Shameless plug: my new app and service, Cloak (https://www.getcloak.com/), is a zero-hassle VPN. It's currently in beta for OS X.
I'd love feedback from the HN community!
Grab the app, enter your Cloak credentials, and you're done. If Cloak sees you're on a password-less wireless network, it automatically activates. Cloak's servers are cloud-hosted; the client selects the back-end server that will give the lowest latency. Under the hood, Cloak for OS X is built on industry-standard OpenVPN.
I expect Cloak will exit beta when the iPhone/iPad client is finished, probably in early September. But if you'd like to try it sooner, drop me a line [davepeck at getcloak dot com] and I'll send you a special HN invite code. Cheers!
Might be worth checking Rackspace's policies on hosting proxies - you want to make sure you're not responsible if users use your proxies for illegal activity.
Interesting. How do you plan to handle the GPL constraints on OpenVPN? Are you just using your own frontend running the compiled binaries or have you pulled the source in?
Will the iPhone/iPad version only work on jailbroken devices? Because you can't access/change network settings on a non-jailbroken iPhone/iPad from within an app.
> Here’s why I picked PPTP and I believe using it with very long passwords/passphrases is acceptable.
Bear in mind that the author is looking to use this in open hotspots such as coffee shops etc. I would not advise that people implement this.
As the author points out, there are a number of vulnerabilities in PPTP, the most serious of which is that the initiation protocol is susceptible to an offline brute force attack using tools like asleap[1].
To be clear, the attacker does not need a rogue access point, nor association with an access point for this to work. They can just passively sniff away, then at some point later go through the pcaps, crack it offline and do what they want. There's an episode of Hak5[2] covering this, as well as this useful, straight-to-the-point video of asleap and THC pptp-bruter[3].
Author here. Like I said in the post, the third constraint I had was something that would work with DD-WRT, and that doesn't support L2TP. Thanks for the bit on the offline cracking though.
How large is the risk of an offline attack if I choose a 16 character mixed case alphanumeric randomly generated password? Is there much of an exposure in that case?
I've got 3 low quality VPSs, priced from $0.99 to $2.50 per month, that I picked up on a whim over the years from deals posted to http://www.lowendbox.com (no affiliation). On one server, I have squid running and bound to localhost. On my machine, I have autossh set up to maintain a constant port-forwarding connection (via port 443 for maximum firewall/filter accessibility) to the squid server. I have my local web browsers proxying over that connection.
So I'm pretty safe from snooping by my employer, home ISP, or whatever 133t hackers are sniffing traffic at McDonald's when I'm browsing and sipping a coffee.
It's not the most elegant solution, but it does the trick. I suppose some day I'll mess around with OpenVPN (which I have deployed before, and do really like), but only when I'm bored or otherwise have nothing better to do with my time.
This is a fine solution, and what I've used before.
It's worth pointing out that you only gain privacy for browsers and apps that _choose_ to use IE's proxy settings. Your native IM client, even if it is using HTTP, may or may not use the proxy. Your remote desktop client probably isn't using HTTP, so it can't use the proxy.
With a VPN you just don't care: all network traffic is routed through the VPN at the network-driver level.
I have the same, but then use sshuttle [1] for a quick secure connection. It only does TCP, but if that doesn't bother you, you can get it set up in 2 minutes.
Just a quick note. Make sure your VPS is Xen/KVM/VMware and not OpenVZ or some other container-based virtualization if you want to use OpenVPN, since it needs access to tun/tap devices. On OpenVZ-based virtual machines, the administrator has to specifically grant you that access, which might not be possible on a $1/month machine.
Care to share your squid.conf? I just want a non-caching anonymous forwarding proxy and am finding the huge amount of options a bit of a muddle to work through. Seeing yours would be a help, if you are ok with that.
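The autossh-plus-squid setup described a few comments up, and the non-caching anonymous forwarding squid.conf asked for here, as an added example that is not any commenter's actual configuration. The VPS hostname vps.example.com, the login "me", sshd listening on port 443 on the VPS, and squid on port 3128 are all assumptions; the check_conf function is a hypothetical pre-deploy sanity check, not a squid feature.

```shell
#!/bin/sh
# Added example, not any commenter's actual configuration: a minimal
# non-caching forwarding proxy in squid, reachable only over an ssh tunnel,
# plus the autossh command that keeps that tunnel up from the laptop side.
# Assumptions: the VPS is vps.example.com, the login is "me", sshd there also
# listens on port 443 (Port 443 in sshd_config), and squid listens on 3128.

# Print the squid.conf. The listener is pinned to loopback so the proxy is
# never reachable from the internet directly, nothing is cached, and the
# headers that would tell origin servers the real client address are dropped.
squid_conf() {
    cat <<'EOF'
# Accept connections on loopback only; the ssh tunnel delivers them here.
http_port 127.0.0.1:3128

# Pure forwarding proxy: cache nothing.
cache deny all

# Clients arriving through the tunnel show up as loopback. A custom acl name
# is used because Squid 3.2+ predefines "localhost" and warns on redefinition.
acl tunnel src 127.0.0.1/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow tunnel
http_access deny all

# Anonymity: do not announce the proxy, do not forward the client address.
via off
forwarded_for delete
request_header_access X-Forwarded-For deny all
EOF
}

# Refuse a config that would expose the proxy: a listener bound to every
# interface (bare port, 0.0.0.0 or [::]) or a blanket "http_access allow all".
# Reads squid.conf on stdin; returns 0 when it passes, 1 otherwise.
check_conf() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*http_port[[:space:]]+([0-9]+|0\.0\.0\.0:[0-9]+|\[::\]:[0-9]+)([[:space:]]|$)'; then
        echo "http_port is reachable from the network; bind it to 127.0.0.1" >&2
        return 1
    fi
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)'; then
        echo "http_access allow all makes this an open proxy" >&2
        return 1
    fi
    return 0
}

# The laptop side. autossh restarts ssh when the session dies; -M 0 turns off
# its own monitor port in favour of ssh's keepalives. -N runs no remote
# command, -f backgrounds after authentication, and ExitOnForwardFailure makes
# a lost port binding a hard error instead of a silent tunnel with no proxy.
# Browsers are then pointed at 127.0.0.1:3128.
tunnel_cmd() {
    printf '%s\n' "autossh -M 0 -f -N \
  -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes \
  -p 443 -L 127.0.0.1:3128:127.0.0.1:3128 me@vps.example.com"
}

# Usage: sh proxy-setup.sh conf > squid.conf   |   sh proxy-setup.sh tunnel
case "${1:-}" in
    conf)   squid_conf ;;
    tunnel) tunnel_cmd ;;
esac
```

Because squid only listens on 127.0.0.1, the only way in is the ssh session, so the proxy inherits ssh's authentication instead of needing its own; the `via off` and `forwarded_for delete` lines are what keep origin servers from learning the laptop's address.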
For the other 50% of smartphone users that are on Android (as per this http://news.ycombinator.com/item?id=2855717 ): you can use OpenVPN and certificate authentication, Cyanogenmod supports it natively. Tunnelblick is the OSX client of choice for OpenVPN.
I use this, but it can be a little annoying now that some sites like StackExchange block EC2 netblocks (I guess because they have lots of juicy content ripe for scraping). Yelp is another one that comes to mind that does this as well.
It was a huge pain in the neck to get native support on Mac & various Windows flavours. But our normal clients needed a good solution for testing Flash & Silverlight apps.
I was contemplating setting up a VPS for this, but a turnkey solution at $5/month would be much better.
Can you comment on how you can offer 100GB/month VPN for $5 but the basic proxy plan is 2GB/month for $20? What use case does the proxy plan meet over the VPN other than more server locations?
If you want a fast, free, easy-to-use VPN, just get AnchorFree's HotSpot Shield. Most downloaded free VPN in the world. AnchorFree's CEO was also selected as one of Inc's 30 Under 30 this year.
DISCLAIMER: AnchorFree's CEO is one of my dearest of friends for nearly 12 years, but that's not why I'm promoting HotSpot Shield here. It just really is that good, and I use it all the time on public hotspots.
I've been traveling abroad and set up a VPN on a Linode box for some basic security and to bounce through the US for things like Netflix and Hulu. If nothing else this post's comments have unveiled some good turnkey VPN solutions, so thanks!
So even after reading the article, I'm unsure if it's an appropriate setup for me.
I just want a way to access my NAS at home from my iPhone (mainly just web traffic). I'm not worried about securing my traffic from a public hotspot because I almost never use them. I just want to be able to connect over 3G or from my work wifi. Is PPTP still a high risk with a long passphrase? Or is the risk related to connecting to the VPN from an unsecured network?
Also I should mention that I have a DD-WRT capable router, and I don't want to have another machine running just for VPN purposes.
Thanks
I have noticed that I'm sometimes unable to connect to my VPN from, for example, the wireless network of a hotel I'm staying at. Has anyone else run into this issue and is there a straightforward workaround?
The simplest and pretty easy to do is an ssh tunnel to the trusty home machine running vncserver, and then vncviewer into it via the tunnel. A VPN is too heavy for home. And the home machine does not even need to run a full-blown X server, i.e. no video card needed.
davepeck | 14 years ago
coderrr | 14 years ago
We support all devices (OpenVPN, PPTP, IPSEC/L2TP) and have servers in US west/midwest/east, UK, and Switzerland.
fuzzmeister | 14 years ago
_b8r0 | 14 years ago
oscarp | 14 years ago
_b8r0 | 14 years ago
[1] http://www.willhackforsushi.com/Asleap.html
[2] http://revision3.com/hak5/asleap
[3] http://blip.tv/g0tmi1k/cracking-vpns-asleap-and-thc-pptp-bru...
The solution is to use L2TP and IPSec if you can and aren't jailbreaking, or to use a TLS VPN if you have jailbroken or don't have iDevices.
sriramk | 14 years ago
tshtf | 14 years ago
SageRaven | 14 years ago
coderrr | 14 years ago
The easiest way around this is VPN, but you can also do crazier stuff like use ProxyCap (for windows or OSX) or iptables redirect/transocks setup in Linux: http://coderrr.wordpress.com/2009/07/29/how-to-force-flash-o...
dustingetz | 14 years ago
pieter | 14 years ago
[1] https://github.com/apenwarr/sshuttle
[2] For Lion: https://github.com/thatha/sshuttle/blob/macos_10_7_only_hack...
tuomasb | 14 years ago
Nick_C | 14 years ago
drivebyacct2 | 14 years ago
bahman2000 | 14 years ago
evilswan | 14 years ago
http://flatterline.com/index.php/2009/04/23/disposable-proxy...
ben1040 | 14 years ago
cek | 14 years ago
preinheimer | 14 years ago
aquark | 14 years ago
sriramk | 14 years ago
hoag | 14 years ago
mikeflynn | 14 years ago
micmcg | 14 years ago
sigil | 14 years ago
I've got a stripped down .config and image that does include OpenVPN, if anyone's interested.
lylejohnson | 14 years ago
peterbotond | 14 years ago
windexh8er | 14 years ago
pnathan | 14 years ago
Legion | 14 years ago
Wilya | 14 years ago
cromulent | 14 years ago
I had to read it three times, but you are both in agreement.