OpenVPN Service

[drew.phillips]

For those of us who know just enough networking to be dangerous (I understand basic TCP/IP addressing, setting up a home network, NAT, etc).. Is this mostly just to allow all traffic from your home machines to be hitting the 'net from ovpn.sonic.net, rather than someIP@att.net, and to be routed through sonic's pipes, instead of at&t's pipes to the next peering partner? I get the privacy features - your real IP is hidden.

Yes, but additionally, your traffic is encrypted over ATT's network (the main motivator for this). So as soon as your net traffic leaves your computer, it's encrypted meaning ATT et al cannot see it. Once it hits Sonic's VPN the traffic is decrypted and routed where it needs to go (note HTTPS traffic would still be encrypted between the VPN endpoint and the destination - we couldn't decrypt the contents since the SSL/TLS handshake took place between your computer and the remote server).

I have torguard BT proxy + VPN service and have used it at times to make it appear an individual machine is originating elsewhere (for location-based reasons). I am guessing this is similar, except you don't get to pick your exit node (it's always sonic.net in CA), but it's free with sonic service. Does the Pace modem support this, or do I need a custom router? Can this work together with torguard's bittorrent proxy?

Right, you don't get any choice of where your traffic appears to come from. The goal is more privacy than being able to appear to come from a particular region or location. Pace modems don't have OpenVPN built in, you can either run the software on your computer, or buy a router that does support it and bridge the modem to your router. Note: I have FTTN x2 and it was pretty easy to bridge the connection. Running the software on a computer only encrypts traffic for that machine, running it on a router can force it for everything.

Does it allow for a reverse-connection? That is, can I ssh to ovpn.sonic.net (or similar) with my sonic userid/password and have it connect back to my modem, which is set up to forward port 21 back to my main linux desktop (hosts.allow/hosts.deny configured to only allow connections from a few domains - I would add sonic.net)? That's the main thing I'd like to add to my setup. I'm pretty sure torguard vpn can do that, but then I need to have some kind of dyn-dns service, whereas with sonic, wouldn't they know my "current" ip and can just forward it there?

Yes. You wouldn't ssh to ovpn.sonic.net but to the IP your VPN client gets assigned. For this reason, if you connect to the VPN using software on your PC, you should make sure your firewall rules are sufficient. Connecting from your computer opens you up to the internet just like plugging your PC directly into a modem and getting a WAN IP on your PC. If your router handles the connection, you're still firewalled and would need to set up port forwards to allow traffic from the VPN through to a service.

Hope that helps, let me know if you have any further questions.

[tonyquan68]

(Might be a stupid question)

Is there any chance that the OpenVPN service will utilize IPv6 anytime soon?

I have the uverse FTTN service and decided to enable IPv6 for the hell of it to test out if ATT's IPv6 implementation still lags / times out sites. I currently run the VPN on my Asus AC87 router and did a IPv6 test which showed an IPv6 connection via ATT while the IPv4 connection via went through Sonic.

While it isn't much of a problem as I've kept IPv6 off for years, it's a tad concerning that IPv6 traffic goes through att as their traffic shaping and subsequent buffering annoys the hell out of me and defeats the purpose of running the VPN.

This question never got answered. I'm in the same boat, but unlike the poster do need ipv6 and would prefer to have the Sonic VPN handle it as well. It looks to be supported in newer versions of OpenVPN: https://community.openvpn.net/openvpn/wiki/IPv6 Could Sonic consider deploying this?

[pratik]

I would like to know, around what speed should I expect by using VPN.

I've following setup:
FTTN service (50MBPs)
PACE modem 5268AC.
ASUS RT-AC68R/U router configured with Sonic VPN (all traffic goes through VPN)

I run speedtest at speedtest.sonic.net from wired connected computer and I consistently get around 13MBPs. Is this normal or should I check any settings / ask for support?


[EDIT]: And I want to know how would port forwarding work in this case. I've all port forwards defined and saved in router, is that all that would be required?

Thanks

[tonyquan68]

(Might be a stupid question)

Is there any chance that the OpenVPN service will utilize IPv6 anytime soon?

I have the uverse FTTN service and decided to enable IPv6 for the hell of it to test out if ATT's IPv6 implementation still lags / times out sites. I currently run the VPN on my Asus AC87 router and did a IPv6 test which showed an IPv6 connection via ATT while the IPv4 connection via went through Sonic.

While it isn't much of a problem as I've kept IPv6 off for years, it's a tad concerning that IPv6 traffic goes through att as their traffic shaping and subsequent buffering annoys the hell out of me and defeats the purpose of running the VPN.

This question never got answered. I'm in the same boat, but unlike the poster do need ipv6 and would prefer to have the Sonic VPN handle it as well. It looks to be supported in newer versions of OpenVPN: https://community.openvpn.net/openvpn/wiki/IPv6 Could Sonic consider deploying this?

