The recommendation to use a 1024-bit RSA key worries me. In an era of passive, bulk surveillance, that seems too weak if you're not going to be using any additional transport-layer security.
The performance argument is only relevant for the establishment of the VPN connection and any periodic rekeying — it shouldn't have any impact on the tunnel's perf.
It's a shame openvpn's easy-rsa doesn't provide a straightforward mechanism to generate ECDSA certificates, which would've removed any performance concerns.
--
edit: easy-rsa does support ECDSA[1]:
Support for generating an ECDSA certificate chain is available in EasyRSA (in
spite of it's name) since EasyRSA 3.0. The parameters you're looking for are
'--use-algo=ec' and '--curve=<curve_name>'. See the EasyRSA documentation for
more details on generating ECDSA certificates.
Careful if you're using this for something dangerous. I'm not a computer security expert by any stretch and I don't know whether the people who have written these articles are. Chances are that this is completely broken and will reveal your IP address and identity.
Yeah, I use SOCKS5 over SSH all the time, although I didn't follow that particular guide. I am also not an expert but after making sure DNS requests were tunneled, I wasn't able to see any cleartext at all using Wireshark.
It is not a Tor replacement or anything. I think it should be effective at simple things like: masking personal browsing at work[0], masking browsing habits from your ISP.
[0] Obviously if you use a company computer, you could be keylogged/monitored in other ways. Use your judgement.
What I don't get is why people think that random VPS and VPN providers would somehow be better for your privacy than to let your ISP see the content of your traffic.
I live in a country where metadata is recorded at the ISP level for government perusal. More than 60 agencies want access this data without a warrant [0]. Why does the Taxi Services Commission need to know my web browsing history? Or Greyhound Racing Victoria?
There's also a law specifically making it a crime to post any information about government actions deemed a "special intelligence operation" [1], which makes me think that they're recording this data in bad faith.
So fuck 'em. Fuck the government that seeks to monitor everyone in order to entrench their power structure. Fuck them for lying to us, by claiming it's about terrorism. Fuck them for indicating a willingness to prosecute anyone who shines a light on their shady actions.
That's why I use a VPN, running on a VPS I have provisioned myself. No, I don't trust the VPS provider, but they have no power to imprison people, nor have they demonstrated a desire to expand their power over others.
Your ISP and your government have a strong interest in monitoring what you do, and they are more likely to take action against you if they don't like what you do.
A random VPS service (preferably in another country) only cares about you insofar as you pay them and don't cause any trouble to them. They don't have as much of an incentive to invade your privacy as your home ISP does, and I trust incentive structures a lot more than I trust boilerplate words on a privacy policy.
It can also be a matter of opportunistic encryption. Most public wi-fi is vulnerable to anyone in the vicinity, in addition to the usual ISP and the NSA. Use a VPN and now you're only vulnerable to the VPS service and the NSA. That's quite a bit of improvement.
You also have the freedom to choose a VPS service with good connectivity in a relatively less snoopy country, a luxury you often don't have in choosing your home ISP.
> Use a VPN and now you're only vulnerable to the VPS service and the NSA
You can always try 'chaining' VPNs together, or stacking them on top of each other so that if one of the VPS servers is compromised, a TLA gets nothing but encrypted traffic and can't see what you're doing. The only caveat here is the 'exit' VPS is always going to have to be unencrypted. This is why it's worth looking into offshore VPS providers in non-five-eyes countries. I'm not sure what countries these are. I haven't done the research.
Typically I achieve chaining by doing the following:
- Hardware VPN that I connect to as normal. Personally I use http://www.pivpn.io/
- Then I connect to another VPN on my host/hypervisor machine
- Then I fire up Virtualbox and run another VPN inside the VM
- The chain now has three hops, and the exit VPN is on a box that I control. I avoid Digital Ocean like the plague as it's a US company.
> They don't have as much of an incentive to invade your privacy as your home ISP does
The have a much better opportunity of correlating traffic than anyone else. It's not separated by an IP anymore. They've got a specific account they can connect to a specific person. (via billing) I believe if they wanted to sell the traffic logs, they'd easily find customers.
Regarding DigitalOcean VPNs, I think enough people have been doing this that it is starting to show in unpleasant ways. While using my DO VPN I've encountered captchas while using YouTube, of all sites, likely because of abuse they've seen at the hands of DO VPN users. I've also seen my DO IP range outright banned by other sites.
Probably similar for any other popular VM provider. Many webmasters, for example, block AWS IP ranges because there tends to be a lot of abusive traffic, crawlers, etc, from there.
Going with a smaller company for a VPS intended for use as a VPN is a good idea.
I'm the founder of SSD Nodes, Inc., which is a bootstrapped SSD-based hosting provider for startups that I've been working on since 2011. We have several locations which are great for VPNs: NYC, Dallas, Seattle, and Montreal. We're really good about curbing abuse, so our IPs usually don't have any issues (there's also a 14-day refund if it doesn't work out, we're very generous with refunds).
See the below forums for providers. A simple search on WHT (Web Hosting Talk) of the company name will yield you some reviews that you can use to base your purchasing decision on. If a company has no reviews, well, sink or swim.
This. I tried a DO OpenVPN in my daily mobile usage and got captchas everywhere. Also the throughput was not that great. Happily paying for F-Secure now.
