN (p. 80)
- Test 1: Simulate Fresh Hotel Network (p. 80)
- Test 2: Downstream Redirect Detection (p. 81)
- Test 3: Reconnect Behavior After Sleep (p. 82)
- Hostile WiFi Considerations (p. 83)
- Configuration Patterns (p. 83)
- Travel Isolation Checklist (p. 84)

Log-Centric Verification Framework (p. 85)
- Enable the Right Logs First (p. 85)
- What You Are Actually Looking For (p. 86)
- Correlate DNS and Routing Events (p. 87)
- Detect Reconnect Loops (p. 87)
- Detect DNS Fallback Attempts (p. 88)
- When Logs Lie or Are Incomplete (p. 89)
- Log Review Protocol (p. 90)

Case Study Breakdowns (p. 91)
- Case 1: VPN Connected, DNS Still ISP (p. 91)
- Case 2: IPv6 Bypass Active Tunnel (p. 93)
- Case 3: Boot Window Exposure (p. 94)
- Case 4: Captive Portal Isolation Failure (p. 96)
- Case 5: Router Fail Open Under WAN Instability (p. 97)
- What These Cases Have in Common (p. 98)

Maintenance & Drift Detection Protocol (p. 99)
- Drift Is Normal (p. 99)
- Firmware Update Retesting (p. 100)
- VPN Provider Configuration Changes (p. 101)
- Periodic Power Cycle Audits (p. 102)
- Travel Topology Retesting (p. 102)
- Lightweight Automated Checks (p. 103)
- Build a Drift Log (p. 103)
- Signs You Have Drift (p. 104)

Printable Audit Worksheets (p. 105)
- 1. Baseline Capture Sheet (p. 106)
- 2. DNS Resolver Drift Sheet (p. 107)
- 3. Exit IP & Fail Closed Verification Sheet (p. 108)
- 4. Boot Window Test Sheet (p. 109)
- 5. IPv6 Enforcement Sheet (p. 110)
- 6. Log Review Sheet (p. 111)
- How to Use These Worksheets (p. 112)

Troubleshooting Matrix (p. 113)
- Problem: ISP DNS Appears While VPN Connected (p. 114)
- Problem: ISP Hop Appears Before VPN in Traceroute (p. 115)
- Problem: IPv6 Leak While IPv4 Tunnel Active (p. 116)
- Problem: VPN Reconnect Loops Exposing ISP IP (p. 117)
- Problem: DNS Resolves During Tunnel Drop (p. 118)
- Problem: Captive Portal Redirect Seen on Client Devices (p. 119)
- Problem: Router Origin Traffic Bypasses VPN (p. 120)
- How to Use This Matrix (p. 121)

Upgrade Path to Level 3 Enforcement (p. 122)
- Step 1: Strict Port 53 Control (p. 122)
- Step 2: Policy Based Routing as Explicit Architecture (p. 123)
- Step 3: VLAN Segmentation (p. 124)
- Step 4: Dedicated Firewall or Router OS (p. 125)
- Step 5: Enterprise Grade Kill Switch Logic (p. 126)
- Step 6: IDS and Traffic Visibility (p. 127)
- Step 7: Automated Testing Scripts (p. 127)
- When to Upgrade (p. 128)

Final Operational Notes (p. 129)
- Usability vs Enforcement (p. 129)
- Router Limitations Are Real (p. 130)
- When to Accept Risk (p. 130)
- Continuous Validation Mindset (p. 131)
- What This Manual Does Not Do (p. 132)
- The Real Win (p. 132)