60 comments

[ 5.1 ms ] story [ 128 ms ] thread
For the other 50% of smartphone users that are on Android (as per this http://news.ycombinator.com/item?id=2855717 ): you can use OpenVPN and certificate authentication, Cyanogenmod supports it natively. Tunnelblick is the OSX client of choice for OpenVPN.
From TFA:

> Here’s why I picked PPTP and I believe using it with very long passwords/passphrases is acceptable.

Bear in mind that the author is looking to use this in open hotspots such as coffee shops etc. I would not advise that people implement this.

As the author points out, there are a number of vulnerabilities in PPTP, the most serious of which is that the initiation protocol is susceptible to an offline brute force attack using tools like asleap[1].

To be clear, the attacker does not need a rogue access point, nor association with an access point for this to work. They can just passively sniff away, then at some point later go through the pcaps, crack it offline and do what they want. There's an episode of Hak5[2] covering this as well as this useful straight to the point video of asleep and THC pptp-bruter[3]

[1] http://www.willhackforsushi.com/Asleap.html [2] http://revision3.com/hak5/asleap [3] http://blip.tv/g0tmi1k/cracking-vpns-asleap-and-thc-pptp-bru...

The solution is to use L2TP and IPSec if you can and aren't jailbreaking, or to use a TLS VPN if you have jailbroken or don't have iDevices.

Author here. Like I said in the post, the third constraint I had was something that would work with dd wrt - and that doesn't support l2tp. Thanks for the bit on the offline cracking though.
No worries, I understand your reasons for choosing PPTP, but I thought it important to highlight the consequences.

It is clear you have put a lot of effort into it though and it's more well written than a lot of guides I've seen, hence my interest in the first place!

How large is the risk of an offline attack if I choose a 16 character mixed case alphanumeric randomly generated password? Is there much of an exposure in that case?
The characters are largely irrelevant. If an attacker is an opportunist and (for example) just wants to run any traffic passing his house through something quick and dirty then it's going to boil down to whether or not his wordlist contains your password.

If the adversary is reasonably well organised they might use something like AWS to offload the cracking, in which case they may well expend more resources on a bigger and more wordlist. Cloud-based cracking is really interesting, especially when GPU support comes into play as most of the traditional models of attack complexity fall like a house of cards once your average joe can get the kind of supercomputing power only previously available to three letter agencies.

In all honesty I would just avoid PPTP and stick to L2TP or an SSL-based VPN. In TFA the author chose PPTP because he wanted to stick what was available on his router and compatible with his devices. I understand their decision, although personally I don't see this as being any more secure than running a password protected browser-based file manager and port forwarding it to the world. You'd still have to obtain a password, but it's not hard.

For the same use-case, a very quick howto on a disposable EC2 proxy for coffee shop browsing...

http://flatterline.com/index.php/2009/04/23/disposable-proxy...

I've been using this technique, but simply piggy backing on one of the several EC2 instances I already have.
When using my laptop, I do the same thing using the VPS my site runs on. The VPN thing is just for iOS
I use this, but it can be a little annoying now that some sites like StackExchange block EC2 netblocks (I guess because they have lots of juicy content ripe for scraping). Yelp is another one that comes to mind that does this as well.
What??? For real? Fuck. I was going to set up an EC2 vpn endpoint this very day.
Yep. Some more discussion here:

http://news.ycombinator.com/item?id=2441535

It sucks, but I can see the reason why they just blanket block EC2 rather than trying to find any more nuanced way to identify scrapers.

If I were running scraping bots on EC2, rate-limiting me isn't a real threat since the instant I get throttled for misuse I can just destroy the instance, start up a brand new one on a different IP address, and continue as I was before.

Contrary to the article's assertion, OpenVPN is not natively supported by iOS.
The entire article is based on PPTP for this exact reason..
"If you’re ok with not being able to use this from non-jailbroken iOS devices, you should use OpenVPN instead of PPTP as I do so below"

I had to read it three times, but you are both in agreement.

Sorry about the terrible phrasing. Late night post written in the excitement of getting it to work. Didn't expect to find myself on HN in the morning :) If you're not using iOS, you should be using OpenVPN.
The post was edited after I posted. Guess I have to start Pinboard-ing everything I respond to now.
I couldn't let that awful phrasing stand :)
If you'd rather not have to mess around with stuff, and have $5 to spare, we can help: https://wonderproxy.com/signup/vpn

It was a huge pain in the neck to get native support on Mac & various windows flavours. But our normal clients needed a good solution for testing flash & silverlight apps.

