Author Topic: Tell me about VPN  (Read 1794 times)


Offline TB-AV

  • Honorable Ex-Mod
  • All Time Legend
  • *****
  • Posts: 14966
  • Good Vibes 329
Tell me about VPN
« on: March 11, 2014, 08:02:02 pm »
Ok, I've been reading up on this a bit.... also considering setting up a Linux box for some of these other things I've been talking about lately.

VPN... here are my needs and my 'readings'... I have read some about people making a VPN behind their standard ISP/Router setup. EX ISP/Router >> VPN Network at home, office, etc.. OpenVPN I believe.

Then I see VPN subscriptions which apparently would allow me to connect to my home network if I can find say a coffee shop WiFi connection.

So now let's say I am mobile. Have Laptop. Dual boot seems to be working fine. windows8.1 / solydK.

I must at some point use IE to access two certain web sites. So that is a need/must on the Windows side. The remainder could switch over to Linux for general surfing, email, whatever.

Now can someone explain to what I could subscribe to, setup, or whatever. I see the pay services are roughly $40 a year which I can deal with if need be. I'm also ok DIY if that is a good way to go.

Mainly I need to be sure my data I have to transfer is safe.

So has anyone got a Readers Digest / Dummies overview of do this, this, this, this and this, and then find a Internet access by some means(still not sure about that part).

Basically I'm trying to prevent having to buy roaming ISP setup which is pretty expensive.

BTW... I do have mobile power inverter and can run router, etc, if needed. I'm thinking that's not an issue though.

So can anyone give a brief overview of what would work and just how I would work it?
Gone

Offline Dan Graves

  • All Time Legend
  • *******
  • Posts: 6604
  • Good Vibes 171
  • Is on the Outside, looking in
Re: Tell me about VPN
« Reply #1 on: March 12, 2014, 12:37:38 am »
A VPN is only as secure as the access point you're using.
If it isn't a trustworthy AP, nothing will change that.
If you log on at a shop run AP you most likely will never be able to connect anyway as they tend to filter what is and isn't allowed access.
Also, google 'IE tab' for all your IE needs in Firefox/Chrome/Chromium
"You need a little bit of insanity to do great things"
--Henry Rollins

(If you need me for something, PM ME FOR FSM'S SAKE ! I'm not around a lot, and I do NOT have thread notifications on!)

Offline Majik

  • Stadium Superstar
  • ******
  • Posts: 2010
  • Good Vibes 122
Re: Tell me about VPN
« Reply #2 on: March 12, 2014, 10:19:20 am »
Quote
Ok, I've been reading up on this a bit.... also considering setting up a Linux box for some of these other things I've been talking about lately.

VPN... here are my needs and my 'readings'... I have read some about people making a VPN behind their standard ISP/Router setup. EX ISP/Router >> VPN Network at home, office, etc.. OpenVPN I believe.

There are a number of VPN standards. The most popular ones are IPSec and OpenVPN. OpenVPN is normally much easier to set up, but less "standard" (although it is more "open").

Quote
Then I see VPN subscriptions which apparently would allow me to connect to my home network if I can find say a coffee shop WiFi connection.

One major use of such VPN services is to circumvent regional web service restrictions. For instance, I have friends in the US who have used VPNs to access the superior Olympics coverage on the BBC.

Of course, providing security is the other primary purpose for VPNs. Note that a VPN is a point-to-point "tunnel". Only traffic between the endpoints is protected by the tunnel encryption.

If you are talking about commercial services? To access your home network you will need something running within your home network. Some of the commercial services use an application running on a PC on your home network to create a tunnel back to their network. When you use the VPN app from (say) a coffee shop then you are connecting into their network, and then they are routing traffic back to your network.

With any of these services, the traffic is transiting their network, possibly unencrypted. You will be better protected if you set up a direct point-to-point VPN. This will require something running OpenVPN as a service on your home network, and a firewall rule configured to allow that. Note that some alternative router distros, like Tomato, can act as an OpenVPN endpoint.

