The recommendation to use a 1024-bit RSA key worries me. In an era of passive, bulk surveillance, that seems too weak if you're not going to be using any additional transport-layer security.
The performance argument is only relevant for the establishment of the VPN connection and any periodic rekeying — it shouldn't have any impact on the tunnel's perf.
It's a shame openvpn's easy-rsa doesn't provide a straightforward mechanism to generate ECDSA certificates, which would've removed any performance concerns.
--
edit: easy-rsa does support ECDSA[1]:
Support for generating an ECDSA certificate chain is available in EasyRSA (in
spite of it's name) since EasyRSA 3.0. The parameters you're looking for are
'--use-algo=ec' and '--curve=<curve_name>'. See the EasyRSA documentation for
more details on generating ECDSA certificates.
Careful if you're using this for something dangerous. I'm not a computer security expert by any stretch and I don't know whether the people who have written these articles are. Chances are that this is completely broken and will reveal your IP address and identity.
Yeah, I use SOCKS5 over SSH all the time, although I didn't follow that particular guide. I am also not an expert but after making sure DNS requests were tunneled, I wasn't able to see any cleartext at all using Wireshark.
It is not a Tor replacement or anything. I think it should be effective at simple things like: masking personal browsing at work[0], masking browsing habits from your ISP.
[0] Obviously if you use a company computer, you could be keylogged/monitored in other ways. Use your judgement.
Regarding DigitalOcean VPNs, I think enough people have been doing this that it is starting to show in unpleasant ways. While using my DO VPN I've encountered captchas while using YouTube, of all sites, likely because of abuse they've seen at the hands of DO VPN users. I've also seen my DO IP range outright banned by other sites.
Probably similar for any other popular VM provider. Many webmasters, for example, block AWS IP ranges because there tends to be a lot of abusive traffic, crawlers, etc, from there.
Going with a smaller company for a VPS intended for use as a VPN is a good idea.
This. I tried a DO OpenVPN in my daily mobile usage and got captchas everywhere. Also the throughput was not that great. Happily paying for F-Secure now.
I prefer to use layer2 bridging in OpenVPN with a separate hardware device (openwrt on a wallwart router, rackmount atom board). This way my client machines have no idea they are on a VPN and everything gets tunneled though the VPN (no DNS leaks unless my router is misconfigured).
In OpenWRT, it's basically:
-setup OpenVPN with a TAP device
-create a VLAN, assign some ports on the switch (optionally, a wifi SSID for VPNed wifi)
this is not secure; it will leak your ipv6 address by default. use openvpn's ipv6 features to route ipv6 traffic as well[0]. using openvpn ipv6 is a PITA on digitalocean because they only provide a /124, when openvpn requires at least a /112. you can get around this using ip6tables to route a /112 address range you don't actually have access to, and the only consequence will be a loopback if you try to access one of the digitalocean IPs you are claiming to have in your available pool while connected to the VPN.
also, 1024 dh prime is unsafe depending on your threat model[1]. use 2048 if nation states bother you, or 4096 if truly paranoid or at high risk / performance isn't an issue. no reason not to bump up the RSA keys too.
Nice post. I actually just wrote a post myself on setting up a native Cisco IPsec VPN sever on a Raspberry Pi 3. Cisco IPsec works natively on macOS and iOS with no 3rd party software which was a requirement for me.
Is there an easy way to enable DNS over OpenVPN? That appears to be the biggest hole in this tutorial. Untrusted networks get to observe/spoof DNS, and the clients can't use the LAN DNS server to find stuff behind the firewall. (Or am I missing something?)
If your aim is to hide your traffic from third-party networks you might be on (free wifi, school, hotels, etc) then a yearly VPN subscription is almost certainly cheaper than the cheapest DigitalOcean droplet. If you get a good provider (I use PIA but am not affiliated with them) then you get unlimited traffic, multiple clients, endpoints all over the world, tech support, all without having to setup and administer the server yourself.
If your aim is to disassociate traffic with yourself, your DigitalOcean IP will be tied back to you anyway.
If your aim is to stop government snooping, DigitalOcean is hosted in the USA so you may as well just send the NSA your browsing history.
Rolling one's own often makes sense, and not just from an audit perspective.
Where I am for example almost all VPN vendors are blocked, so there's not much choice other than to roll your own. And once you've figured out how to do it on one provider you can pretty much do the same anywhere.
I trust Digital Ocean much more than I trust PrivateInternetAccess. I also don't want to be associated with the other traffic going through PIA or similar VPNs.
Interesting. I have set up a few VPN servers of various kinds (and other network trickery) in Virtual Machine hosting services, and ultimately gave up due to issues with TSO (TCP Segmentation Offload https://en.wikipedia.org/wiki/Large_receive_offload) interacting badly with PMTUD (https://en.wikipedia.org/wiki/Path_MTU_Discovery). The result was that TCP streams (often Downton Abbey, fwiw) inbound from a remote server, tunneled to me via the VPN, would stall and generally suffer from poor QoS.
I spent some time submitting support tickets to all the hosting providers I had tried (many). Every one of them told me that they had no way to disable TSO and the other common TCP offload features on their hosts.
So now I use Packet.net which gives me a honest to goodness actual bare metal machine (over which I have complete control), for much the same price.
