Help With A VPN
 

I follow several technology channels on YouTube and they all seem to heavily recommend using a VPN. I installed NordVPN as it was one of the recommended programs. But my internet connections seems to run a lot slower. Microsoft Outlook also seems to be having issues with it. It wants me to enter my password every time I open it now. Is there any way to resolve these issues or it is just the nature of a VPN?

A VPN or any other alternative is going to slow your connection speed unless it's a good VPN service. A great VPN will require the provider of the VPN to have both great download and upload speeds. Free VPNs don't have the resources and are constantly overcrowded. Frankly there are virtually no free VPN providers that will offer decent speeds and - what I suspect you are seeking - anonymity.

I wouldn't insert a middleman into my connection. In most cases, you'll just displace your data. Rather than being checked locally via your actual IP, it will probably be subject to surveillance in whatever location the VPN server is located.

I don't see a reason why the average internet user would need to systematically use VPNs. I use a VPN merely to circumvent location-based availability of data and secure networks.

You could try Tunnelbear. You get 500Mb per month. After that you'll have to pay. CyberGhostVPN does work good as well. Both never disappointed in terms of speed. The free VPN offered by Opera browser can be slow at times.

I paid $79 for a two year subscription to NordVPN. PC Magazine rated it as the fastest so that's why I went with it. I connect to a lot of different wifi networks in hotels and airports. I'm not sure how secure they are and I don't want any of my personal information being exposed. I really don't like entering my banking or credit card information on them and usually used my phone's LTE network instead.

If you're concerned about security, you might consider setting up your own home VPN. Many routers support VPN, and you can also flash most routers with dd-wrt, which has an excellent VPN implementation. I've been doing this for years and it has worked perfectly.

Do you have a multi-platform IPSec client? I've been trying to find a VPN appliance I can install at home and connect to using both my iPhone and Windows 10 laptop.

You don't need the same IPSec client, just an IPSec client for whatever platform you're using. I use Windows 10's built-in VPN client on laptop and office computers. On my Android phone and tablet, I use Android's built-in VPN client. I don't have any Apple products, but it's hard to believe there isn't IPSec VPN capability available. I haven't had to use a separate client for years.

In addition to the IPSec VPN, dd-wrt also support OpenVPN in both server and client mode. I've never fooled around with OpenVPN, but I'm pretty sure it's available for anything and everything.

Some of the consumer products I have used for hardware VPN have required vendor specific software to use it. In those cases, often times at least one of my platforms was not supported despite my best efforts. Native IPSec clients simply would not authenticate. This was a long time ago though, maybe it's different now.

NordVPN was awful for me, so after one year I switched over to PureVPN. Much, much faster, more intuitive interface, and far fewer connect glitches.

A VPN is basically only needed if you are in a situation where you don't trust your internet connection--either because it's being tampered with, spied upon or because you're doing something you don't want the authorities to know about.

It's unlikely your home connection is being tampered with in any important fashion. Some ISPs these days will inject notification messages into unencrypted HTML traffic but that's usually about it. Public Wi-Fi is another matter, a black hat is much more likely. In foreign lands it can be essential--for example, nothing Google works in China. I don't set foot over there without having a VPN set up on my equipment.

Spied upon is usually not a meaningful threat to the average person. If I'm over there and not using a VPN I figure Beijing can probably see what I'm doing. So what? Things like login credentials go over HTTPS already, they won't get the passwords. These days many systems have gone 100% HTTPS anyway, they're not going to see what you're doing.

That leaves hiding from the authorities. If they're going to deploy the big guns to hunt you it's not going to be enough. The government will trace you to the VPN, then go tell the VPN to disclose what IP such-and-such traffic is coming from. VPNs that advertise about not keeping records will protect you from this in the past but it won't shield you if you're actively doing it when they are hunting. (They see you browsing at PlayPen, every VPN out there will cough up the account info {which could be anonymous} and source IP {which will finger you.}) It's only a useful shield against low level things--copyright issues etc.

I have yet to see a VPN that doesn't seriously trash your speed--admittedly, my first criteria is how well they play cat & mouse with the Great Firewall, though.

