The Register® — Biting the hand that feeds IT

Feeds

VPN security - if you want it, come and get it

If you value your privacy and use Wi-Fi hotspots or other public networks, there is no tool more indispensable than a virtual private network. Yes, technologies such as secure sockets layer (denoted by an "https" in a web address) will prevent information transmitted between a PC and a web or email server from being intercepted …

This topic is closed for new posts.

Page:

Anonymous Coward
Happy

gmail

gives you end to end encryption of the entire session - IF you check the option within settings!

Ben Schofield
Linux

IPCop and Zerina

At home and work I use IPCop with the Zerina OpenVPN addon as the server. Clients vary, but are mostly Fedora 9 and Win XP. It has been bullet proof since I started using it - it's got to be at least 12 months now, but I've not been keeping track.

ipcop.org

http://www.vpnforum.de/zerina/

B

Steve

Huh?!

The key and fundemental issue with a VPN is that a lot of public hotspots don't permit them (and are actively blocked - see various hotels, pubs etc.) and also with a basic solution like OpenVPN, you only get authentication about the user.... the device is an unknown unless using IPSec/L2TP. (Even then that's easy enough to move or copy to a second PC)

The SSL claim is nonsense. "Side-jacking" is pretty simple to get around - don't use cookies.

Just implemented a new Juniper SSL-VPN SA4500 cluster which uses some rather nice web GUI's for the users whilst employing RSA Auth, cache cleaning and host checking. (The latter two prior to credential entering!)

Additionally, the client laptops issued use TrueCrypt and various other technologies (GPO's, antivirus, management agent etc.) running to help with security - and of course the final addition is using Citrix once the users are connected via SSL to do the bulk of their work.

All over SSL.

The users love it as they are free from being blocked using VPN's, whilst having a more stable and user friendly setup. Plus we get a much better level of security and ease of management.

Everyone's a winner (other than the FD once we tell him how much it costs!)

FathomsDown
Stop

Erm?

"Like many small and medium sized businesses, El Reg is too cheap to equip its grunts with any sort of VPN"

Even the most basic of ADSL routers come with a reasonable VPN server these days and for the most advanced business, Windows SBS or more expensive routers come with more feature rich versions.

Surely, if VPN access is so critical to a business then surely its better to go for a commercial offering and buy support for it than run a freeware product on a desktop?

Flocke Kroes
Linux

The other downside:

They don't know what your doing, but they do know the IP address of the VPN server. That can tell them who you are or who your employer is. If you want privacy, you have to set up your VPN server on a zombie located in the home of a clueless newbie.

BTW: Use iptables to limit all network access except the tunnel to the tunnel. That way, if your tunnel caves in your communications do not suddenly become public. Oops, XP does not have iptables. Set XP's default route to a linux box use filter the packets there.

Mahou Saru

sniffle you made me cry

Nice article, now if people would just try to follow it....

Alan Donaly
Thumb Up

Very good,

you really suck. That was a good walk through I had been wondering about OpenVPN.

JohnG

Nice article

One way to get around VPN ports being blocked is not to use the standard ports - use say, port 443 (https) instead. Of course, you have to setup your VPN client and server to support this.

Anonymous Coward
Happy

Quick off the mark with this one...

Lol, been using OpenVPN for over 5 years now to do this personally, and have sold this inexpensive solutions to many organisations over the same period.

On the bright side, you got there eventually! Let me know if you need help helping people :D

Anonymous Coward
Thumb Down

Why could I still see logins and passwords then

HI all

If OpenVPN is so good......

How come I was still able to see usernames and passwords in Wireshark?

Did I miss something basic here

Ohhh Yeah the OPEN bit of the VPL

Nice try though

Anonymous Coward
Thumb Up

oops

forgot to reboot my server 2008

Shouldn't need to but then it worked a treat

Cheers El Reg

Neil Alexander
Paris Hilton

If you're an average person

... then this will be way too complicated and/or confusing, and then the need for a better solution becomes apparent. You don't seriously expect typical average users to sit at home configuring OpenVPN with subnets, key pairs and connection bridges, do you?

Paris, because she can't work OpenVPN either.