I will point out that a VPN will normally give you routed network connectivity to your home network. You still need to run applications to access it. If you have a website internally hosted on your network, then a VPN is a good way to access it, for instance.

Quote
A VPN is only as secure as the access point you're using.
If it isn't a trustworthy AP, nothing will change that.

I'm intrigued as to why you say that Dan. The whole point of an encrypted VPN is to provide security over insecure connections. Obviously encryption can be broken, MITM attacks and so on, and a lot depends on the specific setup, but I see no reason why a well set up VPN connection shouldn't be considered to be as secure as is reasonable to get on the Internet, even from a coffee shop Wifi.

Quote
If you log on at a shop run AP you most likely will never be able to connect anyway as they tend to filter what is and isn't allowed access.

Personally speaking, I have had no problems using OpenVPN with public Wifi hotspots. A lot of corporate "guest" wifi tend to be more locked down.

Quote
So now let's say I am mobile. Have Laptop. Dual boot seems to be working fine. windows8.1 / solydK.

I must at some point use IE to access two certain web sites. So that is a need/must on the Windows side. The remainder could switch over to Linux for general surfing, email, whatever.

Now can someone explain to what I could subscribe to, setup, or whatever.

I'm a little lost at what you are trying to achieve by using a VPN. If it's secure access to stuff within your home network (e.g. a website, or a file share) then this is a good fit. If it's something else then it may not be.

If, for instance, you think that a VPN will help protect your general web browsing, then it only can do this to a very limited degree. I will disagree with Dan and say that it can help prevent other users sniffing your traffic from an open Wifi hotspot, but if you use a DIY solution into your home network, you will need to traverse your web traffic via your home router, and will be restricted by the bandwidth available at that point. Bear in mind any traffic has to go into your home router, and then back out again, and also remember that many home broadband services are asymmetric, in which case you will be restricted by your upstream bandwidth.

Commercial VPN services can also protect your web traffic from Open Wifi hotspots, but bear in mind that there is nothing stopping the VPN service provider from sniffing your traffic as it exits the tunnel at their network.

Note that none of these VPN services protect your web traffic elsewhere on the Internet. To do that you need something like TOR.

Cheers,

Keith
Guitars: PRS Singlecut S2, Fender Tele Lite Ash, G&L Legacy Tribute, Freshman Apollo 2 OCBX
Amps: Bugera G5 Head, Boss Katana 100
All sorts of other stuff.

Offline TB-AV

  • Honorable Ex-Mod
  • All Time Legend
  • *****
  • Posts: 14966
  • Good Vibes 329
Re: Tell me about VPN
« Reply #3 on: March 12, 2014, 02:12:50 pm »
Ok, yeah, I thought the whole purpose of a VPN was to protect your connection so I was confused by Dan as well. Also I read that commercial services -could- sniff the connection as well and had a list of 5 that claim not to do so and I think at least one keep no data and will give no data to the government even if asked.... I honestly don't care about the latter part... I don't want my sniffed but I'm not trying to hide anything from any sort of legal access.

Ok, here's the deal....

1. Home network... yes.. I would like to setup some sort of access to my home network if I needed a certain file while away.

2. While away I may have to access certain web sites and upload documents to someone's secure web site.

3. I have not looked into TOR yet. I did see the TORvpn but understand TOR itself is a different thing.

4. About the home file sharing.. I am still looking into the NAS and realize I probably need to do that too.

5. It was becoming my understanding that the VPN, provided all the other stuff was in place at home, would encrypt and secure that access at the roaming, coffee shop, Book store, end of things.

6. Regarding the asymmetrical connection. .....
Me remote>>>connect to home>>>go back out my router through my normal ISP>>>to web site.... wouldn't I still have my same up and down speeds or something very close?

