Topic review: OpenVPN Service

by tonyquan68 » Sat Dec 31, 2016 8:11 pm

tonyquan68 wrote:
timyu94 wrote:
(Might be a stupid question)

Is there any chance that the OpenVPN service will utilize IPv6 anytime soon?

I have the uverse FTTN service and decided to enable IPv6 for the hell of it to test out if ATT's IPv6 implementation still lags / times out sites. I currently run the VPN on my Asus AC87 router and did an IPv6 test, which showed an IPv6 connection via ATT while the IPv4 connection went through Sonic.

While it isn't much of a problem as I've kept IPv6 off for years, it's a tad concerning that IPv6 traffic goes through att as their traffic shaping and subsequent buffering annoys the hell out of me and defeats the purpose of running the VPN.


This question never got answered. I'm in the same boat, but unlike the poster do need ipv6 and would prefer to have the Sonic VPN handle it as well. It looks to be supported in newer versions of OpenVPN: https://community.openvpn.net/openvpn/wiki/IPv6 Could Sonic consider deploying this?


OpenVPN 2.4 is now out with further improvements on the ipv6 side:

https://openvpn.net/index.php/download/ ... loads.html

Would Sonic consider providing ipv6 enabled VPN?
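The split described in this post (IPv4 leaving through the tunnel while IPv6 leaves through the ISP) can be confirmed from the client's routing tables. This is an added example, not part of the original thread; the route listings, interface names (`tun0`, `eth0`) and addresses are constructed, and the IPv4 layout assumes OpenVPN's `redirect-gateway def1` style of two /1 routes.

```python
import ipaddress

# Constructed `ip -4 route show` / `ip -6 route show` output for a client whose
# VPN pushed IPv4 routes only (assumed redirect-gateway def1 layout).
SAMPLE_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.254 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
"""
SAMPLE_V6 = """\
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""
# Destinations used only for the table lookup; nothing is sent to them.
PROBES = {4: ["8.8.8.8", "203.0.113.9"], 6: ["2001:db8:ffff::1", "2606:4700::1"]}

def parse_routes(text, version):
    """Return (network, device, metric) for each route line that names a device."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if "dev" not in tok[:-1]:
            continue
        dst = {"default": "0.0.0.0/0" if version == 4 else "::/0"}.get(tok[0], tok[0])
        try:
            net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." entries
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok[:-1] else 0
        routes.append((net, tok[tok.index("dev") + 1], metric))
    return routes

def egress_dev(routes, addr):
    """Longest-prefix match, lowest metric on ties, as the kernel's lookup does."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if r[0].version == ip.version and ip in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1] if hits else None

def leaking_families(v4_text, v6_text, tun_prefix="tun"):
    """Map 'IPv4'/'IPv6' to the non-tunnel devices that carry internet traffic."""
    leaks = {}
    for version, text in ((4, v4_text), (6, v6_text)):
        routes = parse_routes(text, version)
        devs = {egress_dev(routes, p) for p in PROBES[version]} - {None}
        outside = sorted(d for d in devs if not d.startswith(tun_prefix))
        if outside:
            leaks[f"IPv{version}"] = outside
    return leaks
```

On the constructed tables `leaking_families(SAMPLE_V4, SAMPLE_V6)` reports IPv6 leaving via `eth0`; an empty result means either the tunnel carries that family or the family has no internet route at all.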

by pratik » Fri Dec 16, 2016 10:24 pm

I would like to know around what speed I should expect when using the VPN.

I have the following setup:
FTTN service (50MBPs)
PACE modem 5268AC.
ASUS RT-AC68R/U router configured with Sonic VPN (all traffic goes through VPN)

I run a speed test at speedtest.sonic.net from a wired-connected computer and I consistently get around 13MBPs. Is this normal or should I check any settings / ask for support?


[EDIT]: I also want to know how port forwarding would work in this case. I have all port forwards defined and saved in the router; is that all that would be required?

Thanks

by tonyquan68 » Sun Nov 13, 2016 11:21 am

timyu94 wrote:
(Might be a stupid question)

Is there any chance that the OpenVPN service will utilize IPv6 anytime soon?

I have the uverse FTTN service and decided to enable IPv6 for the hell of it to test out if ATT's IPv6 implementation still lags / times out sites. I currently run the VPN on my Asus AC87 router and did an IPv6 test, which showed an IPv6 connection via ATT while the IPv4 connection went through Sonic.

While it isn't much of a problem as I've kept IPv6 off for years, it's a tad concerning that IPv6 traffic goes through att as their traffic shaping and subsequent buffering annoys the hell out of me and defeats the purpose of running the VPN.


This question never got answered. I'm in the same boat, but unlike the poster do need ipv6 and would prefer to have the Sonic VPN handle it as well. It looks to be supported in newer versions of OpenVPN: https://community.openvpn.net/openvpn/wiki/IPv6 Could Sonic consider deploying this?

by drew.phillips » Tue Aug 23, 2016 5:34 pm

Guest wrote:
For those of us who know just enough networking to be dangerous (I understand basic TCP/IP addressing, setting up a home network, NAT, etc).. Is this mostly just to allow all traffic from your home machines to be hitting the 'net from ovpn.sonic.net, rather than someIP@att.net, and to be routed through sonic's pipes, instead of at&t's pipes to the next peering partner? I get the privacy features - your real IP is hidden.


Yes, but additionally, your traffic is encrypted over ATT's network (the main motivator for this). So as soon as your net traffic leaves your computer, it's encrypted meaning ATT et al cannot see it. Once it hits Sonic's VPN the traffic is decrypted and routed where it needs to go (note HTTPS traffic would still be encrypted between the VPN endpoint and the destination - we couldn't decrypt the contents since the SSL/TLS handshake took place between your computer and the remote server).


Guest wrote:
I have torguard BT proxy + VPN service and have used it at times to make it appear an individual machine is originating elsewhere (for location-based reasons). I am guessing this is similar, except you don't get to pick your exit node (it's always sonic.net in CA), but it's free with sonic service. Does the Pace modem support this, or do I need a custom router? Can this work together with torguard's bittorrent proxy?


Right, you don't get any choice of where your traffic appears to come from. The goal is more privacy than being able to appear to come from a particular region or location. Pace modems don't have OpenVPN built in, you can either run the software on your computer, or buy a router that does support it and bridge the modem to your router. Note: I have FTTN x2 and it was pretty easy to bridge the connection. Running the software on a computer only encrypts traffic for that machine, running it on a router can force it for everything.


Guest wrote:
Does it allow for a reverse-connection? That is, can I ssh to ovpn.sonic.net (or similar) with my sonic userid/password and have it connect back to my modem, which is set up to forward port 21 back to my main linux desktop (hosts.allow/hosts.deny configured to only allow connections from a few domains - I would add sonic.net)? That's the main thing I'd like to add to my setup. I'm pretty sure torguard vpn can do that, but then I need to have some kind of dyn-dns service, whereas with sonic, wouldn't they know my "current" ip and can just forward it there?


Yes. You wouldn't ssh to ovpn.sonic.net but to the IP your VPN client gets assigned. For this reason, if you connect to the VPN using software on your PC, you should make sure your firewall rules are sufficient. Connecting from your computer opens you up to the internet just like plugging your PC directly into a modem and getting a WAN IP on your PC. If your router handles the connection, you're still firewalled and would need to set up port forwards to allow traffic from the VPN through to a service.

Hope that helps, let me know if you have any further questions.
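The firewall point in the last answer above can be made concrete by listing which listening sockets on a PC would accept connections arriving on the VPN-assigned address. This is an added example, not part of the original post; the `ss -H -tln` output, the address `10.8.0.6` and the device name `tun0` are constructed, and wildcard binds are assumed to be dual-stack.

```python
import ipaddress

# Constructed `ss -H -tln` output from a PC that runs the VPN client itself.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 50 *:445 *:*
LISTEN 0 511 10.8.0.6:8080 0.0.0.0:*
LISTEN 0 128 192.168.1.50:3000 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 [::]:22 [::]:*
"""
WILDCARDS = {"*", "0.0.0.0", "::"}


def reachable_via_vpn(ss_output, vpn_addr, vpn_dev="tun0"):
    """Return sorted (port, bind address) pairs that accept connections
    arriving on the VPN-assigned address, i.e. what the firewall must cover."""
    vpn_ip = ipaddress.ip_address(vpn_addr)
    found = set()
    for line in ss_output.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "LISTEN":
            continue
        local, _, port = tok[3].rpartition(":")
        host, _, bound_dev = local.partition("%")
        host = host.strip("[]")
        if not port.isdigit():
            continue  # run ss with -n so ports are numeric
        if bound_dev and bound_dev != vpn_dev:
            continue  # socket is tied to another interface
        if host not in WILDCARDS:
            try:
                if ipaddress.ip_address(host) != vpn_ip:
                    continue  # loopback or LAN-only bind
            except ValueError:
                continue
        found.add((int(port), host))
    return sorted(found)
```

Each pair returned is a service that is reachable from the internet through the tunnel unless a host firewall rule on the tunnel interface blocks it.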

by Guest » Tue Aug 23, 2016 12:17 pm

For those of us who know just enough networking to be dangerous (I understand basic TCP/IP addressing, setting up a home network, NAT, etc).. Is this mostly just to allow all traffic from your home machines to be hitting the 'net from ovpn.sonic.net, rather than someIP@att.net, and to be routed through sonic's pipes, instead of at&t's pipes to the next peering partner? I get the privacy features - your real IP is hidden.

I have torguard BT proxy + VPN service and have used it at times to make it appear an individual machine is originating elsewhere (for location-based reasons). I am guessing this is similar, except you don't get to pick your exit node (it's always sonic.net in CA), but it's free with sonic service. Does the Pace modem support this, or do I need a custom router? Can this work together with torguard's bittorrent proxy?

Does it allow for a reverse-connection? That is, can I ssh to ovpn.sonic.net (or similar) with my sonic userid/password and have it connect back to my modem, which is set up to forward port 21 back to my main linux desktop (hosts.allow/hosts.deny configured to only allow connections from a few domains - I would add sonic.net)? That's the main thing I'd like to add to my setup. I'm pretty sure torguard vpn can do that, but then I need to have some kind of dyn-dns service, whereas with sonic, wouldn't they know my "current" ip and can just forward it there?

Sorry if I'm de-railing the discussion..

by orm » Thu Jun 30, 2016 10:11 pm

Just wanted to iterate in the production thread:
current version of Tunnelblick (https://www.tunnelblick.net/)
an opensource Mac OS OpenVPN client, WILL remember your username and password in keychain!

That means, no plain-text unixy work around for people that are uncomfortable with either or both of those conditions.

Working great for me ATM, as in this very moment. It was a little clunky on the set-up; I think you should reboot after you install. It wasn't letting me drag the client config file to the menubar item until after a reboot, and I was on to the official client, but decided to give Tunnelblick one last try before kicking it to the uninstalled curb, and it works great. Prefer it over the official client at this point. P.S., it's free and open source, did I mention that?

by forest » Thu Jun 23, 2016 1:18 am

After about an hour of down time, it's now back.

That announcement was really misleading. The outage was not brief, and VPN was not mentioned at all.

by ashes » Thu Jun 23, 2016 12:48 am

I'm guessing the ovpn.sonic.net outage (no ping) is related to https://corp.sonic.net/status/2016/06/2 ... enance-10/

Unfortunately the old beta.vpn.sonic.net service is up but is not accepting VPN connections. This means I have no Sonic-VPN redundancy.

Sonic's OVPN offering is core to the Fusion FTTN offering. I do not wish to expose my network traffic to AT&T.

by kgc » Tue May 17, 2016 12:51 pm

I'm sorry for the recent group of outages. We've been trying to resolve some relatively minor issues that affect network performance on the VM infrastructure that these systems are on and haven't had a lot of luck with the various changes we've made to date.

by netllama » Tue May 17, 2016 7:11 am