Dan Goodin
(Written by Reg staff)

This configuration of OpenVPN should *not* be blocked by most hotspots

To those complaining that OpenVPN is frequently blocked by hotspots, note that the configuration offered here uses port 443, which is open on the typical Wi-Fi network. This is exactly the configuration that JohnG discusses a few comments back.

Anonymous Coward
Anonymous Coward

IronKey

For public hotspot security I've been using the IronKey USB stick which you guys reviewed some time back. It comes with access to their privately maintained Tor servers and all traffic out is encrypted including DNS requests. I'm not affiliated with them, just a very happy user. www.ironkey.com, the personal edition.

Sarev
Paris Hilton

Something like VPNs...

Is there something similar which allows you to access the web via a VPN into some sort of 'cloud' of anonymous servers? E.g. just something to stop your ISP from snooping all your traffic? I accept that whoever administers the server(s) at the other end would get to see (some fraction of) your traffic but that's no different to all the routers between your ISP and the destination.

The main thing would be the removal of any easy facility for some party (like the Government) to get a single record of all your internet activity.

Anonymous Coward
Anonymous Coward

bah!

Three days to configure a VPN connection...

Since when rephrasing a user manual* became worthy of a news article? Slow day at El Reg?

*http://openvpn.net/index.php/documentation/howto.html#install

soaklord

Why not Hamachi

Why not just download Hamachi? Or Hamachi and Squid? Hamachi is dead easy to set up.

Calum Morrison
Happy

Been...

Using OpenVPN for years with multiple users connecting from different connections all over the world easily and successfully.

The only problems we've come across are in the Far East - possibly latency as it can be a bit slow out there. Connections made in China seem to hardly ever work; can they block encrypted traffic? Unfortunately I never get sent to these places to find out...

Anyway, we use it 24/7 for shared folder, Exchange, intranet access et al over wifi, dialup and ethernet and as others have said, it just works. Excellent software.

Lee Dowling

And?

Already been doing this for the past few years.

The workaround in Windows for the "if your connection drops" thing is to install a software firewall on the laptop and limit which networks are Trusted. Normally I use Linux with the iptables as suggested but when I use Windows I have the wireless "network" marked as untrusted and the VPN "network" marked as trusted. This stops stray packets as well as the connection-dying issue.

I use this in preference of and normally in addition to wireless security on the AP I have at home. I have WPA2 PSK on my home wireless but I really don't trust anything wireless at all, so all communications within the house use OpenVPN to talk across the WPA2 network. There's very little downside to this, the latency is no worse than normal, even with 600MHz clients and a noisy spectrum.

It's so simple that even my wife can manage it - with OpenVPN GUI for Windows, it's just a matter of making sure the little icon is green and shouting if not. We do all our main Internet things (email, web, skype, gaming, etc.) over it. It took about an hour to set up but after that it was fantastically simple.

A word of warning: if you set OpenVPN to use UDP on a Windows client (less latency I believe), you will run into lots of problems unless you have a stateful firewall on the Windows client. Zonealarm handles it, Windows firewall just blocks it entirely.

Anonymous Coward
Dead Vulture

Hmm

Mis-titled article really.

This is a guide to creating a secure OpenVPN connection..

Most of us don't have the luxury of choosing what type of VPN connection we are using. It would have been more useful to understand the flaws in other more common VPN servers used out there.

Rasczak
Thumb Up

@ Sarev

You may want to have a look at iPIG, http://www.iopus.com/ipig/

I was using this, have now set up Open VPN back to IPCop using Zerina like Ben Schofield, though connecting back to my own server at home.

You can connect to the iPIG server, 10 MB only for free, $30 for a further 30 GB is not too terrible, but could be better I suppose. Setting up the server on your own system is not that difficult, just install and set up a username and password. You have to set up a dynamic DNS name the same as for OpenVPN and do the port forwarding if you run a router, but these are the least difficult bits. You don't get access to your local shares with iPIG, but if you are just wanting encrypted net access when away from home, with the benefit of anything you access thinking you are at home, it is great. You either have to pay for the iPIG account, or install the server on a safe third party machine to encrypt away from your ISP.

