OpenVPN Open Beta

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
235 posts Page 14 of 24
by vpnquestions » Thu Oct 01, 2015 12:52 pm
I wish you guys would allow any username linked to the main account to connect to the VPN. Having only one account that can connect is such an inconvenience.

Can the main account at least be used on more than one Internet connection?
by m2m3 » Thu Oct 01, 2015 12:56 pm
vpnquestions wrote:I wish you guys would allow any username linked to the main account to connect to the VPN. Having only one account that can connect is such an inconvenience.

Can the main account at least be used on more than one Internet connection?
Yes. I can connect simultaneously on my laptops and desktop.
by forest » Fri Oct 02, 2015 11:23 am
At 10:16 this morning, I suddenly started experiencing very high (83%) packet loss through the VPN to the first remote hop (69.12.223.193). My EdgeRouter's OpenVPN client didn't log anything during that time. After about 20 minutes of looking for causes and finding nothing obvious, I restarted the OpenVPN client, and the problem was gone.

Does someone at Sonic know what happened? Perhaps some logs on your end reveal the cause?
by mediahound » Fri Oct 02, 2015 11:25 am
forest wrote:At 10:16 this morning, I suddenly started experiencing very high (83%) packet loss through the VPN to the first remote hop (69.12.223.193). My EdgeRouter's OpenVPN client didn't log anything during that time. After about 20 minutes of looking for causes and finding nothing obvious, I restarted the OpenVPN client, and the problem was gone.

Does someone at Sonic know what happened? Perhaps some logs on your end reveal the cause?
It was because of this: https://corp.sonic.net/status/2015/10/02/outage/
by johndoe » Fri Oct 02, 2015 9:48 pm
For those of you who have the VPN set up on your router, are you still able to communicate with other devices on the LAN? When I was connected to the software VPN client, I couldn't print until I disconnected from the VPN. Will a VPN installed on the router intercept inter-LAN traffic?
by virtualmike » Fri Oct 02, 2015 11:14 pm
When the VPN runs on an end device (computer, smartphone, tablet, etc.), that device is then "virtually" on another network, and it no longer sees the other devices. It's really no longer a part of the LAN.

If the VPN runs on the router, then all devices are still on the LAN, and the entire LAN is virtually on another network. The devices on the LAN can talk to each other.
by Guest » Sat Oct 03, 2015 2:46 am
johndoe wrote:For those of you who have the VPN set up on your router, are you still able to communicate with other devices on the LAN? When I was connected to the software VPN client, I couldn't print until I disconnected from the VPN. Will a VPN installed on the router intercept inter-LAN traffic?
You want to enable split tunnelling. I don't use OpenVPN and am awaiting IPsec, but take a look at https://forums.openvpn.net/topic7161.html.
by johndoe » Sat Oct 03, 2015 1:20 pm
virtualmike wrote:When the VPN runs on an end device (computer, smartphone, tablet, etc.), that device is then "virtually" on another network, and it no longer sees the other devices. It's really no longer a part of the LAN.

If the VPN runs on the router, then all devices are still on the LAN, and the entire LAN is virtually on another network. The devices on the LAN can talk to each other.
That's good to know, but wouldn't it cause security problems if all the devices on my LAN are part of the Sonic VPN network?

Normally when I use a router without a VPN, NAT acts as a firewall and protects me, but with a VPN, the NAT basically doesn't exist. Here's an example I thought might be similar. I'm quoting from a DSLReports FAQ (https://www.dslreports.com/faq/9787):
AOL BYOA connects to your computer by creating a "tunnel" through the Internet. With AOL BYOA, tunneling uses your real IP address to connect you to AOL's network where you have a second IP address. Traffic using that second IP address is inside the tunnel.

With AOL, the far end of the tunnel is other AOL customers and the Internet, so it is untrusted. »www.mynetwatchman.com/kb ··· ndex.htm

The solution is to use a software firewall. A software firewall will effectively filter the traffic after it leaves AOL's tunnel and before it gets into the rest of your computer. In some countries AOL9 Max includes the free option of installing the McAfee Firewall Express software firewall.
If the FAQ is correct, that AOL BYOA sounds like a VPN. Now I'm not an expert on security, so I don't really know how NAT mixes with VPNs, but based on what you said about my LAN being virtually a part of Sonic's VPN network, it sounds like there's a tunnel going through my router, and everything that goes through Sonic's end of that tunnel will get to my computer. So I have a couple of questions about this:

1. If I don't use a software firewall, how do I prevent other Sonic VPN users and the rest of the Internet from pinging, port scanning, or accessing the devices connected to my LAN? When you're on a public Wi-Fi, you can't rely on NAT to protect you from other Wi-Fi users because they're all behind the router, just like you are. Isn't Sonic's VPN situation similar?

2. Can the tunnel be secured on Sonic's end with NAT? I'm thinking if Sonic's VPN used NAT, then it would prevent unauthorized traffic from entering the tunnel and getting to me. I did a port scan on my VPN IP address when I was connected to the old Cisco VPN, and no ports were open, but pings were being responded to. Is the situation different with the OpenVPN server?
by pmbell » Sat Oct 03, 2015 6:08 pm
Treat the OpenVPN interface as an untrusted interface and firewall it at your router; it is effectively one of your public IP addresses. Bind the tunnel to an address and interface that is not on your inside LAN.

You absolutely will see attack traffic on the Sonic VPN; ports 22 and 1433 are popular.

For the folks who used to have static IP addresses with Sonic, and to whom the VPN was originally expected to be most important, NAT would not be helpful.

A big advantage of OpenVPN over IPsec in device-to-device mode is the ease of applying firewall rules to the interface.
by johndoe » Sat Oct 03, 2015 6:37 pm
pmbell wrote:Treat the OpenVPN interface as an untrusted interface and firewall it at your router; it is effectively one of your public IP addresses. Bind the tunnel to an address and interface that is not on your inside LAN.
Sorry, I am a total newbie at networking and I couldn't really understand this completely. How would I set it up, and what effect would it have on traffic? More important yet, how could I test it to make sure it's working? I could fumble around with settings, but the only way to really know it works is to test it. I need to make sure this works both with the VPN client software and at the router level.

From what little I know, it sounds like there are 2 security problems when connecting to Sonic's VPN:

1. Port scans/attacks from other Sonic VPN users
2. Port scans/attacks from the rest of the world. If what you're saying is correct, the other end of the tunnel has no NAT against outside traffic, so any attacks from the rest of the Internet would go through the tunnel and pass right through the router to whatever devices are connected.
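What pmbell's advice ("treat the OpenVPN interface as an untrusted interface and firewall it at your router") looks like in practice, and one way to answer johndoe's "how could I test it" question, as an added example that is not part of the thread or of Sonic's documentation. It assumes a Linux-based router running the OpenVPN client with the tunnel on `tun0`, an inside LAN of `192.168.1.0/24`, and `iptables`; the interface name, subnet, chain name `VPN_IN` and the sample `iptables -S` dumps are all constructed for illustration. The script only prints the rules unless told to apply them, so it can be read through before touching a live router.

```shell
#!/bin/sh
# Added example (not from the thread): firewall a router-side OpenVPN client
# tunnel the same way a WAN port is firewalled. Assumptions: tunnel interface
# tun0, inside LAN 192.168.1.0/24, Linux router with iptables and conntrack.
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the rules as shell commands so they can be reviewed before being run.
# Policy: anything arriving on the tunnel that is not a reply to a connection
# we started is dropped, both for the router itself (INPUT) and for devices
# behind it (FORWARD). LAN hosts may still open connections out through the
# tunnel. LAN-to-LAN traffic never crosses the router, so it is unaffected.
vpn_firewall_rules() {
    cat <<EOF
iptables -N VPN_IN 2>/dev/null
iptables -F VPN_IN
iptables -A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_IN -m conntrack --ctstate INVALID -j DROP
iptables -A VPN_IN -j DROP
iptables -I INPUT 1 -i $VPN_IF -j VPN_IN
iptables -I FORWARD 1 -i $VPN_IF -j VPN_IN
iptables -A FORWARD -s $LAN_NET -o $VPN_IF -j ACCEPT
EOF
}

# Verify that an "iptables -S" dump (passed as text) actually carries the
# policy: both the INPUT and FORWARD hooks jump into VPN_IN, and VPN_IN ends
# in DROP. A common mistake is to protect only the router (INPUT) and forget
# the devices behind it (FORWARD); this check catches that.
check_ruleset() {
    dump="$1"
    printf '%s\n' "$dump" | grep -q -- "^-A INPUT -i $VPN_IF -j VPN_IN" || return 1
    printf '%s\n' "$dump" | grep -q -- "^-A FORWARD -i $VPN_IF -j VPN_IN" || return 1
    printf '%s\n' "$dump" | grep -q -- '^-A VPN_IN -j DROP$' || return 1
    return 0
}

# Constructed sample of "iptables -S" output after the rules were applied.
SAMPLE_GOOD='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N VPN_IN
-A INPUT -i tun0 -j VPN_IN
-A FORWARD -i tun0 -j VPN_IN
-A FORWARD -s 192.168.1.0/24 -o tun0 -j ACCEPT
-A VPN_IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A VPN_IN -m conntrack --ctstate INVALID -j DROP
-A VPN_IN -j DROP'

# Constructed sample where only the INPUT hook was added: the router is
# protected but every device on the LAN is still reachable through the tunnel.
SAMPLE_BAD='-P INPUT ACCEPT
-P FORWARD ACCEPT
-N VPN_IN
-A INPUT -i tun0 -j VPN_IN
-A VPN_IN -j DROP'

# show  : print the rules (default)
# apply : run them on this router (needs root)
# check : inspect the live ruleset with check_ruleset
case "${1:-show}" in
    show)  vpn_firewall_rules ;;
    apply) vpn_firewall_rules | sh ;;
    check) check_ruleset "$(iptables -S)" && echo "tunnel policy present" ;;
esac
```

To prove it works rather than trusting the configuration, test from both directions: run the `check` mode on the router, then from a machine that is not on your LAN scan the address Sonic assigned to the tunnel (for example with nmap) and confirm nothing answers, while devices on the LAN can still browse out through the tunnel and print to each other. If you want the VPN address to answer pings, add an explicit rate-limited `--icmp-type echo-request` accept ahead of the final DROP; otherwise pings are dropped too. On EdgeOS the same policy is attached with the `firewall local` and `firewall in` options on the `vtun` interface rather than with raw iptables commands.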