Offline Dan Graves

  • All Time Legend
  • *******
  • Posts: 6604
  • Good Vibes 171
  • Is on the Outside, looking in
Re: Tell me about VPN
« Reply #4 on: March 12, 2014, 05:45:21 pm »
Well keith, i assume that you are familiar with Backtrack and Kali, so i'd suggest you have an in-depth look at the WiFi tampering/snooping software, or simply recall the full feature sets.
MiTM, Arp poisoning, spoofed AP's that force TLS...
The amount of damage you or i could do with a Laptop and a WiFi card that can be put in AP mode would worry most of our IT colleagues if they took the time to read up on it.
This http://en.wikipedia.org/wiki/MS-CHAP is also something to consider in regards to VPN's.
If the provider of choice still relies on PPTP (and oddly enough a nukber of them still do), it's a bad idea to use their service.

You may also wish to keep in mind the current issues that are being raised with SSL.
Then there's the inherent insecurity of any AP that you have no control over (because FSM only knows if Starbucks and their ilk even have someone who upgrades the firmwares on their routers, making for some spectacular points of entry), the fact that coffeeshops and similar places that have AP's are a perfect target for folks like me to sit around and host a truly rogue AP, and the fact that if TB-AV ends up using the WiFi when someone like me sitting across the room with a portable hackbox, and the WiFi is set up in any standard form, i can begin running...
Well, just about anything to try and get to him.


As for access restrictions, i really need to learn to keep in mind that only the Dutch are relatively anal-retentive about that, as around here, most open or 'customer use' AP's will filter everything that isn't standard HTTP, some even going so far as to use DPI to be able to identify and subsequently block certain types of traffic.
I suppose the rest of the world may not have such strict and uptight standards.

One thing to point out here : i am worse than the Unabomber when it comes to being paranoid about any sort of snooping, so keep in mind i will sketch the worst possible scenarios.
Obviously with some care and common sense a lot of these issues can be avoided.
I just prefer the 'rather safe than sorry' approach, obviously YMMV.

Offline Majik

  • Stadium Superstar
  • ******
  • Posts: 2010
  • Good Vibes 122
Re: Tell me about VPN
« Reply #5 on: March 12, 2014, 06:30:41 pm »
Quote
Well keith, i assume that you are familiar with Backtrack and Kali, so i'd suggest you have an in-depth look at the WiFi tampering/snooping software, or simply recall the full feature sets.
MiTM, Arp poisoning, spoofed AP's that force TLS...
The amount of damage you or i could do with a Laptop and a WiFi card that can be put in AP mode would worry most of our IT colleagues if they took the time to read up on it.
This http://en.wikipedia.org/wiki/MS-CHAP is also something to consider in regards to VPN's.
If the provider of choice still relies on PPTP (and oddly enough a nukber of them still do), it's a bad idea to use their service.

Yes, I did say "a well set up VPN connection". I would exclude any VPN which uses PPTP from that!

And, yes I'm very familiar with arp spoofing, and so on, I recently saw a very interesting talk on that very subject from a guy who breaks into Government buildings and IT systems for a career.

Quote
You may also wish to keep in mind the current issues that are being raised with SSL.

All of which are down to poor software implementations. SSL itself is not in doubt that I'm aware of. Nor, for instance, is OpenSSL which is the bedrock of most SSL implementations on Linux.

There's been a lot of recent publicity around GnuTLS, but that's old news: http://www.openldap.org/lists/openldap-devel/200802/msg00072.html

And there is no currently known way to decrypt, perform a MITM on, or otherwise break a properly configured OpenVPN setup. The Backtrack/Kali toolsets are powerful tools, but not that powerful.

Quote
Then there's the inherent insecurity of any AP that you have no control over (because FSM only knows if Starbucks and their ilk even have someone who upgrades the firmwares on their routers, making for some spectacular points of entry), the fact that coffeeshops and similar places that have AP's are a perfect target for folks like me to sit around and host a truly rogue AP, and the fact that if TB-AV ends up using the WiFi when someone like me sitting across the room with a portable hackbox, and the WiFi is set up in any standard form, i can begin running...
Well, just about anything to try and get to him.

I agree, which is one reason to use a VPN if you use such a hotspot. It has to be a good one though. You should also make sure your device is patched and secured of course.

