[ale] VPN recommendations?

Alex Carver agcarver+ale at acarver.net
Fri Mar 16 14:04:58 EDT 2018


On 2018-03-16 08:44, DJ-Pfulio via Ale wrote:
> On 03/16/2018 10:32 AM, Steve Litt wrote:
>> On Fri, 16 Mar 2018 09:04:24 -0400
>> DJ-Pfulio via Ale <ale at ale.org> wrote:
>>
>>  
>>> I run my own VPN at home, for when I'm away.  It uses openvpn AES256
>>> and works just like the VPN services.  Works surprisingly well for my
>>> 15/3 slow-ass connection.
>>
>> Why wouldn't everybody do your openvpn solution for when they're on the
>> road?
> 
> I can think of a few good reasons, but mainly, you just don't want to tie your
> current location with your home location.

Depending on the application in use, your current location can be hidden
(e.g. mobile Firefox).  Your "location" ends up being the exit IP of the
VPN.  This is what I see when I'm on my phone using my VPN at home.

> 
> A few other reasons NOT:
> 
> Sometimes you might be in a location that you really don't trust - even with a
> VPN and wouldn't want to provide access to your HOME LAN for any attackers.

Easy way out for this:  Give yourself two openvpn profiles with two
static IP addresses for the tunnel (statics are easy to do as is).  Set
up iptables on the VPN server to allow Profile A unrestricted access to
your home LAN and Profile B is only allowed to reach the gateway and any
IP address on the WAN.  If you're in a scary place, log in with Profile B.

> Getting openvpn working seems to be non-trivial due to all the configuration
> options.

Most of the defaults work fine.  The only specific bits to choose are
the encryption algorithms and the key sizes.


> Perhaps the home has poor internet or poor power? Needing to use a VPN, but not
> being able to connect will likely lead to poor security choices.
> 
> Not everyone is comfortable running a server from their home. They might believe
> that the ToS from their ISP prohibits it for personal use, which I don't believe
> is the case, but everyone has to follow their conscience.  Personal use is fine,
> even for residential accounts based on conversations I've had with ISPs over the
> decades.
> 
> Not everyone wants to leave **any** computer running at home when they aren't there.

To tie two threads together I run openvpn on a Pi 2. :)  It takes about
four seconds to negotiate a connection and then it works pretty well
after that.  My ISP service isn't terribly fast in one direction so
there's some sluggishness at times but for basic browsing, email and
even VNC it works well enough.  I also have SSH on that Pi as well so I
can tunnel in via that if VPN is being slow.
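
The two-profile restriction described in the message above, sketched as an added example that is not part of the original post. It assumes the OpenVPN server is a separate box on the LAN, each profile gets its static tunnel address from a per-client `ifconfig-push` entry, and the tunnel interface is `tun0`; every address and the chain name `VPN_PROFILES` are constructed for illustration.

```shell
#!/bin/sh
# Emit an iptables-restore fragment for the two-profile setup. Nothing is applied.
# To use: gen_profile_rules ... | iptables-restore --noflush
# then hook it once: iptables -I FORWARD -i tun0 -j VPN_PROFILES
# Replies coming back from the LAN side do not enter through tun0, so they
# are left to whatever the existing FORWARD rules already do.

# Loose IPv4 sanity check: four dot-separated numeric fields, optional /prefix.
is_ipv4() {
    case "$1" in
        *[!0-9./]*|*..*|.*|*.|"") return 1 ;;
        *.*.*.*.*) return 1 ;;
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_profile_rules PROFILE_A_IP PROFILE_B_IP LAN_CIDR GATEWAY_IP
gen_profile_rules() {
    [ "$#" -eq 4 ] || { echo "usage: gen_profile_rules A_IP B_IP LAN_CIDR GW_IP" >&2; return 2; }
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 2; }
    done
    case "$1$2$4" in */*) echo "host addresses take no /prefix" >&2; return 2 ;; esac
    # Identical tunnel IPs would silently give the restricted profile full access.
    [ "$1" != "$2" ] || { echo "profiles must use different tunnel IPs" >&2; return 2; }
    a=$1 b=$2 lan=$3 gw=$4
    cat <<EOF
*filter
:VPN_PROFILES - [0:0]
# Profile A: unrestricted, including the home LAN
-A VPN_PROFILES -s $a/32 -j ACCEPT
# Profile B: the gateway is the only LAN address allowed...
-A VPN_PROFILES -s $b/32 -d $gw/32 -j ACCEPT
# ...the rest of the LAN is dropped (must follow the gateway rule)...
-A VPN_PROFILES -s $b/32 -d $lan -j DROP
# ...and everything else (WAN destinations) is forwarded
-A VPN_PROFILES -s $b/32 -j ACCEPT
# Any other tunnel source address gets nothing
-A VPN_PROFILES -j DROP
COMMIT
EOF
}

# Print the ruleset for constructed sample values.
gen_profile_rules 10.8.0.10 10.8.0.20 192.168.1.0/24 192.168.1.1
```

Rule order matters here: the gateway ACCEPT for Profile B has to come before the LAN-wide DROP, or the restricted profile loses its route out.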

