
Gmail
gives you end-to-end encryption of the entire session - IF you check the option within settings!
If you value your privacy and use Wi-Fi hotspots or other public networks, there is no tool more indispensable than a virtual private network. Yes, technologies such as secure sockets layer (denoted by an "https" in a web address) will prevent information transmitted between a PC and a web or email server from being intercepted …
At home and work I use IPCop with the Zerina OpenVPN addon as the server. Clients vary, but are mostly Fedora 9 and Win XP. It has been bulletproof since I started using it - it's got to be at least 12 months now, but I've not been keeping track.
ipcop.org
http://www.vpnforum.de/zerina/
B
The key and fundamental issue with a VPN is that a lot of public hotspots don't permit them (and are actively blocked - see various hotels, pubs etc.) and also with a basic solution like OpenVPN, you only get authentication about the user.... the device is an unknown unless using IPSec/L2TP. (Even then that's easy enough to move or copy to a second PC)
The SSL claim is nonsense. "Side-jacking" is pretty simple to get around - don't use cookies.
Just implemented a new Juniper SSL-VPN SA4500 cluster which uses some rather nice web GUIs for the users whilst employing RSA Auth, cache cleaning and host checking. (The latter two prior to credential entering!)
Additionally, the client laptops issued use TrueCrypt and various other technologies (GPOs, antivirus, management agent etc.) running to help with security - and of course the final addition is using Citrix once the users are connected via SSL to do the bulk of their work.
All over SSL.
The users love it as they are free from being blocked using VPNs, whilst having a more stable and user friendly setup. Plus we get a much better level of security and ease of management.
Everyone's a winner (other than the FD once we tell him how much it costs!)
"Like many small and medium sized businesses, El Reg is too cheap to equip its grunts with any sort of VPN"
Even the most basic of ADSL routers come with a reasonable VPN server these days and for the most advanced business, Windows SBS or more expensive routers come with more feature-rich versions.
Surely, if VPN access is so critical to a business then it's better to go for a commercial offering and buy support for it than run a freeware product on a desktop?
They don't know what you're doing, but they do know the IP address of the VPN server. That can tell them who you are or who your employer is. If you want privacy, you have to set up your VPN server on a zombie located in the home of a clueless newbie.
BTW: Use iptables to limit all network access except the tunnel to the tunnel. That way, if your tunnel caves in your communications do not suddenly become public. Oops, XP does not have iptables. Set XP's default route to a Linux box and filter the packets there.
... then this will be way too complicated and/or confusing, and then the need for a better solution becomes apparent. You don't seriously expect typical average users to sit at home configuring OpenVPN with subnets, key pairs and connection bridges, do you?
Paris, because she can't work OpenVPN either.
To those complaining that OpenVPN is frequently blocked by hotspots, note that the configuration offered here uses port 443, which is open on the typical Wi-Fi network. This is exactly the configuration that JohnG discusses a few comments back.
For public hotspot security I've been using the IronKey USB stick which you guys reviewed some time back. It comes with access to their privately maintained Tor servers and all traffic out is encrypted including DNS requests. I'm not affiliated with them, just a very happy user. www.ironkey.com, the personal edition.
Is there something similar which allows you to access the web via a VPN into some sort of 'cloud' of anonymous servers? E.g. just something to stop your ISP from snooping all your traffic? I accept that whoever administers the server(s) at the other end would get to see (some fraction of) your traffic but that's no different to all the routers between your ISP and the destination.
The main thing would be the removal of any easy facility for some party (like the Government) to get a single record of all your internet activity.
Using OpenVPN for years with multiple users connecting from different connections all over the world easily and successfully.
The only problems we've come across are in the Far East - possibly latency as it can be a bit slow out there. Connections made in China seem to hardly ever work; can they block encrypted traffic? Unfortunately I never get sent to these places to find out...
Anyway, we use it 24/7 for shared folder, Exchange, intranet access et al over wifi, dialup and ethernet and as others have said, it just works. Excellent software.
Already been doing this for the past few years.
The workaround in Windows for the "if your connection drops" thing is to install a software firewall on the laptop and limit which networks are Trusted. Normally I use Linux with the iptables as suggested but when I use Windows I have the wireless "network" marked as untrusted and the VPN "network" marked as trusted. This stops stray packets as well as the connection-dying issue.
I use this in preference to and normally in addition to wireless security on the AP I have at home. I have WPA2 PSK on my home wireless but I really don't trust anything wireless at all, so all communications within the house use OpenVPN to talk across the WPA2 network. There's very little downside to this, the latency is no worse than normal, even with 600MHz clients and a noisy spectrum.
It's so simple that even my wife can manage it - with OpenVPN GUI for Windows, it's just a matter of making sure the little icon is green and shouting if not. We do all our main Internet things (email, web, skype, gaming, etc.) over it. It took about an hour to set up but after that it was fantastically simple.
A word of warning: if you set OpenVPN to use UDP on a Windows client (less latency I believe), you will run into lots of problems unless you have a stateful firewall on the Windows client. ZoneAlarm handles it, Windows firewall just blocks it entirely.
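Two commenters above raise the same failure mode: the comment recommending iptables to limit all access to the tunnel, and the Windows workaround of marking only the VPN "network" as trusted. Both are describing a kill switch. The script below is an added example (not from either commenter or from the OpenVPN project) of that kill switch for a Linux client, using iptables: outbound traffic is limited to the VPN server itself and to the tunnel interface, so a dropped tunnel leaves the machine silent instead of quietly falling back to the hotspot in the clear. The server address, port and interface name are constructed placeholders taken from environment variables; the rules are printed for review by default and only executed with `--apply`.

```shell
#!/bin/sh
# Added example: iptables "kill switch" for a Linux VPN client.
# Constructed placeholder values; override via the environment.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"  # OpenVPN endpoint as an IP: DNS is not reachable before the tunnel is up
VPN_PORT="${VPN_PORT:-443}"
VPN_PROTO="${VPN_PROTO:-tcp}"
TUN_IF="${TUN_IF:-tun0}"

# Print the rule set, one command per line. Nothing is executed here, so the
# output can be reviewed (or diffed against a host) before it is applied.
vpn_killswitch_rules() {
    cat <<EOF
# default-deny on both directions; the ACCEPT rules below are the only exits
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies to connections we opened (the tunnel's own TCP session included)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP so the hotspot lease can still be obtained and renewed
iptables -A OUTPUT -p udp --dport 67 -j ACCEPT
# the tunnel's outer connection, so OpenVPN can (re)connect at any time
iptables -A OUTPUT -d $VPN_SERVER -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
# everything else only through the tunnel interface
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
# this tunnel carries no IPv6, so block it rather than leak it beside the tunnel
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
EOF
}

# Self-check on the generated rules: both IPv4 default policies must be DROP
# and the only interface-wide ACCEPT besides loopback must be the tunnel.
vpn_killswitch_check() {
    rules=$(vpn_killswitch_rules)
    [ "$(printf '%s\n' "$rules" | grep -c '^iptables -P .* DROP$')" -eq 2 ] || return 1
    [ "$(printf '%s\n' "$rules" | grep -v -- '-o lo ' | grep -c -- '-o .* -j ACCEPT$')" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -q -- "-o $TUN_IF -j ACCEPT$"
}

case "${1:-}" in
    --apply) vpn_killswitch_check && vpn_killswitch_rules | sh -e ;;  # run as root
    *)       vpn_killswitch_rules ;;
esac
```

Run it as `sh killswitch.sh` to see the rules and `sudo sh killswitch.sh --apply` to load them. Because the rule for the server endpoint does not depend on the tunnel being up, OpenVPN can reconnect on its own after a drop; until it does, nothing else leaves the machine. Give `VPN_SERVER` as an address rather than a name, since name resolution is blocked until the tunnel (and the DNS it pushes) is back.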
You may want to have a look at iPIG, http://www.iopus.com/ipig/
I was using this, have now set up OpenVPN back to IPCop using Zerina like Ben Schofield, though connecting back to my own server at home.
You can connect to the iPIG server, 10 MB only for free, $30 for a further 30 GB is not too terrible, but could be better I suppose. Setting up the server on your own system is not that difficult, just install and set up a username and password. You have to set up a dynamic DNS name the same as for OpenVPN and do the port forwarding if you run a router, but these are the least difficult bits. You don't get access to your local shares with iPIG, but if you are just wanting encrypted net access when away from home, with the benefit of anything you access thinking you are at home, it is great. You either have to pay for the iPIG account, or install the server on a safe third party machine to encrypt away from your ISP.
Of course something to remember with iPIG or OpenVPN when running from home, is that you are transferring from the remote server to the VPN server, then uploading back to your client. A 5 MB download will count as 10MB on any limited data transfer account. You are also limited in transfer speed to that which your connection can upload.
I don't go online from strange places with Windows, from Linux I run an SSH session to my home machine and run a PPP session across it. I've yet to determine which gives the better throughput, running ppp_deflate or SSH's compression, but it just works.
I remember using Hamachi (now LogMeIn Hamachi), and this was MUCH easier to set up a VPN. None of this DynDNS BS, Install the software, create a name for your network, create a name for your PC, install the software on the end machine, create a name for your PC, then join the network you created by name. Then I install whatever services on my server PC that I want, such as AnalogX Proxy: http://www.analogx.com/CONTENTS/download/network/proxy.htm
Now it might not be Open Source, but it is Free, and before it was bought by LMI, it went through a huge development effort to make it very secure, usable and great!
I pay for Reliable Hosting's VPN quarterly and have no problems with hotspots or anything else for that matter, also, it was configured in seconds...
Reason, it gives me peace of mind, high availability and bandwidth with decent throughput - enough throughput for me to be living in Sweden and able to stream loads of HD yank TV for free perfectly.
Now I'm not saying that you should always pay, but sometimes it just makes sense.
Paris because even she'll pay now and then.
Why not use SSL with published applications (via Citrix or another vendor)? VPN is overkill (unless an admin).
Also that nice VPN will let your infected XP PC have access to your intranet!
Don't get me wrong OpenVPN will be good to stop the Government Snooping on some email and BT, Virgin and ripoff Britain selling your browsing habits. But why use it for browsing and email?
Good Article though :-)
VPNs are great but the server software usually puts 99.9% of people off so one great alternative is a VPN endpoint router like the models from Draytek (with whom I have no connection other than being a satisfied customer). Now, if only more of the hardware players would join in - Netgear have one but it's pricey - life would become more interesting for the SoHo market.
hmm .. that netgear router you used in the article.. does that not have the VPN section at the bottom left hand side of the menu? I know mine does...
If static IPs are a problem.. well there are plenty of ISPs that don't charge for them (Zen for one)
as for the press getting caught out at the blackhat convention .. well.. I don't think that puts the press in the best light tbh
"Steve" said:
The key and fundamental issue with a VPN is that a lot of public hotspots don't permit them (and are actively blocked - see various hotels, pubs etc.) and also with a basic solution like OpenVPN, you only get authentication about the user.... the device is an unknown unless using IPSec/L2TP. (Even then that's easy enough to move or copy to a second PC)
--
It's not that public hotspots don't permit the use of VPNs, it's more to do with common IPsec VPNs using unusual IP protocols like ESP (50, I believe)... Many cheap lowend routing devices don't know how to deal with such traffic and will drop it. OpenVPN on the other hand uses standard UDP or TCP, which will almost always be permitted through. It's even possible to tunnel the TCP version over an HTTP proxy if you run the service on the correct port. If you have an OpenVPN running on port 443/TCP it's very hard to distinguish from an SSL website, since you will connect and talk SSL, and they can't see what's inside of the encrypted stream.
As for difficulty to set up, there are companies out there offering OpenVPN based services, so they will have an already configured server, and provide you with a point and click installer for the client, and configuration specific to their setup.
My biggest issue with commercial VPNs is the clients, most of them suck and are slowly updated, have support for a very poor range of platforms, and some seem to transparently VPN your traffic instead of creating a new logical interface with its own IP and routing entries - which breaks some apps. I would take OpenVPN over any of the other options I've seen.
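The comment above, and the earlier one noting that the article's configuration uses port 443, both describe running OpenVPN on 443/TCP so it passes networks that only allow web traffic. What neither spells out is how to do that without giving up the real HTTPS site on the same box; OpenVPN's `port-share` directive exists for exactly that, handing any connection that is not an OpenVPN handshake to a local web server. The script below is an added example (not the commenter's nor the OpenVPN project's) that writes a matching server/client pair for that layout and then checks that the directives the layout depends on are present. `vpn.example.com`, the 10.8.0.0/24 tunnel range, the web server on localhost:8443 and the certificate file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: OpenVPN on 443/TCP sharing the port with a local HTTPS server.
# All hostnames, addresses and file names are constructed placeholders.
set -eu

write_openvpn_443_configs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/server.conf" <<'EOF'
port 443
proto tcp-server
dev tun
ca ca.crt
cert server.crt
key server.key
# Diffie-Hellman parameters; generate with: openssl dhparam -out dh2048.pem 2048
dh dh2048.pem
# Extra HMAC on the control channel: packets without it are dropped before any TLS work
tls-auth ta.key 0
# Anything that is not an OpenVPN client (a browser hitting 443) goes to the real web server
port-share 127.0.0.1 8443
server 10.8.0.0 255.255.255.0
# Send all client traffic, DNS included, through the tunnel
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
    cat > "$dir/client.ovpn" <<'EOF'
client
dev tun
proto tcp-client
remote vpn.example.com 443
# keep retrying name resolution on flaky hotspot links
resolv-retry infinite
# behind a hotspot HTTP proxy, uncomment and fill in the proxy address (placeholder)
#http-proxy proxy.example.net 8080
nobind
# refuse a peer whose certificate was not issued for server use
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
verb 3
EOF
}

# Sanity check: fail unless both files carry the directives this layout relies on
check_openvpn_443_configs() {
    dir="$1"
    grep -q '^port 443$'                "$dir/server.conf" &&
    grep -q '^proto tcp-server$'        "$dir/server.conf" &&
    grep -q '^port-share '              "$dir/server.conf" &&
    grep -q '^tls-auth ta.key 0$'       "$dir/server.conf" &&
    grep -q '^proto tcp-client$'        "$dir/client.ovpn" &&
    grep -q '^remote-cert-tls server$'  "$dir/client.ovpn" &&
    grep -q '^tls-auth ta.key 1$'       "$dir/client.ovpn" &&
    grep -q ' 443$'                     "$dir/client.ovpn"
}

case "${1:-}" in
    "") ;;   # run without arguments: just define the functions
    *)  write_openvpn_443_configs "$1"
        check_openvpn_443_configs "$1" && echo "configs written to $1" ;;
esac
```

Invoke it as `sh openvpn443.sh /etc/openvpn` on the server and copy `client.ovpn` plus the client's certificate files to the laptop. The web server has to be moved to listen on 127.0.0.1:8443 for `port-share` to have somewhere to forward. The cost of this layout is the one the comment about UDP hints at: TCP carried inside TCP retransmits twice on a lossy link, so use the UDP/1194 configuration where it is not blocked and keep this one for networks that only let 443 out.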
I'm unsure on UK providers; did a bit of research and none of them looked that respectable and costs were quite high in comparison to what I currently get... as much as I wouldn't mind catching some shows from blighty there is no way I'd pay £30 p/month for it!
The American one I use is strong VPN from reliablehosting.com
Just checked and there is one I haven't seen apparently offering UK services, check vpngate.com - haven't looked for feedback but might be worth some more research.
IF ...
"the vast majority of web pages and email services don't offer the option to encrypt your traffic"
THEN ...
they're hardly likely to let you install a VPN termination on their machines, are they?
SSL has been available for longer than many of us have been on the web. If the hosts haven't got round to providing SSL facilities on services where they're most likely to be needed (and email services would seem to be a very good candidate) then they're hardly likely to start installing OpenVPN in a hurry.
Providing SSL on *every* page of a web site shouldn't really be a problem these days. Historically, encrypting the data might have taken too much CPU time -- but the average CPU today is probably at least 10 times faster than the CPUs were when SSL was presumed to be viable for login pages only.
And if people can hack into SSL pages after they're encrypted by using browser flaws, why suppose they can't do the same with VPN pages? They've still got to be decrypted, unless you teach the USER to encrypt and decrypt pages in their head.
Hmm I don't think the author is suggesting that you vpn to each website .. more if you are 'out and about' using other peoples wifi hotspots or networks and you don't want your unencrypted data to be easily monitored, then you would setup some form of vpn back to your own secure 'vpn server' and then go out to the internet that way. Centralizing the point of risk I suppose.
I agree however that the final connection from the remote end of the tunnel to the internet also needs to be hardened and no.. they're not likely to let you setup VPNs to each website... But I guess you're somewhat more protected whether it's a form of vpn, remote desktop or ssh (putty is great)
Of course the alternative is to harden your computer and use your phone as a modem or buy a laptop with a built in sim, expensive, but avoids them pesky unsecured wireless hotspots :)
If all you want is secure email and browsing SSH does the trick as you can configure it to run a SOCKS proxy and do IP tunneling
As for small business, if you want a proper VPN server anybody can afford an 800 series Cisco router. My Cisco 877w runs like a charm.
Paris, because even she knows how to securely run her blackberry. (wait... that wasn't it?)
Is there any way to connect OpenVPN to a Cisco VPN router? Or to a Windows VPN Server? Or to connect a Cisco VPN router to an OpenVPN router? Or a Windows 98/2000/XP/Vista VPN to an OpenVPN server or Cisco router?
I'm happy using MS VPN and Windows authentication, which avoids all the configuration problems and security limitations of OpenVPN or Cisco, but not everybody wants to use Windows servers, and the compatibility thing is a killer: is there a better way than having three VPN clients installed?
if your statement "I've been using a home based VPN for a long - but the issue is OpenVPN is its just too complicated for jon-doe." is about installing software then I agree but I don't think this is limited to OpenVPN
I have installed a VPN router at home and have never looked back (although Vista SP1 appears to have broken VPN access over wifi)
OpenVPN is one of the very few free software applications that I have donated money to. It has saved me so much travel expense and time and frustration with other VPN products. And to all you whining about it being too complex or duplicating what's available via SSL/Citrix/Win2008 and what not... I doubt there is anything close to OpenVPN's price/features ratio, including the cost of time needed to set it up (it's a one-time expense anyway - once you've done it you know it). Cross-platform support, all sorts of authentication and encryption options, extensive debugging options, stability and speed, etc.
I am surprised that no-one else noticed this, but your guide makes no mention of generating the Diffie-Hellman parameters for the server! I see that your reporter did perform that step, because one of the screenshots shows the dh1024.pem file (mine says 2048 of course!).
Might make sense to include this in the guide though eh? For those people who can't actually be bothered to read the expansive Howto. I never actually tried to run my server with the dh.pem file, but my guess is that it ain't gonna like it!
</sarcasm>
Mines the uNSLUng NSLU2 (http://en.wikipedia.org/wiki/NSLU2) with OpenVPN on it... small, cheap, silent and secure. Go Slug, Go!
Well you can use it to create VPN I suppose, but been using VPN without it since 1996.
The MS Built-in VPN client sticks up a ruddy big ReDial dialog if it disconnects.
Indeed with an OpenWrt-based router at home and a portable one on your travels you can connect to Internet or whatever via the home network with no server or client software. Handy if the client is not a PC.
I've seen a couple of people on here suggesting Hamachi. It's certainly easy to set up. There's another project called Leaf with similar ease of setup.
Do people know of downsides to using Hamachi or Leaf? I know OpenVPN is very "roll your own" but for sheer convenience would Hamachi or Leaf be suitable?
Yep, as I commented previously, El Reg seems to have missed that bit out of the article! Shame as it is essential.
All you need to do is type (on Windows) "build-dh" to generate the Diffie-Hellman parameter file. It will take a loooooonnnnnnnng time.
Of course, you may need to redo the entire process (CA, Server and Client key/certs) and do this last step *before* closing the command prompt.
The detailed explanation of the entire process can be found here:
http://openvpn.net/index.php/documentation/howto.html
This is much easier to set up, both on server and client. It only needs installing Linux on both and having a domain name for the server or knowing its IP address. Any Linux distro seems to come with an SSH server and client as part of the standard install these days. So from your client you establish an X forwarding session using:
ssh -X fred@bloggs.dyndns.org
Assuming your user name on the server is fred and the domain name of the server is bloggs.dyndns.org. You can then run any application e.g. Firefox, Konqueror on the server displaying the window/s on the client just by typing its name and running it in background if you want the remote shell to be able to run more than one application, e.g. using
konqueror &
Konqueror or Nautilus can then open any file on the server using the appropriate application based on the file type using point and click, displaying the windows on the client.
Chances are if you are a Linux user you can already do all this without having to install anything new. If you can only use Windows then I guess your life has to be a lot more complicated.