Edit: Forgot, there's one more use case that's rare: If you need to be able to accept inbound connections and your ISP is doing address translation. (Note, however, that this is almost certainly against the TOS of your ISP!) I have a 10.x.x.x address here, inbound connections simply aren't going to happen. This is normally worked around these days by both ends connecting to a central server that then sends out packets that will trick both systems into thinking it's outbound traffic and allowing the connection to be built so there's little reason to use a VPN for such a case. (I'm thinking of things like Skype, TeamViewer etc.)

I want to add a VPN appliance to my home network so that I can tunnel in while on the road. I have some file servers etc. on my LAN that would be useful to access securely. I'm not comfortable opening these up to the WAN with FTP or the like.

Plus I've been considering getting PS Vue. It has some restrictions about needing to be on your home network both periodically and to access RSNs.

I echo Loren Pechtel's comments. If you're concerned about data security on public wifi, then virtually anything important will be sent over https anyway and thus can't be viewed by third parties in transit. I just noticed that even FlyerTalk now runs over https.

The main reason for using a VPN therefore becomes being able to access location-restricted services. Anonymity is also a factor, but using a VPN just shifts the responsibility for maintaining your anonymity to the VPN provider. If you want anonymity, use Tor and access it from a public wifi network.

Speeds on a VPN will also usually be slower than via direct connection unless the VPN provider has a lot of bandwidth. That kind of bandwidth is expensive for service providers to contract for, so if you're not paying a lot you probably won't get it. Better would be to set up a VPN server in Azure or AWS and use that.

As for the idea of a home VPN, it's an excellent idea that I use on occasion if I am on public wifi or (mostly) for accessing things in my house. iOS does include a built-in IPSec client, and I've downloaded the official OpenVPN client app. My home router (an EdgeRouter X SFP) includes IPSec, OpenVPN, and PPTP VPN servers. If you're hobbyist-minded, then you can see about flashing Tomato, DD-WRT, or OpenWRT onto a consumer router, all of which include VPN options. Or you can build a router using pfSense.

I don't have any non-computer, non-phone products connected via my VPN. I have a Grandstream Phone that supports OpenVPN, but I haven't needed to connect it to my router (yet), and I haven't configured the router for OpenVPN. dd-wrt will support both OpenVPN and IPSec VPN at the same time.

That's exactly what I use VPN for (along with VNC). I strongly suggest you look at dd-wrt. The odds are your existing router can be flashed with dd-wrt, the process is easy, and configuration is straight forward. Best of all, dd-wrt is free.

I'd heard DD-WRT was essentially a dead project. Just checked their website and there haven't been updates in a year...that sort of thing is why I switched to the Ubiquiti world. It's nice having an actual company put out nice hardware that is officially supported and has software updates.

Ubiquiti is new name for me. I'll check it out. I've been using dd-wrt for years because it simply works and works well. Right now, I have no reason to change, but I will check out Ubiquiti.

I'll take a look. Thanks!

The caveat is that, since it seems the project is dead, it hasn't been getting security updates in a while.

They focus on WISP and enterprise markets and price about 80% less than the equivalent equipment from Cisco or Juniper. The Unifi line of devices can all be managed from the same controller and are pretty slick.

As a home user, I'm comfortable with the level of security provided at the LAN-connected machine level. I've had an internet-connected LAN since I can remember and have never had any security issues at the router level. I suppose, if I get paranoid, I can put a hardware firewall in front of the router.

The prices were far lower than I first anticipated. I have to say, though, that from a home user perspective I absolutely despise Cisco (I have no experience with Juniper). I'm sure Cisco products make IT departments who must maintain mission-critical operations reasonably happy. However, I don't like, at all, the user-level comprises that Cisco forces. I can't tell from my quick scan of the Unifi whether these products are similarly over-bearing. They don't appear to be, but I'll look further.

I think it's more of a question about how secure the tunnel is from your remote workstation (or whatever platform) to the WAN side of your router.

Or, perhaps more importantly, the VPN service in general. I don't think you want unpatched exploits that allow unauthorized users to annex themselves to your LAN. Then machines on your network become much easier to break into.

This is more what I was getting at.

You can demo the Unifi controller at demo.ubnt.com.