Quote
As for access restrictions, i really need to learn to keep in mind that only the Dutch are relatively anal-retentive about that, as around here, most open or 'customer use' AP's will filter everything that isn't standard HTTP, some even going so far as to use DPI to be able to identify and subsequently block certain types of traffic.
I suppose the rest of the world may not have such strict and uptight standards.

The only common one I have come across is port 25 outbound is usually blocked, as a way of preventing casual spammers and spambot infections.

Quote
One thing to point out here : i am worse than the Unabomber when it comes to being paranoid about any sort of snooping, so keep in mind i will sketch the worst possible scenarios.
Obviously with some care and common sense a lot of these issues can be avoided.
I just prefer the 'rather safe than sorry' approach, obviously YMMV.

It's not a bad way to be as long as there is some balance and focus. I know people who are paranoid about using any Google services (thanks to Microsoft's smear campaigns), when they should probably be more concerned about the fact they are using IE6 on Windows XP.

Of course the safest approach is to not use the Internet at all...

Cheers,

Keith

Offline Majik

  • Stadium Superstar
  • ******
  • Posts: 2010
  • Good Vibes 122
Re: Tell me about VPN
« Reply #6 on: March 12, 2014, 06:49:01 pm »
Quote
Ok, yeah, I thought the whole purpose of a VPN was to protect your connection so I was confused by Dan as well. Also I read that commercial services -could- sniff the connection as well and had a list of 5 that claim not to do so and I think at least one keep no data and will give no data to the government even if asked.... I honestly don't care about the latter part... I don't want my sniffed but I'm not trying to hide anything from any sort of legal access.

With any service provider, it's down to trust. Unless you build your own infrastructure with encrypted connections at all points between, sooner or later you need to put your trust in other people or you end up severely limiting what you can do. Email, for instance, is inherently untrustworthy, even if you run your own email server.

My view is you need to decide whether you can trust any of these people. Personally I'm not sure I would, but that's largely because I have no need to.

Bear in mind if things like wifi hotspots are your major concern, you could rent a hosted server or VM and run that as a personal VPN concentrator. I'm not sure how the costs would compare with a VPN service though.

Quote
Ok, here's the deal....

1. Home network... yes.. I would like to setup some sort of access to my home network if I needed a certain file while away.

2. While away I may have to access certain web sites and upload documents to someone's secure web site.

3. I have not looked into TOR yet. I did see the TORvpn but understand TOR itself is a different thing.

4. About the home file sharing.. I am still looking into the NAS and realize I probably need to do that too.

Yes, that's all possible through a VPN.

TOR itself is a separate thing, but you normally access it using a VPN or encrypted connection of some sort.

Quote
5. It was becoming my understanding that the VPN, provided all the other stuff was in place at home, would encrypt and secure that access at the roaming, coffee shop, Book store, end of things.

It should do if you are sensible about how you do it. Avoid PPTP as Dan suggested. OpenVPN or IPSec (with a strong encryption) are the way to go. The strong encryption is a key point. IPSec is designed to negotiate encryption with the other end and, in some cases, it can end up negotiating down to something that is close to useless. Incidentally, for that reason the Open Source FreeSWAN IPsec project refuses to support some of these encryption standards, on the basis they would rather it didn't work than have people think they were protected when they weren't.

Quote
6. Regarding the asymmetrical connection. .....
Me remote>>>connect to home>>>go back out my router through my normal ISP>>>to web site.... wouldn't I still have my same up and down speeds or something very close?

You will lose a bit of bandwidth due to the overhead of the encryption. More of an issue is that the act of encrypting and decrypting uses processor power and this will introduce bandwidth limitations and latency. How bad this is depends on the system in use. An underpowered system running as a VPN endpoint could have a significant impact. I should point out I have regularly been getting 15-20 Mbps on OpenVPN using a Via Eden 1GHz based embedded system, although that does have a hardware crypto accelerator.

The best way to judge this is to try it out.

