FTTN, AT&T, and Privacy

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
43 posts Page 3 of 5
by johns » Sat May 02, 2015 10:24 pm
joss wrote:I wish I had known about the privacy issue before I had the FTTN installed (5/1/15). For me one of the real benefits of using Sonic was the privacy policy.

I called tech support today to ask and was informed about the VPN.

However, the VPN does not cover all of the devices attached to my network. For instance I cannot use the VPN with my android tablet and phone and the DVD player which serves Netflix. Nor does it cover the Amazon fire stick and Google streaming device. The network traffic from these would all be done through the AT&T network.

Also, I would have to install VPN software on all of my PCs. It would be more beneficial if my non-AT&T network router could connect to the VPN and then use that connection for all the devices that connect to it. Then each device connected to the router would have the tunneling benefits of the VPN. But my router only supports OPEN VPN and not the CISCO IPSec protocol.

Note: It took me a while, but I was able to use my existing router to manage my network devices without having to use the local routing capabilities of the AT&T router. Only my existing router and the VOIP box are connected to the AT&T modem. That doesn't solve the privacy issue, but it allowed me to continue using the home network as I did before the switch to FTTN.
I'm not a VPN expert, but I think if your home router goes through the VPN to Sonic's VPN servers, then ATT can only see encrypted VPN traffic. In theory they can't really glean any useful info from that. All a Fusion FTTN user has to do is provide a VPN portal (hardware or software) at home that handles all the privacy-sensitive traffic.

Johnny
by joss » Sat May 02, 2015 10:37 pm
johns wrote: I'm not a VPN expert, but I think if your home router goes through the VPN to Sonic's VPN servers, then ATT can only see encrypted VPN traffic. In theory they can't really glean any useful info from that. All a Fusion FTTN user has to do is provide a VPN portal (hardware or software) at home that handles all the privacy-sensitive traffic.

Johnny
The issue is that my home router cannot connect to the Sonic VPN because Sonic uses Cisco's protocols and my router only supports an OpenVPN client.

My concern is that I didn't understand this before the FTTN was installed. I might have had enough time prior to the installation to find a router or firmware for my router that would have worked with the Sonic VPN.
by leeep » Sat May 02, 2015 11:40 pm
joss wrote:
johns wrote: I'm not a VPN expert, but I think if your home router goes through the VPN to Sonic's VPN servers, then ATT can only see encrypted VPN traffic. In theory they can't really glean any useful info from that. All a Fusion FTTN user has to do is provide a VPN portal (hardware or software) at home that handles all the privacy-sensitive traffic.

Johnny
The issue is that my home router cannot connect to the Sonic VPN because Sonic uses Cisco's protocols and my router only supports an OpenVPN client.

My concern is that I didn't understand this before the FTTN was installed. I might have had enough time prior to the installation to find a router or firmware for my router that would have worked with the Sonic VPN.
What kind of router do you run? I believe Tomato firmware has support for IPSec VPN with the more comprehensive "Mega" or "AIO" builds, but since my little base model Asus N10P is flash size-limited, I can't test them. Might be time to upgrade my router, I suppose.

The flipside is to run local VPN clients on every machine in your home network, I guess, but that gets cumbersome in a hurry.
---
...on Sonic.net since 2011...
by Guest » Sun May 03, 2015 2:31 am
leeep wrote:The flipside is to run local VPN clients on every machine in your home network, I guess, but that gets cumbersome in a hurry.
Unfortunately Sonic restricts the VPN client to one instance, so you can't have multiple computers use the same login.
by joss » Sun May 03, 2015 8:05 am
leeep wrote: What kind of router do you run? I believe Tomato firmware has support for IPSec VPN with the more comprehensive "Mega" or "AIO" builds, but since my little base model Asus N10P is flash size-limited, I can't test them. Might be time to upgrade my router, I suppose.

The flipside is to run local VPN clients on every machine in your home network, I guess, but that gets cumbersome in a hurry.
I have two routers to test with. One runs the vendor software, the other has Tomato 1.28 (with Shibby's USB mods). The vendor software only supports PPTP/L2TP/OpenVPN clients. None of these seem to work with the Cisco IPSec.

With Tomato: I have been researching the versions that support IPSec, but it is a tough bit of forum threads to slog through. So far, it seems the only support I have found involves installing additional software and running shell scripts on the router. But the links go back to 2011, so I can't tell if the test versions I am reading about have been incorporated into the GUI of one of the many versions of Tomato. It's early days for solving this for me. And it would have been nice to do this research in the week leading up to the installation instead of after.
by dherr » Sun May 03, 2015 9:24 am
Guest wrote:
leeep wrote:The flipside is to run local VPN clients on every machine in your home network, I guess, but that gets cumbersome in a hurry.
Unfortunately Sonic restricts the VPN client to one instance, so you can't have multiple computers use the same login.
Sonic might have changed that since you last tested. I just had an iPad and an iPod Touch both using the Sonic VPN at the same time. They did get different IPs as expected, but they did not have trouble connecting or browsing whatismyip.com. I did double-check the settings to make sure they were both configured to use my account.
by leeep » Sun May 03, 2015 1:30 pm
dherr wrote:
Guest wrote:
leeep wrote:The flipside is to run local VPN clients on every machine in your home network, I guess, but that gets cumbersome in a hurry.
Unfortunately Sonic restricts the VPN client to one instance, so you can't have multiple computers use the same login.
Sonic might have changed that since you last tested. I just had an iPad and an iPod Touch both using the Sonic VPN at the same time. They did get different IPs as expected, but they did not have trouble connecting or browsing whatismyip.com. I did double-check the settings to make sure they were both configured to use my account.
Yeah, I'd want a Sonic.net rep to validate the "single instance" restriction... I'm pretty sure when I set it up last night, I had my Android phone set to "always-on" VPN mode/connected and also linked up my Android tablet and an iPhone5 with the same credentials from inside my home network.

The downside, of course, is that while connected from my home LAN to the Sonic VPN, I cannot browse any internal network shares, which would be problematic for desktop/laptops.

I checked my Chromebook as well, but ChromeOS does not support IPSec Xauth PSK VPN connections, so SOL there.

What I'd envision, if I can figure out how to connect my Tomato router to Sonic's VPN, is to do something like:

Home LAN --> Tomato Router --> Sonic VPN --> Internet
                      |
                      |_ OpenVPN <-- Remote clients
Would be great if anyone else has figured out a similar setup. Mainly, it'd be great if I could get remote clients access to my internal shares, but if that won't work easily with the WAN-based Sonic VPN, I'll reconsider. :D
---
...on Sonic.net since 2011...
by dc01hxx42 » Mon May 04, 2015 12:53 pm
leeep wrote: Yeah, I'd want a Sonic.net rep to validate the "single instance" restriction... I'm pretty sure when I set it up last night, I had my Android phone set to "always-on" VPN mode/connected and also linked up my Android tablet and an iPhone5 with the same credentials from inside my home network.

The downside, of course, is that while connected from my home LAN to the Sonic VPN, I cannot browse any internal network shares, which would be problematic for desktop/laptops.

I checked my Chromebook as well, but ChromeOS does not support IPSec Xauth PSK VPN connections, so SOL there.

What I'd envision, if I can figure out how to connect my Tomato router to Sonic's VPN, is to do something like:

Home LAN --> Tomato Router --> Sonic VPN --> Internet
                      |
                      |_ OpenVPN <-- Remote clients
Would be great if anyone else has figured out a similar setup. Mainly, it'd be great if I could get remote clients access to my internal shares, but if that won't work easily with the WAN-based Sonic VPN, I'll reconsider. :D
What I am doing is: I have a box running FreeProxy (free) and the Shrew Soft VPN client (free, and it will auto-reconnect properly, unlike Cisco's dated software) on a Windows box (with AES-128 instead of 3DES and a 28800 timeout instead of 3600). This way only one system is running the VPN/proxy bounce head, and everything else can connect over it via a SOCKS5/HTTP/FTPS proxy (e.g. browsers, chat programs, mail clients; anything critical generally supports SOCKS5 connections anyway).

Alternatively, I was working on a virtualbox image with pfsense firewall with a proxy extension, but haven't had time to try to finish it. (pfsense vm would be a fairly low resource way to get a vpn/proxy node on your network without making the entire system slave to the vpn connect)

The biggest downside to Sonic's current VPN setup is that it will outright disconnect you at 13 hours; it would be nice if that disconnect time were removed or extended to a week for the time being, until the new VPN stuff is deployed. The biggest upside to how I am doing it: Netflix and other streaming or game-related content don't take the latency or bandwidth overhead hit, since only the critical apps are being pushed over the VPN, which keeps the overhead to a minimum.

My network is just as functional as it was pre-vpn use before I got my bonded FTTN, maybe something similar could work for you as well.

So the tl;dr: I do not run the vpn connection at my actual router which runs ip passthrough behind a nvg589, rather I run a box behind the router and use that as a socks relay so I can proxy connect critical apps through it instead of pushing the entire network over vpn all the time.
by leeep » Mon May 04, 2015 1:59 pm
dc01hxx42 wrote:The biggest downside to Sonic's current VPN setup is that it will outright disconnect you at 13 hours; it would be nice if that disconnect time were removed or extended to a week for the time being, until the new VPN stuff is deployed. The biggest upside to how I am doing it: Netflix and other streaming or game-related content don't take the latency or bandwidth overhead hit, since only the critical apps are being pushed over the VPN, which keeps the overhead to a minimum.
Well that's a bummer... I'll have to rethink this a bit if that's how it's set up. Maybe a 3rd party VPN service that we pay for is the only real option.

Good call on not proxying Netflix or gaming traffic though... that's definitely a consideration. I could care less if ATT snoops on my Netflix or other streaming TV providers. Once I figure out the VPN part of things, I might just create a subnet on the LAN for things like the ChromeCast or Nexus Player since they don't need VPN.

Thanks for the good info!
---
...on Sonic.net since 2011...
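The router-level split tunnel that leeep sketched above (LAN behind a Tomato router, VPN on the WAN side), combined with dc01hxx42's point about keeping streaming traffic off the tunnel and leeep's idea of a separate subnet for such devices, can be expressed as Linux policy routing on the router itself. The script below is an added example for this thread, not code from any poster, from Sonic, or from the Tomato project; the interface name `tun0` (the tunnel the router's VPN client would bring up), the two subnets and the routing-table number are assumptions to adapt. One subnet may only leave through the tunnel, with a kill switch so that a dropped tunnel drops the traffic instead of silently leaking it to the upstream ISP; the streaming subnet keeps the normal WAN path; and the two subnets can still reach each other, which is how internal shares stay reachable even though the tunnel carries the default route.

```sh
#!/bin/sh
# Added example: per-subnet split tunnel with a kill switch on a Linux/Tomato-style
# router. All interface names, subnets and the table number are assumptions.
set -u

VPN_IF=${VPN_IF:-tun0}                       # tunnel interface created by the router's VPN client
PRIVATE_NET=${PRIVATE_NET:-192.168.10.0/24}  # devices whose traffic must leave only via the tunnel
DIRECT_NET=${DIRECT_NET:-192.168.20.0/24}    # streaming boxes that may use the WAN directly
VPN_TABLE=${VPN_TABLE:-100}                  # policy-routing table holding the tunnel default route
DRY_RUN=${DRY_RUN:-0}                        # 1 = print the commands instead of executing them

# Execute a command, or just echo it when DRY_RUN=1 (useful to review before applying).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_split_tunnel() {
    # 1. Dedicated table: default route via the tunnel, plus an "unreachable" fallback
    #    with a worse metric. If tun0 goes down the kernel removes the first route and
    #    the fallback is what remains, so the private subnet cannot fall through to the WAN.
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    run ip route replace unreachable default metric 1000 table "$VPN_TABLE"
    # 2. LAN-to-LAN traffic between the two subnets must keep using the main table,
    #    otherwise it would be sent into the tunnel by the rule that follows.
    run ip rule add from "$PRIVATE_NET" to "$DIRECT_NET" lookup main priority 99
    # 3. Source-based rule: everything else from the private subnet consults the VPN table.
    run ip rule add from "$PRIVATE_NET" lookup "$VPN_TABLE" priority 100
    # 4. Kill switch in the firewall: forwarded packets from the private subnet that are
    #    not leaving via the tunnel are dropped, then re-allow the LAN-to-LAN exception
    #    (inserted afterwards so it sits above the DROP).
    run iptables -I FORWARD -s "$PRIVATE_NET" ! -o "$VPN_IF" -j DROP
    run iptables -I FORWARD -s "$PRIVATE_NET" -d "$DIRECT_NET" -j ACCEPT
    # 5. Source NAT onto the tunnel address so replies come back through it.
    run iptables -t nat -A POSTROUTING -s "$PRIVATE_NET" -o "$VPN_IF" -j MASQUERADE
    # The direct subnet needs nothing: it follows the main table out the WAN as before.
}

teardown_split_tunnel() {
    run iptables -D FORWARD -s "$PRIVATE_NET" -d "$DIRECT_NET" -j ACCEPT
    run iptables -D FORWARD -s "$PRIVATE_NET" ! -o "$VPN_IF" -j DROP
    run iptables -t nat -D POSTROUTING -s "$PRIVATE_NET" -o "$VPN_IF" -j MASQUERADE
    run ip rule del from "$PRIVATE_NET" lookup "$VPN_TABLE" priority 100
    run ip rule del from "$PRIVATE_NET" to "$DIRECT_NET" lookup main priority 99
    run ip route flush table "$VPN_TABLE"
}

# Usage: sh split_tunnel.sh show      (print what would be done)
#        sh split_tunnel.sh apply     (as root, after the VPN client has brought up tun0)
#        sh split_tunnel.sh teardown
case "${1:-}" in
    show)     DRY_RUN=1; setup_split_tunnel ;;
    apply)    setup_split_tunnel ;;
    teardown) teardown_split_tunnel ;;
esac
```

Two caveats belong with this design. DNS from the private subnet must also go through the tunnel (for example by handing those clients a resolver address that is only reachable via `tun0`), otherwise the queries alone still tell the upstream ISP which sites are visited. And the tunnel hides contents and destinations but not the fact of the tunnel: the ISP can still see the VPN endpoint's address and the volume and timing of encrypted traffic.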
by rtrinh » Wed May 06, 2015 2:17 am
A question to those who have gotten their FTTN installed.

During the last part of my installation the technician runs a speedtest and records the IP address. He makes a call with, I believe, ATT enterprise and answers some questions. The tech is asked some questions that seem normal, like whether the old Sonic/POTS line is disconnected or not, then is asked for the speedtest results, the IP address, and whether the wifi is on. One thing that surprised me is that the guy on the other end wants the access code to the modem.

Did anyone else hear this? Looking around and having restarted the modem a few times, it looks like we are on a static IP. Handing them the IP and the access code to the device sounds a bit too much. Even if we have the ability to change it which I've already done, who knows if they have a backdoor in.

Maybe I'm thinking too much and this is just so they keep a backup if somehow the sticker on the modem magically fades away and the access code cannot be retrieved and I need it.