
Don't Get Pwned on Public WiFi: Use Your Own VPN - bensedat
https://www.tinfoilsecurity.com/blog/dont-get-pwned-on-public-wifi-use-your-own-vpn-tutorial-guide-how-to
======
chrismonsanto
I use a VPN for much of my private traffic. Here is where I differ from the
article's recommendations, and why:

- I don't recommend rolling your own on EC2: pick a VPN with a good
reputation and a policy of not retaining logs. See:
[http://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/](http://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/)
(you don't have to use torrents to need a VPN, btw!!)

- I recommend using a Debian VM w/ OpenVPN for your private traffic. That
way, 'am I using my VM?' is a quick test for whether your traffic is private
or public.

- I can't stress this enough: _be sure to firewall your VM from any traffic
not to your VPN provider_. **If OpenVPN drops its connection, it will fall back
to sending packets normally!** At least if you firewall, your connection will
just die, instead of potentially sending private traffic in the clear. The
article doesn't mention this, and it should.

- Be sure not to log in to your usual services on your VPN, or there is a
possibility that someone can connect your real traffic and your VPN traffic. I
use LastPass with random passwords to manage all of my accounts, so I solve
this problem by simply not installing LastPass on my VM, which makes logging
in a very deliberate action on my VM.

~~~
sillysaurus2
How do you firewall your connection from any traffic not to your VPN provider?

~~~
chrismonsanto
On Linux, I use a shell script like this:

    
    
    #!/bin/bash
    # Allow-list egress: anything that is not loopback, the LAN, the tunnel
    # itself or a VPN endpoint is dropped, so a fallen tunnel fails closed.
    set -eu

    # VPN endpoints as IP addresses, not hostnames: once the DROP rule is
    # in place there is no DNS left to resolve them with.
    servers=( ip1 ip2 ip3 ... )

    # Can fwd over internal network
    iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

    # Can fwd over loopback
    iptables -A OUTPUT -o lo -j ACCEPT

    # Can fwd over the tunnel
    iptables -A OUTPUT -o tun0 -j ACCEPT

    # Can send packets to VPN
    for server in "${servers[@]}"; do
       echo "Installing rules for $server"
       iptables -A OUTPUT -d "$server" -j ACCEPT
    done

    # Otherwise drop
    iptables -A OUTPUT -j DROP
    

Use it with a package like iptables-persistent so you don't have to run this
every time at boot.
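As an added example (not chrismonsanto's script and not from the article), the following POSIX sh version builds the same allow-list from the OpenVPN client config instead of a hand-maintained IP list, and narrows each endpoint rule to the protocol and port named on the `remote` line. The config text, the 203.0.113.x addresses (documentation range) and the name vpn.example.invalid are constructed for the demo; nothing is applied, the rules are printed so they can be reviewed first.

```sh
#!/bin/sh
# Added example: derive kill-switch rules for the OUTPUT chain from an OpenVPN
# client config. Only loopback, the tunnel interface, the LAN and the exact
# VPN endpoints (address, protocol, port) are allowed out; everything else is
# dropped. The iptables commands are printed, not executed.
set -eu

# Constructed sample client config (not from the article); 203.0.113.0/24 is
# documentation address space and vpn.example.invalid a placeholder hostname.
SAMPLE_OVPN='client
dev tun
proto udp
remote 203.0.113.10 1194
remote 203.0.113.11 443 tcp-client
remote vpn.example.invalid 1194
remote-random
'

# emit_killswitch TUNDEV CONFIG_TEXT
# Prints one iptables command per line to stdout.
emit_killswitch() {
  tun=$1
  conf=$2
  # Protocol used when a `remote` line names none (OpenVPN default: udp).
  default_proto=$(printf '%s\n' "$conf" | awk '$1 == "proto" { print $2; exit }')
  [ -n "$default_proto" ] || default_proto=udp

  printf 'iptables -A OUTPUT -o lo -j ACCEPT\n'
  printf 'iptables -A OUTPUT -o %s -j ACCEPT\n' "$tun"
  printf 'iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT\n'

  printf '%s\n' "$conf" | awk -v dp="$default_proto" '
    $1 == "remote" {
      host = $2
      port = ($3 != "") ? $3 : 1194
      proto = ($4 != "") ? $4 : dp
      sub(/-.*$/, "", proto)      # tcp-client -> tcp
      sub(/[46]$/, "", proto)     # udp4 / tcp6 -> udp / tcp
      # After the final DROP there is no DNS, so a hostname cannot be
      # resolved when the client reconnects: insist on literal addresses.
      if (host !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
        print "# WARNING: " host " is a hostname; replace it with its IP address(es) before applying"
        next
      }
      printf "iptables -A OUTPUT -p %s -d %s --dport %s -j ACCEPT\n", proto, host, port
    }'

  printf 'iptables -A OUTPUT -j DROP\n'
}

# Demo run against the constructed config; prints the rules, applies nothing.
emit_killswitch tun0 "$SAMPLE_OVPN"
```

Once the printed rules look right, pipe the output into `sudo sh`; the same set needs an `ip6tables` twin, or IPv6 traffic walks straight past the IPv4 DROP. Persist the result with iptables-persistent as described above.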

~~~
nly
You can do this without IPtables, just make wlan0/eth0 the host route for
$server and then make the default gateway the tunnel interface. Decent OpenVPN
clients do this by default.

------
davepeck
Hi folks. I'm one of the three guys who runs Cloak
([https://www.getcloak.com/](https://www.getcloak.com/)).

Cloak is a super simple VPN where both the back-end service and front-end apps
are tightly integrated. (We think of it as the "Dropbox of VPNs" in the sense
that, like Dropbox, it's so easy to use.)

Basically, it's the VPN service+applications I wanted for myself when I
started looking around and couldn't find anything (1) easy enough and (2) non-
sketchy. Right now Cloak supports OS X (10.7+) and iOS (6+). We've been around
for a while and I know there are a number of happy customers here on HN.

In any case, please let me know if you have any questions, and please do give
it a spin. Cheers!

(EDIT for clarity, and because X of Y descriptions are not always loved.)

~~~
computer
The "Dropbox of VPNs"? What does that even mean?

~~~
davepeck
We think Dropbox is great because it's so easy to use and "just works". We
designed Cloak with that thought in mind.

~~~
chrischen
While Dropbox is simple to use, it's hardly the first thing that comes to mind
when you make a comparison to Dropbox. I'd change that phrase because it's
very confusing.

------
Scramblejams
Good writeup, but why does this piece recommend running the VPN over TCP?
Tunneling TCP over TCP, which will be the end result, is known to provide
terrible performance in the presence of even minor packet loss.

~~~
bensedat
Good point! I made the change when using the VPN at DefCon but haven't updated
the post. I'll do that now.

~~~
Scramblejams
Cool. I was looking around a few weeks ago for a good howto on setting up an
OpenVPN server, but didn't find anything straightforward enough for the time
constraints I was under. Thanks for writing this up, it'll come in handy for
me.

------
Nux
I too use (open)vpn for 99% of my traffic because _terrorism_ etc.

I can't recommend it enough, the damn thing is super stable and secure, works
via NAT via NAT via NAT etc and super flexible (push routes, push dns, proxy
and other settings), works in routed mode, bridged mode and so on.

I recommend you get a server or a VPS somewhere "nearby" and install openvpn
software on that.

I can't trust VPN providers that they do not monitor or log my traffic and
neither should you.

------
beagle3
Much more practical on Linux/OSX:
[https://github.com/apenwarr/sshuttle](https://github.com/apenwarr/sshuttle)

No root/admin privileges required on your "VPN server" - just the ability to
ssh. It solves the tcp-over-tcp issue. It just works.

It only does TCP (with a specific hack for DNS, but no general UDP or IP). But
it works exceptionally well, and just needs an sshable account on the server.

~~~
newman314
While possible, using ssh on iOS as a tunnel is a giant pain and it times out
after 10mins. PPTP is not an option and there is precious little info out
there about properly setting up roadwarrior IPSec in a relatively easy manner.

~~~
btgeekboy
So then why not use OpenVPN?

------
mapgrep
Does anyone know why this is better than a simple SOCKS proxy, which can be
set up with one SSH command to your VPS and a quick visit to your system
settings?

I use sheepsafe to pull these up automatically when I'm away from a trusted
network
[https://github.com/nicksieger/sheepsafe](https://github.com/nicksieger/sheepsafe)

~~~
bensedat
This answer possibly explains some of the differences between the two:
[http://superuser.com/a/423615](http://superuser.com/a/423615)

~~~
mapgrep
Ah thanks. The TLDR seems to be "VPN can handle UDP and other non TCP
connections, e.g. for YouTube".

------
dotBen
For this audience, one would assume this isn't anything new.

The next level of 'detail'/risk to consider here is the fact that so many
apps, and even browsers, will bind to the "on connection" event of connecting
to a wifi hotspot - before you can initiate your VPN your twitter client* has
already sent your authenticated token over the wire, etc.

I've tried to hack something together with iptables but that doesn't work
either in airports/etc where there are splash screens to negotiate, etc.

(* = yes, you could use a better client, but then the reason we need VPNs in
the first place is that so many apps and sites don't use https)

~~~
mitchty
A lame workaround would be to close all apps prior to putting your laptop to
sleep, then engaging the vpn and only afterwards restarting the apps.

Shouldn't be too big of a deal now that tabs/sessions are mostly saved in
chrome/firefox no? And well not like losing your twitter credentials is a big
deal anyway. (i'm not a huge twitter fan btw :D)

------
spindritf
Ironically, Ghostery prevents the article from being displayed and there are
nine trackers detected on that page.

~~~
pokoleo
Ironically, Ghostery is owned by Evidon who sells GhostRank data to
businesses.

~~~
pyrocat
Can you expand on this? I use Ghostery all the time. What exactly is being
sold to businesses?

~~~
pokoleo
The wikipedia article[1] of Ghostery gives a quick & fast overview of what
they do. MIT Technology review posted[2]:

> Evidon sells two main services based on the data it collects. One allows
> website operators to see which tracking code, from which companies, is
> active on their site and how it affects the speed with which its pages load.
> The other provides ad companies with figures on how common the tracking code
> from different companies is around the Web.

[1]
[https://en.wikipedia.org/wiki/Ghostery#History_and_use](https://en.wikipedia.org/wiki/Ghostery#History_and_use)

[2] [http://m.technologyreview.com/news/516156/a-popular-ad-blocker-also-helps-the-ad-industry/](http://m.technologyreview.com/news/516156/a-popular-ad-blocker-also-helps-the-ad-industry/)

~~~
fixanoid
Sadly, that article is full of shit. And I'll edit our entry later to remove
the Criticism, which is only partly correct.

GhostRank is explicitly for collecting tracker information, and in no way does
it allow an advertiser (tho most of the customers are publishers) to somehow
improve their targeting.

This article explains what GhostRank does and what it's for:
[http://purplebox.ghostery.com/?p=1016023438](http://purplebox.ghostery.com/?p=1016023438)

------
ef4
If you're planning to run a VPN server on Amazon EC2, be forewarned that lots
of sites are going to block you. For example, Yelp, Craigslist, the
StackOverflow family, Hulu, and Bank of America.

~~~
skrebbel
Any idea why they do that?

~~~
borski
Because often, EC2 is used by spammers, botnets, and the like. Turns out when
you make starting a box really simple, evildoers will use your service as
well. Craigslist & Co. dislike EC2 in general, for that reason.

------
post_break
The easiest defense against a pineapple is to create a wifi network titled
"Pineapple Connected ALERT ALERT" or something similar to that. No security,
no keys, and set it to your highest priority of networks to connect to if you
have automatic joining enabled.

As someone who has used these lovely devices to prank others it's a good idea
to do so.

~~~
dotBen
I'm confused, does the Pineapple device create an additional SSID called this?
Sorry, not familiar with the devices.

~~~
post_break
Your computer asks "Hey is ____ SSID available?" and pineapple says "Yep!
That's me!" Now your computer connects to the pineapple.

Well if you set the "Pineapple detected" SSID in your computer as the top
priority, you'll connect to that when the pineapple is around. You're just
putting in a dummy network on your computer to warn you that you've just
joined the network f*&%ville, and you're not the mayor.

~~~
dotBen
Oh I see.

So anyone running a pineapple should alter the code not to respond to any SSID
client probe containing the string "pineapple" and just wait for the next
probe, and latch on to that as that will result in the MITM'ing of a high-
value target.

------
smtddr
[https://github.com/apenwarr/sshuttle](https://github.com/apenwarr/sshuttle)

Easy solution and system-wide, if your OS supports it and you can ssh to a
trusted server. My personal plan-B tool when a simple ssh -D and firefox's
socks-proxy isn't enough.

(BTW, why doesn't Chrome have socks-proxy like Firefox yet?)

------
mef
If you run a Linode, they have similar instructions for each of their Linux
images:

[https://library.linode.com/networking/openvpn/ubuntu-10.04-l...](https://library.linode.com/networking/openvpn/ubuntu-10.04-lucid)

------
rmrfrmrf
If you have a decent internet connection at home with reliable uptime, you can
also just set up a VPN at home and connect that way. My router comes with
OpenVPN on it, so I don't even need to have extra hardware running.

------
Wicher
I like Tinc VPN ([http://www.tinc-vpn.org/](http://www.tinc-vpn.org/)). It's
multiplatform and open source, just as OpenVPN is, but I prefer it for its
simplicity and its mesh feature. It doesn't try to do too much (which means
you'll have to set up routes yourself).

See [http://www.tinc-vpn.org/documentation-1.1/tinc_4.html#How-connections-work](http://www.tinc-vpn.org/documentation-1.1/tinc_4.html#How-connections-work)
to get an idea of the mesh feature.

------
gurbelmann
Of course, you have a problem when the owner of the wifi explicitly prevents
anonymisation services.

For example, when I was at Birmingham airport, I couldn't connect to my VPN
because they blocked domains of well-known VPN providers and even hijacked all
my DNS requests so I couldn't circumvent it so easily.

I guess running your own local DNS server which has your typical requests
cached would solve this problem though.

~~~
borski
Well, if you're running your own on, say, an EC2 or Rackspace or DigitalOcean
droplet, they likely won't have it blocked.

------
newman314
I'm still looking for a good config for a racoon roadwarrior config to a VM
behind dd-wrt (as dd-wrt does not come with IPSec support).

Amazingly, there is very little information about this despite what would seem
to be a pretty common desired config. Or maybe my google-fu just sucks.

At this point, I can get a tunnel established but it fails to correctly route
after the tunnel is set up. Frustrating.

------
nly
The article doesn't mention IPv6 where things can be a bit more tricky. The
Android clients don't let you use TAP (layer 2 tunneling), so if you're going
to be accessing your VPN from an Android device you'll have to configure IPv6
NAT, or hack around with scripts to add IPv6 addresses dynamically.

------
mhurron
You know what would be great - The ability to do this automatically,
especially on Android.

I would love to see the ability to specify 'safe' or 'trusted' WiFi networks
and if you connect to a network other than these, the VPN gets initialized and
used.

Setup on the phone is once and usage of the VPN happens automatically after
that.
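For the Linux laptop side of what mhurron asks for, and for post_break's canary-SSID trick, here is an added example (not from the thread, and not from Cloak or any other product mentioned in it) of a NetworkManager dispatcher script. NetworkManager calls it with the interface and the action; on a Wi-Fi `up` event it starts a saved VPN profile unless the network is both on a short allow-list and encrypted, and if the decoy SSID is joined it logs an alert and disconnects. The SSID list, the profile name `my-openvpn` and the canary name are assumptions to edit for your own machine.

```sh
#!/bin/sh
# Added example: /etc/NetworkManager/dispatcher.d/50-auto-vpn (root-owned, mode 0755).
# NetworkManager invokes dispatcher scripts as: <script> <interface> <action>,
# with the active profile's UUID in $CONNECTION_UUID. On a Wi-Fi "up" event
# this starts a saved VPN profile unless the network is trusted, and treats
# the decoy "canary" SSID as a sign of a rogue access point.
set -eu

# --- site settings (assumptions; edit for your machine) ---
TRUSTED_SSIDS="home office"                       # space-separated allow-list
VPN_CONNECTION="my-openvpn"                       # name of a saved NM VPN profile
CANARY_SSID="Pineapple Connected ALERT ALERT"     # decoy network that never really exists

# needs_vpn SSID KEYMGMT TRUSTED_LIST
# Returns 0 (true) when the VPN must be started: unknown SSID, or an open
# network. An open network is never trusted even under a familiar name, since
# any access point can announce any SSID; a WPA network cannot complete the
# handshake without the real key, so name plus encryption is the test.
needs_vpn() {
  ssid=$1
  keymgmt=$2
  trusted=$3
  [ -n "$ssid" ] || return 0
  case "$keymgmt" in
    ""|none) return 0 ;;
  esac
  for t in $trusted; do
    if [ "$t" = "$ssid" ]; then
      return 1
    fi
  done
  return 0
}

# is_canary SSID CANARY -> 0 when the decoy SSID was joined
is_canary() {
  [ "$1" = "$2" ]
}

# handle_event IFACE ACTION: the dispatcher entry point
handle_event() {
  iface=$1
  action=$2
  [ "$action" = up ] || return 0
  [ -d "/sys/class/net/$iface/wireless" ] || return 0     # Wi-Fi interfaces only

  ssid=$(iw dev "$iface" link 2>/dev/null | sed -n 's/^[[:space:]]*SSID: //p')
  keymgmt=$(nmcli -g 802-11-wireless-security.key-mgmt \
              connection show "${CONNECTION_UUID:-}" 2>/dev/null || true)

  if is_canary "$ssid" "$CANARY_SSID"; then
    logger -p auth.alert -t auto-vpn "joined canary SSID on $iface: rogue AP likely, disconnecting"
    nmcli device disconnect "$iface"
    return 0
  fi
  if needs_vpn "$ssid" "$keymgmt" "$TRUSTED_SSIDS"; then
    logger -t auto-vpn "untrusted network '$ssid' on $iface: starting $VPN_CONNECTION"
    nmcli connection up id "$VPN_CONNECTION"
  fi
}

# Only act when NetworkManager invokes us with <interface> <action>.
if [ "$#" -ge 2 ]; then
  handle_event "$1" "$2"
fi
```

Create the decoy with `nmcli connection add type wifi ifname '*' con-name canary ssid 'Pineapple Connected ALERT ALERT'` (no security, so it stays an open network) and then `nmcli connection modify canary connection.autoconnect-priority 100 802-11-wireless.hidden yes`. The hidden flag matters: wpa_supplicant only sends probe requests naming a specific SSID for profiles marked hidden, and a directed probe is exactly what a Karma-style access point answers, so without it the canary is never offered. Two caveats the thread already raises still apply: there is a window between link-up and vpn-up in which clients that fire on connect (dotBen's point) have already talked, which only the OUTPUT-chain kill switch earlier in the thread closes; and an attacker who reads this thread can simply decline to answer probes for the canary name.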

------
theandrewbailey
I like to use an SSH SOCKS proxy to my home server. It didn't seem to be as
much work to set up as this.

------
chakalakasp
BTW, for what it's worth, the (very inexpensive) Synology NAS models out there
will all act as an openvpn server. It requires a bit of tweaking to get it to
work the way you'd expect, but it's nothing beyond what the typical reader
here can do.

------
slig
Anyone have experience setting up a VPN on a Raspberry Pi?

I'm guessing that it would cost less than $5/month on energy and I have one
sitting on a drawer.

Also, I don't live in the US and proxying all my data through the US and back
would introduce unwanted lag.

~~~
alexchamberlain
Grab a Kimsufi dedicated machine in France! Only £3 a month.

~~~
slig
Well, I'm not in Europe and VPNs/dedicated servers in my country are a tad
expensive.

------
car54whereareu
Once your vpn is established do you post to HN, inject SQL, download torrents,
or is there something else exciting to do? I'm not in a fraternity (or
sorority) so that's out.

------
archagon
If you're too cheap to shell out money for a VPN, proXPN has a limited free
tier. I've been using it for banking while travelling and it works great!

------
michaelwww
Somebody could probably sell me a solution that does all this automatically
without distracting me from what I'm supposed to be thinking about.

------
ihaveaq
I have a Chromebook (whose security is limited to HTTPS Everywhere, which
doesn't lock much at all). How do I set up a VPN for it?

~~~
bensedat
Looks like Chromebooks may support it right out of the box:
[https://support.google.com/chromeos/answer/1282338](https://support.google.com/chromeos/answer/1282338)

~~~
thomc
But their OpenVPN support is awful and limited, unless you enable developer
mode and set it up manually. Prevents Chromebooks from using VPN in our
office.

------
scotty79
I wonder why this is so convoluted. NAT used to be like that but for a long
time now it's just `apt-get install ipmasq`

------
molecule
subscribing to a VPN provider is typically easier, cheaper and provides more
options than rolling your own on EC2

[http://netforbeginners.about.com/od/readerpicks/tp/The-Best-VPN-Service-Providers.htm](http://netforbeginners.about.com/od/readerpicks/tp/The-Best-VPN-Service-Providers.htm)

~~~
bensedat
Definitely true that cheaper is definitely possible, but a DigitalOcean
droplet or an EC2 micro can be pretty cheap and you don't have to worry about
the other VPN clients as much.

~~~
joelhaasnoot
It is hell though - recently setup this on a droplet, but getting all the
settings right and diagnosed on Ubuntu and some Ubuntu and Android clients was
complicated. It never seems to work the first time...

~~~
spindritf
L2TP/IPsec is hell. OpenVPN is not more difficult to set up than a web server.
Of course, you need L2TP if you want to use the built-in clients on Android,
iPhone, Windows...

~~~
bensedat
Yeah, mobile support was a bit tricky to set up for us as well, but we managed
it with just OpenVPN. The OpenVPN app for iPhone at least was able to be
configured without too much headache, although it only supports a subset of
the OpenVPN options. It should be compatible with the config in the article.

~~~
joelhaasnoot
For Android, there's an OpenVPN app too - it uses the very handy and neat
Android VPN API and besides needing certificates in the right format (not the
text versions), it works well.

------
holri
I am using a NoMachine NX remote session to my server through ssh for this
purpose.