Of course something to remember with iPIG or OpenVPN when running from home, is that you are transferring from the remote server to the VPN server, then uploading back to your client. A 5 MB download will count as 10MB on any limited data transfer account. You are also limited in transfer speed to that which your connection can upload.

Louis Mullineux
Gates Halo

Woops!!!

Well done, by having Logmein.com installed on your VPN server you have just given away the keys and a map to your castle to an exterior source.

Socks proxy over ssh works far better for me.

Bill, cos he knows all about security.

K
Thumb Down

All good and well

I've been using a home based VPN for a long - but the issue is OpenVPN is its just too complicated for jon-doe.

Soruk
Boffin

Probably an insane way of doing things, but

I don't go online from strange places with Windows, from Linux I run an SSH session to my home machine and run a PPP session across it. I've yet to determine which gives the better throughput, running ppp_deflate or SSH's compression, but it just works.

David Hayes
Stop

Wow, how complex

I remember using Hamachi (now LogMeIn Hamachi), and this was MUCH easier to set up a VPN. None of this DynDNS BS, Install the software, create a name for your network, create a name for your PC, install the software on the end machine, create a name for your PC, then join the network you created by name. Then I install whatever services on my server PC that I want, such as AnalogX Proxy: http://www.analogx.com/CONTENTS/download/network/proxy.htm

Now it might not be Open Source, but it is Free, and before it was bought by LMI, it went through a huge development effort to make it very secure, useable and great!

BRAINPLAN
Paris Hilton

Free Vs Paid?

I pay for reliable hostings VPN quarterly and have no problems with hotspots or anything else for that matter, also, it was configured in seconds...

Reason, it gives me peace of mind, high availability and bandwidth with decent throughput - enough throughput for me to be living in Sweden and able to stream loads of HD yank TV for free perfectly.

Now I’m not saying that you should always pay, but sometimes it just makes sense.

Paris because even she'll pay now and then.

Anonymous Coward
Thumb Up

RE: Huh?!

"The key and fundemental issue with a VPN is that a lot of public hotspots don't permit them (and are actively blocked - see various hotels, pubs etc.) and also with a basic solution like OpenVPN"

For just this reason, we have a dedicated IP and run OpenVPN on port 110.

Ringster
Linux

So what

Open VPN runs on Windows so what, you would be a twit to waist your time and install it, because you get VPN and SSL VPN with the 2008 Server OS out the box.

Colin Critch
IT Angle

Why not use SSL with published applications, VPN is over kill

Why not use SSL with published applications (Via Citrix or Other Vendor)?. VPN is over kill (Unless an admin).

Also that nice VPN will let your infected XP PC have access to your intranet!

Don't get me wrong OpenVPN will be good to stop the Government Snooping on some email and BT, Virgin and ripoff Britain selling your browsing habits. But why use it for browsing and email?

Good Article though :-)

phormwatch
IT Angle

Paid VPNs

Brainplan-

What is the name of the service you are paying for? It would be nice to have a list of some trusted VPN services on offer in the UK.

Spinux
Linux

simple way to set up VPN server

The client side is free, for the server side there is a cheap solution. Buy an old linksys broadband router an flash it DDwrt firmware. Upload the encryption keys and of you go. I admit, it is not simple but is worth the effort for secure (inter)networking.

Henry Budgett
Coat

A much easier solution

VPNs are great but the server software usually puts 99.9% of people off so one great alternative is a VPN endpoint router like the models from Draytek (with whom I have no connection other than being a satisfied customer). Now, if only more of the hardware players would join in - Netgear have one but it's pricey - life would become more interesting for the SoHo market.

rhidian

hmm...

hmm .. that netgear router you used in the article.. does that not have the VPN section at the bottom left hand side of the menu? I know mine does...

If static IP's are a problem.. well there are plenty of ISP's that don't charge for them (Zen for one)

as for the press getting caught out at the blackhat convention .. well.. I don't think that puts the press in the best light tbh

Joe Montana
Flame

Clarifying...