My main point though was if you are doing normal websurfing via a VPN to your home, you won't get the same speeds as if you were sitting at home. If, for instance, your broadband is 10Mbps down and 2Mbps up, if you are using a VPN your web surfing will be restricted to 2Mbps.

An alternative approach which, depending on circumstances, can be faster is to remote desktop (e.g. RDP, VNC, Chrome Remote Desktop) into a desktop PC running internally and browse the Internet from that.

Cheers,

Keith



Offline TB-AV

  • Honorable Ex-Mod
  • All Time Legend
  • *****
  • Posts: 14966
  • Good Vibes 329
Re: Tell me about VPN
« Reply #7 on: March 12, 2014, 06:51:37 pm »
Posted at same time.. will read your post above..
---------------------------------------------------------


Ok... so provided I do this... OpenVPN is the way to go? That's the one I have been reading up on....


..and I need to stay away from PPTP... what do I want to head towards.

I say coffee shop.... but hospital, library.... apartment complex, I figure the odds of me hitting a spot at the same time someone is sitting there hacking is probably going to be remote.

Which was another reason I mentioned that would me having a router handy be of any extra security use... just for the fact of the things it blocks by default.

Majik do you know of a link for simple OpenVPN "how to" that is 'done right' that would suit my simple needs.

@Dan... that is a hell of a band name.... "The Odd Nukbers"
Quote
enough a nukber
The first album would of course be titled "Oddly Enough".

That just sounds like hit music without even hearing it.

Offline Majik

  • Stadium Superstar
  • ******
  • Posts: 2010
  • Good Vibes 122
Re: Tell me about VPN
« Reply #8 on: March 12, 2014, 07:01:57 pm »
By the way, you might think using your mobile phone data is more secure than Wifi.

Well it's less accessible to randoms with a copy of backtrack, but there is a strong possibility it's going across a relatively public exchange network with a lot of very technically skilled people having access to it.

Many of the companies running these exchanges actively advertise that they sniff the communications because they sell traffic reports to the mobile carriers which detail utilisation by traffic type, destination, and so on.

And, in Europe at least, some of these networks are run by Chinese companies which is almost as bad as having a US carrier like Verizon.

Cheers,

Keith

Offline TB-AV

  • Honorable Ex-Mod
  • All Time Legend
  • *****
  • Posts: 14966
  • Good Vibes 329
Re: Tell me about VPN
« Reply #9 on: March 12, 2014, 07:03:36 pm »
I would rather not do remote desktop because I would prefer to turn off main desktop sometimes like a vacation.

What I'm trying to decide is should I invest in a new ITX mini box that serves as NAS, VPN, etc... and can all that even be done in one box... I have an old P4 but it seems like FreeNAS is using multi-Core cpus.

I was just going to hang some old drives internal and usb off this old P4 and try to do this but if I can make a fairly cheap low wattage draw NAS/VPN/FTP maybe I should do that... BUT.... if I can't access it remotely and securely... then it kinda blows out my whole plan.

I wish I could just find a good YT video where I can see someone actually doing this in a simple over view, "this is how this setup works" type thing... and I can't seem to find one....


Offline TB-AV

  • Honorable Ex-Mod
  • All Time Legend
  • *****
  • Posts: 14966
  • Good Vibes 329
Re: Tell me about VPN
« Reply #10 on: March 12, 2014, 07:13:54 pm »
I pretty much know everything that anyone wants to listen to, if they want it bad enough they can get it. I'm not really concerned about that.

I just want to set something up that I can reasonably trust in. I'm not going to a hacker convention and expect to be doing something privately.... but if I go to some reasonably safe place like a friends home, a library ... even some of the sites I send to... once I log in and use that session, it's dead after that. I can't even log back in. They have to send me another link to access. Others are not... if someone got my password they could use it... well like this site for instance.

BTW - either of you... In Kali... is there a tool that might show if someone were running any of the sniffing tools on the wifi I chose to connect to?  IOW, could I potentially scan the WiFi for any sort of specific activity that might point to something.




