Don't Get Pwned on Public WiFi: Use Your Own VPN

168 points by bensedat, over 11 years ago

28 comments

chrismonsanto, over 11 years ago
I use a VPN for much of my private traffic. Here is where I differ from the article's recommendations, and why:

- I don't recommend rolling your own on EC2: pick a VPN with a good reputation and a policy of not retaining logs. See: http://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/ (you don't have to use torrents to need a VPN, btw!!)

- I recommend using a Debian VM w/ OpenVPN for your private traffic. That way, 'am I using my VM?' is a quick test for whether your traffic is private or public.

- I can't stress this enough: _be sure to firewall your VM from any traffic not to your VPN provider_. *If OpenVPN drops its connection, it will fall back to sending packets normally!* At least if you firewall, your connection will just die, instead of potentially sending private traffic in the clear. The article doesn't mention this, and it should.

- Be sure not to log in to your usual services on your VPN, or there is a possibility that someone can connect your real traffic and your VPN traffic. I use LastPass with random passwords to manage all of my accounts, so I solve this problem by simply not installing LastPass on my VM, which makes logging in a very deliberate action on my VM.
Comment #6285706 not loaded
Comment #6286164 not loaded
Comment #6285728 not loaded
Comment #6287288 not loaded
Comment #6285755 not loaded
Comment #6286218 not loaded
Comment #6285761 not loaded
Comment #6286317 not loaded
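The firewall advice in the comment above is the kill-switch pattern: the only packets allowed to leave on the physical interface are those addressed to the VPN endpoint, and everything else has to go out through the tunnel device, so when OpenVPN drops the result is no connectivity rather than clear-text traffic. The script below is an added example, not code from the thread or from the article; the server address 203.0.113.10, port 1194, UDP, and the interface names eth0 and tun0 are assumptions to be replaced with your own values, and it targets Linux iptables.

```shell
#!/bin/sh
# Added example: VPN kill switch for a Linux client (iptables). Not from the
# thread. Server address, port and interface names are placeholders.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # assumed VPN endpoint (TEST-NET-3 address)
VPN_PORT="${VPN_PORT:-1194}"               # assumed OpenVPN port
VPN_PROTO="${VPN_PROTO:-udp}"              # UDP avoids the TCP-over-TCP stalls
WAN_IF="${WAN_IF:-eth0}"                   # assumed physical interface
TUN_IF="${TUN_IF:-tun0}"                   # assumed tunnel interface

# Emit the rule set as plain iptables commands. Nothing is executed here, so
# the policy can be reviewed (or diffed) before it is applied.
killswitch_rules() {
  cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p $VPN_PROTO -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
EOF
}

# Every rule that lets packets leave on the physical interface. With the kill
# switch in place this list must contain only DHCP and the VPN endpoint itself.
wan_egress_rules() {
  killswitch_rules | grep -- "-A OUTPUT -o $WAN_IF"
}

# Number of WAN egress rules that are neither DHCP nor addressed to the VPN
# server. Anything other than 0 means clear-text traffic could escape.
wan_leak_count() {
  wan_egress_rules | grep -v -- "--dport 67" | grep -vc -- "-d $VPN_SERVER" || true
}

# Apply the rules (root only). The heredoc is fed to sh so it runs as written.
apply_killswitch() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_killswitch: must run as root" >&2
    return 1
  fi
  killswitch_rules | sh -e
}

# Runtime check once the tunnel is up: the route for an arbitrary public
# address (TEST-NET-1 here) must go through the tunnel interface.
route_check() {
  ip route get 192.0.2.1 2>/dev/null | grep -q -- "dev $TUN_IF"
}

# Usage: ./killswitch.sh show | apply | check
if [ $# -gt 0 ]; then
  case "$1" in
    show)  killswitch_rules ;;
    apply) apply_killswitch ;;
    check) route_check && echo "default route goes via $TUN_IF" ;;
    *)     echo "usage: $0 show|apply|check" >&2; exit 2 ;;
  esac
fi
```

Run `show` first and read the output: with the policy set to DROP, the two `-o eth0` lines are the complete list of ways a packet can reach the hotspot in the clear, which is exactly the property the commenter is asking for. If the OpenVPN process dies, tun0 disappears and the last rule stops matching, so applications simply time out.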
davepeck, over 11 years ago
Hi folks. I'm one of the three guys who runs Cloak (https://www.getcloak.com/).

Cloak is a super simple VPN where both the back-end service and front-end apps are tightly integrated. (We think of it as the "Dropbox of VPNs" in the sense that, like Dropbox, it's so easy to use.)

Basically, it's the VPN service+applications I wanted for myself when I started looking around and couldn't find anything (1) easy enough and (2) non-sketchy. Right now Cloak supports OS X (10.7+) and iOS (6+). We've been around for a while and I know there are a number of happy customers here on HN.

In any case, please let me know if you have any questions, and please do give it a spin. Cheers!

(EDIT for clarity, and because X of Y descriptions are not always loved.)
Comment #6288734 not loaded
Comment #6286416 not loaded
Scramblejams, over 11 years ago
Good writeup, but why does this piece recommend running the VPN over TCP? Tunneling TCP over TCP, which will be the end result, is known to provide terrible performance in the presence of even minor packet loss.
Comment #6285601 not loaded
Comment #6285634 not loaded
Nux, over 11 years ago
I too use (open)vpn for 99% of my traffic because *terrorism* etc.

I can't recommend it enough, the damn thing is super stable and secure, works via NAT via NAT via NAT etc and super flexible (push routes, push dns, proxy and other settings), works in routed mode, bridged mode and so on.

I recommend you get a server or a VPS somewhere "nearby" and install openvpn software on that.

I can't trust VPN providers that they do not monitor or log my traffic and neither should you.
beagle3, over 11 years ago
Much more practical on Linux/OSX: https://github.com/apenwarr/sshuttle

No root/admin privileges required on your "VPN server" - just the ability to ssh. It solves the tcp-over-tcp issue. It just works.

It only does TCP (with a specific hack for DNS, but no general UDP or IP). But it works exceptionally well, and just needs an sshable account on the server.
Comment #6285863 not loaded
mapgrep, over 11 years ago
Does anyone know why this is better than a simple SOCKS proxy, which can be set up with one SSH command to your VPS and a quick visit to your system settings?

I use sheepsafe to pull these up automatically when I'm away from a trusted network: https://github.com/nicksieger/sheepsafe
Comment #6285893 not loaded
Comment #6285788 not loaded
Comment #6286134 not loaded
dotBen, over 11 years ago
For this audience, one would assume this isn't anything new.

The next level of 'detail'/risk to consider here is the fact that so many apps, and even browsers, will bind to the "on connection" event of connecting to a wifi hotspot - before you can initiate your VPN your twitter client* has already sent your authenticated token over the wire, etc.

I've tried to hack something together with iptables but that doesn't work either in airports/etc where there are splash screens to negotiate, etc.

(* = yes, you could use a better client, but then the reason we need VPNs in the first place is that so many apps and sites don't use https)
Comment #6285739 not loaded
spindritf, over 11 years ago
Ironically, Ghostery prevents the article from being displayed and there are nine trackers detected on that page.
Comment #6285951 not loaded
Comment #6285724 not loaded
Comment #6286168 not loaded
Comment #6285709 not loaded
ef4, over 11 years ago
If you're planning to run a VPN server on Amazon EC2, be forewarned that lots of sites are going to block you. For example, Yelp, Craigslist, the StackOverflow family, Hulu, and Bank of America.
Comment #6285770 not loaded
post_break, over 11 years ago
The easiest defense against a pineapple is to create a wifi network titled "Pineapple Connected ALERT ALERT" or something similar to that. No security, no keys, and set it to your highest priority of networks to connect to if you have automatic joining enabled.

As someone who has used these lovely devices to prank others it's a good idea to do so.
Comment #6285849 not loaded
Comment #6285935 not loaded
smtddr, over 11 years ago
https://github.com/apenwarr/sshuttle

Easy solution and system-wide, if your OS supports it and you can ssh to a trusted server. My personal plan-B tool when a simple ssh -D and firefox's socks-proxy isn't enough.

(BTW, why doesn't Chrome have socks-proxy like Firefox yet?)
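Several comments (mapgrep's "one SSH command", beagle3's and smtddr's mentions of `ssh -D` and a browser SOCKS proxy) describe the lightweight alternative to a full VPN. The script below is an added example, not code from the thread; it assumes an SSH account on your own VPS (placeholder `user@vps.example.net`) and local port 1080. The point it adds beyond the comments is the DNS check: a `socks5://` proxy URL still resolves hostnames on the laptop, which means every lookup goes to the hotspot's resolver, while `socks5h://` hands the hostname to the VPS, so that is the form the helper enforces.

```shell
#!/bin/sh
# Added example: system SOCKS5 proxy over SSH with remote DNS resolution.
# Not from the thread. The jump host, port and check URL are placeholders.
JUMP_HOST="${JUMP_HOST:-user@vps.example.net}"   # assumed SSH account on your VPS
SOCKS_PORT="${SOCKS_PORT:-1080}"

# Proxy URL for curl and similar clients. socks5h:// resolves hostnames on the
# proxy side; plain socks5:// would resolve them locally over the hotspot's DNS.
socks_proxy_url() {
  printf 'socks5h://127.0.0.1:%s\n' "${1:-$SOCKS_PORT}"
}

# Sanity-check a proxy URL before putting it into a client config: it must use
# socks5h (remote DNS) and point at loopback, never at a LAN-reachable address.
proxy_url_is_safe() {
  case "$1" in
    socks5h://127.0.0.1:*|socks5h://localhost:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Start the forwarder: -N runs no remote command, -f backgrounds once the tunnel
# is up, -D binds on loopback only so other hosts on the WiFi cannot use the
# proxy, and ExitOnForwardFailure makes a busy port fail loudly.
start_socks() {
  ssh -N -f \
      -o ExitOnForwardFailure=yes \
      -o ServerAliveInterval=30 \
      -D "127.0.0.1:$SOCKS_PORT" "$JUMP_HOST"
}

stop_socks() {
  pkill -f "ssh -N -f .* -D 127.0.0.1:$SOCKS_PORT" 2>/dev/null || true
}

# Fetch through the proxy; the hostname in "$1" is resolved by the VPS.
fetch_via_proxy() {
  curl --silent --fail --proxy "$(socks_proxy_url)" "$1"
}

# Confirm traffic really leaves via the VPS: the public address reported by an
# echo-your-IP service ($1) must differ between a direct and a proxied fetch.
exit_ip_differs() {
  direct=$(curl --silent --fail "$1" 2>/dev/null)
  proxied=$(fetch_via_proxy "$1")
  [ -n "$proxied" ] && [ "$direct" != "$proxied" ]
}

# Usage: ./socks.sh start | stop | check <url-that-echoes-your-ip>
if [ $# -gt 0 ]; then
  case "$1" in
    start) start_socks ;;
    stop)  stop_socks ;;
    check) exit_ip_differs "$2" && echo "exit IP differs: proxy in use" ;;
    *)     echo "usage: $0 start|stop|check <url>" >&2; exit 2 ;;
  esac
fi
```

For Firefox the equivalent of `socks5h` is the `network.proxy.socks_remote_dns` preference; without it the browser behaves like the rejected `socks5://` case above. Note also what this does not cover: only applications configured to use the proxy go through it, so the kill-switch approach from earlier in the thread is the stronger control for a machine that must not speak to the hotspot directly.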
mef, over 11 years ago
If you run a Linode, they have similar instructions for each of their Linux images:

https://library.linode.com/networking/openvpn/ubuntu-10.04-lucid
rmrfrmrf, over 11 years ago
If you have a decent internet connection at home with reliable uptime, you can also just set up a VPN at home and connect that way. My router comes with OpenVPN on it, so I don't even need to have extra hardware running.
Wicher, over 11 years ago
I like Tinc VPN (http://www.tinc-vpn.org/). It's multiplatform and open source, just as OpenVPN is, but I prefer it for its simplicity and its mesh feature. It doesn't try to do too much (which means you'll have to set up routes yourself).

See http://www.tinc-vpn.org/documentation-1.1/tinc_4.html#How-connections-work to get an idea of the mesh feature.
gurbelmann, over 11 years ago
Of course, you have a problem when the owner of the wifi explicitly prevents anonymisation services.

For example, when I was at Birmingham airport, I couldn't connect to my VPN because they blocked domains of well-known VPN providers and even hijacked all my DNS requests so I couldn't circumvent it so easily.

I guess running your own local DNS server which has your typical requests cached would solve this problem though.
Comment #6290795 not loaded
newman314, over 11 years ago
I'm still looking for a good config for a racoon roadwarrior config to a VM behind dd-wrt (as dd-wrt does not come with IPSec support).

Amazingly, there is very little information about this despite what would seem to be a pretty common desired config. Or maybe my google-fu just sucks.

At this point, I can get a tunnel established but it fails to correctly route after the tunnel is set up. Frustrating.
nly, over 11 years ago
The article doesn't mention IPv6, where things can be a bit more tricky. The Android clients don't let you use TAP (layer 2 tunneling), so if you're going to be accessing your VPN from an Android device you'll have to configure IPv6 NAT, or hack around with scripts to add IPv6 addresses dynamically.
mhurron, over 11 years ago
You know what would be great - the ability to do this automatically, especially on Android.

I would love to see the ability to specify 'safe' or 'trusted' WiFi networks and if you connect to a network other than these, the VPN gets initialized and used.

Setup on the phone is once and usage of the VPN happens automatically after that.
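mhurron's wish (a trusted-network list, VPN on everything else) and dotBen's warning earlier in the thread (apps fire as soon as the link comes up) point at the same hook: the event a network manager raises when an interface connects. The script below is an added example for Linux NetworkManager, not code from the thread or from any project named in it; the SSIDs `HomeNet` and `OfficeCorp`, the VPN profile name `my-openvpn`, and the install path are placeholders to replace. It relies on NetworkManager's dispatcher interface (script called with interface and action, `CONNECTION_ID` in the environment) and on `nmcli`.

```shell
#!/bin/sh
# Added example: NetworkManager dispatcher script that brings a VPN profile up
# on any WiFi network not in a trusted list. Not from the thread. Install as
# /etc/NetworkManager/dispatcher.d/50-vpn-on-untrusted (root-owned, mode 0755).
# SSIDs and the VPN profile name are placeholders.
TRUSTED_SSIDS="HomeNet
OfficeCorp"
VPN_PROFILE="${VPN_PROFILE:-my-openvpn}"   # assumed NetworkManager VPN connection name

# Exact whole-line match, so "HomeNet-Guest" is not treated as "HomeNet".
is_trusted_ssid() {
  printf '%s\n' "$TRUSTED_SSIDS" | grep -Fxq -- "$1"
}

# Decision: "direct" on a trusted network, "vpn" anywhere else. An empty SSID
# (unknown network, or not WiFi at all) is treated as untrusted.
action_for_ssid() {
  if [ -n "$1" ] && is_trusted_ssid "$1"; then echo direct; else echo vpn; fi
}

# SSID of the active WiFi connection. nmcli terse output is "yes:SSID" for the
# connected network; sed keeps SSIDs that themselves contain ':' intact.
current_ssid() {
  nmcli -t -f ACTIVE,SSID dev wifi 2>/dev/null | sed -n 's/^yes://p' | head -n 1
}

# Dispatcher entry point: NetworkManager invokes <script> <iface> <action>.
dispatch() {
  iface=$1 action=$2
  # Ignore the event raised by the VPN connection itself, or we would loop.
  case "$CONNECTION_ID" in "$VPN_PROFILE") return 0 ;; esac
  case "$action" in
    up)
      ssid=$(current_ssid)
      if [ "$(action_for_ssid "$ssid")" = vpn ]; then
        logger -t vpn-dispatch "untrusted network '$ssid' on $iface, starting $VPN_PROFILE"
        nmcli connection up id "$VPN_PROFILE"
      else
        logger -t vpn-dispatch "trusted network '$ssid' on $iface, no VPN"
      fi ;;
    down)
      nmcli connection down id "$VPN_PROFILE" 2>/dev/null || true ;;
  esac
}

# Only dispatch when invoked by NetworkManager (two arguments); sourcing the
# file for its functions does nothing.
if [ $# -eq 2 ]; then
  dispatch "$1" "$2"
fi
```

This closes the usability gap mhurron describes, but not the race dotBen describes: the dispatcher runs after the link is up, so an application that sends on the connect event can still win. Pairing it with an always-on kill switch (only the VPN endpoint reachable on the physical interface) is what turns "VPN eventually" into "nothing leaves until the VPN is up".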
theandrewbailey, over 11 years ago
I like to use an SSH SOCKS proxy to my home server. It didn't seem to be as much work to set up as this.
chakalakasp, over 11 years ago
BTW, for what it's worth, the (very inexpensive) Synology NAS models out there will all act as an openvpn server. It requires a bit of tweaking to get it to work the way you'd expect, but it's nothing beyond what the typical reader here can do.
slig, over 11 years ago
Anyone have experience setting up a VPN on a Raspberry Pi?

I'm guessing that it would cost less than $5/month on energy and I have one sitting in a drawer.

Also, I don't live in the US and proxying all my data through the US and back would introduce unwanted lag.
Comment #6286114 not loaded
Comment #6290731 not loaded
Comment #6285688 not loaded
Comment #6286038 not loaded
car54whereareu, over 11 years ago
Once your vpn is established do you post to HN, inject SQL, download torrents, or is there something else exciting to do? I'm not in a fraternity (or sorority) so that's out.
archagon, over 11 years ago
If you're too cheap to shell out money for a VPN, proXPN has a limited free tier. I've been using it for banking while travelling and it works great!
michaelwww, over 11 years ago
Somebody could probably sell me a solution that does all this automatically without distracting me from what I'm supposed to be thinking about.
ihaveaq, over 11 years ago
I have a Chromebook (whose security is limited to HTTPS Everywhere, which doesn't lock much at all). How do I set up a VPN for it?
Comment #6286066 not loaded
scotty79, over 11 years ago
I wonder why this is so convoluted. NAT used to be like that but for a long time it's just been `apt-get install ipmasq`.
molecule, over 11 years ago
Subscribing to a VPN provider is typically easier, cheaper and provides more options than rolling your own on EC2.

http://netforbeginners.about.com/od/readerpicks/tp/The-Best-VPN-Service-Providers.htm
Comment #6285598 not loaded
Comment #6285649 not loaded
Comment #6285754 not loaded
Comment #6285695 not loaded
holri, over 11 years ago
I am using a NoMachine NX remote session to my server through ssh for this purpose.