"Steve" said:

The key and fundemental issue with a VPN is that a lot of public hotspots don't permit them (and are actively blocked - see various hotels, pubs etc.) and also with a basic solution like OpenVPN, you only get authentication about the user.... the device is an unknown unless using IPSec/L2TP. (Even then that's easy enough to move or copy to a second PC)

--

It's not that public hotspots don't permit the use of VPNs, it's more to do with common ipsec vpns using unusual IP protocols like esp (50 i believe)... Many cheap lowend routing devices don't know how to deal with such traffic and will drop it. OpenVPN on the other hand uses standard UDP or TCP, which will almost always be permitted through. It's even possible to tunnel the TCP version over an HTTP proxy if you run the service on the correct port. If you have an OpenVPN running on port 443/TCP it's very hard to distinguish from an SSL website, since you will connect and talk SSL, and they can't see what's inside of the encrypted stream.

As for difficulty to set up, there are companies out there offering openvpn based services, so they will have an already configured server, and provide you with a point and click installer for the client, and configuration specific to their setup.

My biggest issue with commercial VPNs is the clients, most of them suck and are slowly updated, have support for a very poor range of platforms, and some seem to transparently vpn your traffic instead of creating a new logical interface with it's own ip and routing entries - which breaks some apps. I would take OpenVPN over any of the other options I've seen.

BRAINPLAN
Thumb Up

@phormwatch

I'm unsure on UK providers; did a bit of research and none of them looked that respectable and costs were quite high in comparison to what I currently get... as much as I wouldn't mind catching some shows from blighty there is no way I’d pay £30 p/month for it!

The American one I use is strong VPN from reliablehosting.com

Just checked and there is one I haven't seen apparently offering UK services, check vpngate.com - haven't looked for feedback but might be worth some more research.

Anonymous Coward
Unhappy

All very well, but ...

IF ...

"the vast majority of web pages and email services don't offer the option to encrypt your traffic"

THEN ...

they're hardly likely to let you install a VPN termination on their machines, are they?

SSL has been available for longer than many of us have been on the web. If the hosts haven't got round to providing SSL facilities on services where they're most likely to be needed (and email services would seem to be a very good candidate) then they're hardly likely to start installing Open VPN in a hurry.

Providing SSL on *every* page of a web site shouldn't really be a problem these days. Historically, encrypting the data might have taken too much CPU time -- but the average CPU today is probably at least 10 times faster than the CPUs were when SSL was presumed to be viable for login pages only.

And if people can hack into SSL pages after they're encrypted by using browser flaws, why suppose they can't do the same with VPN pages ? They've still got to be decrypted, unless you teach the USER to encrypt and decrypt pages in their head.

rhidian

@AC

Hmm I don't think the author is suggesting that you vpn to each website .. more if you are 'out and about' using other peoples wifi hotspots or networks and you don't want your unencrypted data to be easily monitored, then you would setup some form of vpn back to you own secure 'vpn server' and then go out to the internet that way. Centralizing the point of risk I suppose.

I agree however that the final connection from the remote end of the tunnel to the internet also needs to be hardened and no.. there not likely to let you setup VPN's to each website... But I guess you somewhat more protected whether it's a form of vpn, remote desktop or ssh (putty is great)

Of course the alternative is to harden your computer and use your phone as a modem or buy a laptop with a built in sim, expensive, but avoids them pesky unsecured wireless hotspots :)

John Sanders
Paris Hilton

Secure email and browsing

If all you want is secure email and browsing SSH does the trick as you can configure it to run a SOCKS proxy and do IP tunneling

As for small business, If you want proper VPN server anybody can afford a 800 series Cisco router. My Cisco 877w runs like a charm.

Paris, because even she knows how to securely run her blackberry. (wait... that wasn't it?)

david

Compatibility?

Is there any way to connect OpenVPN to a Cisco VPN router? Or to a Windows VPN Server? Or to connect a Cisco VPN router to an OpenVPN router? Or a Windows 98/2000/XP/Vista VPN to an OpenVPN server or Cisco router?

I'm happy using MS VPN and Windows authentication, which avoids all the configuration problems and security limitations of OpenVPN or Cisco, but not everybody wants to use Windows servers, and the compatibility thing is a killer: is there a better way than having three VPN clients installed?

