Travel Technology - VPN - OpenSSH? OpenVPN? which...etc.




chichow
Jan 30, 08, 7:59 am
World of Warcraft is @$@%$%

I'd like to play even if the network that I am attached to doesn't cooperate (insert here...yes I understand the admin/company policy).

So which VPN is better or please suggest some others.
I have control over my local notebook and also my home network where I can set up another laptop to be dedicated as VPN server.

Primary intended uses are:

1) WOW
2) VNC / remote desktop
3) Video Chat
4) unfettered websurfing

THANKS!


Rogi
Jan 30, 08, 8:06 am
World of Warcraft is @$@%$%

I'd like to play even if the network that I am attached to doesn't cooperate (insert here...yes I understand the admin/company policy).

So which VPN is better or please suggest some others.
I have control over my local notebook and also my home network where I can set up another laptop to be dedicated as VPN server.

Primary intended uses are:

1) WOW
2) VNC / remote desktop
3) Video Chat
4) unfettered websurfing

THANKS!

#4 isn't too difficult. If you can get your hands on a cheap 400 MHz machine with a network card, load Ubuntu Server on it (with SSH). Lock it down to one user and use keys instead of passwords. If you have a router, you'll need to port forward to it, of course.

From work, just SSH (with a tunnel) to it on a port not blocked. Then point Firefox to localhost and that port and you're golden :D

It took me some online reading to set it up how I wanted, but now I can SSH in securely when I'm away from home or on a public Wi-Fi. All traffic is encrypted.

I can find some write-ups if you're still interested. ;) I don't use remote desktop too much so I can't help there.
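
An added example, not part of the original thread: a short Python audit of `sshd_config` text for the lockdown the post above describes (one allowed user, keys instead of passwords). The sample configs and the account name `tunnel` are constructed, and `Match` blocks are not evaluated.

```python
import re

def parse_global(text):
    """Read sshd_config's global section; parsing stops at the first Match."""
    opts, allow_users = {}, []
    for raw in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=?\s*(.*)", raw)
        if not m:  # blank line or '#' comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "challengeresponseauthentication":  # deprecated alias
            key = "kbdinteractiveauthentication"
        if key == "allowusers":
            allow_users += value.split()  # repeated AllowUsers lines accumulate
        else:
            opts.setdefault(key, value.lower())  # sshd uses the first value seen
    return opts, allow_users

def audit(text):
    """Return findings; an empty list means keys-only, single-user login."""
    opts, users = parse_global(text)
    findings = []
    if opts.get("passwordauthentication", "yes") != "no":
        findings.append("password logins are enabled")
    if opts.get("kbdinteractiveauthentication", "yes") != "no":
        findings.append("keyboard-interactive logins are enabled")
    if opts.get("pubkeyauthentication", "yes") == "no":
        findings.append("public-key logins are disabled")
    if len(users) != 1 or any(c in users[0] for c in "*?"):
        findings.append("AllowUsers does not name exactly one account")
    return findings

LOCKED = """\
# constructed sample: the lockdown from the post
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers tunnel
"""
WEAK = """\
# constructed sample: the later 'no' is ignored, first value wins
PasswordAuthentication yes
PasswordAuthentication no
AllowUsers alice bob
"""
if __name__ == "__main__":
    print(audit(LOCKED), audit(WEAK))
```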

SpaceBass
Jan 30, 08, 8:57 am
Both SSH and OpenVPN have their pros and cons.

SSH is fairly adept at working around firewalls...you can set your remote host to listen on port 80 or 443 which are both almost always allowed.
That said, it's a pain to set up tunneling, even with a GUI like Putty.exe... all the ports, etc ... then you have to change the clients (that's assuming WOW can even support that).

OpenVPN is very powerful and robust, but setting it up can be quite complex.
Still, if you are up for the challenge, it is probably the best bet.
You might want to have the server listen on a common port, such as 443. Also, make sure you set the clients up to send all traffic over the VPN.

OpenVPN comes with the added benefit (if set up to send all traffic) of giving you a secure way to surf in hotels and public hotspots too...always a good idea to use a VPN when away from home.


sllevin
Jan 30, 08, 9:19 am
If you don't feel like the OpenVPN challenge :) you may want to just consider purchasing something like a Netgear SSL VPN-capable router for your home network. It should just pop into place of the router you have now, but then comes with an SSL/HTTPS based VPN server that takes very little expertise to set up.

Steve

ClueByFour
Jan 30, 08, 9:26 am
OpenVPN comes with the added benefit (if set up to send all traffic) of giving you a secure way to surf in hotels and public hotspots too...always a good idea to use a VPN when away from home.

I need this logic explained to me at some point, because I've heard it a bunch in various places and don't entirely agree. If I'm not sending a cookie or login data in cleartext, does it really matter that I'm surfing CNN without protection from my hotel room? If it's an encrypted website, does it really matter?

I have a VPN and use it an awful lot for just about everything (notably because I do some work that expects me to be originating from a known IP, and it's the easiest way). However, I really don't feel like I'm practicing bad risk mitigation by checking (logged out) FT from a hotel Wi-Fi access point without tunneling thru the VPN first.....

cpx
Jan 30, 08, 9:32 am
I need this logic explained to me at some point, because I've heard it a bunch in various places and don't entirely agree. If I'm not sending a cookie or login data in cleartext, does it really matter that I'm surfing CNN without protection from my hotel room? If it's an encrypted website, does it really matter?


You may think it's encrypted, but there is always a possibility of a "man in the middle" attack. But if you are careful with what SSL keys you accept etc., chances are low.

Also, if the data is sent via the "GET" method (within the URL), it's open for anybody along the way.


I generally use SSH (OpenSSH) to tunnel most of my sessions.

SpaceBass
Jan 30, 08, 10:29 am
I need this logic explained to me at some point, because I've heard it a bunch in various places and don't entirely agree. If it's an encrypted website, does it really matter?

I have a VPN and use it an awful lot for just about everything (notably because I do some work that expects me to be originating from a known IP, and it's the easiest way). However, I really don't feel like I'm practicing bad risk mitigation by checking (logged out) FT from a hotel Wi-Fi access point without tunneling thru the VPN first.....

Check this post (http://www.flyertalk.com/forum/showthread.php?t=633980&highlight=wifi+hotel)
There's some detail there about why it can be risky.

One of the most compelling reasons is that a (properly configured) VPN virtually removes you from the LAN you are on, keeping you safe from incoming attacks, as well as encrypting your outbound traffic.

Ultimately it's up to you to decide what is acceptable risk, just make sure you feel like you are making an informed decision.

sllevin
Jan 30, 08, 12:00 pm
One of the most compelling reasons is that a (properly configured) VPN virtually removes you from the LAN you are on, keeping you safe from incoming attacks, as well as encrypting your outbound traffic

Actually only a couple of incorrectly designed VPN clients do that; it's deeply non-RFC compliant. Most properly compliant VPN clients will not and should not do this.

The only proper way to protect a machine on the local network is to be running a software firewall or be otherwise configured to not accept any externally-initiated connections. With Windows XP, you should have "no exceptions" checked in your advanced settings for firewall configuration.

Steve

mjo768
Jan 30, 08, 1:11 pm
Actually only a couple of incorrectly designed VPN clients do that; it's deeply non-RFC compliant. Most properly compliant VPN clients will not and should not do this.

The only proper way to protect a machine on the local network is to be running a software firewall or be otherwise configured to not accept any externally-initiated connections. With Windows XP, you should have "no exceptions" checked in your advanced settings for firewall configuration.

Steve

So is RDP really that insecure? I use it all the time at work or at client sites?

SpaceBass
Jan 30, 08, 3:00 pm
So is RDP really that insecure? I use it all the time at work or at client sites?

There are very well documented man in the middle attacks for RDP, it's fairly broken. In fact, it's trivial for someone with a popular free program to sit on a hotel network in their own room and grab your RDP password right out of the air.

Doppy
Jan 31, 08, 9:07 pm
OpenVPN is very powerful and robust, but setting it up can be quite complex.
Still, if you are up for the challenge, it is probably the best bet.
Any suggestions on how to get started on this? (e.g. links to instructions)

msb0b
Jan 31, 08, 10:47 pm
Try the howto (http://openvpn.net/howto.html) on the website. It has worked well for me.

I have progressed from OpenSSH to OpenVPN. The main difference between the two is you can choose the applications that use OpenSSH tunnel, and OpenVPN can redirect all the traffic to the VPN tunnel. I prefer the latter.

LIH Prem
Feb 1, 08, 4:17 am
That said, it's a pain to set up tunneling,

What's difficult about setting up ssh tunneling?

It's just a bunch of localforward statements in your .ssh/config file, one for each local port number you want to tunnel over ssh to the remote machine.

-David

Rogi
Feb 1, 08, 7:47 am
What's difficult about setting up ssh tunneling?

It's just a bunch of localforward statements in your .ssh/config file, one for each local port number you want to tunnel over ssh to the remote machine.

-David

Or Putty....

SpaceBass
Feb 1, 08, 7:50 am
Try the howto (http://openvpn.net/howto.html) on the website. It has worked well for me.

I have progressed from OpenSSH to OpenVPN. The main difference between the two is you can choose the applications that use OpenSSH tunnel, and OpenVPN can redirect all the traffic to the VPN tunnel. I prefer the latter.

I second that, their HOWTO is actually decent. I'm not sure the casual computer user could follow it, but it doesn't take an alpha geek either.

bdjohns1
Feb 1, 08, 8:34 am
SSH is fairly adept at working around firewalls...you can set your remote host to listen on port 80 or 443 which are both almost always allowed.
That said, it's a pain to set up tunneling, even with a GUI like Putty.exe... all the ports, etc ... then you have to change the clients (that's assuming WOW can even support that).


Depends on the firewall. At my employer, we use an authenticating firewall/proxy setup - you have to be a member of an "allowed internet access" user group and authenticate to the firewall with your windows login credentials. (IE and Firefox both can do this).

SpaceBass
Feb 1, 08, 8:52 am
Depends on the firewall. At my employer, we use an authenticating firewall/proxy setup - you have to be a member of an "allowed internet access" user group and authenticate to the firewall with your windows login credentials. (IE and Firefox both can do this).

True, there are no guarantees that any given network provides unfettered internet access. I guess I was thinking about hotels that only allow web (http and https) traffic and block things like port 22 (the default ssh port).

ClueByFour
Feb 1, 08, 10:56 am
SSH is fairly adept at working around firewalls...you can set your remote host to listen on port 80 or 443 which are both almost always allowed.
That said, it's a pain to set up tunneling, even with a GUI like Putty.exe... all the ports, etc ... then you have to change the clients (that's assuming WOW can even support that).

From a public hotspot or firewall, this is true. Any company who is worth their salt, however, is going to have a firewall and/or IDP that will see you trying to tunnel SSH out 80/443 and shut 'er down ASAP.
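
An added example, not part of the original thread: a minimal Python version of the check the post above attributes to a firewall or IDP, which is to compare the first payload bytes of an outbound flow with what the destination port implies. The flow records, field names and addresses are constructed for illustration.

```python
import re

# RFC 4253 identification string: "SSH-protoversion-softwareversion"
SSH_ID = re.compile(rb"^SSH-\d+\.\d+-")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")
WEB_PORTS = {80, 443}

def classify(payload: bytes) -> str:
    """Guess the protocol from the first bytes the client sends."""
    if SSH_ID.match(payload):
        return "ssh"
    # TLS record: type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 \
            and payload[5] == 0x01:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"

def ssh_on_web_ports(flows):
    """Return flows that speak SSH to a port reserved for web traffic."""
    return [f for f in flows
            if f["dport"] in WEB_PORTS and classify(f["first_bytes"]) == "ssh"]

# Constructed sample flows (documentation address ranges)
FLOWS = [
    {"src": "10.1.2.3", "dst": "198.51.100.7", "dport": 443,
     "first_bytes": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
    {"src": "10.1.2.4", "dst": "203.0.113.20", "dport": 443,
     "first_bytes": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"src": "10.1.2.5", "dst": "203.0.113.20", "dport": 22,
     "first_bytes": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"src": "10.1.2.6", "dst": "198.51.100.9", "dport": 80,
     "first_bytes": b"GET / HTTP/1.1\r\nHost: example.test\r\n"},
]

if __name__ == "__main__":
    for f in ssh_on_web_ports(FLOWS):
        print(f"SSH on web port: {f['src']} -> {f['dst']}:{f['dport']}")
```

The check looks only at the first payload bytes, so a flow it does not flag is inconclusive rather than confirmed web traffic.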

SpaceBass
Feb 1, 08, 11:17 am
From a public hotspot or firewall, this is true. Any company who is worth their salt, however, is going to have a firewall and/or IDP that will see you trying to tunnel SSH out 80/443 and shut 'er down ASAP.

I never suggested that anyone should try and tunnel out or establish a VPN connection from inside a work network.

That said, I work for a very significant company and with very few exceptions neither my company nor most of our clients filters SSH tunneling. I'm not suggesting that is good practice (in fact, from an intellectual property standpoint it's fairly poor) but I am saying that I cannot recall a time when I have been prevented from establishing an ssh tunnel via port 443.

iCorpRoadie
Feb 2, 08, 8:43 am
I might be stupid but I can't get my netgear VPN to ever work. Guess I need to try again soon.