Offline Majik

  • Stadium Superstar
  • ******
  • Posts: 2010
  • Good Vibes 122
Re: Tell me about VPN
« Reply #11 on: March 12, 2014, 07:21:56 pm »

Quote
BTW - either of you... In Kali... is there a tool that might show if someone were running any of the sniffing tools on the wifi I chose to connect to?  IOW, could I potentially scan the WiFi for any sort of specific activity that might point to something.

The main attack tool is arp spoofing. This allows you to spoof another device on the network, including the router itself. If you can pretend to be the router then you can bypass all of the traffic on the wifi so it goes through your computer which, as you can appreciate, is pretty powerful. You can also do things like change the DNS being used by the computers, which allows you to redirect where they are browsing to.

Unfortunately about the only way to detect it as a user on a public wifi is to look at your arp cache and see if there are any suspicious entries, such as duplicates, and even that's not authoritative. Checking the MAC address entries against the hardware database might also detect it: if the mac address of the router seems to have been issued by "Dell" instead of "Netgear" then that would be immediately suspicious. I would say there's no easy, reliable way though.

Cheers,

Keith




Offline Majik

  • Stadium Superstar
  • ******
  • Posts: 2010
  • Good Vibes 122
Re: Tell me about VPN
« Reply #12 on: March 12, 2014, 07:28:00 pm »
Quote
I would rather not do remote desktop because I would prefer to turn off main desktop sometimes like a vacation.

What I'm trying to decide is should I invest in a new ITX mini box that serves as NAS, VPN, etc... and can all that even be done in one box... I have an old P4 but it seems like FreeNAS is using multi-Core cpus.

Personally I would run NAS separately. Not only does it distribute the load a bit, but it's also considered a security risk to run something like a NAS on a security device on the basis that apps like file servers aren't built inherently with security, and may have vulnerabilities which may be used to infiltrate or weaken your firewall or VPN.

What you might want to consider doing is taking that P4 and installing pfSense on it (www.pfsense.org). Pfsense is FreeBSD based, but it's an excellent, well regarded firewall which will give you a lot more control and better security than any standard home router, as well as built-in OpenVPN and IPSec VPN capability. It's also fairly easy to use.

Quote
I was just going to hang some old drives internal and usb off this old P4 and try to do this but if I can make a fairly cheap low wattage draw NAS/VPN/FTP maybe I should do that... BUT.... if I can't access it remotely and securely... then it kinda blows out my whole plan.

Given the other reports on how well the Raspberry Pi works as a NAS, perhaps you should try using this for the NAS?

Cheers,

Keith

Offline TB-AV

  • Honorable Ex-Mod
  • All Time Legend
  • *****
  • Posts: 14966
  • Good Vibes 329
Re: Tell me about VPN
« Reply #13 on: March 12, 2014, 07:53:41 pm »
10-4 on the pfsense... haven't heard of that one before.

RPi as NAS.... I have 2 RPis.. one will be RaspBMC.. the other I intend to play around with.

I also haven't seen that many RPi NAS setups... I thought it was popular but then when I started looking into things it seems like people are using more powerful systems.... but.. yes,, I'm ok with that as well and actually was going that route until I started reading the FreeNAS site and watching a few vids.

So on that pfsense... if I went that route it would be ISP-MODEM-P4box-WiFi router-Network as normal?




Offline Majik

  • Stadium Superstar
  • ******
  • Posts: 2010
  • Good Vibes 122
Re: Tell me about VPN
« Reply #14 on: March 12, 2014, 08:00:34 pm »
Quote
10-4 on the pfsense... haven't heard of that one before.

It's one of the best kept secrets of the Free software world IMO.

Quote
So on that pfsense... if I went that route it would be ISP-MODEM-P4box-WiFi router-Network as normal?

Yes, but if you can configure your Wifi router just to act as a fairly dumb wifi access point that would be best. You don't want two things handing out DHCP addresses, for instance.

Typically you wouldn't use the router WAN port any more, and would just plug the backend of the pfSense box into a LAN port on the router.

Cheers,

Keith