<p dir="ltr">Change keep alive to 20 secs or use an ssh session inside the VPN tunnel. Then keep alive is settable.</p>
<div class="gmail_quote">On Jul 14, 2013 3:39 PM, "Ron Frazier (ALE)" <<a href="mailto:atllinuxenthinfo@techstarship.com">atllinuxenthinfo@techstarship.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all,<br>
<br>
Here's some followup info. I found out that these vpn tunnel timeouts are happening even at home. This is new behavior that didn't used to happen as far as I know. Looking at the open vpn control screen on android, and the raw stats screen, I see the keepalive_timeout increment upwards when the system disconnects. It appears that the connection drops if it hasn't received a packet in 40 seconds. Then, it immediately reconnects. It happens no matter which port and protocol I use. Anybody know what that's all about?<br>
<br>
I could try tinkering with the router, but I wouldn't be able to do that in B&N or starbucks. I'd like to solve the problem from the client end. The open vpn client menu options don't appear to allow any control over this. I really need the tunnel to stay connected if possible.<br>
<br>
Any help is appreciated.<br>
<br>
Sincerely,<br>
<br>
Ron<br>
<br>
<br>
<br>
JD <<a href="mailto:jdp@algoloma.com">jdp@algoloma.com</a>> wrote:<br>
<br>
>Inline.<br>
><br>
>On 07/14/2013 01:53 AM, Ron Frazier (ALE) wrote:<br>
>> Hi JD,<br>
>><br>
>> I think hotspotvpn is a good vendor. I've been with them for several years, and always like to turn on a vpn when I'm away from the house. They support port 443, tcp; port 443, udp; port 53, tcp; and port 53, udp. I think they can do PPTP but I always use the Open Vpn setup. They have a few exit points here in the states and some others in other countries. Their staff is minimal and pretty much works only by email as far as I know. But, it works. Their website is at <a href="http://hotspotvpn.com" target="_blank">hotspotvpn.com</a>.<br>
><br>
>Those are all the ports that basically can't be blocked and still allow people on the internet. Even if a proxy server is involved, VPNs can work.<br>
><br>
>Knowing a vendor only comes from their actions that we learn about. If we never hear they are cooperating with entities we'd rather they didn't, there is little chance of discovery. I'd rather hear them refuse stock law enforcement requests and demand a court order for all access. Is that their method of operation?<br>
><br>
>Not using PPTP for anything seems smart.<br>
><br>
>> Using the tunnel via udp is supposed to be faster, when you can use it. I suppose, if there is lots of interference on the network, tcp might be faster.<br>
><br>
>I'd never heard that. I'd always assumed that UDP was faster and since the tunneled packets already have TCP overhead, any lost packets would cause a retransmit request to the source. Double overhead with tcp/tcp just doesn't make sense, but if there isn't any other choice ... something is better than nothing.<br>
><br>
>> My main objective is to get the in the clear data away from the hotspot. My email and my https traffic (like banking) has its own ssl encryption anyway regardless of the tunnel, so I'm not too worried about what the vendor might see.<br>
><br>
>I think a vendor being paid a fair price for their services is the ideal VPN provider. This should prevent a conflict of interest with customer happiness being the primary goal for the company.<br>
><br>
><snip><br>
><br>
>> In regards to what was working and B&N, it wasn't working well, with the frequent disconnections. But, I was able to establish the tunnel via either 443 udp or 443 tcp. I don't think I tried 53. The android Open Vpn client has an option to disallow internet access while the client is paused or connecting. This eliminates in the clear traffic unless the system just gives up completely or you cancel it. I think it did just give up once, but I had it working intermittently most of the time.<br>
>><br>
>> I was at office max the other day and couldn't get it to work at all. I don't know why.<br>
><br>
>If UDP is blocked, it won't work on UDP.<br>
><br>
>> I've been considering upgrading my vpn solution so I can encrypt all 5 pc's from home, just because I can, in light of the NSA stuff. Not sure I want to pay 5X the monthly fee though. I'm not sure if anyone allows simultaneous logins and I'd have to research that. Sure, NSA can still monitor choke points, but at least Comcast couldn't monitor everything I do.<br>
><br>
>You know, routers will do this and you can specify certain subnets to be routed through a VPN and others are not. This handles the entire network. I've seen how-to guides on the internet.<br>
><br>
>Researchers have been working on determining the type of traffic inside tunnels. Seems there are specific patterns to the traffic. They can't see the exact content of the traffic of course.<br>
><br>
>I believe that HTTPS has been hacked through different techniques involving DNS, CA corruption, or just having governments demand that CAs create certs with the desired credentials to enable proxies or spoofing of websites. For online purchases, I don't worry about it.<br>
><br>
>We often forget that if DNS is compromised, **NOTHING** on the network can be trusted and we've already lost the war. Using a VPN with non-public keys and IP-based connections (not DNS/hostname) should mitigate any remote network tampering.<br>
>_______________________________________________<br>
>Ale mailing list<br>
><a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
><a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>See JOBS, ANNOUNCE and SCHOOLS lists at<br>
><a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br>
<br>
--<br>
<br>
Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.<br>
Please excuse my potential brevity if I'm typing on the touch screen.<br>
<br>
(PS - If you email me and don't get a quick response, you might want to<br>
call on the phone. I get about 300 emails per day from alternate energy<br>
mailing lists and such. I don't always see new email messages very quickly.)<br>
<br>
Ron Frazier<br>
<a href="tel:770-205-9422" value="+17702059422">770-205-9422</a> (O) Leave a message.<br>
linuxdude AT <a href="http://techstarship.com" target="_blank">techstarship.com</a><br>
Litecoin: LZzAJu9rZEWzALxDhAHnWLRvybVAVgwTh3<br>
Bitcoin: 15s3aLVsxm8EuQvT8gUDw3RWqvuY9hPGUU<br>
<br>
<br>
</blockquote></div>
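<p>As an added example for the keepalive advice above (not code from the thread or from OpenVPN), this Python script expands OpenVPN's <code>keepalive n m</code> shorthand the way the OpenVPN manual documents it and flags a client config whose ping interval is too close to its ping-restart timeout; the sample configs, the 40 s window and the two-pings-per-window threshold are constructed assumptions.</p>

```python
# Added example (not from the thread or from OpenVPN): expand OpenVPN's
# "keepalive n m" shorthand as the manual documents it and flag a client whose
# ping interval is too close to its ping-restart timeout.
# Assumed threshold: at least two pings per restart window, so that a single
# lost packet cannot by itself tear the tunnel down.
MIN_PINGS_PER_WINDOW = 2


def parse_keepalive(config_text, role="client"):
    """Return (ping, ping_restart) seconds as OpenVPN applies them for `role`.
    "keepalive n m": server side ping n / ping-restart 2*m, and it pushes
    ping n / ping-restart m to clients; client side ping n / ping-restart m.
    Later explicit ping / ping-restart lines override it (last one wins)."""
    ping = ping_restart = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "keepalive" and len(parts) == 3:
            n, m = int(parts[1]), int(parts[2])
            ping, ping_restart = n, (2 * m if role == "server" else m)
        elif parts[0] == "ping" and len(parts) == 2:
            ping = int(parts[1])
        elif parts[0] == "ping-restart" and len(parts) == 2:
            ping_restart = int(parts[1])
    return ping, ping_restart


def diagnose(config_text, role="client"):
    """One-line verdict on whether silence on the link will restart the tunnel."""
    ping, ping_restart = parse_keepalive(config_text, role)
    if ping_restart is None:
        return "ok: no ping-restart, so an idle link is never torn down"
    if ping is None:
        return f"risk: ping-restart {ping_restart}s but no ping, idle link restarts"
    if ping * MIN_PINGS_PER_WINDOW > ping_restart:
        return f"risk: ping {ping}s gives <{MIN_PINGS_PER_WINDOW} pings per {ping_restart}s window"
    return f"ok: ping {ping}s, ping-restart {ping_restart}s"


# Constructed sample configs: a 40 s restart timer like the thread's stats showed,
# first with pings too sparse to keep a NAT mapping fresh, then with the 20 s fix.
WEAK_CLIENT = "client\ndev tun\nping 30\nping-restart 40\n"
FIXED_CLIENT = "client\ndev tun\nping 20\nping-restart 40\n"

if __name__ == "__main__":
    print(diagnose(WEAK_CLIENT))
    print(diagnose(FIXED_CLIENT))
```

Run it against your own client config text to see whether the pushed ping-restart window leaves room for your ping interval before the tunnel is restarted.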