just brew it!
Administrator
Topic Author
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Proxy security and VPNs

Mon Jul 06, 2015 8:12 pm

This article makes me glad I use a proxy I set up myself whenever I surf via public WiFi. Performance of OpenSSH's SOCKS proxy kind of sucks though; I'm wondering whether I might be better off setting up a full-blown VPN...
Nostalgia isn't what it used to be.
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: Proxy security and VPNs

Mon Jul 06, 2015 8:34 pm

I've got OpenVPN set up on my router (RT-N16 running Tomato Shibby). I haven't benchmarked it, but performance seems to be acceptable. Bit of work to set up; once the keys and certificates are generated it's not so bad.

edit: sorry about the image size, it's late and I'm tired.

Basic config:
Image

Advanced:
Image

Key files:
- Static key: ta.key (optional, if using extra HMAC auth)
- Certificate authority: ca.crt
- Server certificate: server.crt
- Server key: server.key
- Diffie-Hellman parameters: dh2048.pem

and how to create them:
https://openvpn.net/index.php/open-sour ... o.html#pki
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
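
An added example (not part of the original post): a small shell check over the key files listed above, confirming the required ones exist and that the two secrets, server.key and ta.key, are not readable by group or others. The function names and the directory argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit the OpenVPN server key files named in the post.
# The directory layout and function names are assumptions for illustration.

# server.key and ta.key are secrets; the other three are safe to distribute.
SECRET_FILES="server.key ta.key"
REQUIRED_FILES="ca.crt server.crt dh2048.pem server.key"

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_keydir DIR: prints findings and returns the number of problems.
audit_keydir() {
    dir=$1
    problems=0
    # ta.key is optional (only used with the extra HMAC auth), so it is
    # not in the required list.
    for f in $REQUIRED_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING  $f"
            problems=$((problems + 1))
        fi
    done
    for f in $SECRET_FILES; do
        [ -f "$dir/$f" ] || continue
        mode=$(file_mode "$dir/$f")
        # Any group or other permission bit on a secret is a finding.
        case "$mode" in
            0|*00) ;;
            *) echo "EXPOSED  $f (mode $mode, expected 600 or 400)"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Command-line use: sh audit.sh <directory holding the key files>
if [ "$#" -gt 0 ]; then
    audit_keydir "$1"
fi
```
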
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden
Contact:

Re: Proxy security and VPNs

Mon Jul 06, 2015 10:40 pm

Yeah, having access to a VPN to home whenever you are at a public wifi is a good thing. Or having access to a VPN service... not free ones though ;)
Paid VPS are probably the best bet for anonymity, and any VPN, home or paid, is probably advisable on public networks. Beyond running a few extra utilities like EMET if you are on Windows.

And for things like TOR, you pretty much have to assume everything you send is being monitored. So all in all, paid VPNs are probably the best bet since the ones operating them are pretty much dependent on their customers and having a decent service to continue to exist.

Yeah, you don't want anything going in cleartext passing somebody that might do anything with it, because no, you might not know if it's been tampered with. Either locally, or somewhere down the line. But there are a few funny things out there.

I watched this when it came out.
t107 A Year in the Backdoor Factory Joshua Pitts
https://www.youtube.com/watch?v=LjUN9MACaTs

Then put the above together with things like the old sslstrip, nowadays really old.
Defeating Ssl Using Sslstrip (Marlinspike Blackhat)
https://www.youtube.com/watch?v=MFol6IMbZ7Y

DEFCON 17: More Tricks For Defeating SSL
https://www.youtube.com/watch?v=ibF36Yyeehw
 
MarkG509
Gerbil Elite
Posts: 744
Joined: Thu Feb 21, 2013 6:51 pm

Re: Proxy security and VPNs

Tue Jul 07, 2015 1:30 am

Aphasia wrote:
And for things like TOR, you pretty much have to assume everything you send is being monitored.
Soon after the whole TOR thing first appeared, I was intrigued. So, I set it up and spent most of a weekend doing traceroutes to various interesting sites - nothing too interesting, mind you. A large percentage of the paths passed through, or exited from, 3 sites in northern Virginia. Based on that limited, early testing, I concluded TOR is a honeypot, and never played with it again.

Back on topic, I picked up an Asus RT-AC68P and set up a VPN to use with my Samsung GN4 running the OpenVPN Connect Android app. It has been very stable with good performance, but what annoys me is that each time I return home, I have to manually flip several settings, or occasionally reboot the phone to get T-Mo's WiFi calling to work again. What I'd really like is to find one magic/golden setup that "just works" everywhere, and doesn't require me futzing with the phone depending on where I am.
 
just brew it!
Administrator
Topic Author
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Proxy security and VPNs

Tue Jul 07, 2015 5:28 am

MarkG509 wrote:
Soon after the whole TOR thing first appeared, I was intrigued. So, I set it up and spent most of a weekend doing traceroutes to various interesting sites - nothing too interesting, mind you. A large percentage of the paths passed through, or exited from, 3 sites in northern Virginia. Based on that limited, early testing, I concluded TOR is a honeypot, and never played with it again.

TOR was invented by the US Naval Research Laboratory, which is based in DC. I'm not saying it isn't being monitored... just that there's a potentially benign explanation for the nexus being in northern Virginia early on!
Nostalgia isn't what it used to be.
 
NovusBogus
Graphmaster Gerbil
Posts: 1408
Joined: Sun Jan 06, 2013 12:37 am

Re: Proxy security and VPNs

Tue Jul 07, 2015 10:32 pm

Being created by the government doesn't exactly bolster its privacy cred, either. :lol:

I use Tor for a lot of not-terribly-interesting site visits, mostly to generate noise, and based on language settings most of my exit nodes these days are in Germany. Eventually I want to set up a hidden service for the lulz, but figuring out how to do it safely is efforts and I'm lazy. If I wanted to do something really sensitive I'd use a Tails USB stick and someone else's Internet connection...

Free proxy/VPN always struck me as an obvious case of "if it's free, you're the product" so that angle is hardly surprising.
 
just brew it!
Administrator
Topic Author
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Proxy security and VPNs

Tue Jul 07, 2015 10:43 pm

NovusBogus wrote:
Being created by the government doesn't exactly bolster its privacy cred, either. :lol:

No argument there! :lol: But the Internet itself was essentially a US government/military creation, so it has had its roots there from the very start. The Internet we've come to know and love/hate was essentially an accident, catalyzed in large part by the invention of the WWW (which came out of academia).

(And for the most part, the general public believes that the Internet *is* the WWW... or Google.)
Nostalgia isn't what it used to be.
 
Flatland_Spider
Graphmaster Gerbil
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: Proxy security and VPNs

Wed Jul 08, 2015 8:24 am

You should probably set up your own VPN.

L2TP/IPSec VPNs are the fastest, lowest level, most non-portable, and the hardest to set up. The configuration isn't that hard, but getting everything to support an L2TP/IPSec and to play nice together is the hard part. L2TP/IPSec is usually built into the TCP/IP stack, and some devices don't have that. Most implementations are proprietary and can have quirks, so only the most basic settings may work between devices. Linux can be set up as an L2TP/IPSec server.

OpenVPN is a middle solution. It's not as low level or as fast as L2TP/IPSec, but it's faster than application layer solutions. It has good support across the board, and it's relatively easy to get set up on clients. The FOSS server can be tricky to set up, from what I hear. The commercial server (https://openvpn.net/index.php/access-se ... rview.html) is very easy to get working, and the licensing is cheap, compared to other VPN solutions. $96.00 for the first ten licenses then $9.60 for each additional license. OpenVPN is a full software solution, and it will benefit from fast procs with crypto extensions.

Another interesting project is Neorouter (http://www.neorouter.com/compare). I haven't used it, but I've looked at it in the past. It has some interesting features in that it claims to be able to run off of a USB flash drive.

SSL VPNs aren't much different from your SSH SOCKS proxy, and I don't know of any FOSS packages for this.

NovusBogus wrote:
Being created by the government doesn't exactly bolster its privacy cred, either. :lol:


It doesn't, except it was the Navy who designed it as a way to securely communicate across compromised networks. Creating a weak design with compromised crypto would put lives at risk, and the military is pretty serious about keeping communications secure. If it was designed by any other branch, I would be more suspicious.