Anonymous Coward
Anonymous Coward

@All good and well

if your statement "I've been using a home based VPN for a long - but the issue is OpenVPN is its just too complicated for jon-doe." is about installing software then I agree but I dont think this is limited to OpenVPN

I have installed a VPN router at home and have never looked back (although Vista SP1 appears to have broken VPN access over wifi

kns2c
Thumb Up

OpenVPN FTW

OpenVPN is one of the very few free software applications that I have donated money to. It has saved me so much travel expense and time and frustration with other VPN products. And to all you whining about it being too complex or duplicating what's available via SSL/Citrix/Win2008 and what not... I doubt there is anything close to OpenVPN's price/features ratio, including the cost of time needed to set it up (it's a one-time expense anyway - once you've done it you know it). Cross-platform support, all sorts of authentication and encryption options, extensive debugging options, stability and speed, etc.

The Spook
Linux

Err, Diffie-Hellman?

I am surprised that no-one else noticed this, but your guide makes no mention of generating the Diffie-Hellman parameters for the server! I see that your reporter did perform that step, because one of the screenshots shows the dh1024.pem file (mine says 2048 of course!).

Might make sense to include this is the guide though eh? For those people who can't actually be bothered to read the expansive Howto. I never actually tried to run my server with the dh.pem file, but my guess is that it ain't gonna like it!

</sarcasm>

Mines the uNSLUng NSLU2 (http://en.wikipedia.org/wiki/NSLU2) with OpenVPN on it... small, cheap, silent and secure. Go Slug, Go!

Mage
Linux

OpenVPN?

Well you can use it to create VPN I suppose, but been using VPN without it since 1996.

The MS Built-in VPN client sticks up a ruddy big ReDial dialog if it disconnects.

Indeed with a Open-WRT based router at home and a portable one on your travels you can connect to Internet or whatever via the home network with no server or client software. Handy if the client is not a PC.

Deckard

SwissVPN (p.s.)

..and just in case you're wondering, it seems to evade my ISPs (cough) Virgin (cough) traffic shapping as certain downloads work much faster while connected

Deckard
Black Helicopters

SwissVPN

Is a pretty good provider I've been using ever since this whole Phorm in a teacup thing. You pay by the month and 6 months access cost me £30, which worked out at £16-17 in real money

The Spook
Stop

Ooops! My Bad!

D 'oh!

"I never actually tried to run my server with the dh.pem file" should of course have read;

"I never actually tried to run my server *without* the dh.pem file". Read first, *then* press enter!

Simon Brown

Hamachi

I've seen a couple of people on here suggesting Hamachi. It's certainly easy to set up. There's another project called Leaf with similar ease of setup.

Do people know of downsides to using Hamachi or Leaf? I know OpenVPN is very "roll your own" but for sheer convenience would Hamachi or Leaf be suitable?

Armitage
Unhappy

1024.pem

was following ur instructions and when i tried it it said i was missing the dh1024.pem file, looking back i can see it in your screenshots but how did you make it?

The Spook

dh1024.pem

Yep, as I commented previously, El Reg seems to have missed that bit out of the article! Shame as it is essential.

All you need to do is type (on Windows) "build-dh" to generate the Diffie-Hellan parameter file. It will take a loooooonnnnnnnng time.

Of course, you may need to redo the entire process (CA, Server and Client key/certs) and do this last step *before* closing the command prompt.

The detailed explanation of the entire process can be found here:

http://openvpn.net/index.php/documentation/howto.html

Richard Kay
Linux

X forwarding over SSH

This is much easier to setup, both on server and client. It only needs installing Linux on both and having a domain name for the server or knowing its IP address. Any linux distro seems to come with an SSH server and client as part of the standard install these days. So from your client you establish an X forwarding session using:

ssh -X fred@bloggs.dyndns.org

Assuming your user name on the server is fred and your domainname of the server is bloggs.dyndns.org . You can then run any application e.g. Firefox, Konqueror on the server displaying the window/s on the client just by typing its name and running it in background if you want the remote shell to be able to run more than one application, e.g. using

konqueror &

Konqueror or nautilus can then open any file on the server using the appropriate application based on the file type using point and click, displaying the windows on the client.

Chances are if you are a Linux user you can already do all this without having to install anything new. If you can only use Windows then I guess your life has to be a lot more complicated.

Page:

This topic is closed for new posts.