OpenVPN Open Beta

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
235 posts Page 20 of 24
by whorfin » Fri Dec 11, 2015 2:36 pm
dane wrote:Are any of the folks in this thread using pfSense today, with our new OpenVPN platform?
Yes, been using pfSense to establish whole-house OpenVPN connection through your platform, to good effect.
The 24-hour timeout is an annoyance I hope to see fixed for the rollout.

I'm on pair-bonded FTTN. speedtest.sonic.net shows approx 50mbps down/5.5 mbps up w/o OpenVPN.
With OpenVPN in effect, I see approx 100mbps down/5.1 mbps up. I presume therefore that the
"speedtest" data has low entropy; maybe that should be fixed.

I had to migrate off Mips and Arm platforms to get full line speed. Dual-core 800 MHz ARM was not sufficient.
In the end I went to a Netgate/ADI quad-core 2.4 GHz Atom platform to get full speed. Looking at performance metrics while the system is under load leads me to suspect that 1.7 GHz wouldn't be enough on that platform, but I can not say for certain.

OpenVPN is not threaded, so it's the single-core performance that mattered, not the jump from dual- to quad-core.
by dane » Fri Dec 11, 2015 2:39 pm
whorfin wrote:I had to migrate off Mips and Arm platforms to get full line speed. Dual-core 800 MHz ARM was not sufficient.
In the end I went to a Netgate/ADI quad-core 2.4 GHz Atom platform to get full speed. Looking at performance metrics while the system is under load leads me to suspect that 1.7 GHz wouldn't be enough on that platform, but I can not say for certain.
What did that bit of hardware cost?
Dane Jasper
Sonic
by whorfin » Fri Dec 11, 2015 3:16 pm
dane wrote:What did that bit of hardware cost?
It was rather ouchey - $550, plus some things I had lying around.
The price jump from dual- to quad- core on that platform is significant.
This is definitely not the cost-optimal solution, but low power was critical for my needs, and I ultimately needed the additional NICs and could avoid a managed switch, so it worked well for me.
by pmbell » Fri Dec 11, 2015 4:41 pm
I'm on the slightly less expensive Netgate/pfsense platform, the 1.7 ghz dual core. I paid about as much as I would have for the 2.4 ghz quad, but have some level of pfsense support (unused) and wireless built into the box.

But yes, these appliances are each stupid money for most people - I can justify the spend as research, but not that many folks can.

I think the fastest speeds I've seen while running openVPN are about 35 to maybe 40 mbit (while downloading the Win 10 ISO.) Very close (within 5 megabit) to the best speeds I've seen without openVPN.

What really loads the box up for me is suricata - which is multithreaded, and which might have benefitted from the quad core platform. I don't feel that the openVPN connection puts a super heavy load on the system as I have it configured.

Has anyone at sonic tried benchmarking the Edgerouter from their home to the office over the Sonic openVPN? I lent my edgerouter out longish term, but some real world metrics on its performance would be nice. I know that it is even faster at IPSEC than at openVPN, but I haven't seen solid metrics on how it does at openVPN outside of what looked like a lab test.
by pcvcolin » Mon Dec 28, 2015 6:53 pm
Not trying to be pushy or anything, but in light of the passage of CISA as part of the 2015 omnibus https://www.congress.gov/bill/114th-con ... 4F817EC583, which was opposed by an overwhelming number of people who appealed in vain to dinosaur legislators to stop this flawed bill, including a substantial number of civil society groups, security experts, and academics who opposed CISA formally https://www.newamerica.org/oti/coalitio ... sing-cisa/, I have a couple of questions:

1) When is this VPN going to get from "beta" to "being available for (FTTN and any other interested Sonic customers)"?

2) What assurances or contract, if any, can Sonic provide with its users that it will not share information under the terms of CISA with the federal government about its VPN users?

3) Since Sonic FTTN users are in fact subject to AT&T policies (AT&T data retention, logging, reporting, and other AT&T practices) unless they are using a VPN (or chained VPNs, or possibly other methods https://trac.torproject.org/projects/to ... TorPlusVPN), and Sonic claims to "have your back,"
(see: "WE’VE GOT YOUR BACK - When you use Sonic as your Internet Access Provider, we work hard to guard your privacy. Sonic instituted strong privacy practices when the company was founded nearly 20 years ago and we’ve had your back all these years," as shown at https://www.sonic.com/sites/default/fil ... _Part2.pdf), why doesn't Sonic yet provide protection from AT&T data retention and logging to all of its customers as a default aspect of their service (protection of the whole home network of every customer without expecting the customer to discover and configure an "open beta" VPN)? The VPN protection should be a default aspect of the installation and all aspects of the user's home network should be protected from AT&T following a Sonic installation.
by pmbell » Tue Dec 29, 2015 6:05 am
when a customer signs up for fttn, sonic reads a different, longer tos script than for any other product. my memory of that script is that the person reading it mentioned that it was an outlier because att had some required language.

it would be good to see the introduction to that script revisited with an eye toward clearly explaining which sonic policies apply on that product and which can not.
by Craig » Wed Dec 30, 2015 8:49 pm
pmbell wrote:when a customer signs up for fttn, sonic reads a different, longer tos script than for any other product. my memory of that script is that the person reading it mentioned that it was an outlier because att had some required language.

it would be good to see the introduction to that script revisited with an eye toward clearly explaining which sonic policies apply on that product and which can not.
I call bullshit on that. I switched from DSL to FTTN when I moved and I was NEVER told I would be on AT&T instead of Sonic. I only found out when I did a speedtest and saw AT&T instead of sonic, then read about it on these forums.

Sonic needs to provide a preconfigured gateway for FTTN people that puts us on the sonic network so we actually get the award-winning privacy protecting sonic service they advertise.
by Craig » Wed Dec 30, 2015 9:32 pm
You guys all know all the technical stuff, but I have a question. How do I know if this VPN is actually working?

I did a google search for 'vpn test' and the first choice, dnsleaktest.com, shows me on AT&T (pasted below). Is there something more to do besides running the openvpn thing?

The fourth search result, ipleak.net, shows sonic for my IP address, even for WebRTC in Firefox, which I read somewhere else that I might have to disable completely. I don't know what the third test there (DNS) really means as besides the ip address #s, it just shows 'united states'.

DNS Link Test.com results:

Query round   Progress   Servers found
1             ......     6

IP   Hostname   ISP   Country
151.164.110.35 none AT&T Internet Services United States
151.164.110.26 none AT&T Internet Services United States
151.164.110.34 none AT&T Internet Services United States
151.164.110.38 none AT&T Internet Services United States
151.164.110.28 none AT&T Internet Services United States
151.164.110.57 none AT&T Internet Services
by dherr » Thu Dec 31, 2015 10:30 am
The main test is to show that you are not "visible" via your AT&T ip address. If speed tests or "what is my IP" stuff shows a Sonic IP then the VPN is working. The DNS servers that you use will get to "see" what you are doing to some degree, so you would want to either use a Sonic name server while using the VPN or something else that you trust.

One big caveat is to consider IPv6. A test:

1. check http://whatismyv6.com/
2. enable vpn
3. check http://whatismyv6.com/

If you get an IPv6 address that is the *same* each time then the VPN is not handling your IPv6 traffic. That was the case when I tested but I can't remember all the details of the test for ipsec versus openvpn.

So, my notes for using the two VPNs include a note about how to disable IPv6.
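The before/after comparison described in the post above, written out as an added example (not part of the thread and not Sonic tooling). It also applies the same comparison to DNS resolvers, which goes slightly beyond the IPv6 test in the post; all addresses are constructed from documentation ranges, and the dictionary layout and function names are assumptions.

```python
import ipaddress

def same_address(before, after):
    """True when both observations exist and denote the same IP address."""
    if before is None or after is None:
        return False
    # Parse instead of comparing strings: test pages print IPv6 addresses in
    # different notations (compressed, zero-padded, upper case).
    return ipaddress.ip_address(before) == ipaddress.ip_address(after)

def check_vpn(before, after):
    """Compare observations taken with the VPN off (before) and on (after).

    Each observation is a dict: 'v4' and 'v6' are the public addresses an
    external "what is my IP" page reported (None if that family is not
    available), 'dns' is the resolver list a DNS leak test page reported.
    """
    findings = {}
    # IPv4 must change once the tunnel is up, otherwise nothing is tunneled.
    findings["ipv4_tunneled"] = (
        after["v4"] is not None and not same_address(before["v4"], after["v4"])
    )
    # An unchanged IPv6 address means v6 traffic bypasses the tunnel.
    findings["ipv6_leak"] = same_address(before["v6"], after["v6"])
    # Resolvers still seen with the VPN up belong to the access network.
    off = {ipaddress.ip_address(a) for a in before["dns"]}
    on = {ipaddress.ip_address(a) for a in after["dns"]}
    findings["dns_leak"] = sorted(str(a) for a in off & on)
    return findings

# Constructed sample observations (documentation address ranges only).
VPN_OFF = {"v4": "192.0.2.10", "v6": "2001:db8::1234",
           "dns": ["203.0.113.53", "203.0.113.54"]}
# VPN up, but IPv6 and one resolver still go via the access network.
VPN_ON_LEAKY = {"v4": "198.51.100.20",
                "v6": "2001:0DB8:0000:0000:0000:0000:0000:1234",
                "dns": ["203.0.113.53", "198.51.100.53"]}
# VPN up with IPv6 disabled and only the VPN provider's resolver in use.
VPN_ON_CLEAN = {"v4": "198.51.100.20", "v6": None, "dns": ["198.51.100.53"]}

if __name__ == "__main__":
    print(check_vpn(VPN_OFF, VPN_ON_LEAKY))
    print(check_vpn(VPN_OFF, VPN_ON_CLEAN))
```
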
by pcvcolin » Fri Jan 08, 2016 7:55 pm
Craig wrote:
pmbell wrote:when a customer signs up for fttn, sonic reads a different, longer tos script than for any other product. my memory of that script is that the person reading it mentioned that it was an outlier because att had some required language.

it would be good to see the introduction to that script revisited with an eye toward clearly explaining which sonic policies apply on that product and which can not.
I call bullshit on that. I switched from DSL to FTTN when I moved and I was NEVER told I would be on AT&T instead of Sonic. I only found out when I did a speedtest and saw AT&T instead of sonic, then read about it on these forums.

Sonic needs to provide a preconfigured gateway for FTTN people that puts us on the sonic network so we actually get the award-winning privacy protecting sonic service they advertise.
It's absolutely true that Sonic needs to get FTTN people back on the Sonic network in a preconfigured way. I think that because of the way that FTTN is (the agreement that Sonic has with AT&T, basically), that Sonic has had difficulty doing this and it has taken far too long to implement. From an e-mail I got from Dane Jasper of Sonic, regarding Sonic's FTTN service:

"Sonic has entered into a commercial agreement for bulk access to AT&T's new IP DSLAMs, in COs, RTs and VRADs. We will resell access via this network, bundled with Sonic VoIP, as a "Fusion FTTN" product. The customer is a Sonic customer, while the network is AT&T's. It's a bit like the old DSL, where they ran the DSLAMs and interconnected with us via ATM. However, it's not layer-2, it's layer-3, so the IP address space and Internet transit is provided by AT&T.(...)" He also stated that: "For customers on this network, the IP transit will be provided by AT&T - so AT&T's policies regarding data retention etc apply.

We don't like this much either, so we'll be bundling this product with our VPN service, both to provide static IP addresses, and to allow for a Sonic-controlled (and policies) address. Customers can establish VPN connection from a client PC, portable device, tablet, etc - or can deploy a whole-home VPN solution so everything behind their connection goes via our network."

I got this message from Dane Jasper a long time ago -- actually, 9 months ago (for context, see [this reddit post](https://www.reddit.com/r/technology/com ... er_offers/)) and since then, the FTTN product has not been bundled with VPN service nor has it been offered with an option to be deployed with whole-home VPN, which would be much preferable.