[ale] OT have some questions about vpn security

Jim Kinney jim.kinney at gmail.com
Sun Jul 14 16:09:09 EDT 2013


Change keepalive to 20 secs or use an ssh session inside the VPN tunnel.
Then keepalive is settable.
On Jul 14, 2013 3:39 PM, "Ron Frazier (ALE)" <
atllinuxenthinfo at techstarship.com> wrote:

> Hi all,
>
> Here's some followup info.  I found out that these vpn tunnel timeouts are
> happening even at home.  This is new behavior that didn't used to happen as
> far as I know.  Looking at the open vpn control screen on android, and the
> raw stats screen, I see the keepalive_timeout increment upwards when the
> system disconnects.  It appears that the connection drops if it hasn't
> received a packet in 40 seconds.  Then, it immediately reconnects.  It
> happens no matter which port and protocol I use.  Anybody know what that's
> all about?
>
> I could try tinkering with the router, but I wouldn't be able to do that
> in B&N or starbucks.  I'd like to solve the problem from the client end.
>  The open vpn client menu options don't appear to allow any control over
> this.  I really need the tunnel to stay connected if possible.
>
> Any help is appreciated.
>
> Sincerely,
>
> Ron
>
>
>
> JD <jdp at algoloma.com> wrote:
>
> >Inline.
> >
> >On 07/14/2013 01:53 AM, Ron Frazier (ALE) wrote:
> >> Hi JD,
> >>
> >> I think hotspotvpn is a good vendor.  I've been with them for several
> >years,
> >> and always like to turn on a vpn when I'm away from the house.  They
> >support
> >> port 443, tcp; port 443, udp; port 53, tcp; and port 53, udp.  I
> >think they
> >> can do PPTP but I always use the Open Vpn setup.  They have a few
> >exit points
> >> here in the states and some others in other countries.  Their staff
> >is
> >> minimal and pretty much works only by email as far as I know.  But,
> >it works.
> >> Their website is at hotspotvpn.com.
> >
> >Those are all the ports that basically can't be blocked and still allow
> >people
> >on the internet.  Even if a proxy server is involved, VPNs can work.
> >
> >Knowing a vendor only comes from their actions that we learn about. If
> >we never
> >hear they are cooperating with entities we'd rather they didn't, there
> >is little
> >chance of discovery.  I'd rather hear them refuse stock law enforcement
> >requests
> >and demand a court order for all access. Is that their method of
> >operation?
> >
> >Not using PPTP for anything seems smart.
> >
> >> Using the tunnel via udp is supposed to be faster, when you can use
> >it.  I
> >> suppose, if there is lots of interference on the network, tcp might
> >be
> >> faster.
> >
> >I'd never heard that. I'd always assumed that UDP was faster and since
> >the
> >tunneled packets already have TCP overhead, any lost packets would
> >cause a
> >retransmit request to the source.  Double overhead with tcp/tcp just
> >doesn't
> >make sense, but if there isn't any other choice ... something is better
> >than
> >nothing.
> >
> >> My main objective is to get the in the clear data away from the
> >hotspot.  My
> >> email and my https traffic (like banking) has its own ssl encryption
> >anyway
> >> regardless of the tunnel, so I'm not too worried about what the
> >vendor might
> >> see.
> >
> >I think a vendor being paid a fair price for their services is the
> >ideal VPN
> >provider. This should prevent a conflict of interest with customer
> >happiness
> >being the primary goal for the company.
> >
> ><snip>
> >
> >> In regards to what was working and B&N, it wasn't working well, with
> >the
> >> frequent disconnections.  But, I was able to establish the tunnel via
> >either
> >> 443 udp or 443 tcp.  I don't think I tried 53.  The android Open Vpn
> >client
> >> has an option to disallow internet access while the client is paused
> >or
> >> connecting.  This eliminates in the clear traffic unless the system
> >just
> >> gives up completely or you cancel it.  I think it did just give up
> >once, but
> >> I had it working intermittently most of the time.
> >>
> >> I was at office max the other day and couldn't get it to work at all.
> > I
> >> don't know why.
> >
> >If UDP is blocked, it won't work on UDP.
> >
> >> I've been considering upgrading my vpn solution so I can encrypt all
> >5 pc's
> >> from home, just because I can, in light of the NSA stuff.  Not sure I
> >want to
> >> pay 5X the monthly fee though.  I'm not sure if anyone allows
> >simultaneous
> >> logins and I'd have to research that.  Sure, NSA can still monitor
> >choke
> >> points, but at least Comcast couldn't monitor everything I do.
> >
> >You know, routers will do this and you can specify certain subnets to
> >be routed
> >through a VPN and others are not. This handles the entire network. I've
> >seen
> >how-to guides on the internet.
> >
> >Researchers have been working on determining the type of traffic inside
> >tunnels.
> >Seems there are specific patterns to the traffic. They can't see the
> >exact
> >content of the traffic of course.
> >
> >I believe that HTTPS has been hacked through different techniques
> >involving DNS,
> >CA corruption, or just having governments demand that CAs create certs
> >with the
> >desired credentials to enable proxies or spoofing of websites. For
> >online
> >purchases, I don't worry about it.
> >
> >We often forget that if DNS is compromised, **NOTHING** on the network
> >can be
> >trusted and we've already lost the war.  Using a VPN with non-public
> >keys and
> >IP-based connections (not DNS/hostname) should mitigate any remote
> >network
> >tampering.
> >_______________________________________________
> >Ale mailing list
> >Ale at ale.org
> >http://mail.ale.org/mailman/listinfo/ale
> >See JOBS, ANNOUNCE and SCHOOLS lists at
> >http://mail.ale.org/mailman/listinfo
>
>
> --
>
> Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
> Please excuse my potential brevity if I'm typing on the touch screen.
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone.  I get about 300 emails per day from alternate energy
> mailing lists and such.  I don't always see new email messages very
> quickly.)
>
> Ron Frazier
> 770-205-9422 (O)   Leave a message.
> linuxdude AT techstarship.com
> Litecoin: LZzAJu9rZEWzALxDhAHnWLRvybVAVgwTh3
> Bitcoin: 15s3aLVsxm8EuQvT8gUDw3RWqvuY9hPGUU
>
>
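Added example, not part of the thread above: the 40-second drop Ron describes is exactly what an OpenVPN client with an effective `ping-restart 40` reports, and that value can come either from the client profile or from options the server pushes, which override the local ones. The script below is mine, not the provider's or OpenVPN's code. It expands the `keepalive` helper directive the way the OpenVPN manual documents it (server side doubles the restart timeout and pushes the undoubled values so the client gives up first), works out which timers the client actually runs, and flags a few things a practitioner would check. The profile text, the host `vpn.example.net`, the pushed options, and the NAT idle and ping-ratio thresholds are all constructed assumptions for the example.

```python
"""Work out the keepalive timers an OpenVPN client actually runs, given its
profile and any server-pushed options, and flag common problems.

Added example; the config text, host name and thresholds are constructed.
"""
import re

# Constructed sample client profile (hypothetical host and values).
CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.net 443
resolv-retry infinite
keepalive 10 40
"""

# Constructed sample of what a server configured with 'keepalive 10 60'
# pushes to its clients (the manual's expansion: ping 10, ping-restart 60).
SERVER_PUSH = ["ping 10", "ping-restart 60"]


def expand_keepalive(interval, timeout, server_mode=False):
    """Expand --keepalive <interval> <timeout> as OpenVPN does.

    Client side: ping <interval>, ping-restart <timeout>.
    Server side: ping <interval>, ping-restart <2*timeout>, and push the
    undoubled values so a dead link is noticed by the client first.
    Returns (local_options, pushed_option_lines).
    """
    local = {"ping": interval, "ping-restart": timeout}
    push = []
    if server_mode:
        local["ping-restart"] = 2 * timeout
        push = [f"ping {interval}", f"ping-restart {timeout}"]
    return local, push


def parse_options(lines, server_mode=False):
    """Turn config or pushed option lines into a dict; later lines win,
    which is also how a pushed option overrides a local one."""
    opts = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, *args = line.split()
        if name == "keepalive":
            local, _ = expand_keepalive(int(args[0]), int(args[1]), server_mode)
            opts.update(local)
        elif name in ("ping", "ping-restart", "ping-exit"):
            opts[name] = int(args[0])
        else:
            opts[name] = args
    return opts


def effective_timers(client_conf, pushed=()):
    """Timers the client ends up with: local profile first, then pushed
    options override it (what 'client'/'pull' does)."""
    opts = parse_options(client_conf.splitlines())
    opts.update(parse_options(list(pushed)))
    return {"ping": opts.get("ping"), "ping-restart": opts.get("ping-restart")}


# Assumed thresholds (not from the thread): many consumer NAT boxes expire an
# idle UDP mapping around 30 s, and a restart timeout under three ping
# intervals means a couple of lost pings look like a dead link.
NAT_UDP_IDLE_S = 30
MIN_RESTART_RATIO = 3


def diagnose(client_conf, pushed=()):
    """Return plain-text findings about the client's keepalive setup."""
    timers = effective_timers(client_conf, pushed)
    opts = parse_options(client_conf.splitlines())
    findings = []
    ping, restart = timers["ping"], timers["ping-restart"]
    if ping is None or restart is None:
        findings.append("no keepalive: a silent tunnel is never detected as dead")
        return findings
    if ping >= NAT_UDP_IDLE_S and opts.get("proto", ["udp"])[0] == "udp":
        findings.append(f"ping {ping}s may outlive the NAT UDP idle timeout; "
                        f"keep it well under {NAT_UDP_IDLE_S}s")
    if restart < MIN_RESTART_RATIO * ping:
        findings.append(f"ping-restart {restart}s is under {MIN_RESTART_RATIO}x "
                        f"ping {ping}s; a couple of lost pings will drop the tunnel")
    remote = opts.get("remote")
    if remote and not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", remote[0]):
        findings.append(f"remote {remote[0]} is resolved via DNS; pin an IP "
                        "if DNS on the hotspot is untrusted")
    return findings


if __name__ == "__main__":
    print("local only:", effective_timers(CLIENT_CONF))
    print("with push: ", effective_timers(CLIENT_CONF, SERVER_PUSH))
    for f in diagnose(CLIENT_CONF, SERVER_PUSH):
        print("-", f)
```

Run it and you see the local profile alone gives `ping 10 / ping-restart 40`, while the pushed options raise the restart timeout to 60, which is why editing the client profile may not change the observed drop if the server pushes its own values. The `remote` check is the point JD makes about DNS: a hostname in the profile means the first thing the client trusts on a hostile hotspot is that network's resolver.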