I understand that. All of the machines on my LAN, both Windows and Linux, run firewalls and anti-malware software, and I'm less concerned about things like the ROKUs. As has been proven repeatedly, anyone who is really determined and skilled enough can hack into any system. If someone really wants into my dinky home system, they'll get in, but they're going to be very disappointed once they get there. My main concern is malware that converts my computers into zombies. That's never happened and, frankly, if it did happen, it would be because my wife opened something she shouldn't have, and not from someone hacking my VPN router.

Thanks for the advice on the home VPN. I'll have to make that a weekend project.

Unfortunately, many ISPs do not permit this unless you pay for business service.

I know that it would be completely impossible for me without some third party company providing an intermediate to make it work. It's not merely against their terms of service (home users shall not run servers) but you simply can't reach 10.x.x.x addresses from outside.

Simple test: Open a command prompt and type: "tracert www.google.com" (without the quotes). Look to the right. You may get 4 numbers, you may get a name followed by 4 numbers in brackets. Chances are the first line will be 192.168.x.x. If the second is 10.x.x.x your system is unreachable from outside.

I don't know the technical details but I have a home server powered by Netgear that I am able to access from anywhere.

Netgear very well might be the third party allowing the connection. I have a NAS box here that I could configure for remote access if I chose to even though I have a 10.x.x.x address. The makers of the box provide the intermediate to allow the link.

You just outed yourself as a windows user...

I'll out myself too. A co-worker is out dealing with a family matter and he is the only one of us that uses a Mac. I was trying to do something for him and hated using it. You guys are really missing out by not having a taskbar. Apple users must not switch between programs or different screens very often.

I'm not an Apple user either.

This does not make any sense. I used the built in Windows PPTP service on a home server for many years.

OT: cmd+tab, much!? Taskbars are pointless if you're using keyboard combos anyway. I never use the dock on Macs or the taskbar on Windows.

OMNIzens,

Please follow this discussion in its new home, Travel Technology.

essxjay, the OMNIs co-mod

From your above quote I'm inferring that you are tech savvy enough to set up your own VPN server and I concur with PTravel's comment on the use of DD-WRT. I have VPN servers running in 5 of my homes/vacation condos and need to access their local network storage drives, printers, cameras, STBs and other devices while I'm away. In two of my homes/condos, I've installed ASUS AC1200 RT-AC56U brand routers that support PPTP as well as OpenVPN concurrently in their native mode, two of my homes/condos have NetGear routers that I've flashed with DD-WRT and I run PPTP and OpenVPN concurrently in those. My fifth home has a Motorola Arris NVG-589 router which is required for my AT&T U-Verse service and this router does not support running a VPN service on it nor does it seem to support dynamic DNS (DDNS). What I've done is flashed an inexpensive NetGear router with DD-WRT, and use a static ip address for it, and have the appropriate VPN ports forwarded to it from the Arris NVG-589 and I run the DDNS client in this flashed router. You have to disable the routing and DHCP services in the flashed NetGear router and have it run in bridged mode rather than as a router. So in this case my two VPN servers are not on the front end router but behind the router on the flashed NetGear. The flashed NetGear is also used as a Wi-Fi access point for guests and I use a different SSID for the guest network and limit access to resources that guests can see.

To reduce network traffic I use the TUN Mode instead of the TAP mode for OpenVPN as TAP is bridging which sends all Ethernet traffic to the OpenVPN client whereas TUN is routing mode and only traffic to the VPN clients are sent across the Internet to them.

PPTP is what I primarily use as most platforms, except for more recent Apple platforms, support PPTP natively, and I use OpenVPN clients for my Apple iPhone, iPad, and Mac Air. Apple dropped support for PPTP recently as it is less secure than the other VPN services they support natively.

Depending upon how your local LAN IPs are assigned and subnets you may use, you may have to modify your VPN routers routing table to "push" traffic to/from the LAN segments where your local resources are so that the OpenVPN clients can access these resources.

Linux users generally know enough about the system to figure it out without instructions. That leaves only Macs. I don't speak enough Mac to know how to do it on one.

I use AirVPN and it doesn't seem to degrade my speed much if at all.

Unfortunately I didn't realize when I bought my Chromebook that AirVPN doesn't support Chrome OS. Found out the hard way when I tried to use their Android app and it didn't work when I was trying to stream US content while I was in Europe.
---

ETA: Since I've been back home from Europe it turns out AirVPN has added ChromeOS support. Was relatively straighforward to set up and appears to be working well.

