I'm not sure that making 'security' easy in this style helps people. Say you set this up, and you get yourself that nice cosy feeling of security, how does that compare to reality? People used to buy anti-virus software to buy 'security' and it turned out to not really help against actual problems like zero-day malware. Now, we get VPNs and people that don't actually know what they are or how they work or what they're for install and 'use' them (for lack of a better term) and get that sense of security with no backing. How is it secure for them? Is it still secure after one month? Was it secure to begin with?
Security isn't a thing that you 'buy' or 'add', it's something that you 'do' and 'know'.
Using a VPN server and a VPN client doesn't do anything other than getting traffic from A to B over a presumed hostile network. Ideally using asymmetrical encryption to make sure the keys don't have to travel the network. Then, you sure probably use that tunnel to send all traffic, not just your p2p or http traffic. Using DNS over the normal network and your 'secret' stuff over the tunnel still exposes what you are doing and actually makes you more suspicious since you now look like you are trying to hide things (and doing a bad job at it). And what about firewalls, WebRTC hacks, routing tables etc. that now expose your network setup to any software you execute (be it an application or a webpage), or applications that don't honor your VPN setup and route packets wherever they want to. What about your OS routing stuff elsewhere? What about that Pi not being set up correctly and you happily using it but still leaking a ton of traffic over the visible network? A user of an easy VPN setup will not know and be covered by a false sense of security.
Even if you have perfect instructions and set it up perfectly initially, you would still be vulnerable down the road as new problems arise and mitigations might be available but unknown due to a user not actually knowing what it is or what they are doing.
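The two leak modes the comment above names, traffic that bypasses the tunnel and DNS that still goes to the LAN resolver, can be checked mechanically rather than trusted. The script below is an added example, not part of the thread; it assumes a Linux client with iproute2, a tunnel interface named tun0 and a tunnel-side resolver at 10.8.0.1 (all constructed values). It works on route-table and resolv.conf text, so it runs on the constructed samples embedded here as well as on live `ip route` output, and it understands the 0.0.0.0/1 + 128.0.0.0/1 pair that OpenVPN's `redirect-gateway def1` installs, which deliberately leaves the original default route in place.

```shell
#!/bin/sh
# Added example (not from the thread): self-check for the two common leak modes,
# traffic that bypasses the tunnel and DNS that goes to the ISP/LAN resolver.
# Assumptions (constructed): tunnel interface tun0, tunnel-side resolver 10.8.0.1,
# Linux `ip route` output format.

# route_dev DESTINATION ROUTE_TEXT -> interface of the first route to DESTINATION
# ("default", "0.0.0.0/1", ...). `ip route` lists routes for one destination in
# metric order, so the first match is the one the kernel prefers.
route_dev() {
    printf '%s\n' "$2" | awk -v dst="$1" '
        $1 == dst { for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# effective_default_dev ROUTE_TEXT -> interface that really carries unspecified
# traffic. OpenVPN's "redirect-gateway def1" does not replace the default route;
# it adds 0.0.0.0/1 and 128.0.0.0/1, which are more specific and therefore win.
effective_default_dev() {
    lo=$(route_dev 0.0.0.0/1 "$1")
    hi=$(route_dev 128.0.0.0/1 "$1")
    if [ -n "$lo" ] && [ "$lo" = "$hi" ]; then
        printf '%s\n' "$lo"
    else
        route_dev default "$1"
    fi
}

# check_default_route TUN_IF ROUTE_TEXT -> 0 if the effective default is the tunnel
check_default_route() {
    [ "$(effective_default_dev "$2")" = "$1" ]
}

# check_dns_resolvers "ALLOWED ADDRS" RESOLV_TEXT -> 0 only if at least one
# nameserver is configured and every one of them is in the allowed list.
# A second, LAN-side nameserver is a leak: the resolver library may use either.
check_dns_resolvers() {
    allowed=" $1 "
    count=0
    for ns in $(printf '%s\n' "$2" | awk '$1 == "nameserver" { print $2 }'); do
        count=$((count + 1))
        case $allowed in
            *" $ns "*) ;;
            *) return 1 ;;
        esac
    done
    [ "$count" -gt 0 ]
}

# leak_check TUN_IF "ALLOWED ADDRS" ROUTE_TEXT RESOLV_TEXT -> prints findings,
# returns 0 only when both checks pass.
leak_check() {
    rc=0
    if check_default_route "$1" "$3"; then
        echo "ok:   default route uses $1"
    else
        echo "LEAK: default route uses $(effective_default_dev "$3"), not $1"; rc=1
    fi
    if check_dns_resolvers "$2" "$4"; then
        echo "ok:   all resolvers are tunnel-side ($2)"
    else
        echo "LEAK: a resolver outside ($2) is configured, or none at all"; rc=1
    fi
    return $rc
}

# Live use on the client:
#   leak_check tun0 10.8.0.1 "$(ip route)" "$(cat /etc/resolv.conf)"

# Constructed samples: a correct "def1" layout, a client whose default route still
# points at the home router, and resolv.conf variants with and without a LAN resolver.
SAMPLE_ROUTES_OK='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
SAMPLE_ROUTES_LEAK='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
SAMPLE_RESOLV_OK='nameserver 10.8.0.1'
SAMPLE_RESOLV_LEAK='nameserver 10.8.0.1
nameserver 192.168.1.1'

# Demo run on the leaking samples (both checks report LEAK, exit status 1).
leak_check tun0 10.8.0.1 "$SAMPLE_ROUTES_LEAK" "$SAMPLE_RESOLV_LEAK" || :
```

Run it from a cron job or a NetworkManager dispatcher hook and alert on a non-zero exit: the point of the comment above is that a correct day-one setup says nothing about day thirty, and a check that runs every time the network changes is what turns "I set it up once" into "I know it is still working".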
As a single hop proxy, VPNs are pretty limited in terms of the OPSEC they provide. Personally I only ever use them to route traffic over hostile networks, and spoof my geolocation to access geo-blocked content. That's all they should be used for[1].
They for obvious reasons should not be used for anonymity[2], although for some this is the sole reason they use a VPN. I think, since they are a single hop proxy, that chaining VPNs together and buying subscriptions anonymously with tumbled Bitcoins/Monero is the only way you might get anonymity, but the overhead and potential for things to go wrong is massive. Things like Tor already solve many of these obstacles and provide reasonable OPSEC, providing you use it correctly.
Yet even Tor is fairly compromised in that the evidence presents that it has already been tapped by the NSA, and even using it puts you on a watchlist regardless of your actions.
Yet again, the charming HN audience shows their true colors by downvoting people who have no proof of what they claim, while conveniently forgetting that if anyone had a proof of what you said they'd be in a secret court, and then prison -- for a long time.
While this is true in an ideal world, I think there is also something to be said against an honest attempt to 'do it yourself', and then getting it wrong. Like many things that seem relatively straightforward at first glance, VPNs are a rabbit hole of networking theory that are quite likely to cause anyone who's not an enthusiast to lose interest.
Well, I guess it depends on your use case. If you want to be able to access the Nextcloud instance you are running on a little home server, for example, it's certainly a much better solution to have a proper VPN for accessing your home network than to forward any traffic to all the ports that you have to use for the various protocols Nextcloud supports.
I personally use Streisand [1] hosted on a t2.micro using the AWS Free Tier. Some people also recommend Algo [2]. Both have all their code open sourced on GitHub.
I do have a Pi too, but after all these new laws where ISPs can sell your Internet history etc. I think it's nice to be able to hide traffic from them too.
I have personally tried OpenVPN on an EdgeRouter PoE. The OpenVPN version in the current EdgeOS is fairly old and also has zero hardware support, so like the sibling post mentioned, it kills the bandwidth. It was something like 1 Mbit for TCP and 10-15 Mbit for UDP.
I was going to say the same. Nice exercise but poor performance for broadband speeds. A more interesting offering might be the MinnowBoard Turbot. It has an Intel Atom with Intel's AES-NI acceleration instruction. Cost is around $150.
Well my home internet isn't much better than that in the first place, so it's not a bottleneck. The same would likely hold for everyone on an ADSL connection.
Exactly. On one hand I'm happy to see people getting exposed to more of this stuff via the Pi; on the other hand I'm dismayed when they never move beyond it.
I've tested an Odroid C2 doing ~400 Mbit/s using SSH (chacha20-poly1305@openssh.com) (maxed out one of four cores). Same form factor, same GPIO pinout, similar power requirements as the Pi. Supported well-enough for virtually any application with armbian. People are gouging on price for now but even still it's only $10 more for the board and it trounces the Pi in any networking application.
True, the Pi has terrible networking over its USB bus, but those machines also cost 5-10 times as much, so you'd certainly expect more performance from them. There are a lot of ~$100 USD fanless mini-PC options (I have a Zotac Zbox) on the market that have gigabit NICs, which should get you about 10X the performance for about twice the price, e.g. http://a.co/4KsxmEa
I've seen quite a few guides and blog posts using OpenVPN, but very few show how to set up native Cisco IPsec, which works out of the box with macOS and iOS without any 3rd party software to configure.
Thus, here is a blog post I wrote a bit ago on how to set up a dedicated native Cisco IPsec Pi:
I've gone a similar route for my VPN needs, though instead of using a script I configured StrongSwan directly. I skipped the whole L2TP thing since the only things I care about routing are IP packets and IPsec does that just fine. I tried OpenVPN for a bit, but the iOS app felt like it was mainly an ad for Private Internet Access and turned me off of it.
My VPN needs are, roughly:
- Remote access to my home network from my phone/laptop/tablet. This is mainly to check on my security cameras, but being able to access my NAS and everything else is a nice bonus. I can even turn my Philips Hue lights on and off via my VPN connection.
- Remote access to VMs running on a rented machine at Joe's Data Center. Basically the same scenario as above, but with different stuff on the other side of the tunnel.
- Seamless integration of my home network with the remote one. This is where things get fun. Basically, custom routes on my router tell it to send packets destined for the remote subnets to the VPN server, plus some custom dnsmasq configuration routes DNS requests for remote machines to the appropriate server.
Honestly, the only thing that bugs me about my setup is that I can't figure out what the secret sauce is to get Windows 10's native VPN client to connect to my servers. I'm pretty sure that my certificates are missing something that Win10 needs in order to use them, but I haven't figured out what it is yet. Fortunately, this isn't something I need right now, but it would be nice to get it working.
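The third item above (router sends the remote subnets to the VPN box, dnsmasq forwards the remote names to the remote resolver) can be written down as a small script on the home router. This is an added example, not the commenter's configuration; it assumes a Linux router running dnsmasq and iproute2, a VPN gateway on the LAN at 192.168.1.2, and two remote sites with their own resolvers (all constructed values). It also generates `rev-server` entries so that reverse lookups for the remote subnets work, which the comment does not mention.

```shell
#!/bin/sh
# Added example (not the commenter's setup): on the home router, send each remote
# subnet to the LAN-side VPN gateway and let dnsmasq forward that site's DNS
# suffix (forward and reverse) to the resolver behind the tunnel.
# Constructed values: VPN gateway 192.168.1.2 and the two sites listed below.

VPN_GATEWAY=192.168.1.2                     # the box that terminates the IPsec tunnels
DNSMASQ_DROPIN=/etc/dnsmasq.d/vpn-sites.conf  # assumes dnsmasq reads conf-dir=/etc/dnsmasq.d

# One site per line: <remote subnet> <dns suffix> <resolver at that site>
REMOTE_SITES='10.20.0.0/24 dc.example.lan 10.20.0.53
10.30.0.0/24 vms.example.lan 10.30.0.53'

# route_cmds SITES -> iproute2 commands, one per subnet. "replace" is idempotent,
# so the script can be re-run (e.g. from a boot hook) without "File exists" errors.
route_cmds() {
    printf '%s\n' "$1" | awk -v gw="$VPN_GATEWAY" \
        'NF == 3 { printf "ip route replace %s via %s\n", $1, gw }'
}

# dnsmasq_conf SITES -> dnsmasq directives. server=/suffix/addr forwards names
# under the suffix to that resolver; rev-server=subnet,addr does the same for
# PTR lookups of the remote subnet, so far-side addresses resolve back to names.
dnsmasq_conf() {
    printf '%s\n' "$1" | awk 'NF == 3 {
        printf "server=/%s/%s\n", $2, $3
        printf "rev-server=%s,%s\n", $1, $3
    }'
}

# apply -> install the routes and the dnsmasq drop-in, then restart dnsmasq.
# Run as root on the router; dnsmasq only re-reads its configuration files on
# restart (SIGHUP reloads /etc/hosts and resolv.conf, not the config).
apply() {
    route_cmds "$REMOTE_SITES" | sh -e
    dnsmasq_conf "$REMOTE_SITES" > "$DNSMASQ_DROPIN"
    service dnsmasq restart   # assumes a `service` wrapper; use systemctl where applicable
}

# Preview what apply would do (no root needed).
route_cmds "$REMOTE_SITES"
dnsmasq_conf "$REMOTE_SITES"
```

The order matters when something is wrong: the routes must reach the VPN gateway before dnsmasq can talk to the remote resolvers, so a failed `ip route replace` (the `sh -e` aborts on the first one) should be fixed before the DNS forwarding is installed, otherwise every lookup for a remote name will time out rather than fail fast.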
Same here. I'm looking at eventually replacing my router with an OpenBSD box and having it handle the VPN stuff.
My servers are primarily FreeBSD, but I wouldn't recommend doing IPSec on it. FreeBSD 10 doesn't enable IPSEC by default, so you have to recompile the kernel to use it. FreeBSD 11 enables IPSEC but does not enable IPSEC_NAT_T (NAT Traversal, basically IPSec encapsulated in UDP), so you need to recompile to use it since many clients end up being behind NAT at some point.
My ideal setup would see OpenBSD gateways in front of my FreeBSD servers, but in some cases that isn't possible. I'll probably end up creating small OpenBSD VMs on the FreeBSD hosts to do the VPN work.
> FreeBSD 11 enables IPSEC but does not enable IPSEC_NAT_T
FWIW I heard that FreeBSD 11.1 (already in 11-Stable) is going to remove IPSEC_NAT_T as a tunable, and it will be effectively enabled by default.
I wanted to create an OpenBSD VM (on bhyve) too, but there is some weird issue with OpenBSD 6.1 and bhyve passing through some funky CPU flags it shouldn't be, which causes OpenBSD to panic. Apparently passing -w to bhyve works, but I haven't tried it yet.
> FWIW I heard that FreeBSD 11.1 (already in 11-Stable) is going to remove IPSEC_NAT_T as a tunable, and it will be effectively enabled by default.
Sweet!! I guess I'll hold off on upgrading my boxes until 11.1 lands.
> I wanted to create an OpenBSD VM (on bhyve) too, but there is some weird issue with OpenBSD 6.1 and bhyve passing through some funky CPU flags it shouldn't be, which causes OpenBSD to panic. Apparently passing -w to bhyve works, but I haven't tried it yet.
I have an Edge Router as well. I know this particular thread is about IPSec but wanted to mention that the OpenVPN version on EdgeOS is rather old at this point and fairly underperformant for anyone considering that route.
Thanks for the info. This vpn setup for me maxes out at 25Mbps but that's only because my ISP caps my upload at that. I bet the pi 3 can do 100Mbps of Cisco IPsec traffic maxing out the ethernet 100BASE-T interface.
How much extra security does this actually provide over a subscription-based VPN service? I mean, yeah, I control the physical hardware (assuming my apartment doesn't get busted in), but it means I have to make sure everything is configured properly/patched/etc. Is it really worth all that extra effort? I'm legitimately curious here.
It depends on your risk profile. If you're using it to bypass NetFlix region controls a VPN service would be fine. If you're using it to circumvent an oppressive regime with extreme consequences you should control the hardware yourself.
I built my own IPSec IKEv2 VPN using OpenBSD 6 and a BeagleBone Black. It worked really well and I would do it again. It replaced a FreeBSD 11 Raspberry Pi Model B which had only been doing NAT and VLANs. Never ran into issues with either. I do prefer the OpenBSD pf syntax as well as the ease with which OpenBSD facilitates IKEv2.
I've been using PiVPN[0], which sets up a VPN server for you, but also wraps a lot of the admin commands (creation and revocation of certs, for instance) in easier-to-remember commands.
I'm pretty sure you can find an expert in any field (provided enough 'experts', which for TLS there certainly are) who will have a given opinion on the topic.
I myself am not entirely happy with the way TLS works. It invites bad configurations, and in our pen testing reports it is extremely rare to see setups that do not have some recommendation. I have yet to see one, but I'm sure someone in the office will have seen a "perfect" setup on some odd assignment (once again: given enough samples, you'll find one...). And then there's the fact that almost all TLS connections use endpoints written in memory-unsafe languages, which has caused its fair share of vulnerabilities. (Alright, maybe a lot more than its fair share.)
But the notion that OpenVPN is bad just because it relies on TLS is mildly ridiculous. The only reason I could agree with "let's move OpenVPN off of TLS" is because too much relies on one protocol. Then again, that makes it an extremely well-vetted protocol, which is one of the things that makes it so good, and it's a fairly versatile protocol. Most of the important parts can be swapped out with a configuration change.
Does anyone know a VPN service (NOT a self-hosted server) that could help establish small private networks for multiple PCs without a public IP? Right now I would have to set up OpenVPN on DigitalOcean, but I would really prefer to pay for a service here.
3000 KiB/s or 24000 kbps, that's 3.5-5x my UK broadband bandwidth (depends on the weather!).
UltraHD video is about 7GB per hour, or about 2MB/s.
Mind you I'm surprised that Ofcom actually reports average UK bandwidth to be 4.5MB/s (SamKnows study; self-selected group of 2000 participants AFAIK).