[ale] OT have some questions about vpn security

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Sun Jul 14 15:36:58 EDT 2013


Hi all,

Here's some followup info.  I found out that these vpn tunnel timeouts are happening even at home.  This is new behavior that didn't used to happen as far as I know.  Looking at the open vpn control screen on android, and the raw stats screen, I see the keepalive_timeout increment upwards when the system disconnects.  It appears that the connection drops if it hasn't received a packet in 40 seconds.  Then, it immediately reconnects.  It happens no matter which port and protocol I use.  Anybody know what that's all about?

I could try tinkering with the router, but I wouldn't be able to do that in B&N or starbucks.  I'd like to solve the problem from the client end.  The open vpn client menu options don't appear to allow any control over this.  I really need the tunnel to stay connected if possible.

Any help is appreciated.

Sincerely,

Ron



JD <jdp at algoloma.com> wrote:

>Inline.
>
>On 07/14/2013 01:53 AM, Ron Frazier (ALE) wrote:
>> Hi JD,
>> 
>> I think hotspotvpn is a good vendor.  I've been with them for several years, and always like to turn on a vpn when I'm away from the house.  They support port 443, tcp; port 443, udp; port 53, tcp; and port 53, udp.  I think they can do PPTP but I always use the Open Vpn setup.  They have a few exit points here in the states and some others in other countries.  Their staff is minimal and pretty much works only by email as far as I know.  But, it works.  Their website is at hotspotvpn.com.
>
>Those are all the ports that basically can't be blocked and still allow people on the internet.  Even if a proxy server is involved, VPNs can work.
>
>Knowing a vendor only comes from their actions that we learn about. If we never hear they are cooperating with entities we'd rather they didn't, there is little chance of discovery.  I'd rather hear them refuse stock law enforcement requests and demand a court order for all access. Is that their method of operation?
>
>Not using PPTP for anything seems smart.
>
>> Using the tunnel via udp is supposed to be faster, when you can use it.  I suppose, if there is lots of interference on the network, tcp might be faster.
>
>I'd never heard that. I'd always assumed that UDP was faster and since the tunneled packets already have TCP overhead, any lost packets would cause a retransmit request to the source.  Double overhead with tcp/tcp just doesn't make sense, but if there isn't any other choice ... something is better than nothing.
>
>> My main objective is to get the in the clear data away from the hotspot.  My email and my https traffic (like banking) has its own ssl encryption anyway regardless of the tunnel, so I'm not too worried about what the vendor might see.
>
>I think a vendor being paid a fair price for their services is the ideal VPN provider. This should prevent a conflict of interest with customer happiness being the primary goal for the company.
>
><snip>
>
>> In regards to what was working and B&N, it wasn't working well, with the frequent disconnections.  But, I was able to establish the tunnel via either 443 udp or 443 tcp.  I don't think I tried 53.  The android Open Vpn client has an option to disallow internet access while the client is paused or connecting.  This eliminates in the clear traffic unless the system just gives up completely or you cancel it.  I think it did just give up once, but I had it working intermittently most of the time.
>> 
>> I was at office max the other day and couldn't get it to work at all.  I don't know why.
>
>If UDP is blocked, it won't work on UDP.
>
>> I've been considering upgrading my vpn solution so I can encrypt all 5 pc's from home, just because I can, in light of the NSA stuff.  Not sure I want to pay 5X the monthly fee though.  I'm not sure if anyone allows simultaneous logins and I'd have to research that.  Sure, NSA can still monitor choke points, but at least Comcast couldn't monitor everything I do.
>
>You know, routers will do this and you can specify certain subnets to be routed through a VPN and others are not. This handles the entire network. I've seen how-to guides on the internet.
>
>Researchers have been working on determining the type of traffic inside tunnels.  Seems there are specific patterns to the traffic. They can't see the exact content of the traffic of course.
>
>I believe that HTTPS has been hacked through different techniques involving DNS, CA corruption, or just having governments demand that CAs create certs with the desired credentials to enable proxies or spoofing of websites. For online purchases, I don't worry about it.
>
>We often forget that if DNS is compromised, **NOTHING** on the network can be trusted and we've already lost the war.  Using a VPN with non-public keys and IP-based connections (not DNS/hostname) should mitigate any remote network tampering.
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>http://mail.ale.org/mailman/listinfo/ale
>See JOBS, ANNOUNCE and SCHOOLS lists at
>http://mail.ale.org/mailman/listinfo


--

Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity if I'm typing on the touch screen.

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com
Litecoin: LZzAJu9rZEWzALxDhAHnWLRvybVAVgwTh3
Bitcoin: 15s3aLVsxm8EuQvT8gUDw3RWqvuY9hPGUU



