VPN
What is VPN?
In layman's terms, a VPN encrypts all of your Internet traffic between your machine and our server and sends it
out onto the Internet from our network. Those on your local network, whether a public Wi-Fi hotspot or some other
untrusted location, will be unable to see what you do or the data you pass. (They can still see that you are
connected to our VPN server, and how much traffic you exchange with it; what they cannot see is the content.)
In addition, your IP address is hidden for everything you do, so the sites you connect to cannot determine your
true location from it. Whether you make forum posts, send IM messages, send e-mail, use Skype, or use any other form
of Internet communication, the IP address shown will be that of the VPN server.
How does it differ from SSH tunneling?
The VPN differs from SSH tunnels and SOCKS proxies in that those proxies carry only TCP traffic, and only from the
applications you configure to use them. This is why you must change the proxy settings in your browser when using
an SSH tunnel (and unless the browser is also told to resolve names through the proxy, its DNS lookups still go
out directly).
In addition, some applications cannot be configured to use a proxy at all, so you simply cannot use them with SSH
tunnels. Even worse, some applications and plugins can deliberately bypass the proxy, which is why we recommend
disabling Java and the like when using the SSH tunnels.
The VPN solves these issues. It carries all IP traffic, TCP and UDP alike, from every application on your machine.
You don't have to change settings in anything: it all passes through an encrypted tunnel from your machine to ours
and out through our network. There is no need to disable Java because it might bypass the proxy, no more sites that
don't work right, and no more Internet applications that won't work with a proxy. Just connect to the VPN and use
everything normally; no special proxy settings are needed.
Just as with SSH tunneling, you should continue to use SSL/TLS connections (https, imaps, pop3s, smtps, etc.). The
VPN is an encrypted pipe only between you and us; once your traffic leaves our network for its destination it is
in whatever form your application sent it, so SSL/TLS, which is end to end between you and the destination, still
matters. Keep using encryption wherever it is available.
Sounds great, what are the drawbacks?
First, speed. While it is reliably faster than our SSH tunnels, and certainly not slow, it probably won't be as
fast as your raw ISP connection. Many of you are on fast connections, some 10 Mbit and even 50 Mbit residential
(your ISP is seriously overselling, and is likely quoting speeds only found on its internal network and not
available to the outside Internet).
Either way, you won't see those many-megabit speeds through the VPN. That would cost far more than $14.95 a month;
a dedicated 10 Mbit or 50 Mbit stream would be more like $499 to $999 a month. It will be fast enough, though. Web
pages will be quick, Internet radio will work, Skype will work, video streaming will work; everything should work.
We cannot guarantee steady HD streaming in all its glory. That is a lot of bandwidth, and someone steadily using
large amounts of it has an adverse effect on everyone else, so we will have to address heavy bandwidth use. You'll
be able to do some (depending on the stability of your route to us), but not 24 hours a day.
Pretty much anything you run should work and, although perhaps not optimal, it will all be fast enough to be
comfortably usable. Some of you on DSL and other slower connections will notice no speed drop at all.
Caveat: Connection.
To connect to our VPN your packets will likely pass through fourteen (14) or so routers between your ISP and us.
If any one of those routers starts dropping packets (your local ISP's seriously oversold links, for instance), your
VPN connection will suffer. ISPs oversell their residential customers, banking on not everyone using their bandwidth
at once. Unfortunately many do, so ISPs compensate by prioritizing packets, working to keep the web snappy and
customers thinking they are fast.
Prioritizing one type of traffic, though, means doing so at the expense of other types. VPN and SSH traffic may be
at the low end of what your ISP considers priority, which can cause slow speeds and disconnects. There may even be
times you cannot connect to the VPN at all, when one router between you and us is temporarily having issues
(nothing runs flawlessly forever).
Connection drops can be dangerous, depending on why you are using the VPN. They are dangerous because, if you are
not paying attention, your computer will quietly fall back to its normal route when the tunnel goes down and your
traffic goes out directly again. So if you were hiding your traffic from your ISP, or your location from some site,
it may suddenly become visible to them.
SSH handles this better because an application that is pointed at the tunnel simply stops working when the tunnel
drops. With the VPN you can still run your SSH tunnels inside it, so that your traffic is guaranteed to stop if it
needs to. There are also utilities that monitor the VPN and reconnect automatically if it drops; note that
reconnecting alone does not close the window between the drop and the reconnect. Only a firewall rule that refuses
to send anything except VPN traffic over your physical interface does that.
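A watchdog in that spirit, as an added example written for this page rather than code from the VPN provider or from the VPN software: it reads the Linux routing table, checks that a tunnel interface still carries all traffic, and runs a fail-closed command the moment it does not. The default fail-closed command (an iptables rule dropping everything but loopback) and the two-second poll interval are assumptions; pass your own command on the command line instead. The sample routing tables inside it are constructed, with placeholder interface names and addresses, and exist so the checker can be exercised without a VPN.

```python
# Added example, not the provider's code: fail closed when the tunnel stops
# carrying the default route. Reads `ip -4 route show` (Linux, iproute2).
import subprocess
import sys
import time

TUNNEL_PREFIXES = ("tun", "tap", "ppp")   # OpenVPN tun/tap, PPTP ppp


def route_table(text):
    """Parse `ip -4 route show` lines into (destination, device, metric) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dev, metric = None, 0
        for i, tok in enumerate(parts[:-1]):
            if tok == "dev":
                dev = parts[i + 1]
            elif tok == "metric":
                metric = int(parts[i + 1])
        if dev:
            rows.append((parts[0], dev, metric))
    return rows


def best_device(rows, dst):
    """Device of the lowest-metric route to exactly this destination, or None."""
    matches = [(metric, dev) for d, dev, metric in rows if d == dst]
    return min(matches)[1] if matches else None


def tunnel_carries_default(text):
    """True only if every destination is routed via a tunnel interface.

    OpenVPN's `redirect-gateway def1` does not replace the default route: it adds
    0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which win over the ISP default because
    they are more specific. pppd (PPTP) usually replaces the default route instead,
    so both shapes have to be recognised.
    """
    rows = route_table(text)
    halves = [best_device(rows, "0.0.0.0/1"), best_device(rows, "128.0.0.0/1")]
    if all(dev and dev.startswith(TUNNEL_PREFIXES) for dev in halves):
        return True
    dev = best_device(rows, "default")
    return bool(dev and dev.startswith(TUNNEL_PREFIXES))


# Constructed sample tables (placeholder addresses, not captured from a real host).
ROUTES_OPENVPN = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""
ROUTES_PPTP = """\
default dev ppp0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""
ROUTES_TUNNEL_DOWN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600
"""
# Tunnel half torn down: only one of the two def1 halves is left, so half the
# Internet already routes via the ISP. This must count as a leak.
ROUTES_HALF_GONE = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
"""


def main(argv):
    # Assumed fail-closed action: block all non-loopback output until you intervene.
    # Any command works here, e.g. `pkill -STOP firefox`.
    fail_closed = argv[1:] or ["iptables", "-I", "OUTPUT", "!", "-o", "lo", "-j", "DROP"]
    while True:
        table = subprocess.run(["ip", "-4", "route", "show"],
                               capture_output=True, text=True).stdout
        if not tunnel_carries_default(table):
            subprocess.run(fail_closed)
            return 1
        time.sleep(2)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root alongside the VPN client; once it fires, nothing leaves the machine until you remove the rule and reconnect, which is the point. The check deliberately looks at the two def1 halves before the default route, because a machine that still has an ISP default route underneath a healthy OpenVPN tunnel is normal, while a machine that has lost one of the halves is already leaking.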
Caveat: DNS Leaks
VPN connections, especially PPTP connections, are susceptible to DNS leaks on some operating systems and
configurations: the tunnel is up, but your computer keeps sending its DNS queries to your ISP's resolver outside
the tunnel, so the names of the sites you visit are still visible to your ISP. To find out more, visit our page on
DNS Leaks.
Tell me more
We offer two types of VPN service, PPTP and OpenVPN. PPTP is so widespread that even your phone likely supports
it. However, it is the weaker of the two. OpenVPN is stronger and works more reliably from locations that block
VPN traffic. Support for OpenVPN is not as widespread, though, and there may be no client for your device or OS, or
the one available may be difficult to install and configure.
PPTP drawbacks
PPTP must be correctly configured on the server to be even fairly secure, and we have configured ours accordingly.
It is not a Microsoft VPN server (we run BSD); it requires 128-bit MPPE encryption, refuses MS-CHAPv1, runs MPPE in
stateless mode (so the session key changes with every packet), and forces a longer, non-dictionary password. For
those of you who do not understand what all of that means: it is configured as securely as PPTP allows.
That said, an attacker with access to your datastream (anyone on the same public Wi-Fi, for instance) can capture
the MS-CHAPv2 challenge and response from your login and attack it offline. If you used a dictionary word or other
weak password, that attack succeeds quickly; the longer and more random the password, the longer it takes. Be
aware, though, that the MS-CHAPv2 response is computed with DES using three keys taken directly from your password
hash, so recovering the hash from a captured exchange amounts to a single 56-bit DES search. That has been
demonstrated in practice, so a strong password raises the attacker's cost considerably but does not put the hash
out of reach of a determined one.
What do they get if they recover your VPN password hash? Assuming it is not also the password to everything you
own, they can log in to our VPN server as you and use it. Worse, the MPPE encryption keys are derived from that
same password hash together with the handshake they already captured, so they can also decrypt the VPN traffic
they recorded.
That is the main issue with PPTP: while it does use 128-bit encryption, the key comes from your password. In effect
a weak password means weak encryption and a stronger password means stronger encryption. It is extremely important
with PPTP to use a strong password. If you are going to use a word from a dictionary, you may as well not bother
with PPTP and just connect directly.
(This is why we force non-dictionary alphanumeric passwords. A word from any dictionary will have your password
hash cracked in less than 10 minutes; a password of random lowercase letters may take half an hour; a shorter
random mixed-case password perhaps a few hours to a day; while l0phtcrack will run effectively forever trying to
brute-force a long mixed-case alphanumeric password.
Addendum: substituting digits for your vowels is old news; a simple substitution rule run over the dictionary will
crack those. We recommend that you be more creative.)
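To make the "password as key" point concrete, here is an added example, written for this page and not the provider's code or a real cracking tool. The hash that MS-CHAP derives both its challenge response and the MPPE session keys from is the NT hash, which is simply MD4 over the UTF-16LE encoding of the password; an attacker who has recovered it, or who pushes each guess through the DES response step, is left with exactly the guessing work shown here. The wordlist, the mangling rules (a minimal stand-in for what l0phtcrack and friends apply, including the digits-for-vowels rule above) and the "captured" hash are constructed for the example; the hash is the well-known NT hash of the word "password".

```python
# Added example, not the provider's code: offline guessing against a PPTP/MS-CHAP
# password hash. MD4 is implemented here because OpenSSL 3 builds of Python's
# hashlib often refuse it as a legacy algorithm.
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4 digest of msg."""
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers so the next step updates "d", etc.
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash as used by MS-CHAP and MPPE: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


LEET = str.maketrans("aeio", "4310")      # the digits-for-vowels rule from the text
SUFFIXES = ("", "1", "123", "!")


def candidates(word: str):
    """The cheap rules every cracker applies: case variants, leet vowels, common suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def crack(target: bytes, wordlist):
    """Return the password whose NT hash equals target, or None if the wordlist misses."""
    for word in wordlist:
        for guess in candidates(word):
            if nt_hash(guess) == target:
                return guess
    return None


# Constructed inputs: a tiny wordlist and a "captured" hash (NT hash of "password").
WORDLIST = ["secret", "letmein", "dragon", "password", "monkey"]
CAPTURED = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")

if __name__ == "__main__":
    print("dictionary word  :", crack(CAPTURED, WORDLIST))
    print("leet + suffix    :", crack(nt_hash("P4ssw0rd123"), WORDLIST))
    print("random password  :", crack(nt_hash("xK9#qLm2vR"), WORDLIST))
```

The third call comes back empty because nothing in a wordlist, however it is mangled, reaches a random ten-character password; the first two fall within a fraction of a second. The cost that stops a cracker is the number of candidates it has to try, not the 128-bit key length the protocol advertises.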
PPTP VPN is only secure if the drawbacks are understood and countered.
We do expect that you will still use strong GPG/PGP encryption and SSL/TLS inside the VPN for your e-mail and other
services, so that it is a big step up in protection from what you are already doing. To be safest, you may even
continue to use your SSH tunnels inside the VPN (although this will slow things down somewhat) and have all the
safety of the SSH tunnels with the additional protection and functionality of the VPN.
OpenVPN
OpenVPN has none of the weaknesses of PPTP. Authentication is certificate-based over TLS, and the data channel is
encrypted with Blowfish, a cipher with no practical key-recovery attack against it (its 64-bit block size is the
reason OpenVPN renegotiates session keys every hour by default). Your password hash cannot be retrieved from its
data stream the way it can with PPTP. It is not as subject to connection issues. Where PPTP is weak, OpenVPN is
strong.
OpenVPN, unlike PPTP, can also be routed through a SOCKS or HTTP proxy, and it can run over TCP on common ports, so
to a port-filtering firewall it looks like an https web site, an encrypted e-mail connection, or an encrypted IM
connection. (A firewall that inspects the handshake itself can still tell OpenVPN from ordinary TLS.)
The big drawback of OpenVPN is that it can be difficult to install, run, and configure for non-Windows users.
With our service you can choose which VPN you want to use, and bounce between them as needed.