

Secure your browsing using a home VPN - cek
http://sriramk.com/blog/2011/08/ddwrt-pptp-vpn.html

======
davepeck
Shameless plug: my new app and service, Cloak (<https://www.getcloak.com/>),
is a zero-hassle VPN. It's currently in beta for OS X.

I'd love feedback from the HN community!

Grab the app, enter your Cloak credentials, and you're done. If Cloak sees
you're on a password-less wireless network, it automatically activates.
Cloak's servers are cloud-hosted; the client selects the back-end server that
will give the lowest latency. Under the hood, Cloak for OSX is built on
industry-standard OpenVPN.

I expect Cloak will exit beta when the iPhone/iPad client is finished,
probably in early September. But if you'd like to try it sooner, drop me a
line [davepeck at getcloak dot com] and I'll send you a special HN invite
code. Cheers!

~~~
coderrr
Another shameless plug here... We provide a cheap ($39.95/year) unmetered VPN
service at <https://www.privateinternetaccess.com>

We support all devices (OpenVPN, PPTP, IPSEC/L2TP) and have servers in US
west/midwest/east, UK, and Switzerland.

~~~
nodata
What is your logging policy?

~~~
coderrr
We don't keep any logs.

~~~
St-Clock
Hum, I see this on your privacy policy page:

INFO WE COLLECT

From Clients of our Service

Date and time you connect/disconnect to/from the service. Source IP you use to
connect to the service. Bandwidth usage E-mail provided by Paypal. Paypal
payment data.

And then this:

DISCLOSURE

If under subpoena, PrivateInternetAccess.com may release data in order to
comply with legal obligations or in order to enforce the
PrivateInternetAccess.com Terms of Service and/or other agreements.

PrivateInternetAccess.com may release data in order to protect the rights,
property and/or safety of PrivateInternetAccess.com, its constituents, and/or
other visitors and clients.

~~~
coderrr
That's correct, we log connections TO our VPN but log absolutely nothing in
terms of traffic sent THROUGH the VPN. So whatever you do while connected is
not logged and therefore un-subpoena-able.

------
iuguy
From TFA:

> Here’s why I picked PPTP and I believe using it with very long
> passwords/passphrases is acceptable.

Bear in mind that the author is looking to use this in open hotspots such as
coffee shops etc. I would not advise that people implement this.

As the author points out, there are a number of vulnerabilities in PPTP, the
most serious of which is that the initiation protocol is susceptible to an
offline brute force attack using tools like asleap[1].

To be clear, the attacker does not need a rogue access point, nor association
with an access point for this to work. They can just passively sniff away,
then at some point later go through the pcaps, crack it offline and do what
they want. There's an episode of Hak5[2] covering this as well as this useful,
straight-to-the-point video of asleap and THC pptp-bruter[3].

[1] <http://www.willhackforsushi.com/Asleap.html>
[2] <http://revision3.com/hak5/asleap>
[3] <http://blip.tv/g0tmi1k/cracking-vpns-asleap-and-thc-pptp-bruter-3375795>

The solution is to use L2TP and IPSec if you can and aren't jailbreaking, or
to use a TLS VPN if you have jailbroken or don't have iDevices.

~~~
sriramk
Author here. Like I said in the post, the third constraint I had was something
that would work with DD-WRT - and that doesn't support L2TP. Thanks for the
bit on the offline cracking though.

~~~
iuguy
No worries, I understand your reasons for choosing PPTP, but I thought it
important to highlight the consequences.

It is clear you have put a lot of effort into it though and it's more well
written than a lot of guides I've seen, hence my interest in the first place!

------
SageRaven
I've got 3 low quality VPSs, priced from $0.99 to $2.50 per month, that I
picked up on a whim over the years from deals posted to
<http://www.lowendbox.com> (no affiliation). On one server, I have squid
running and bound to localhost. On my machine, I have autossh set up to
maintain a constant port-forwarding connection established (via port 443 for
maximum firewall/filter accessibility) with the squid server. I have my local
web browsers proxying over that connection.

So I'm pretty safe from snooping by my employer, home ISP, or whatever 133t
hackers are sniffing traffic at McDonald's when I'm browsing and sipping a
coffee.

It's not the most elegant solution, but it does the trick. I suppose some day
I'll mess around with OpenVPN (which I have deployed before, and do really
like), but only when I'm bored or otherwise have nothing else better to do
with my time.
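The setup described in this comment (autossh keeping a port forward over 443 to a squid that only listens on localhost) is easy to get subtly wrong: if squid ends up bound to all interfaces, the VPS becomes an open proxy. The script below is an added example, not SageRaven's or the blog's code. The VPS hostname, ports and the `ss -ltn` listings are constructed placeholders.

```shell
#!/bin/sh
# Added example: autossh port forward to a localhost-bound squid, plus a check
# that squid really is bound to loopback only. All hosts/ports are placeholders.

PROXY_HOST="vps.example.net"   # placeholder: the VPS running squid
SSH_PORT=443                   # sshd on 443, as in the comment, to pass restrictive firewalls
LOCAL_PORT=3128                # local end of the forward; browsers proxy to 127.0.0.1:3128
SQUID_PORT=3128                # squid on the VPS, expected on 127.0.0.1 only

# Build the autossh command line.
# -M 0 turns off autossh's own monitor port and relies on sshd keepalives;
# ExitOnForwardFailure makes a failed -L forward fatal, so the browser can't
# silently fall back to an unproxied direct connection.
tunnel_cmd() {
    printf 'autossh -M 0 -N -p %s -L 127.0.0.1:%s:127.0.0.1:%s -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes %s\n' \
        "$SSH_PORT" "$LOCAL_PORT" "$SQUID_PORT" "$PROXY_HOST"
}

# Read an `ss -ltn` listing on stdin and return 0 only if every listener on
# the given port is on 127.0.0.1 or [::1]. Run on the VPS after starting squid:
#   ss -ltn | proxy_is_localhost_only 3128
proxy_is_localhost_only() {
    awk -v port="$1" '
        NR > 1 {
            n = split($4, a, ":")          # $4 is Local Address:Port
            if (a[n] != port) next
            found = 1
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { if (found && !bad) exit 0; exit 1 }'
}

# Constructed sample listings (what `ss -ltn` prints on the VPS).
GOOD_LISTING='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3128      0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*'

BAD_LISTING='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:3128        0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*'

main() {
    echo "tunnel command: $(tunnel_cmd)"
    if printf '%s\n' "$GOOD_LISTING" | proxy_is_localhost_only "$SQUID_PORT"; then
        echo "good listing: squid bound to loopback only"
    fi
    if ! printf '%s\n' "$BAD_LISTING" | proxy_is_localhost_only "$SQUID_PORT"; then
        echo "bad listing: squid reachable on all interfaces (open proxy risk)"
    fi
}

main
```

The same idea works with `ssh -D 1080` instead of `-L`, which gives a local SOCKS proxy without needing squid on the VPS at all; the loopback-binding check then applies to the local `-D` listener rather than to squid.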

~~~
coderrr
Just fyi, all your non-HTTP Flash traffic (Flash sockets) is probably not
being proxied at all. Even if you have a SOCKS proxy set in the browser.

The easiest way around this is VPN, but you can also do crazier stuff like use
ProxyCap (for windows or OSX) or iptables redirect/transocks setup in Linux:
<http://coderrr.wordpress.com/2009/07/29/how-to-force-flash-or-any-program-to-use-a-socks-proxy-using-transocks-and-iptables-in-linux/>

~~~
tuomasb
Linux has tsocks and proxychains which override the connect() method with an
LD_PRELOAD library and force traffic to go through a socks proxy. Easier than
iptables since at least proxychains can be installed with apt-get on
Ubuntu (don't know about other OSes).

~~~
coderrr
Only problem with the LD_PRELOAD method is that it doesn't work for all (many)
apps. I believe one case it breaks for is non-blocking connect()s, not sure if
there are others. Although the iptables setup is a lot more complicated it
pretty much works for everything.

~~~
keeperofdakeys
An example I have found is rtorrent. There is also
<https://github.com/apenwarr/sshuttle>, which looks promising, but I haven't
used it. My vps provider doesn't provide tap for openvpn to work.
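Whichever redirection method is used (browser proxy setting, LD_PRELOAD, iptables), the way to know whether an application is actually bypassing the proxy, as coderrr warns Flash sockets do, is to look at the socket table: every established connection should go either to the local proxy or to the tunnel endpoint itself. The script below is an added example, not from any commenter; the `ss -tnp` listing, the VPS address and the ports are constructed placeholders, and `ss -p` needs Linux and enough privilege to show process names.

```shell
#!/bin/sh
# Added example: find established TCP connections that bypass the proxy.
# Everything here (addresses, ports, the sample listing) is constructed.

TUNNEL_PEER="203.0.113.5:443"   # placeholder: the VPS sshd the tunnel talks to
LOCAL_PROXY="127.0.0.1:3128"    # placeholder: the local proxy end (squid forward or ssh -D)

# Read an `ss -tnp` listing on stdin; print "process -> peer" for every
# established connection whose peer is neither the tunnel nor the local proxy.
# Returns 1 if any such bypass exists, 0 otherwise. Typical use:
#   ss -tnp | find_proxy_bypass "$TUNNEL_PEER" "$LOCAL_PROXY"
find_proxy_bypass() {
    awk -v tunnel="$1" -v proxy="$2" '
        NR > 1 && $1 == "ESTAB" {
            peer = $5                               # Peer Address:Port
            if (peer == tunnel || peer == proxy) next
            proc = $6                               # users:(("name",pid=N,fd=M))
            sub(/^users:\(\("/, "", proc)
            sub(/".*/, "", proc)
            if (proc == "") proc = "unknown"        # no -p, or not permitted
            printf "%s -> %s\n", proc, peer
            leaks++
        }
        END { if (leaks) exit 1; exit 0 }'
}

# Constructed sample: the ssh tunnel, the browser talking to the local proxy,
# and a plugin process that opened its own socket straight to the internet.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      192.168.1.10:51234  203.0.113.5:443    users:(("ssh",pid=1200,fd=3))
ESTAB  0      0      127.0.0.1:51240     127.0.0.1:3128     users:(("firefox",pid=1300,fd=55))
ESTAB  0      0      192.168.1.10:51250  198.51.100.7:1935  users:(("plugin-container",pid=1310,fd=40))'

main() {
    if printf '%s\n' "$SAMPLE_SS" | find_proxy_bypass "$TUNNEL_PEER" "$LOCAL_PROXY"; then
        echo "no connections bypass the proxy"
    else
        echo "above connections bypass the proxy; consider iptables REDIRECT or a VPN"
    fi
}

main
```

On a real system, run the check while the application in question is active; a UDP-based protocol would need `ss -unp` and the same logic, since neither an HTTP proxy setting nor an SSH tunnel carries UDP.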

------
bahman2000
For the other 50% of smartphone users that are on Android (as per this
<http://news.ycombinator.com/item?id=2855717>): you can use OpenVPN and
certificate authentication, Cyanogenmod supports it _natively_. Tunnelblick is
the OSX client of choice for OpenVPN.

------
evilswan
For the same use-case, a very quick howto on a disposable EC2 proxy for coffee
shop browsing...

<http://flatterline.com/index.php/2009/04/23/disposable-proxy-for-secure-coffee-shop-browsing/>

~~~
ben1040
I use this, but it can be a little annoying now that some sites like
StackExchange block EC2 netblocks (I guess because they have lots of juicy
content ripe for scraping). Yelp is another one that comes to mind that does
this as well.

~~~
ldar15
What??? For real? Fuck. I was going to set up an EC2 vpn endpoint this very
day.

~~~
ben1040
Yep. Some more discussion here:

<http://news.ycombinator.com/item?id=2441535>

It sucks, but I can see the reason why they just blanket block EC2 rather than
trying to find any more nuanced way to identify scrapers.

If I were running scraping bots on EC2, rate-limiting me isn't a real threat
since the instant I get throttled for misuse I can just destroy the instance,
start up a brand new one on a different IP address, and continue as I was
before.

------
preinheimer
If you'd rather not have to mess around with stuff, and have $5 to spare, we
can help: <https://wonderproxy.com/signup/vpn>

It was a huge pain in the neck to get native support on Mac & various windows
flavours. But our normal clients needed a good solution for testing flash &
silverlight apps.

~~~
aquark
I was contemplating setting up a VPS for this, but a turn key solution at
$5/month would be much better.

Can you comment on how you can offer 100GB/month VPN for $5 but the basic
proxy plan is 2GB/month for $20? What use case does the proxy plan meet over
the VPN other than more server locations?

~~~
preinheimer
The VPN locations are places with easy access to cheap bandwidth, the Proxy
plan includes locations like South Africa, Colombia, and New Zealand where the
cost of maintaining a presence is significantly higher. We're considering
including the VPN locations (London, San Antonio) in the Proxy plan free of
charge.

------
sriramk
And Linode has an outage in their datacenter which has brought down my site.
Nice timing, Linode.

------
hoag
If you want a fast, free, easy-to-use VPN, just get AnchorFree's HotSpot
Shield. Most downloaded free VPN in the world. AnchorFree's CEO was also
selected as one of Inc's 30 Under 30 this year.

DISCLAIMER: AnchorFree's CEO is one of my dearest of friends for nearly 12
years, but that's not why I'm promoting HotSpot Shield here. It just really is
that good, and I use it all the time on public hotspots.

------
mikeflynn
I've been traveling abroad and set up a VPN on a Linode box for some basic
security and to bounce through the US for things like Netflix and Hulu. If
nothing else this post's comments have unveiled some good turnkey VPN
solutions, so thanks!

------
micmcg
So even after reading the article, I'm unsure if its an appropriate set up for
me. I just want a way to access my NAS at home from my iphone (mainly just web
traffic). I'm not worried about securing my traffic from a public hotspot
because I almost never use them. I just want to be able to connect over 3G or
from my work wifi. Is PPTP still a high risk with a long passphrase? Or is the
risk related to connecting to the VPN from an unsecured network? Also I should
mention that I have a DD-WRT capable router, and I don't want to have another
machine running just for VPN purposes. Thanks

------
sigil
Also worth noting: the typical 4MB WRT54G router doesn't have enough room for
OpenVPN if you use the stock OpenWRT images.

I've got a stripped down .config and image that does include OpenVPN, if
anyone's interested.

------
lylejohnson
I have noticed that I'm sometimes unable to connect to my VPN from, for
example, the wireless network of a hotel I'm staying at. Has anyone else run
into this issue and is there a straightforward workaround?

------
peterbotond
The simplest and pretty easy to do is an ssh tunnel to the trusty home machine
running vncserver, and then vncviewer into it via the tunnel. VPN is too heavy
for home. And the home machine does not even need to run a full blown xserver,
i.e. no video card needed.

------
windexh8er
So VPN by someone who knows nothing about security. Fail.

~~~
pnathan
Why don't you update your comment with a detailed breakdown of why it's so
fail?

~~~
windexh8er
Anybody still implementing PPTP deserves the insecurities that are inherent. A
much more elegant, and secure, solution would just be tunneling via SSH
dynamically. It's easy to do, requires no setup and if done right (i.e. certs
for auth) it is a more maintainable solution. I generally use IPsec - because
it is still by far the most secure of the VPN solutions with platform
interop today. Setting up and maintaining an IPsec tunnel for the masses is
not trivial unfortunately - which is why I'd recommend SSH or potentially
OpenVPN (which has nice IPv6 support).

The author of the article on how to implement references the below...

<http://www.schneier.com/pptp-faq.html>

...I think there's plenty there to dissuade you. Would you build your webapp on
a framework that stores user credentials in plaintext as a feature? No. Enough
said.

Why go through the trouble of implementing something that's known broken?
_sigh_

------
Legion
Contrary to the article's assertion, OpenVPN is _not_ natively supported by
iOS.

~~~
cromulent
"If you’re ok with not being able to use this from non-jailbroken iOS devices,
you should use OpenVPN instead of PPTP as I do so below"

I had to read it three times, but you are both in agreement.

~~~
Legion
The post was edited after I posted. Guess I have to start Pinboard-ing
everything I respond to now.

~~~
sriramk
I couldn't let that awful phrasing stand :)

