
Show HN: Automatic VPN Generator – Protect Yourself at Sochi and Starbucks - borski
https://www.tinfoilsecurity.com/vpn/new
======
chrissnell
A couple of things that I'd like to see in this script:

1. Go ahead and apply all of the software updates. The RAX Ubuntu images are
behind on a lot of security updates.

       apt-get -q update        # refresh the package lists first, or upgrade sees nothing new
       apt-get -qy upgrade
       apt-get -qy dist-upgrade
       reboot                   # at the end

2. While you're at it, enable automatic security-related upgrades. It's
likely that the user of your service is less technical and not Linux-savvy.
Let's keep their cloud server from being owned.

3. Force public key auth (disable password auth) on their OpenSSH server and
(preferably) disable root logins entirely. Create a user account for them if
needed, with sudo access.

4. Set up iptables as default-deny with holes punched for OpenVPN and
OpenSSH.

5. Configure OpenSSH to listen on port 443 in addition to 22. Some hotspots
block port 22. Almost nobody blocks port 443/tcp. This is super-handy if
you're ever working from some place with a restrictive or filtering firewall.
SOCKS over SSH is awesome, especially when you're dealing with censorship or
malevolence at the DNS level. I used this technique when I was in the Army and
our Army housing had horrible DNS servers that censored a lot of legitimate
sites.

6. I would prefer you not ask for people's cloud provider API keys. This has
huge potential for abuse. Instead, give them a script that they can run on any
Mac or Linux box that takes the root password and IP and provisions their
server for them.

I suppose I should make a PR for you; maybe later this weekend.
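Steps 1 through 5 above, written out as one POSIX sh script. This is an added example, not code from the thread, from the Tinfoil script or from any pull request; it is what the hardening looks like on a fresh Ubuntu box. Assumptions that are this example's own: the admin account name `VPN_USER`, OpenVPN on UDP 1194, the tunnel interface `tun0`, an sshd_config that includes `/etc/ssh/sshd_config.d/` (Ubuntu 20.04 and later; on older releases merge the lines into sshd_config by hand), and that root's `authorized_keys` already holds the key the new account should accept. The config generators print to stdout so the result can be reviewed before `apply` writes anything; step 6 (a local provisioning script instead of API keys) is out of scope here.

```shell
#!/bin/sh
# Added example (not the thread's or Tinfoil's code): server hardening steps 1-5.
# Run `sh harden.sh` to print nothing and define the functions, or
# `sh harden.sh apply` as root to apply everything and reboot.
set -e

VPN_USER="${VPN_USER:-vpnadmin}"       # step 3: non-root admin account (assumed name)
OPENVPN_PORT="${OPENVPN_PORT:-1194}"   # step 4: OpenVPN's UDP port (assumed)
SSH_PORTS="22 443"                     # step 5: sshd listens on 22 and on 443

# Steps 3 and 5: sshd drop-in. Key-only logins, no root login, two ports.
gen_sshd_config() {
    for p in $SSH_PORTS; do printf 'Port %s\n' "$p"; done
    printf 'PubkeyAuthentication yes\n'
    printf 'PasswordAuthentication no\n'
    printf 'ChallengeResponseAuthentication no\n'
    printf 'PermitRootLogin no\n'
}

# Step 2: apt refreshes its lists and installs security updates daily
# (Ubuntu's stock 50unattended-upgrades already selects the security origin).
gen_auto_upgrades() {
    printf 'APT::Periodic::Update-Package-Lists "1";\n'
    printf 'APT::Periodic::Unattended-Upgrade "1";\n'
}

# Step 4: default-deny INPUT policy in iptables-restore format. Only loopback,
# replies to our own connections, ping, OpenVPN, the SSH ports and traffic
# from VPN clients on tun0 get in. Only the filter table is written, so the
# NAT rules the VPN setup installed are left alone.
gen_iptables_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' '-A INPUT -i tun0 -j ACCEPT'
    printf '%s\n' "-A INPUT -p udp --dport $OPENVPN_PORT -j ACCEPT"
    for p in $SSH_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Applies steps 1-5 in order; must run as root.
apply_all() {
    export DEBIAN_FRONTEND=noninteractive
    # Step 1: every pending update; the reboot comes at the very end.
    apt-get -q update
    apt-get -qy upgrade
    apt-get -qy dist-upgrade
    # Step 2
    apt-get -qy install unattended-upgrades iptables-persistent
    gen_auto_upgrades > /etc/apt/apt.conf.d/20auto-upgrades
    # Step 3: sudo-capable admin account that reuses root's authorized key.
    if ! id "$VPN_USER" >/dev/null 2>&1; then
        adduser --disabled-password --gecos '' "$VPN_USER"
        usermod -aG sudo "$VPN_USER"
        install -d -m 700 -o "$VPN_USER" -g "$VPN_USER" "/home/$VPN_USER/.ssh"
        install -m 600 -o "$VPN_USER" -g "$VPN_USER" \
            /root/.ssh/authorized_keys "/home/$VPN_USER/.ssh/authorized_keys"
        # No password was set, so let sudo work without one (or run passwd later).
        printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$VPN_USER" > "/etc/sudoers.d/$VPN_USER"
        chmod 440 "/etc/sudoers.d/$VPN_USER"
    fi
    # Steps 3 and 5: write the drop-in, then reload only if sshd accepts it,
    # so a typo cannot lock you out of the box.
    gen_sshd_config > /etc/ssh/sshd_config.d/10-hardening.conf
    sshd -t
    systemctl reload ssh
    # Step 4: load the firewall and persist it across reboots.
    gen_iptables_rules | iptables-restore
    netfilter-persistent save
    reboot
}

if [ "${1:-}" = apply ]; then apply_all; fi
```

Review the generated text first (`sh harden.sh` then call `gen_sshd_config` and `gen_iptables_rules` from an interactive shell, or just read the functions), and keep a second SSH session open while `apply` runs: the order is deliberate, the new account and its key exist before password logins are turned off, and `sshd -t` runs before the reload.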

~~~
gibbonsd1
I'd also install fail2ban. I looked at the auth logs for my DigitalOcean VM,
and it's amazing how many bots/people try to log into it, even though it
doesn't contain anything necessarily valuable.
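What fail2ban does with the auth log, reduced to a few lines of shell so you can see the signal it keys on. This is an added example, not part of the comment or of fail2ban itself; the log lines are constructed (documentation address ranges, not real attackers), and the threshold of 3 mirrors a `maxretry` setting. Real fail2ban's sshd filter also matches other failure messages (invalid user, preauth disconnects); this only counts "Failed password".

```shell
#!/bin/sh
# Added example, not from the thread: count failed sshd password attempts per
# source IP and list the ones that would be banned at a given threshold.

# Constructed sample of /var/log/auth.log (addresses from documentation ranges).
SAMPLE_AUTH_LOG='Feb  8 03:14:01 vpn sshd[2031]: Failed password for root from 203.0.113.7 port 51122 ssh2
Feb  8 03:14:03 vpn sshd[2033]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Feb  8 03:14:05 vpn sshd[2035]: Failed password for invalid user oracle from 203.0.113.7 port 51138 ssh2
Feb  8 03:14:09 vpn sshd[2040]: Failed password for root from 203.0.113.7 port 51144 ssh2
Feb  8 03:15:22 vpn sshd[2051]: Failed password for ubuntu from 198.51.100.23 port 40210 ssh2
Feb  8 03:16:40 vpn sshd[2060]: Accepted publickey for vpnadmin from 192.0.2.44 port 50022 ssh2
Feb  8 03:17:01 vpn sshd[2071]: Failed password for invalid user test from 198.51.100.23 port 40218 ssh2'

# Read auth.log lines on stdin; print "count ip" per source, busiest first.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Print the IPs whose failure count reaches the threshold (default 3),
# i.e. what fail2ban would ban with maxretry = 3 inside one findtime window.
offenders() {
    threshold="${1:-3}"
    failed_by_ip | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders 3
```

Against a real server run `offenders 3 < /var/log/auth.log`; the counts are over the whole file rather than a sliding window, which is the one thing fail2ban adds that this does not.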

~~~
j45
I've noticed the same on DO. Lots of weird proxying attempts trying to use the
webserver too.

------
KMag
The script is currently generating a 512-bit (EDIT: 2048-bit after merging my
pull request) DH modulus. DH over a finite field modulo a 512-bit prime is
weak sauce, about as hard to break as a 56-bit or 64-bit key for a symmetric
cipher.[1] You're using DH over a finite field, not ECDH.

Please upgrade your script to generate a 4096-bit DH modulus. EDIT: A 2048-bit
safe prime provides over 100 bits of security and is much faster to generate.

I'm not sure why OpenSSL hasn't upgraded their default modulus size, but to
have the same strength as a 150-bit symmetric cipher key, against the best
attack techniques 2004 had to offer, you'd need about a 4575-bit DH
modulus.[1] AES-128 is about as hard to break as a 3200-bit DH modulus given
the best techniques of 2001.[2]

EDIT: Times to generate different sized safe primes on my MBP maxing out one
core:

    512 bits  = 0.5 sec
    1024 bits = 0.8 sec
    2048 bits = 2 min
    3072 bits = more than 30 minutes
    4096 bits = more than 60 minutes

[1] [https://tools.ietf.org/html/rfc3766](https://tools.ietf.org/html/rfc3766)
(see table in section 5)

[2] [http://tools.ietf.org/html/rfc3526](http://tools.ietf.org/html/rfc3526)
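A guard a provisioning script can run so it never ships a weak DH modulus: read the size back out of the parameter file and regenerate only if it is below the floor. This is an added example, not from the thread, the pull request or the Tinfoil script. The path `/etc/openvpn/dh.pem` is an assumption, and the 2048-bit floor is the figure from the comment above (over 100 bits of security, minutes rather than an hour to generate).

```shell
#!/bin/sh
# Added example, not from the thread: refuse DH parameters below DH_MIN_BITS.
DH_MIN_BITS=2048   # floor chosen per the comment above; an assumption of this example

# Pull the modulus size out of `openssl dhparam -text` output, which contains a
# line like "    DH Parameters: (2048 bit)" (OpenSSL 1.x prefixes it with "PKCS#3 ").
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit 0 if the file's modulus meets DH_MIN_BITS, 1 otherwise; prints the size.
check_dh_file() {
    file="$1"
    bits=$(openssl dhparam -in "$file" -noout -text 2>/dev/null | dh_bits_from_text)
    if [ -z "$bits" ]; then
        echo "could not read DH parameters from $file" >&2
        return 1
    fi
    echo "$file: $bits-bit modulus"
    [ "$bits" -ge "$DH_MIN_BITS" ]
}

# Keep an adequate file; otherwise generate a fresh safe prime of DH_MIN_BITS
# bits (minutes of CPU, which is why the check runs first).
ensure_dh_params() {
    file="${1:-/etc/openvpn/dh.pem}"   # assumed path
    if check_dh_file "$file"; then
        return 0
    fi
    echo "regenerating $file with a $DH_MIN_BITS-bit safe prime" >&2
    openssl dhparam -out "$file" "$DH_MIN_BITS"
}
```

Call `ensure_dh_params /etc/openvpn/dh.pem` from the provisioning script before the server config is written; an existing 512-bit file fails the check and is replaced, a 2048-bit one is kept.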

~~~
borski
Would you mind submitting a pull request? We're happy to take a look, and if
we merge it it will update for all future VPN provisions.

That would be awesome.

------
akerl_
Need secure internet? Just drop your API key in here. Yes, I know they link to
the script, but you don't have any assurance that they're running the same
script when you give them your creds.

Promoting the use of VPNs and secure browsing habits is awesome, and I applaud
them for open sourcing the script. But asking people to trust them to do the
work negates much of the benefit they're trying to provide.

~~~
borski
We hear you. We think that getting more people using VPNs is more important,
so we made that trade-off. We built this for people who are mostly
non-technical, but we wanted to provide the script such that those who are
more technical are able to run this on their own. :)

I get that you can make the argument that we're training people to stick their
API keys in random textboxes on the internet, but we thought getting more
people on a VPN was worth the risk.

~~~
akerl_
Can you possibly link the script more prominently, with a suggestion that
folks run it themselves? I found it easily enough, but I was also browsing
with the primary intention of finding out what it was you were running on the
servers, not as someone looking to make a VPN.

~~~
borski
Pushing to production as we speak. :)

------
WizzleKake
If you just need secure browsing and you have a shell somewhere (like a VPS,
EC2 instance, a Linode, etc.) just use ssh.

ssh -D <port> user@host

Then configure your browser (I use a plugin called FoxyProxy) to use
localhost:<port> as SOCKS5 proxy.

This is also very cool:
[https://github.com/apenwarr/sshuttle](https://github.com/apenwarr/sshuttle)

Edit: I should add that I do not think your DNS requests will go over the
proxy. You might be able to configure your browser to do that. Caveat emptor.

~~~
gabemart
Am I correct in thinking that browser plugins like flash, java and silverlight
will not use the browser proxy and will leak data?

~~~
mjn
Flash will honor browser proxies for HTTP connections initiated within an app
(e.g. via getURL()), but Flash apps can also open arbitrary sockets, which go
directly. For Flash video, recent versions will first try a direct RTMP
connection, but will fall back to RTMPT (RTMP tunneled over HTTP) if that
fails, so they'll successfully go via the browser proxy if you block other
outgoing connections at your firewall.

But yes, if you allow plugins that have the ability to initiate arbitrary
connections, there's no way to guarantee they aren't making un-proxied
connections, unless you either use firewall rules to block outgoing un-proxied
connections, or you transparently proxy everything (VPN). Same as with running
arbitrary non-browser apps that might open socket connections.

------
pixelcort
If you're looking for an L2TP setup (iOS, etc), check out this script for EC2:

[http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md/](http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md/)

I'm still trying to find a VPN solution that can stream 1080p video across the
Pacific Ocean, but I still haven't been able to get something working with
enough bandwidth.

~~~
ainsleyb
That's awesome. We used OpenVPN because that's what we were familiar with, but
your L2TP script looks great. Would you mind if we tried to integrate that at
some point?

~~~
pixelcort
I didn't create it; I just linked to it, lol.

------
revelation
Note that deep packet inspection will be able to identify this as OpenVPN
traffic the way it's configured right now. You can configure OpenVPN to use a
fixed key [1] at which point the traffic is indistinguishable from random
noise and no longer has any protocol data. The big tradeoff here is that this
disables perfect forward secrecy; you can't add this as an extra layer on top.

You may also want to specify "cipher AES-256-CBC" in both client and server
config to upgrade from the default AES-128 it uses.

[1]: [https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html](https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html)
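The second suggestion as a small, idempotent config edit: set the same `cipher` line on both sides, replacing whatever is there, and verify the two files agree. This is an added example, not the commenter's code or the Tinfoil script; it keeps TLS mode (and so perfect forward secrecy) and does not touch the fixed-key option. The file names and the `CIPHER` default are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: put "cipher AES-256-CBC" in the server
# and client configs and check that they match.
CIPHER="${CIPHER:-AES-256-CBC}"   # the upgrade the comment recommends

# Print the cipher a config file currently specifies (empty if none).
configured_cipher() {
    sed -n 's/^[[:space:]]*cipher[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Replace the existing "cipher ..." directive, or append one if there is none.
# Other directives and comments are left untouched; the edit goes through a
# temp file so a failed sed never truncates the config.
set_openvpn_cipher() {
    file="$1"; cipher="${2:-$CIPHER}"
    if grep -q '^[[:space:]]*cipher[[:space:]]' "$file"; then
        sed "s/^[[:space:]]*cipher[[:space:]].*/cipher $cipher/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'cipher %s\n' "$cipher" >> "$file"
    fi
}

# Exit 0 only if both files specify a cipher and it is the same one; a
# mismatch here is the "TLS error" / "cipher mismatch" that follows a
# one-sided edit.
ciphers_match() {
    a=$(configured_cipher "$1"); b=$(configured_cipher "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Usage on a server: `set_openvpn_cipher /etc/openvpn/server.conf && set_openvpn_cipher client.ovpn && ciphers_match /etc/openvpn/server.conf client.ovpn` (paths assumed), then restart OpenVPN and redistribute the client profile. On OpenVPN 2.4 and later the peers negotiate the data-channel cipher, and 2.5 reads `data-ciphers`, with `cipher` kept as the fallback for older clients.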

~~~
borski
Would you mind making a pull request? We're happy to take a look. :)

------
jpdlla
This is awesome, but there's always something that makes me feel uneasy when
asked for API keys like this. They could probably list and delete any and all
of my droplets with that kind of credentials, couldn't they?

~~~
bensedat
Definitely agree. We hopefully answer some of those questions on our FAQ
([https://www.tinfoilsecurity.com/vpn/faq](https://www.tinfoilsecurity.com/vpn/faq)).
We also link to the script we run if you want to set it up yourself.

~~~
jpdlla
Thanks for the info! That's definitely helpful. Maybe it should be a bit more
prominent, like adding that "Why should I trust you?" section to the main page
below (or above) "What is a VPN?".

~~~
judk
On a site claiming to be about security, the FAQ should explain how and why it
works even if the user doesn't trust the server. That's the whole point.

~~~
borski
We already do?
[https://www.tinfoilsecurity.com/vpn/faq](https://www.tinfoilsecurity.com/vpn/faq)

Do we need more detail? :)

------
znowi
Good timing to piggyback on the Sochi hate. You may also like to put up this
NBC story on the site :)

 _NBC: All Visitors to Sochi Olympics Immediately Hacked_

[http://www.youtube.com/watch?v=waEeJJVZ5P8](http://www.youtube.com/watch?v=waEeJJVZ5P8)

~~~
voltagex_
It's better not to lie to people about what really happened. They were owned
because they executed mysterious applications.

------
umami
Is anyone else getting their DigitalOcean IPs banned from certain sites? I use
it as a personal VPN sometimes and lately any application hosted on Google App
Engine is inaccessible. Sometimes Gmail, Google Analytics and Google Drive are
also inaccessible.

The strange part is that the server I am using should not be sending email or
doing much really except hosting some git repos and a basic website.

~~~
bensedat
I've run into that before on VPNs using AWS. Likely the public IP my server is
using was used for abuse before I got it, especially as they usually only
stick very ephemerally unless you upgrade to an Elastic IP.

------
abuehrle
This is cool. Thanks.

The site talks about deleting or pausing servers, then going back to the
TinFoil page to start over in the future. However, it looks like DigitalOcean
charges a flat $5 per month for the lowest tier. Is there any harm in leaving
it running 24/7 and connecting when I'm in public? The most I'd be charged is
$5/month, right?

~~~
borski
There's no harm in that at all, and you're correct. But keep in mind it's
$5/mo/server at the lowest tier, so if you have multiple running
simultaneously you'll get charged more.

If you don't mind paying the $5, by all means leave it up 24/7. :)

------
btgeekboy
I've been kicking around a similar idea for some time now, only that it would
be a standalone iOS/Android app. On iOS, it'd output a .ovpn file that could
be directly loaded into the OpenVPN app and started up. I'm sure Android would
have a similar process, though I admit to not being as familiar with it.

~~~
finnn
Android is basically the same, you have a .ovpn file that gets put into the
OpenVPN app. I think you have to put it in /sdcard/openvpn/ or something, but
I'm not 100% sure.

------
ferrouswheel
What I would love is one of these that lets you chain your VPN.

E.g. I want a 10-chain VPN proxy, here are my API keys for N services, please
distribute the VPN across these.

Obviously this is a slightly different use case than just protecting against
passive monitoring, but I think it'd be cool.

------
StavrosK
Very nice! You could make the linked script a bit more prominent, but the API
key way is a good tradeoff between security and convenience. I'd still use the
script myself, but I know that most people wouldn't bother with it.

~~~
borski
We're totally OK with you using the script. :) Most people, especially those
just looking for a way to be secure without knowing anything about the command
line, are whom this tool was built for. Glad you liked it!

------
mrblues
Since the script is meant for less technical people, I would advise adding a
guide on how to use the VPN.

~~~
borski
There is one, actually, later in the process. This is intended to help you
through the process in real-time, I suppose.

------
sstanfie
New droplets are now being created in San Francisco datacenter instead of
Amsterdam.

------
dietsprite
Can you use these services' VPN (Rackspace et al) for using BitTorrent?

~~~
bensedat
This VPN won't anonymize any traffic, just encrypt the traffic between you and
the server. The Rackspace account would be tied to you, so any piracy-type
violations will go to them first, which they will pass along to you.

------
nblavoie
You're abusing your refcode in the DO link. DO prohibits this linking.

~~~
borski
We got it cleared with them first. In fact, they're the ones who told us to do
it; originally that link contained no refcode.

------
unepipe
Why not just use Sidestep?

~~~
pbhjpbhj
[http://chetansurpur.com/projects/sidestep/](http://chetansurpur.com/projects/sidestep/):

>"Sidestep is an open-source application for Mac OS X that sits quietly in the
background, protecting your security and privacy as you browse the web."

>[...]

>"When Sidestep detects you connecting to an unprotected wireless network, it
automatically encrypts all of your Internet traffic and reroutes it through a
secure connection to a server of your choosing, which acts as your Internet
proxy. And it does all this in the background so that you don’t even notice
it."

------
just3ws
Did they take the site down? The link is 404'ing.

~~~
bensedat
Sorry about that! Things should be working again now :)

~~~
just3ws
Thanks! I was able to get to it via the blog post link. Just configured my own
VPN. Been meaning to do that for a while and was already planning to use
DigitalOcean. Thanks for the bootstrapping!

~~~
just3ws
Okay, followed the script but the VPN won't connect to the internet. :( Even
blew away the first build of the VPN server and rebuilt from scratch, no dice.
:(

------
scottydelta
Isn't setting up a ssh tunnel easier?

~~~
revelation
This relies on properly configuring all relevant software to use the SSH
tunnel as a proxy. That's very difficult to do in a way that you don't end up
leaking information over the real connection.

OpenVPN works on a lower level and just tells the operating system to use it
as a gateway (as configured here) and every software will magically start
routing traffic over it. This is generally what you want for security, but can
be annoying for bandwidth or latency sensitive applications.

------
coherentpony

        ssh -D port host

------
inanov
sochi sells.

------
ekianjo
"vpns are too painful to set up for everyone else"

It's been a long time since I've seen this much bullshit. In Linux, it's as
simple as going into the VPN tab of your connections, entering your username,
password and crt file, and you are done.

~~~
xur17
They are referring to the server side of the setup process, which is painful.

~~~
kh_hk
Just use tinc

[http://www.tinc-vpn.org/](http://www.tinc-vpn.org/)