I was contemplating setting up a VPS for this, but a turn key solution at $5\month would be much better.

Can you comment on how you can offer 100GB\month VPN for $5 but the basic proxy plan is 2GB\month for $20? What use case does the proxy plan meet over the VPN other than more server locations?

The VPN locations are places with easy access to cheap bandwidth, the Proxy plan includes locations like South Africa, Columbia, and New Zealand where the cost of maintaining a presence is significantly higher. We're considering including the VPN locations (London, San Antonio) in the Proxy plan free of charge.
Also worth nothing: the typical 4MB WRT54G router doesn't have enough room for OpenVPN if you use the stock OpenWRT images.

I've got a stripped down .config and image that does include OpenVPN, if anyone's interested.

Shameless plug: my new app and service, Cloak (https://www.getcloak.com/), is a zero-hassle VPN. It's currently in beta for OS X.

I'd love feedback from the HN community!

Grab the app, enter your Cloak credentials, and you're done. If Cloak sees you're on on a password-less wireless network, it automatically activates. Cloak's servers are cloud-hosted; the client selects the back-end server that will give the lowest latency. Under the hood, Cloak for OSX is built on industry-standard OpenVPN.

I expect Cloak will exit beta when the iPhone/iPad client is finished, probably in early September. But if you'd like to try it sooner, drop me a line [davepeck at getcloak dot com] and I'll send you a special HN invite code. Cheers!

Interesting. How do you plan to handle the GPL constraints on OpenVPN? Are you just using your own frontend running the compiled binaries or have you pulled the source in?
Yeah, it's a custom frontend on a vanilla OpenVPN binary, so no GPL issues. That said, I'm actually considering what would happen if I went ahead and open-sourced the client anyway. Probably the only truly interesting code there is the Obj-C code to talk to OpenVPN via its management port. The rest would seem specific to the Cloak service. But perhaps there are other useful bits too...
Another shameless plug here... We provide a cheap (39.95$/year) unmetered VPN service at https://www.privateinternetaccess.com

We support all devices (OpenVPN, PPTP, IPSEC/L2TP) and have servers in US west/midwest/east, UK, and Switzerland.

What is your logging policy?
We don't keep any logs.
Hum, I see this on your privacy policy page:

INFO WE COLLECT

From Clients of our Service

Date and time you connect/disconnect to/from the service. Source IP you use to connect to the service. Bandwidth usage E-mail provided by Paypal. Paypal payment data.

And then this:

DISCLOSURE

If under subpoena, PrivateInternetAccess.com may release data in order to comply with legal obligations or in order to enforce the PrivateInternetAccess.com Terms of Service and/or other agreements.

PrivateInternetAccess.com may release data in order to protect the rights, property and/or safety of PrivateInternetAccess.com, its constituents, and/or other visitors and clients.

That's correct, we log connections TO our VPN but log absolutely nothing in terms of traffic sent THROUGH the VPN. So whatever you do while connected is not logged and therefore un-subpoena-able.
I'm intrigued, but one question: Who's Steve?
I tried this.sadly all servers are blocked at the ip level. One was working for a week but then that was blocked also. Im based in China.
Will the iPhone/iPad version only work on jail broken devices? Because you can't access/change network settings on an non-jail broken iPhone/iPad from within a app.
Might be worth checking Rackspace's policies on hosting proxies - you want to make sure you're not responsible if users use your proxies for illegal activity.
And Linode has an outage in their datacenter which has brought down my site. Nice timing, Linode.
I've got 3 low quality VPSs, priced from $0.99 to $2.50 per month, that I picked up on a whim over the years from deals posted to http://www.lowendbox.com (no affiliation). On one server, I have squid running and bound to localhost. On my machine, I have autossh set up to maintain a constant port-forwarding connection established (via port 443 for maximum firewall/filter accessibility) with the squid server. I have my local web browsers proxying over that connection.

So I'm pretty safe from snooping by my employer, home ISP, or whatever 133t hackers are sniffing traffic at McDonald's when I'm browsing and sipping a coffee.

It's not the most elegant solution, but it does the trick. I supposed some day I'll mess around with OpenVPN (which I have deployed before, and do really like), but only when I'm bored or otherwise have nothing else better to do with my time.

this is a fine solution, and what i've used before.

it's worth pointing out that you only gain privacy for browsers and apps that _choose_ to use IE's proxy settings. your native IM client, even if it is using HTTP, may or may not use the proxy. Your remote desktop client probably isn't using HTTP so it can't use the proxy.

with VPN you just don't care, all network traffic is routed through the VPN at network-driver level.

