Seems like a perfect use case for EC2 on demand. Only run the VPN node when you are on an open wireless network and need the VPN security. Shut it down otherwise.
That would make it harder to run, but it would greatly reduce the cost. I'd pay $0.02 for an hour's worth of security while stopping off at a coffee shop.
Ah, so easy! Only 28 steps filled with remote Linux shell commands, certificate creation, and downloaded software! I'm sure that's exactly what his wife wanted to hear when she asked how to avoid being Firesheeped.
Whatever happened to good old ssh -ND? Wouldn't that solve 90% of most casual hotspot users' problems? And I'd be wary of suggesting even that one-liner to someone who isn't a techie, which I'm assuming his wife isn't, since she asked the question.
I was wondering the same thing. The post went through all the steps to set up an SSH VPN, while SSH tunneling works pretty well and requires almost zero config on the server…
OTOH I saw the value of using PPTP or L2TP-based VPN. It is supported on most systems by default. I set up one for iPhone because you cannot do SSH tunneling on it. On non-*nix systems there is usually no SSH installed by default. I opened my PPTP/L2TP VPN for friends running Windows.
It's also slightly easier to connect to PPTP/L2TP VPN with a single click on the menubar of OS X without installing any additional software.
Otherwise I stick with SSH tunneling with SOCKS proxy.
Could someone explain the benefits of SSH VPN please?
I've never used OpenVPN (and am not a network expert), but my guess is that it shims into your network stack somehow, so it's transparent to any application? Maybe, it's just a guess. Otherwise, it doesn't seem to make much sense.
I'm running a low-tech setup like this with sshd on my home router and PuTTY on my laptop, acting as a SOCKS proxy, and there are several applications that don't know how to talk to a SOCKS proxy. Luckily FF knows how to.
ssh -D: socks proxy. only works with some apps. tunnels at the "data stream" level.
ssh vpn: tunnels all packets at the "network" level. bad because running TCP over TCP can have erratic performance. good because it covers all traffic.
openvpn: tunnels using UDP, so you don't have the TCP on TCP problems. it's just more work to set up than ssh vpn, but still probably easier than full blown ipsec.
Better choice than a lot of the VPN services out there. The free services should be presumed to have some sort of ulterior motive to get a look at your traffic (including, potentially, much more nefarious ones than a Firesheep user). Even premium services should be considered carefully; you have little way of knowing what amount of tracking or inspection of your packets is going on, and such concentrators make an excellent target for hackers.
Just curious, if you already have decent hosting couldn't you just implement this by installing openvpn on your existing virtual machine (or whatever)? Is there anything which specifically requires EC2?
Also, the -f flag will cause it to fail if you don't have passwordless auth set up. If you don't have it set to use private/public key pairs, just tunnel like so:
This sounds like a pretty viable business idea, actually. In the past, I've looked for a simple VPN service provider to help secure non-techie friends' laptop work at a Starbucks or whatever. Couldn't find anything decent. Seems like people might be willing to pay some $ for this if it were turned into something commercialized.
SparkLabs also has a sweet/simple OpenVPN client for OS X that I use and will be coming out with a server sometime in the near future that should make setup a lot easier.
With default Ubuntu configuration you just have to enable/install OpenVPN server (1) (server), generate one user certificate (2) (server) and configure NetworkManager profile (3) (client).
All the other steps are just intro to using Linux and/or Amazon EC2 infrastructure or such technicalities as copying files or (unnecessary) configuring time zone.
Apologies in advance for being off-topic, but am I the only one who hates people hunched over their laptops while hogging Starbucks' chairs for hours? I work in a downtown location and it's impossible to have your coffee at Starbucks as there is no place to sit. I really wish Starbucks could charge for seating ;-)
I just found out a few weeks ago that my ISP, Sonic.net, offers an IPsec VPN endpoint to all of its customers, with no additional fees. I highly recommend them if you're in the SF Bay Area.
Note that while their help page suggests that you use the Cisco client software to connect to their VPN endpoint, the service works just fine with Mac OS X's built-in Cisco IPsec client, as well as with the IPsec client in iOS. Dunno about other platforms, but Sonic.net provides the Cisco client for Windows and GNU/Linux, at least.
To anyone who desires this level of security but doesn't want to have to go through the trouble of a VPN, using SSH tunnels works just as effectively.
Assuming you have access to a remote Linux/BSD box, you can (from Linux) `ssh -D 1025 remote.host.address` then proxy your browser's SOCKS proxy to localhost:1025.
On Windows, using PuTTY, one can simply go into the Tunnel menu, hit the "Dynamic" radio button, type in 1025 and click "add" to achieve the same effect.
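As an added, self-contained illustration (not code from the thread) of what "an app that knows how to talk to a SOCKS proxy" actually does with the `ssh -D 1025` listener described above: a minimal SOCKS5 client that performs the same handshake a browser performs, plus a pre-flight check that the proxy is really granting connections before you start browsing on the hotspot. The stub server, its ephemeral port and the destination name `example.invalid` are constructed so the script runs offline; against a real `ssh -D 1025` you would call `proxy_is_relaying(1025)`.

```python
import socket
import threading

def socks5_connect(proxy, dest_host, dest_port, timeout=5.0):
    """Open dest_host:dest_port via a SOCKS5 proxy such as `ssh -D 1025`.
    ATYP 0x03 (domain name) makes the proxy, not the hotspot, resolve DNS."""
    s = socket.create_connection(proxy, timeout=timeout)
    rd = s.makefile("rb")                        # .read(n) loops until n bytes or EOF
    try:
        s.sendall(b"\x05\x01\x00")               # VER=5, 1 method offered: no-auth
        if rd.read(2) != b"\x05\x00":            # anything else (or EOF) is a refusal
            raise RuntimeError("proxy refused the no-auth handshake")
        name = dest_host.encode("idna")          # VER CMD=CONNECT RSV ATYP=3 LEN NAME PORT
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                  + dest_port.to_bytes(2, "big"))
        hdr = rd.read(4)                         # VER REP RSV ATYP
        if len(hdr) < 4 or hdr[1] != 0:
            raise RuntimeError(f"CONNECT refused: {hdr!r}")
        atyp = hdr[3]                            # skip BND.ADDR + BND.PORT:
        rd.read({1: 6, 4: 18}.get(atyp) or ord(rd.read(1) or b"\0") + 2)
    except (OSError, RuntimeError):
        s.close()
        raise
    return s

def proxy_is_relaying(port, dest=("example.invalid", 443)):
    """Pre-flight check before browsing: does the local proxy grant CONNECT?"""
    try:
        socks5_connect(("127.0.0.1", port), *dest).close()
        return True
    except (OSError, RuntimeError):
        return False

def stub_socks_server(allow):
    """Constructed stand-in for ssh's SOCKS listener (offline demo only):
    serves one client, replies 0x00 (granted) or 0x05 (refused), returns port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        c, _ = srv.accept()
        c.recv(3)                                # greeting
        c.sendall(b"\x05\x00")                   # no-auth accepted
        c.recv(262)                              # CONNECT request (max 4+1+255+2)
        c.sendall(b"\x05" + (b"\x00" if allow else b"\x05") + b"\x00\x01\x7f\0\0\1\0\x50")
        c.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```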
This looks like a great way to get started with EC2, VPN or no. I've been thinking about it, but one thing still puzzles me. You choose an AMI, but does Amazon effectively create an EBS instance for you and populate it with a copy of the AMI?
I don't see any mention of an EBS instance being created, so I'm not quite sure how you can write to the filesystem at all. I'm sure I'm missing something here, but I'm not quite sure what. Thoughts?
You can just run the instance as normal. It has a root filesystem; you can write to it, etc. However, if you stop the instance, then all your changes are lost. The EBS is only needed if you actually need disk space.
You can replace the install of openvpn with openswan to provide a strong tunnel that's compatible with iOS. There should be prebuilt packages for ubuntu.
I keep a server up-n-running 24/7 anyway, doing lots of things (file server, UPnP, the whole nine yards), it's on cable Internet with a dynamic DNS. So I installed OpenVPN on it and all my laptops automatically connect to it when they boot up. The server also runs a proxy.
So I've a secure proxy available any time, from anywhere.
How's your latency? An advantage of connecting to an EC2 instance seems to be that you're getting your traffic onto the backbone without eating a "last mile" roundtrip to your house.
EC2 scenario:
coffee shop -> backbone -> EC2 -> backbone -> remote site (probably hosted somewhere close to your EC2 instance, especially if a CDN is in use)
Home scenario:
coffee shop -> backbone -> cable provider -> home -> cable provider -> backbone -> remote server
Good timing - I just had this thought "in the shower" a day or two ago. I wouldn't utilize a VPN enough to make some of the more traditional providers cost-effective, so something along these lines is probably Just Right.
ronnier | 15 years ago
I wrote up how I did it,
http://ronnie.me/articles/rdp_over_ssh_with_a_linksys_router
chopsueyar | 15 years ago
I'm sure Comcast would not like it, and the dynamic IP issue.
spindritf | 15 years ago
YouTube doesn't work.
Also, it's not a one-liner on a Windows client. OpenVPN is really, really easy to use once someone has set it up for you. Two clicks and you're connected.
dhess | 15 years ago
http://www.sonic.net/features/vpn/
trotsky | 15 years ago
http://www.openswan.org/