I prefer to use layer2 bridging in OpenVPN with a separate hardware device (openwrt on a wallwart router, rackmount atom board). This way my client machines have no idea they are on a VPN and everything gets tunneled though the VPN (no DNS leaks unless my router is misconfigured).
In OpenWRT, it's basically:
-setup OpenVPN with a TAP device
-create a VLAN, assign some ports on the switch (optionally, a wifi SSID for VPNed wifi)
this is not secure; it will leak your ipv6 address by default. use openvpn's ipv6 features to route ipv6 traffic as well[0]. using openvpn ipv6 is a PITA on digitalocean because they only provide a /124, when openvpn requires at least a /112. you can get around this using ip6tables to route a /112 address range you don't actually have access to, and the only consequence will be a loopback if you try to access one of the digitalocean IPs you are claiming to have in your available pool while connected to the VPN.
also, 1024 dh prime is unsafe depending on your threat model[1]. use 2048 if nation states bother you, or 4096 if truly paranoid or at high risk / performance isn't an issue. no reason not to bump up the RSA keys too.
Nice post. I actually just wrote a post myself on setting up a native Cisco IPsec VPN sever on a Raspberry Pi 3. Cisco IPsec works natively on macOS and iOS with no 3rd party software which was a requirement for me.
Is there an easy way to enable DNS over OpenVPN? That appears to be the biggest hole in this tutorial. Untrusted networks get to observe/spoof DNS, and the clients can't use the LAN DNS server to find stuff behind the firewall. (Or am I missing something?)
If your aim is to hide your traffic from third-party networks you might be on (free wifi, school, hotels, etc) then a yearly VPN subscription is almost certainly cheaper than the cheapest DigitalOcean droplet. If you get a good provider (I use PIA but am not affiliated with them) then you get unlimited traffic, multiple clients, endpoints all over the world, tech support, all without having to setup and administer the server yourself.
If your aim is to disassociate traffic with yourself, your DigitalOcean IP will be tied back to you anyway.
If your aim is to stop government snooping, DigitalOcean is hosted in the USA so you may as well just send the NSA your browsing history.
Rolling one's own often makes sense, and not just from an audit perspective.
Where I am for example almost all VPN vendors are blocked, so there's not much choice other than to roll your own. And once you've figured out how to do it on one provider you can pretty much do the same anywhere.
I trust Digital Ocean much more than I trust PrivateInternetAccess. I also don't want to be associated with the other traffic going through PIA or similar VPNs.
You can replace PIA with any other VPN provider. I'd trust a commercial VPN provider with good reviews more than I'd trust myself to get good crypto right.
Interesting. I have set up a few VPN servers of various kinds (and other network trickery) in Virtual Machine hosting services, and ultimately gave up due to issues with TSO (TCP Segmentation Offload https://en.wikipedia.org/wiki/Large_receive_offload) interacting badly with PMTUD (https://en.wikipedia.org/wiki/Path_MTU_Discovery). The result was that TCP streams (often Downton Abbey, fwiw) inbound from a remote server, tunneled to me via the VPN, would stall and generally suffer from poor QoS.
I spent some time submitting support tickets to all the hosting providers I had tried (many). Every one of them told me that they had no way to disable TSO and the other common TCP offload features on their hosts.
So now I use Packet.net which gives me a honest to goodness actual bare metal machine (over which I have complete control), for much the same price.
This reminded me of https://www.softether.org which is purported to be a faster and just as secure Alternative to openVPN and looks pretty straightforward to setup. I did post another thread in this but I'm not sure if it's inappropriate to post here too....wondering if anyone has had experience with it
Also shoutout to Dr Duh who gave a nice run down of setting up vpn on a VPS
If it's just for yourself, install the OpenVPN AS (Access Server), and call it a day. You get 2 free simultaneous users, and it deals with all of the certificates, etc for you.
Not really that knowledgeable about maintaining servers, but is it really enough, but is it really enough to just straight away 'apt-get openvpn'.
Surely for it to be a 'secure VPN server' there has got to be some stuff set up first, like setting up key only login, disabling root ssh login, disabling everything ssh, setting up firewall, disabling ipv6 entirely in the case of openvpn?
I run a vpn on digital ocean and its amazing looking at the logs and seeing how quickly, and how many attempts there are to break into the server straight after setting it up. As a person who isnt completely sure of what i am doing when it comes to firewalls and setting up 'jails' or whatever, this kinda makes me uneasy. I wouldnt even be sure how to tell if anyone had broken in to my server...
This has been the most useful guide that I have found on setting up an openvpn server. It has a bunch of steps to go through before you get to actually installing openvpn. But as I said, I am not that knowledgeable myself when it comes to running a server, so this may all just be unnecessary.
That's good advice. It's necessary and worth it to harden any server that you deploy bash recipes on. The amount of tutorials online that leave out the IPV6 advice in that Linode article is astonishing.
The performance argument is only relevant for the establishment of the VPN connection and any periodic rekeying — it shouldn't have any impact on the tunnel's perf.
It's a shame openvpn's easy-rsa doesn't provide a straightforward mechanism to generate ECDSA certificates, which would've removed any performance concerns.
--
edit: easy-rsa does support ECDSA[1]:
Support for generating an ECDSA certificate chain is available in EasyRSA (in spite of it's name) since EasyRSA 3.0. The parameters you're looking for are '--use-algo=ec' and '--curve=<curve_name>'. See the EasyRSA documentation for more details on generating ECDSA certificates.
https://github.com/OpenVPN/openvpn/blob/master/README.ec