I've been using this method to access the Internet from China with better success than paid VPN solutions. So simple, and I can debug it myself! Hint: if things are mysteriously hanging, add `-vvv` to turn on super verbose logging: `ssh -vvvfND localport user@vps`
I gave up using SOCKS, and now just use SSH to map a local port to a remote squid3 instance. This way my DNS queries are done on the VPS, and aren't subject to interference by my ISP.
For that, you need to change your routing table so that anything destined for 0.0.0.0 goes through the tunnel.
This is basically what sshuttle does.
One downside is that SSH tunnels can only forward TCP, not UDP, traffic. sshuttle adds special handling for DNS (which is UDP) but any other UDP communication will not work.
For $20 LESS per year than this "poor man's VPN", I can get an actual VPN that I don't have to maintain, has multiple world-wide POPs, and doesn't log customer usage: https://www.privateinternetaccess.com
You can get a low-end VPS for even less if you look at some VPS companies special offers, like $15/year for 1GB RAM, 20GB disk, 1TB transfer/month. Yes, low-end and most likely overbooked servers, but still decent enough for a proxy.
You don't need so much RAM for a VPN server with a few users. You can get by with 128MB (or even less if you're ruthless), and get such servers for $7.50-$15.00 per year.
Does PrivateInternetAccess being located in the US have any impact on the security of their service? They are heavily promoted and that makes me skeptical of their motivations.
My understanding is that, in some ways, it gives them an advantage since many countries in the EU and elsewhere have mandatory data retention laws. The US does not.
They also go out of their way to accept anonymous payment sources, something most VPN providers don't bother with.
It's hard to truly compare, but I started from VPN review sites and just disqualified most of the sites that seemed to care more about torrenting than about privacy, and of the remaining ones I went with the one with the best reviews and official policies.
We built an incredibly easy single click OpenVPN setup tool for DigitalOcean and Rackspace during Sochi: http://www.tinfoilsecurity.com/vpn
Enter API key creds, it makes the box for you, sets it up, and hands you a config you can use for your client of choice. (The script is open source for those of you that don't want to enter creds - we don't store them, and actually remove access whenever we can; for example, we delete our own SSH key from DO because they let us).
Works great. :) We give you, at the end, a config file you can use for your OpenVPN client of choice. We like Viscosity on Win/Mac: https://www.sparklabs.com/viscosity/
I started using TunnelBlick before I had heard of Viscosity. The UI isn't great but it was easy enough to install and configure.
I will check out Viscosity, as I don't particularly like having to use the config files directly each time I want to make a small change. Do you know whether the performance (throughput, latency) differs between the two?
Always wonder how come tinc is not as popular as other VPN solutions. Peer to peer network routing via tun/tap interfaces, all traffic encrypted, each host has a public/private key pair.
I have been using it to build a VPN network with cheap VPSes from different providers and found it really reliable and easy to set up. Besides that, I once used it to watch some South Park in the UK and it also worked wonders, no need to even set up a proxy, just route your traffic through the interface.
I can't comment on the protocol, but tinc is very easy to set up. You just need to generate pub/priv keys and then add your routes in /etc/tinc/vpn/tinc-up. We're running it in production with ~30 nodes worldwide and using puppet to dynamically add/remove nodes on the fly.
What is great is it's able to re-route around any peering issues suffered by local ISPs. Say you have three nodes in the US, UK, JP and your JP ISP loses routing to your US ISP. If both can still route to the UK then tinc will automatically keep traffic flowing.
Of course if you manage to get a template setup it is easy.
But now that I haven't set up tinc for a while I have no idea how to do it again and the examples are horrible.
Every node needs to have a copy of every other node's configuration file and it is annoying to add a file to N servers when you are adding the N+1th server.
For the setup I will say it is on the same level of difficulty as it would be to set up iptables and routes manually. Yes, tinc does not abstract any of these things from you. But if you know what you are doing (not saying I always know what I am doing) it can be a powerful tool to build the exact network you want without any provider lock-in.
Now, I must agree on that, it might not be a friendly solution for dead easy routing to an exit node as a proxy with dns-tunneling built in. I just wanted to know why tinc does not get enough love, and you answered accordingly. But if you are building a serious network I do think tinc hits the sweet spot between being easy and allowing for any network you can think of without being tied to a particular server provider that might offer private IPs.
As for the configuration I use git, which makes it super easy to set up the N+1th server. None of the private keys are committed to the repo, of course. My infrastructure is not that big so I am still doing some things by hand, but it should be easy to automate some parts by using git hooks + puppet|ansible|chef.
About the protocol I do not understand why it would be a problem, other than not being ssh or the possibility of being filtered over the network. Don't most VPN solutions have their own protocol?
Like everyone else here, I've been using ssh -D. Which is awesome especially because I have my hosts organized into my ~/.ssh/config file, so if I need a connection in the USA, I'll just type "ssh -D 4444 us".
If anyone needs some of the advanced features provided by OpenVPN, I can suggest this script: https://github.com/Nyr/openvpn-install
I've successfully used it to install OpenVPN several times, and it's mostly effortless.
As for the VPSes, I can suggest http://lowendspirit.com/, awesome owner and can't beat the 3€/year (yes, year) price. You don't get a public dedicated IPv4, but if you need only a VPN then it's not really needed.
You can actually specify the -D in your .ssh/config with "DynamicForward 1234". Now whenever you connect, it'll also open up a proxy to which you can optionally connect.
Another neat trick is having a wildcard for a host to set global options, like compression.
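The two comments above rely on how ssh reads `~/.ssh/config`, and the detail that bites people is ordering: ssh takes the first value it obtains for each option, so a wildcard `Host *` block of global options (compression, keepalives) must come after the per-host blocks or it silently overrides them. The script below is an added example, not code from the thread: a small resolver that applies that rule to a constructed config (the `*.vps.example` hostnames and ports are placeholders) and shows the difference between putting `Host *` last and first.

```python
"""Resolve the effective ssh_config options for a host alias the way ssh does.

Added example, not from the thread. The config text is constructed; the
hostnames are placeholders. Rule demonstrated: ssh reads the file top to
bottom and the FIRST value obtained for an option wins, so a `Host *` block
of global defaults (compression and the like) has to come LAST.
"""
import fnmatch
import re

SAMPLE_CONFIG = """\
# constructed sample: per-host proxies first, global defaults last
Host us
    HostName us.vps.example
    User alice
    DynamicForward 4444

Host jp
    HostName jp.vps.example
    User alice
    DynamicForward 4445
    Compression no

Host *
    Compression yes
    ServerAliveInterval 30
    User fallback
"""

# Same options with the wildcard block first: its values now shadow the per-host ones.
MISORDERED_CONFIG = """\
Host *
    Compression yes
    User fallback

Host us
    HostName us.vps.example
    User alice
    DynamicForward 4444
"""


def parse_ssh_config(text: str) -> list:
    """Return [(host_patterns, {option: value}), ...] in file order.
    Options before any Host line belong to an implicit `Host *` block."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # a repeated key inside one block: first wins
    blocks.append((patterns, opts))
    return blocks


def host_matches(alias: str, patterns: list) -> bool:
    """ssh pattern semantics: `*` and `?` wildcards, `!pat` negates, any positive
    match wins unless a negated pattern matches (fnmatch is a close stand-in)."""
    if any(fnmatch.fnmatchcase(alias, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(alias, p) for p in patterns if not p.startswith("!"))


def effective_options(text: str, alias: str) -> dict:
    """First obtained value wins across blocks; `Match` directives are not handled."""
    result = {}
    for patterns, opts in parse_ssh_config(text):
        if host_matches(alias, patterns):
            for key, value in opts.items():
                result.setdefault(key, value)
    return result


def dynamic_forward_port(text: str, alias: str):
    """The local SOCKS port `ssh <alias>` will open, or None if none is configured."""
    value = effective_options(text, alias).get("dynamicforward")
    return int(value.rsplit(":", 1)[-1]) if value else None  # allows [bind_address:]port


if __name__ == "__main__":
    for alias in ("us", "jp"):
        print(alias, effective_options(SAMPLE_CONFIG, alias))
    print("misordered:", effective_options(MISORDERED_CONFIG, "us"))
```

With `SAMPLE_CONFIG`, `us` gets `User alice` and the global `Compression yes`, while `jp` keeps its own `Compression no`; with `MISORDERED_CONFIG` the same alias ends up as `User fallback` because the wildcard block was read first. The real client shows its own view of this with `ssh -G us` (OpenSSH 6.8 and later), which is the quickest way to confirm which block a setting came from.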
OpenVPN is nice too and will work on the same cheap VPS. They have a command line version, and a paid product, Connect, which has a web UI for configuration.
It's free for a low number of users, though. And it also has clients for Android.
I find that I get better speeds through OVPN than through an SSH tunnel. YMMV :)
OpenVPN defaults to tunneling over UDP, but optionally supports TCP. SSH is always over TCP. Here's a bit of info from the man page [1] for anyone who's curious:
"OpenVPN is designed to operate optimally over UDP, but TCP capability is provided for situations where UDP cannot be used. In comparison with UDP, TCP will usually be somewhat less efficient and less robust when used over unreliable or congested networks."
SoftEther is really simple to configure and works very well using normal VPN clients, which is easier for non-tech friends/colleagues to access vs SSH.
+1 to SoftEther. I've been using it as a replacement for Hamachi (which recently went pay-only), allowing my godsons to log into my Minecraft server. I have it set up with a server running on a DigitalOcean VPS and the bridge to my internal network running on a Raspberry Pi.
This sort of VPN is useful for getting around filtering and blockades but is not good for deniability. Tor and/or a commercial VPN that doesn't keep logs is for being more anonymous.
Well, the commercial VPN may or may not log traffic, so let's say it's 50/50.
Your VPS, on the other hand, is your VPS. If the police come to your server, the company has no reason to hide who you are. That's 0% deniability, they'll come straight to you as the owner of the server. You'll then have to prove somehow it wasn't you (and you were, so it's a tough one). At the very least you'll get lawyers involved.
Like probably_wrong said. If you own the VPS and only your traffic goes through it, your deniability is pretty low. All the traffic emanating from the node is still "you", only translated.
They don't need logs on the box to track the activity of the box.
I have used both techniques discussed, mostly for being able to download stuff I purchased on iTunes while being overseas.
I thought this would be an article about setting up PPTP and/or OpenVPN on a low end VPS. For anyone doing this for the first time, these shell scripts may be helpful:
ssh -D localport -fN user@vps
Then for chrome/chromium:
chromium --proxy-server="socks5://localhost:localport"
If you need multiple instances running different proxy connections use different data directories like:
chromium --user-data-dir="other-dir" --proxy-server="socks5://localhost:localport"
Edit: sshuttle covers more than port forwarding but the article was geared at browsing the web through a vps hence my comment.
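Two points in this thread come down to one detail of the SOCKS5 protocol: the remark near the top that doing DNS on the VPS keeps the ISP out of name resolution, and the `ssh -D` plus Chromium recipe just above. Whether a DNS query leaks to the local resolver depends on whether the client puts the hostname (address type 0x03) or an already-resolved IP into its CONNECT request. The script below is an added example, not code from the thread or from OpenSSH: it encodes and decodes that request, decodes reply codes (the first thing to look at when a connection "mysteriously hangs"), and checks that a local port really answers the SOCKS5 greeting before a browser is pointed at it. The fake listener is a constructed stand-in for `ssh -D` so that everything runs offline; `example.com` and `93.184.216.34` are just sample values.

```python
"""SOCKS5 CONNECT on the wire: the ATYP byte decides who resolves the name.

Added example, not code from the thread. It assumes a SOCKS5 proxy that
offers the "no authentication" method, which is what `ssh -D` provides.
"""
import ipaddress
import socket
import struct
import threading

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH = 0x00

REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def connect_request(target: str, port: int) -> bytes:
    """Encode a CONNECT. A hostname is sent as ATYP 0x03 and the proxy end
    (the VPS) resolves it; an IP literal means the lookup already happened
    on this side, i.e. the DNS query went to the local resolver."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    head = struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0x00)  # VER CMD RSV
    return head + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> dict:
    """Decode a CONNECT request and report whether the proxy does the DNS lookup."""
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        target = data[5:end].decode("idna")
    elif atyp == ATYP_IPV4:
        end, target = 8, str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_IPV6:
        end, target = 20, str(ipaddress.IPv6Address(data[4:20]))
    else:
        raise ValueError("unknown address type")
    (dst_port,) = struct.unpack("!H", data[end:end + 2])
    return {"target": target, "port": dst_port, "proxy_resolves": atyp == ATYP_DOMAIN}


def parse_reply(data: bytes) -> tuple:
    """Return (code, text) from a SOCKS5 reply; a non-zero code explains a hang."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return data[1], REPLY_TEXT.get(data[1], "unassigned")


def socks5_ready(host: str, port: int, timeout: float = 3.0) -> bool:
    """Check before pointing a browser at the tunnel: the port must not just
    accept TCP, the far end must answer the greeting and pick 'no auth'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))  # VER NMETHODS METHODS
            resp = s.recv(2)
    except OSError:
        return False
    return resp == bytes([SOCKS_VERSION, NO_AUTH])


def fake_socks5_listener() -> int:
    """Constructed stand-in for `ssh -D`, used only to exercise socks5_ready()
    offline: serves one client, answers the greeting with 'no auth', then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(3)
            conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for req in (connect_request("example.com", 443), connect_request("93.184.216.34", 443)):
        print(req.hex(), parse_connect_request(req))
    print("tunnel ready:", socks5_ready("127.0.0.1", fake_socks5_listener()))
```

Chromium sends the hostname to a `socks5://` proxy, so with the recipe above the lookup happens on the VPS; curl needs `socks5h://` rather than `socks5://` for the same behaviour, and Firefox needs `network.proxy.socks_remote_dns` set to true, otherwise the request carries a pre-resolved IP and the DNS query still goes out locally. OpenSSH's built-in SOCKS server implements only CONNECT, so there is no UDP ASSOCIATE; that is the protocol-level side of the UDP limitation noted earlier in the thread.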