[ale] OT have some questions about vpn security

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Sun Jul 14 01:53:34 EDT 2013


Hi JD,

I think hotspotvpn is a good vendor.  I've been with them for several years, and always like to turn on a vpn when I'm away from the house.  They support port 443, tcp; port 443, udp; port 53, tcp; and port 53, udp.  I think they can do PPTP but I always use the Open Vpn setup.  They have a few exit points here in the states and some others in other countries.  Their staff is minimal and pretty much works only by email as far as I know.  But, it works.  Their website is at hotspotvpn.com.

Using the tunnel via udp is supposed to be faster, when you can use it.  I suppose, if there is lots of interference on the network, tcp might be faster.

My main objective is to get the in the clear data away from the hotspot.  My email and my https traffic (like banking) has its own ssl encryption anyway regardless of the tunnel, so I'm not too worried about what the vendor might see.

Another one that sounds good that's been advertising on the TWIT network ( twit.tv ) is proxpn.com.  They're a bit cheaper and have phone support.  You can get discount codes on some of the twit podcasts to save 20% for the life of the account I think.  They have a free option with reduced bandwidth.  One feature they rave about if you pay for service is not keeping server logs but 2 weeks.  I haven't personally used this one though.

In regards to what was working and B&N, it wasn't working well, with the frequent disconnections.  But, I was able to establish the tunnel via either 443 udp or 443 tcp.  I don't think I tried 53.  The android Open Vpn client has an option to disallow internet access while the client is paused or connecting.  This eliminates in the clear traffic unless the system just gives up completely or you cancel it.  I think it did just give up once, but I had it working intermittently most of the time.

I was at office max the other day and couldn't get it to work at all.  I don't know why.

I've been considering upgrading my vpn solution so I can encrypt all 5 pc's from home, just because I can, in light of the NSA stuff.  Not sure I want to pay 5X the monthly fee though.  I'm not sure if anyone allows simultaneous logins and I'd have to research that.  Sure, NSA can still monitor choke points, but at least Comcast couldn't monitor everything I do.

Sincerely,

Ron




JD <jdp at algoloma.com> wrote:

>On 07/13/2013 04:59 PM, Ron Frazier (ALE) wrote:
>> I'm using port 443 via udp on the vpn.  I notice that it disconnects
>> and reconnects every few minutes.
>
>Without talking to the network designer or deployment engineer, I don't
>think you'll ever get a specific answer for your question.  I find it
>likely that they have a connection timeout for all traffic - udp and tcp,
>just to keep the firewall state table from becoming too large.
>
>It is good to know that udp is allowed. I wouldn't have expected that at
>all. I would expect only TCP on well-known ports to be allowed and a
>transparent proxy to provide all DNS ... so that udp need only be allowed
>from that single machine, not all clients.  There are lots of different
>security architectures.  Finding an open internet access point outside a
>home environment is getting harder and harder in my experience.
>
>I suppose that you really trust the HotSpotVPN-2 guys, since you let all
>your non-SSL traffic exit from their systems.  I send all my traffic to
>my home network, since I'm basically forced to trust the ISP. Brian Krebs
>had an interesting article a few days ago about being secure online ...
>or was it Bruce Schneier's blog?  One of those 2 - with lots of
>suggestions from "experts" on how to accomplish it.  I think a journalist
>asked the question.
>
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>http://mail.ale.org/mailman/listinfo/ale
>See JOBS, ANNOUNCE and SCHOOLS lists at
>http://mail.ale.org/mailman/listinfo


--

Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity if I'm typing on the touch screen.

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com
Litecoin: LZzAJu9rZEWzALxDhAHnWLRvybVAVgwTh3
Bitcoin: 15s3aLVsxm8EuQvT8gUDw3RWqvuY9hPGUU
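The client-side OpenVPN settings this thread circles around (port 443 or 53 over udp with tcp as a fallback, reconnects every few minutes that look like a firewall state-table idle timeout, and keeping traffic off the hotspot while the tunnel is down) fit in one profile. The profile below is an added example for this archive page, not part of either message and not HotSpotVPN's or proxPN's own configuration; the hostname `vpn.example.invalid`, the certificate and `ta.key` file names, and the cipher/HMAC choices are placeholders, and the `remote host port proto` form assumes OpenVPN 2.3 or later.

```conf
# Added example profile (not from the thread). vpn.example.invalid and the
# file names below are placeholders; adjust them to the provider's values.
client
dev tun
nobind
resolv-retry infinite

# Try the ports the provider exposes. udp first (the faster path when the
# hotspot passes it), tcp/443 last for networks that only let through what
# looks like HTTPS. remote-random spreads reconnects across the list.
remote-random
<connection>
remote vpn.example.invalid 443 udp
explicit-exit-notify 2
</connection>
<connection>
remote vpn.example.invalid 53 udp
explicit-exit-notify 2
</connection>
<connection>
remote vpn.example.invalid 443 tcp
</connection>

# Ping the server every 10 s and restart the link if nothing is heard for
# 60 s. The pings also refresh the hotspot's NAT/firewall state entry, which
# is the fix if the drops really are an idle-timeout as JD suggests.
keepalive 10 60

# Keep the tun device, routes and keys across a restart, so packets bound
# for the tunnel are held rather than routed in the clear through the
# hotspot while the client is reconnecting. (The Android client's "block
# traffic while paused/connecting" option covers the same gap there.)
persist-tun
persist-key

# Check that the peer presents a server certificate from the provider's CA,
# so another client cert from the same CA cannot impersonate the exit node.
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
# Assumed: provider ships a static HMAC key; client uses direction 1.
tls-auth ta.key 1

# Assumed cipher and HMAC; these must match the provider's server config.
cipher AES-256-CBC
auth SHA256

verb 3
```

`keepalive` here only sets the client's own ping and ping-restart timers; a server that pushes its own values overrides them. The three `<connection>` blocks are tried in random order on every reconnect, so if udp/443 is what the hotspot keeps timing out, the client will eventually settle on tcp/443 without you swapping profiles by hand.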