OpenVPN 2.4 is now out with further improvements on the ipv6 side:

https://openvpn.net/index.php/download/ ... loads.html

would Sonic consider providing ipv6 enabled VPN?

[esm]

Any updates here? I just signed up for service, and was surprised to not see IPv6 support via OpenVPN. (I'm tunnelling my home network via the VPN, since I'm on re-sold ATT VDSL.)

It looks like my fallback here will wind up being an IPv6 tunnel over OpenVPN, but that's...well, non-ideal.

[ankh]

I'm from the "know just enough to be dangerous" side -- I see mention of a new version of OpenVPN.
I've been using TunnelBlick on a Mac.

Anything we need to do about this?

https://guidovranken.wordpress.com/2017 ... g-bonanza/

[bmah]

I'd like to report a success story (mostly) with the OpenVPN client in pfSense 2.3.4p1 on a Netgate SG-2440. I'm on an AT&T FTTN connection (trying to migrate from Comcast), and I am trying to get as much of my traffic as possible to go through the sonic.net VPN. Right now I seem to have gotten all of my outbound NAT-ed IPv4 traffic to go over the VPN, but I don't have a solution yet for IPv6.

I'd like to thank people here (and on other searchable forums) who've posted pfSense instructions before. Those were a lot of help getting this to work. A few hints hints I have are:

1. If you're using firewall rules in pfSense to direct outbound/NAT traffic towards the OpenVPN tunnel, it's helpful to add a rule that sends outbound UDP port 1194 (the OpenVPN port) to some non-tunnel interface. This is useful if you have some single devices on your home network that may themselves be doing OpenVPN (it avoids nesting VPNs, and if those devices might be trying to connect to the sonic.net VPN it avoids them failing to connect altogether).

2. The AES-NI crypto hardware support on the SG-2440 (and presumably other similar platforms) is not used by pfSense by default. It needs to be enabled from the Advanced -> Miscellanous menu in pfSense to make FreeBSD load the correct crypto-driver.

3. My custom options in the pfSense OpenVPN client configuration:

Code: Select all

setenv FORWARD_COMPATIBLE 1;
server-poll-timeout 4;
ns-cert-type server;
reneg-sec 604800;
sndbuf 100000;
rcvbuf 100000;
comp-lzo no;
setenv PUSH_PEER_INFO;
verify-x509-name 'CN=OpenVPN Server';

I freely admit there's a bit of "cargo cult programming".

With this hardware/software combination, it doesn't appear to be a bottleneck for my 20Mbps FTTN connection, using the "download the sonic.net test file" test and wget on my rather elderly Mac Mini desktop. I've only had this running for a day or so but so far so good.

The one thing I'd really really really like to have at this point is (perhaps not a surprise here)...IPv6. In my fantasy world, I'd love to get an IPv6 address and a /60 IPv6 prefix delegation from the OpenVPN server at connect time. If not that, how about a /64? If not that...hmmm...has anyone tried doing an IPv6-in-IPv4 tunnel (a la Hurricane Electric) inside OpenVPN? (Limitations in the AT&T FTTN CPE prevent me from doing a tunnel to my pfSense box, at least in any way I've tried so far.)

Thanks to the crew at sonic.net for making this service work!

Bruce.

[ankh]

For the Sonic folks -- that link I posted about a new version begins with this scary text:

----begin quote------
" Posted on June 21, 2017 by guidovranken

UPDATE: OpenVPN fuzzers now released.
Summary

I've discovered 4 important security vulnerabilities in OpenVPN.
Interestingly, these were not found by the two recently completed audits of OpenVPN code.
-----end quote----

So, ah, anything we need to be doing about this?

[bmah]

For the Sonic folks -- that link I posted about a new version begins with this scary text:

----begin quote------
" Posted on June 21, 2017 by guidovranken

UPDATE: OpenVPN fuzzers now released.
Summary

I've discovered 4 important security vulnerabilities in OpenVPN.
Interestingly, these were not found by the two recently completed audits of OpenVPN code.
-----end quote----

So, ah, anything we need to be doing about this?

Not a sonic.net person but I dabble in Internet security (others here probably know more than I do). You mentioned Tunnelblick in your earlier post. My read is that if you're running one of the latest Tunnelblicks (3.7.1b for stable, 3.7.2beta03 for unstable), both of them include OpenVPN 2.4.3, which addresses the vulnerabilities you mentioned in your prior two posts. You can usually find this sort of information in the release notes for Tunnelblick (or Viscosity or whatever OpenVPN front-end you're running).

https://www.tunnelblick.net/cRlsNotes.html
https://community.openvpn.net/openvpn/w ... OpenVPN243

As for what changes required to mitigate these problems on sonic's OpenVPN server, I'm not sure (because I'm not sure what the server-side software is...that might require someone from sonic.net to answer).

Bruce.

[ankh]

Thank you. I'd missed the Tunnelblick update.
I've now subscribed to https://groups.google.com/forum/#!forum ... k-announce