PPTP has been thoroughly broken, so if privacy is anything of a concern you shouldn't use it. Use OpenVPN or IPSec instead. That's why Apple has removed native PPTP support.

MacOS is a customized version of BSD Unix, so what works for Linux will often work for Macs.

Most ISPs seem not to care if you run a VPN server at home. They just generally don't want you running a web server. Also, Spectrum seems to vacillate between allowing ssh or not. Sometimes they block port 22 and sometimes they don't. I get around it by running ssh on port 443, which you'd think they'd block given their dislike of home web servers, but here we are.

If you have an RFC1918* address on your WAN connection then your cable modem or DSL modem may not be in bridge mode. That's the first thing to check.

*192.168.0.0 - 192.168.255.254, 10.0.0.0 - 10.255.255.254, or 172.16.0.0 - 172.31.255.254

For the most part this is true; it is not that PPTP is broken, but that Microsoft's implementation of PPTP is broken, specifically the MS-CHAP-v1 and MS-CHAP-v2 versions of the Challenge Handshake Authentication Protocol where one can analyse the traffic to figure out the passwords.

PPTP is deprecated and with the large base of installed Microsoft servers the safe bet, as you rightly suggest, is to use one of the more secure VPNs.

Many have mentioned how VPN speeds are slower. This is by design. It takes quite a bit of overhead to encrypt/decrypt all that traffic. So things like streaming and file downloads are significantly slower.

Por ejemplo:

I have a 1Gbps fiber connection to the internets. I have one server that's connected to PIA (Private Internet Access) all the time. I can get a max of about 48 Mbps (down) over the VPN connection. Since most of my torrenting is automated, this isn't really a problem.

I'm also using a higher level of encryption that I probably need (4096 bit). They offer lower versions, but I prefer the higher levels. When I ran the lower ones, I didn't notice much difference in speed.

I've tried many other VPN services in the past, but I've found PIA to be the best speedwise (and they don't keep logs).


I've been noticing the same. Which is a shame, because dd-wrt was awesome. I'll only buy a wireless router if it supports dd-wrt. It amazing how much junk is on a consumer router these days and how few features they have. Form over function for all the morons I suppose.

I use pfSense for my home router/firewall. It is free and has a lot more features than dd-wrt. pfSense has OpenVPN built in, and I use it as the VPN for my home when I'm on the road. You can also setup an outbound VPN if you want all your home network traffic to go over VPN.

I HIGHLY recommend OpenVPN (free) for a roll-your-own solution. They have an iOS app too. It's sweet, I keep about 20 different PIA servers in there (for different US locations, and other countries), as well as my home VPN.

For the mac I paid for Viscosity, and I've been very happy with it.

This statement is true if you are only using wired connections. Since this is a travel board, I'm going to hazard to say that most people here use Wifi while they're traveling.

I would never use an unsecured wifi network connection without a VPN. And pretty much all the free ones are unsecured. Even with a Psk, you can still see others traffic who are on the same network.

Yeah, DD-WRT was cool. I wound up settling on Tomato for my router at home, which was just a little friendlier than DD-WRT at the time.

Ubiquiti's EdgeRouter X is a wired-only 5 port gigabit router that's $49. You really can't beat it. Also includes IPSec and OpenVPN (and PPTP) servers. And MPLS and BGP if you feel like running a small ISP. :D

Never used pfSense, but I think a big benefit of it would be that you could install it on a beefy computer and get high throughput with OpenVPN.

Note that 4096 bits is your key size. The actual encryption is probably AES-128 or AES-256.

Never tried Tomato, but I've also used OpenWRT which was pretty good.

Yeah, as a favor, I put in a bunch of Ubi AC-pro APs at a friend's restaurant in town last year. They're perfect for that scenario. I tried the same system at home, and couldn't get much better than 100Mbps downstream. I googled for help, and it seems like that's a big complaint from "prosumers". Those APs are more designed for a high number of users and not really for a few users with high bandwidth needs.

Yeah, I have it running on an ESXi VM on a Dell R620 server. I don't think the limitation is in pfsense, because it rarely uses over 20% CPU (10% RAM). Now the Windows Server VM that I'm using for my torrent client is has a noticeably higher CPU load when using torrents over the VPN connection.

Oops, you are correct. aes-256-cbc