This reminded me of https://www.softether.org which is purported to be a faster and just as secure Alternative to openVPN and looks pretty straightforward to setup. I did post another thread in this but I'm not sure if it's inappropriate to post here too....wondering if anyone has had experience with it
Also shoutout to Dr Duh who gave a nice run down of setting up vpn on a VPS
If it's just for yourself, install the OpenVPN AS (Access Server), and call it a day. You get 2 free simultaneous users, and it deals with all of the certificates, etc for you.
[+] [-] lwf|9 years ago|reply
The performance argument is only relevant for the establishment of the VPN connection and any periodic rekeying — it shouldn't have any impact on the tunnel's perf.
It's a shame openvpn's easy-rsa doesn't provide a straightforward mechanism to generate ECDSA certificates, which would've removed any performance concerns.
--
edit: easy-rsa does support ECDSA[1]:
Support for generating an ECDSA certificate chain is available in EasyRSA (in spite of it's name) since EasyRSA 3.0. The parameters you're looking for are '--use-algo=ec' and '--curve=<curve_name>'. See the EasyRSA documentation for more details on generating ECDSA certificates.
https://github.com/OpenVPN/openvpn/blob/master/README.ec
[+] [-] fauigerzigerk|9 years ago|reply
But crucially you'd want to make your browser use the tunnel for DNS as well: http://superuser.com/questions/103593/how-to-do-dns-through-...
Careful if you're using this for something dangerous. I'm not a computer security expert by any stretch and I don't know whether the people who have written these articles are. Chances are that this is completely broken and will reveal your IP address and identity.
[+] [-] sshtunnels|9 years ago|reply
It is not a Tor replacement or anything. I think it should be effective at simple things like: masking personal browsing at work[0], masking browsing habits from your ISP.
[0] Obviously if you use a company computer, you could be keylogged/monitored in other ways. Use your judgement.
[+] [-] noarchy|9 years ago|reply
[+] [-] tyingq|9 years ago|reply
Going with a smaller company for a VPS intended for use as a VPN is a good idea.
[+] [-] pimeys|9 years ago|reply
[+] [-] freestockoption|9 years ago|reply
In OpenWRT, it's basically:
-setup OpenVPN with a TAP device
-create a VLAN, assign some ports on the switch (optionally, a wifi SSID for VPNed wifi)
-bridge VLAN with TAP device
[+] [-] tribby|9 years ago|reply
also, 1024 dh prime is unsafe depending on your threat model[1]. use 2048 if nation states bother you, or 4096 if truly paranoid or at high risk / performance isn't an issue. no reason not to bump up the RSA keys too.
0. https://community.openvpn.net/openvpn/wiki/IPv6
1. https://weakdh.org/
[+] [-] maulwuff|9 years ago|reply
[+] [-] Perceptes|9 years ago|reply
[+] [-] spaceboy|9 years ago|reply
https://github.com/sovereign/sovereign
https://github.com/Nyr/openvpn-install
https://github.com/ttlequals0/autovpn
https://github.com/robbintt/popup-openvpn
https://github.com/jlund/streisand
[+] [-] nodesocket|9 years ago|reply
https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec...
[+] [-] akoster|9 years ago|reply
[+] [-] hedora|9 years ago|reply
[+] [-] sigmar|9 years ago|reply
[+] [-] suprjami|9 years ago|reply
If your aim is to hide your traffic from third-party networks you might be on (free wifi, school, hotels, etc) then a yearly VPN subscription is almost certainly cheaper than the cheapest DigitalOcean droplet. If you get a good provider (I use PIA but am not affiliated with them) then you get unlimited traffic, multiple clients, endpoints all over the world, tech support, all without having to setup and administer the server yourself.
If your aim is to disassociate traffic with yourself, your DigitalOcean IP will be tied back to you anyway.
If your aim is to stop government snooping, DigitalOcean is hosted in the USA so you may as well just send the NSA your browsing history.
[+] [-] zhte415|9 years ago|reply
Where I am for example almost all VPN vendors are blocked, so there's not much choice other than to roll your own. And once you've figured out how to do it on one provider you can pretty much do the same anywhere.
[+] [-] withzombies|9 years ago|reply
[+] [-] dboreham|9 years ago|reply
I spent some time submitting support tickets to all the hosting providers I had tried (many). Every one of them told me that they had no way to disable TSO and the other common TCP offload features on their hosts.
So now I use Packet.net which gives me a honest to goodness actual bare metal machine (over which I have complete control), for much the same price.
[+] [-] no_wizard|9 years ago|reply
Also shoutout to Dr Duh who gave a nice run down of setting up vpn on a VPS
https://github.com/drduh/Debian-Privacy-Server-Guide/blob/ma...
Edit: Just realized that others have already noted and commented about SoftEther. Sorry guys!
[+] [-] git-sgmoore|9 years ago|reply
[+] [-] btgeekboy|9 years ago|reply
[+] [-] leni536|9 years ago|reply
[+] [-] jonatbergn|9 years ago|reply
[+] [-] unsignedint|9 years ago|reply
[+] [-] scandox|9 years ago|reply
http://www.selectedintelligence.com/post/128701492804/softet...
[+] [-] caspereeko|9 years ago|reply
[+] [-] unknown|9 years ago|reply
[deleted]