OpenVPN Open Beta

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
235 posts Page 10 of 24
by Guest » Tue Sep 15, 2015 10:37 pm
pmbell wrote:
kgc wrote:
Guest wrote: Could you guys raise the key size to 256?
Are you asking that we change the cipher used from AES-128-CBC to AES-256-CBC? We believe that AES-128-CBC provides a reasonable balance of security and performance, especially when lower-end systems are taken into account.
there are some limited and rather academic scenarios in which aes-256 is weaker than aes-128!

https://www.schneier.com/blog/archives/ ... w_aes.html

I think it's useful to ask "who is the adversary?" here. in my thinking, for this VPN, att is the adversary and the design is fine - so long as att only sees a static tunnel leaving their network, they're unlikely to be able to do much, as traffic analysis is broken.

if the adversary is the government, nothing I do on a networked computer is secure and I need to be able to go out of band for privacy. traffic analysis is the least of my worries, but I do enjoy making it harder, and running VPN to multiple hosts helps. and the more of us running VPN, the more it helps.
Yes, that is what I meant: AES-256-CBC instead of AES-128-CBC. Is it possible to set up the OpenVPN server with several different ciphers so that users can choose one, or is that not possible? That way, users with slower computers or routers will be able to choose the cipher that best suits their purposes. Maybe you can give users a choice of different profiles to download.

As for your point, pmbell, I believe the "limited and academic" scenario you're talking about is a related key attack. Doesn't this require the attacker to have plaintext? I don't think plaintext will be available for Sonic's adversaries, whoever they might be.

Your point that nothing you do on a networked computer is secure sounds needlessly paranoid. Snowden himself said that properly implemented encryption works: http://techcrunch.com/2013/06/17/encryp ... d-snowden/

That said, my concern is not about the government at all. If they wanted to know what someone was doing on Sonic's VPN, they would simply serve a warrant. Aside from performance issues, however, I see no reason not to use the strongest type of encryption possible. Schneier, the cryptographer you quoted, said in the same article that attacks only get better, never worse.
by kgc » Wed Sep 16, 2015 11:28 am
OpenVPN configuration is, generally speaking, global to the server. The only way it is possible to have a profile with a different cipher is to run another instance. Changing many options means that everyone needs to either import a new connection or update their local configuration, which is less than ideal.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by liamk » Wed Sep 16, 2015 6:37 pm
I need some help with OpenVPN on DD-WRT...
Never mind! I got it working. I will post this here for anyone else who needs to do this.

I added to the configuration:
auth-user-pass /tmp/openvpncl/user.conf
reneg-sec 604800
sndbuf 100000
rcvbuf 100000

I added to Administration-->Commands
echo "my-sonic-user-name
my-sonic-password" > /tmp/openvpncl/user.conf
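A small POSIX sh linter for the client config above, added here as an example rather than code from liamk or Sonic: it reports the cipher directive debated earlier in this thread and flags an auth-user-pass file that is world-readable (the credentials in /tmp/openvpncl/user.conf are plaintext). The sample config, temp paths and the remote hostname are constructed.

```shell
#!/bin/sh
# Added example (not liamk's or Sonic's code): lint an OpenVPN client config
# for the two points raised in this thread: the cipher choice and a plaintext
# auth-user-pass credential file that other users on the router could read.
# Returns 0 when nothing is wrong, otherwise the number of problems found.
check_ovpn_config() {
    cfg="$1"
    problems=0
    # "cipher <name>": keyword in field 1, value in field 2 (first match wins).
    cipher=$(awk '$1 == "cipher" { print $2; exit }' "$cfg")
    case "$cipher" in
        AES-256-CBC|AES-256-GCM|AES-128-GCM) echo "ok: cipher $cipher" ;;
        AES-128-CBC) echo "note: cipher AES-128-CBC (the server default discussed above)" ;;
        *) echo "warn: cipher '$cipher' missing or not an AES cipher"
           problems=$((problems + 1)) ;;
    esac
    # "auth-user-pass <file>": username and password sit in that file in plaintext.
    credfile=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$cfg")
    if [ -n "$credfile" ]; then
        if [ ! -f "$credfile" ]; then
            echo "warn: credential file $credfile does not exist"
            problems=$((problems + 1))
        elif [ -n "$(find "$credfile" -perm -004)" ]; then   # others-read bit set
            echo "warn: $credfile is world-readable; chmod 600 it"
            problems=$((problems + 1))
        else
            echo "ok: credential file $credfile is private"
        fi
    fi
    return "$problems"
}

# Constructed sample in a temp dir: liamk's additions plus a cipher line.
# Arguments: cipher name, mode for the credential file. The remote is a placeholder.
make_sample() {
    dir=$(mktemp -d)
    printf 'my-sonic-user-name\nmy-sonic-password\n' > "$dir/user.conf"
    chmod "$2" "$dir/user.conf"
    cat > "$dir/client.ovpn" <<EOF
client
remote vpn.example.invalid 1194
cipher $1
auth-user-pass $dir/user.conf
reneg-sec 604800
EOF
    echo "$dir/client.ovpn"
}

check_ovpn_config "$(make_sample AES-256-CBC 600)"   # exit status 0 for this config
```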
by liamk » Thu Sep 17, 2015 5:34 pm
Okay, I have improved this slightly, and written a blog post on it, which is here:
http://www.freespeechnow.org/2015/09/17 ... -networks/

In addition to getting Sonic OpenVPN working with DD-WRT, I describe configuration of the DD-WRT and NVG589 devices, preventing DNS leaks, and other stuff.
by vpnonly » Thu Sep 17, 2015 7:41 pm
Hey kgc, what's the minimum number of services I have to have with Sonic to get access to your VPN? Can I cancel phone and Internet and just pay for the VPN? Or maybe I can pay for something cheap like e-mail only and keep the VPN?
by pmbell » Thu Sep 17, 2015 8:10 pm
liamk wrote: Okay, I have improved this slightly, and written a blog post on it, which is here:
http://www.freespeechnow.org/2015/09/17 ... -networks/

In addition to getting Sonic OpenVPN working with DD-WRT, I describe configuration of the DD-WRT and NVG589 devices, preventing DNS leaks, and other stuff.
Very nice walkthrough, Liam.

Am I reading correctly that you've got an IPSEC connection to Sonic from your router, and you're able to get internet traffic passing through it? If so, you might want to put a pointer to that in the discussion about the result of the VPN poll as well. A number of folks there would really like to see that.

viewtopic.php?f=10&t=2819

On IPSEC: I run 'em for work, and I find that if I'm always pushing traffic down the tunnel, it tends to be more stable. My openvpn setup monitors my connection by pinging the secondary Google DNS server (8.8.4.4) all the time, something like that might help an IPSEC tunnel, also.

In your OpenVPN settings page - what happens if you enable adaptive LZO compression? IIRC, the Sonic vpn server supports it, and I think your performance would improve.

On various things to enhance privacy: it turns out that running bittorrent over a VPN and over Tor at the same time is a bad idea, as the BitTorrent folks aren't as privacy-minded as you might think. BitTorrent packets from at least some clients go looking for your IP address and stuff whatever they find into the headers. There's also a protocol called uTP which is supposed to help BitTorrent manage traffic better on a slow circuit. In the process, it also tries to punch holes through NAT and as a side effect tries to bypass VPN tunnels - it's pretty remarkable at doing that.

Also, it's worth considering adding a discussion of dnscrypt. My primary VPN provider uses DNS to resolve their incoming gateway, so I need DNS for a bit when my firewall first boots up. I run dnscrypt on my gateway, which is also the only resolver my LAN clients have access to. DNS runs in plaintext by default; I prefer to encrypt mine and trust only the DNS providers I choose with my requests.

Under normal circumstances, all of my DNS is flowing to my vpn provider, but if the tunnel is down, it's permitted to bypass to get the tunnel back up, so the added dnscrypt layer means that ATT sees very, very little in the way of live DNS requests from me even if the tunnel is down.
by pmbell » Thu Sep 17, 2015 8:35 pm
vpnonly wrote: Hey kgc, what's the minimum number of services I have to have with Sonic to get access to your VPN? Can I cancel phone and Internet and just pay for the VPN? Or maybe I can pay for something cheap like e-mail only and keep the VPN?
Take a look at a few of the folks who provide VPN and nuffin' but VPN. My commercial provider costs me 40 bucks a year, and they just enabled payment with a gift card.

Another feature with them is that the egress IP address you get is shared - essentially, you're behind NAT on their end, so no one account is obviously generating all the traffic on their egress node. A good thing for privacy, not so much if you want to host a service accessible over VPN. Also, a bit of a PITA at times - there are plenty of black hats sharing the address space, so the egress addresses are refused service at a few sites (Craigslist for one) and do raise red flags at other sites. Plus you want to pay attention to your firewall settings on the tunnel interface.

But for the truly twitchy, you would:

Configure a forged MAC address for your laptop while you weren't on your network at home

go to starbucks and buy a gift card.

Sit down with a latte and your laptop and sign onto their network with your laptop and its shiny and disposable MAC address.

Create a throwaway email account with a service that doesn't require validation of a cell # via SMS.

Sign up for a year of service using that email account as the place to have your credentials sent and the gift card you just paid cash for to pay the bill.

Get your credential and test your setup.

Disconnect and let your MAC address return to default - and never check that email address again, except from a public hotspot.

Go home and configure your router to use your fairly anonymous account. (the fake MAC address at Starbucks is easy; spoofing the MAC on your router will probably be a little harder.)

Basically, with no billing information on your account beyond a disposable email address, you become a chore to track down by IP address. By metadata, not very hard - email correspondent pools, mail servers connected to, typical time of day activity - you're very trackable to an outfit with the right tools to do it.

Fortunately, here in the land of the free we have No Such Agency.
by vpnonly » Thu Sep 17, 2015 8:46 pm
I do know about VPN only providers. I'll even venture a guess that the provider you're talking about with the gift card payment method is PIA. Ironically, I also happen to know nothing about VPN providers when it comes to trustworthiness. All you have is a company name. Who actually owns those companies? Are the companies publicly traded? Who works for them? How long have they been in business?

I'm not doing anything illegal; nor are my activities interesting enough to warrant government attention. I know my options and I want to use Sonic's VPN service if possible. Even though service to my area is absolutely atrocious, privacy is one thing Sonic gets right. My question stands.
by pmbell » Fri Sep 18, 2015 12:02 am
fair enough - I really like having the billing link severed. fact is, they're in the US and since they're still in business they probably are feeding the plaintext as a sidestream to the feds, wittingly or not. nothing I do online is anything I'd expect to make it worth anyone's while to admit that level of access. the best of these outfits I've run across is one that a lot of folks got very annoyed by when they put up a notice to their customers that due to node abuse they were going to run a packet capture and punt a user who was making a lot of trouble.

I think that's a better approach than pia takes, claiming that they have no means to look at their network.
by kgc » Fri Sep 18, 2015 11:07 am
Just to throw it out there, we're seeing a substantial amount of abuse sourcing from PIA's NAT pools. In particular, lots of compromised hosts running spambots.
Kelsey Cummings
System Architect, Sonic.net, Inc.