One interesting benefit of using a local proxy tunnel (instead of VPN) is that you get rid of one round trip when making TCP connections. Since your browser will connect to localhost (~0ms) it will be able to send the HTTP request immediately rather than having to wait for a connection to be established to a remote host. Whether this actually ends up being faster or not depends on the distance between you and your proxy server and your proxy server and the remote host you're connecting to.
IM clients, anything that sends UDP, DNS requests are all possibly and probably leaking out.
At least on OSX, that isn't the case. Even the DNS requests are being proxied through the tunnel.
Where are you setting the proxy at, and what method of proxying are you using?
Just fyi, all your non-HTTP Flash traffic (Flash sockets) is probably not being proxied at all. Even if you have a SOCKS proxy set in the browser.

The easiest way around this is VPN, but you can also do crazier stuff like use ProxyCap (for windows or OSX) or iptables redirect/transocks setup in Linux: http://coderrr.wordpress.com/2009/07/29/how-to-force-flash-o...

Linux has tsocks and proxychains which override the connect() method with a LD_PRELOAD library and force traffic to go through a socks proxy. Easier than iptables since at least proxychains can be installed with apt-get on Ubuntu(don't know about other OSes).
Only problem with the LD_PRELOAD method is that it doesn't work for all (many) apps. I believe one case it breaks for is non blocking connect()s, not sure if there are others. Although the iptables setup is a lot more complicated it pretty much works for everything.
Just a quick note. Make sure your VPS is Xen/KVM/Vmware and not OpenVZ or some other container based virtualization if you want to use OpenVPN since it needs access to tun/tap devices. On OpenVZ based virtual machines, the administrator has to specifically grant you that access, which might not be possible on a $1/month machine.
I recently bought the same for $15/year.

Care to share your squid.conf? I just want a non-caching anonymous forwarding proxy and am finding the huge amount of options a bit of a muddle to work through. Seeing yours would be a help, if you are ok with that.

I think the only magic lines deviating from the defaults are:

    no_cache deny all
    forwarded_for off
    via off

The first disables caching, and the last two are for a little extra privacy. You can verify if you're caching by checking your cache spool for files:

    find /var/spool/squid/ -type f
So VPN by someone who knows nothing about security. Fail.
Why don't you update your comment with a detailed breakdown of why it's so fail?
Anybody still implementing PPTP deserves the insecurities that are inherent. A much more elegant, and secure, solution would just be tunneling via SSH dynamically. It's easy to do, requires no setup and if done right (i.e. certs for auth) it is a more maintainable solution. I generally use IPsec - because, it is still by and far, the most secure of the VPN solutions with platform interop today. Setting up and maintaining an IPsec tunnel for the masses is not trivial unfortunately - which is why I'd recommend SSH or potentially OpenVPN (which has nice IPv6 support).

The author of the article on how to implement references the below...

http://www.schneier.com/pptp-faq.html

...I think there's plenty there to disuade you. Would you build your webapp on a framework that stores user credentials in plaintext as a feature? No. Enough said.

Why go through the trouble of implementing something that's known broken? sigh

I've been traveling abroad and set up a VPN on a Linode box for some basic security and to bounce through the US for things like Netflix and Hulu. If nothing else this post's comments have unveiled some good turnkey VPN solutions, so thanks!
I have noticed that I'm sometimes unable to connect to my VPN from, for example, the wireless network of a hotel I'm staying at. Has anyone else run into this issue and is there a straightforward workaround?
So even after reading the article, I'm unsure if its an appropriate set up for me. I just want a way to access my NAS at home from my iphone (mainly just web traffic). I'm not worried about securing my traffic from a public hotspot because I almost never use them. I just want to be able to connect over 3G or from my work wifi. Is PPTP still a high risk with a long passphrase? Or is the risk related to connecting to the VPN from an unsecured network? Also I should mention that I have a DD-WRT capable router, and I don't want to have another machine running just for VPN purposes. Thanks
the simplest and pretty easy to do is ssh tunnel to the trusty home machine running vncserver, and then vncviewer into it via the tunnel. vpn is too heavy for home. and the home machine does not even need to run a full blown xserver, i.e. no video card needed.
If you want a fast, free, easy-to-use VPN, just get AnchorFree's HotSpot Shield. Most downloaded free VPN in the world. AnchorFree's CEO was also selected as one of Inc's 30 Under 30 this year.

DISCLAIMER: AnchorFree's CEO is one of my dearest of friends for nearly 12 years, but that's not why I'm promoting HotSpot Shield here. It just really is that good, and I use it all the time on public hotspots.