Seems like a perfect use case for EC2 on demand. Only run the VPN node when you are on an open wireless network and need the VPN security. Shut it down otherwise.
That would make it harder to run, but it would greatly reduce the cost. I'd pay $0.02 for an hour's worth of security while stopping off at a coffee shop.
It wouldn't be much harder to run. You can start and stop the instance using the command line tools, so you could easily wrap the whole lot into a script which started the server and brought up the VPN link, then when you're finished take down the link then the server, all in one command.
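One way to script the "start the server, bring up the link, tear both down" idea from the comment above, as an added example rather than anything posted in the thread. It uses boto3 (imported lazily, so the pure helpers work without it) and assumes an EBS-backed instance already running an OpenVPN server on 443/tcp, the port choice discussed further down; the instance id, file paths and certificate names are placeholders. Because an instance without an Elastic IP gets a new public IPv4 address every time it is stopped and started, the script regenerates the client config from the address reported by `describe_instances` on each run.

```python
"""On-demand VPN endpoint: start an EC2 instance, build an OpenVPN client
config for its current public address, run the tunnel, and stop the instance
again when the tunnel exits.  Added example; INSTANCE_ID, CLIENT_CONFIG and
the certificate file names are placeholders, not values from the thread."""
import subprocess

INSTANCE_ID = "i-0123456789abcdef0"   # placeholder: replace with your own instance
VPN_PORT = 443                         # 443/tcp is rarely filtered at hotspots
CLIENT_CONFIG = "/tmp/ec2-vpn.ovpn"    # assumed path for the generated client config


def render_client_config(public_ip, port=VPN_PORT, proto="tcp"):
    """Build a minimal OpenVPN client config pointing at the instance.

    Without an Elastic IP the public address changes on every stop/start, so
    this is regenerated per session.  ca/cert/key names are assumed (typical
    easy-rsa output); remote-cert-tls rejects a client cert posing as server.
    """
    return "\n".join([
        "client",
        "dev tun",
        f"proto {proto}",
        f"remote {public_ip} {port}",
        "resolv-retry infinite",
        "nobind",
        "persist-key",
        "persist-tun",
        "remote-cert-tls server",
        "ca ca.crt",
        "cert client.crt",
        "key client.key",
        "verb 3",
        "",
    ])


def instance_public_ip(description, instance_id):
    """Pull the public IPv4 for instance_id out of a describe_instances()
    response dict; None if the instance has not been assigned one yet."""
    for reservation in description.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("InstanceId") == instance_id:
                return inst.get("PublicIpAddress")
    return None


def vpn_session(instance_id=INSTANCE_ID):
    """Start the instance, run OpenVPN until it exits, then stop the instance.

    Stopping (not terminating) an EBS-backed instance keeps its root volume,
    so the server-side OpenVPN setup survives between coffee-shop visits.
    """
    import boto3  # imported here so the helpers above import without boto3
    ec2 = boto3.client("ec2")
    ec2.start_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_running").wait(InstanceIds=[instance_id])
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    ip = instance_public_ip(desc, instance_id)
    if ip is None:
        ec2.stop_instances(InstanceIds=[instance_id])
        raise RuntimeError("instance running but has no public IP")
    with open(CLIENT_CONFIG, "w") as f:
        f.write(render_client_config(ip))
    try:
        # Blocks until you Ctrl-C it; OpenVPN needs root to create the tun device.
        subprocess.run(["sudo", "openvpn", "--config", CLIENT_CONFIG])
    finally:
        ec2.stop_instances(InstanceIds=[instance_id])


if __name__ == "__main__":
    vpn_session()
```

Run it before connecting to anything sensitive and interrupt OpenVPN when you leave; the `finally` block stops the instance either way, so you pay for instance-hours only while the tunnel is up.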
The API-based management is what makes cloud providers really special.
Your AWS dashboard would be compromised if you waited until you were on the open wireless network to run the EC2 instance, but attackers would not be able to compromise the EC2 instance. Once the instance has been created you can't change the Key Pair. You also can only download the private key associated with the Key Pair once, which is right when you create it. But of course, an attacker could stop or terminate your instance if he gained access to your AWS dashboard.
Not true: the dashboard runs entirely on SSL - which is still encrypted on an open wifi network. Compromising SSL isn't out of the question though, but highly unlikely.
That is a great option for people who have a dd-wrt/tomato/etc. compatible wireless device.
The goal of the post was for folks who don't already have a solution set up and to get people familiar with EC2 now that it has a Free Tier and see some of the "not so obvious" things we can do with it.
You don't need to have dd-wrt. I've got a used corporate firewall (which also works as a router); it has built-in VPN and built-in support for updating DynDNS... I bought it for 80 dollars, not too far off from vanilla routers - I did have to pair it with an access point, so costs aren't completely comparable.
Ah, so easy! Only 28 steps filled with remote Linux shell commands, certificate creation, and downloaded software! I'm sure that's exactly what his wife wanted to hear when she asked how to avoid being Firesheeped.
Whatever happened to good old ssh -ND? Wouldn't that solve 90% of most casual hotspot users' problems? And I'd be wary suggesting even that one-liner to someone who isn't a techie, which I'm assuming his wife isn't since she asked the question.
ssh -D: socks proxy. only works with some apps. tunnels at the "data stream" level.
ssh vpn: tunnels all packets at the "network" level. bad because running TCP over TCP can have erratic performance. good because it covers all traffic.
openvpn: tunnels using UDP, so you don't have the TCP on TCP problems. it's just more work to set up than ssh vpn, but still probably easier than full blown ipsec.
I've never used OpenVPN (and am not a network expert), but my guess is that it shims into your network stack somehow, so it's transparent to any application? Maybe, it's just a guess. Otherwise, it doesn't seem to make much sense.
I'm running a low-tech setup like this with sshd on my home router and PuTTY on my laptop, acting as a SOCKS proxy, and there are several applications that don't know how to talk to a SOCKS proxy. Luckily FF knows how to.
It doesn't. It merely installs a virtual network adapter and then you get creative with the routing table to pass the traffic you want through that adapter.
I was wondering the same thing. The post went through all the steps to setup SSH VPN while SSH tunneling works pretty well and requires almost-zero config on the server…
OTOH I saw the value of using PPTP or L2TP-based VPN. It is supported on most systems by default. I set up one for iPhone because you cannot do SSH tunneling on it. On non-*nix systems there is usually no SSH installed by default. I opened my PPTP/L2TP VPN for friends running Windows.
It's also slightly easier to connect to PPTP/L2TP VPN with a single click on the menubar of OS X without installing any additional software.
Otherwise I stick with SSH tunneling with SOCKS proxy.
Could someone explain the benefits of SSH VPN please?
SideStep basically automates ssh -D for you and sets up a local SOCKS proxy. However SOCKS proxies (and thus the current version of Sidestep) can only protect TCP traffic that supports SOCKS proxies. For example, you can't tunnel your DNS requests over a proxy (without tinkering with Firefox's about:config).
Also, since ssh -D is not a true VPN tunnel, your machine is exposed to the hostile network (if you don't have a firewall).
If you want complete privacy where ALL of your IP traffic is tunneled out, OpenVPN (or other tunneling layer 3 solution) is the way to go.
Thanks for the explanation! There are a few things I don't understand fully, could you please talk a bit more?
“since ssh -D is not a true VPN tunnel, your machine is exposed to the hostile network (if you don't have a firewall).”
I believe on OS X the SOCKS proxy is applied globally, unlike Windows where you have to do per-application settings. So aside from DNS queries, I guess other TCP connections should go through SOCKS? That should cover the major problem of FireSheep.
Also, since on Windows/OS X/iOS there is no default OpenVPN clients, I use PPTP/L2TP/IPSec-based VPN instead because they are available by default. Is there any advantage of OpenVPN over them?
For the purpose of defeating FireSheep, ssh -D works just fine.
OpenVPN in the configuration of the blog post utilizes 443/tcp, which is open at most places, while the ports required for PPTP/L2TP/IPSec could be closed.
Worse than just "ports" AFAIK: last I checked PPTP required use of either GRE or its own protocol (I can't remember which)--so not TCP nor UDP, and thus more likely to be blocked or simply NATed incorrectly. I don't recall how L2TP works, but I bet it uses a different IP protocol as well. I'm not sure if it's common to use L2TP unless it's tunneled in IPsec these days. IPsec can run over UDP if configured correctly. (I always encountered the UDP transport in the context of NAT-T which has/had its own set of problems. For example, it used to be the case that many IPsec "servers" had a problem with more than a single NAT-T client behind the same NAT. Not sure if that's still the case as this stuff is no longer my job, thankfully.)
Better choice than a lot of the VPN services out there. The free services should be presumed to have some sort of ulterior motive to get a look at your traffic (including, potentially, much more nefarious ones than a firesheep user). Even premium services should be considered carefully; you have little way of knowing what amount of tracking or inspection of your packets is going on - and such concentrators make an excellent target for hackers.
Yeah, obviously AWS has access to your traffic and host data if they choose to inspect it, but I wasn't trying to suggest it was a perfect secrecy situation (nor that that's needed). I'm inclined to trust amzn here over most providers, they have a bigger reputation to protect than most VPN hosts, and their scale and focus makes provider level intrusion or consumer focused tracking less likely.
Just curious, if you already have decent hosting couldn't you just implement this by installing openvpn on your existing virtual machine (or whatever)? Is there anything which specifically requires EC2?
Also, the -f flag will cause it to fail if you don't have passwordless auth set up. If you don't have it set to use private/public key pairs, just tunnel like so:
this sounds like a pretty viable business idea, actually. in the past, i've looked for a simple VPN service provider to help secure non-techie friends' laptop work at a starbucks or whatever. couldn't find anything decent. seems like people might be willing to pay some $ for this if it were turned into something commercialized.
SparkLabs also has a sweet/simple OpenVPN client for OS X that I use and will be coming out with a server sometime in the near future that should make setup a lot easier.
Depends on usage. I bought $5 or $10 worth of GB traffic a few years ago and I have most of it still left to be used. Even just 1gb is plenty for the occasional browsing at starbucks or at the airport.
With default Ubuntu configuration you just have to enable/install OpenVPN server (1) (server), generate one user certificate (2) (server) and configure NetworkManager profile (3) (client).
All the other steps are just intro to using Linux and/or Amazon EC2 infrastructure or such technicalities as copying files or (unnecessary) configuring time zone.
Apologies in advance for being off-topic, but am I the only one who hates people hunched over their laptops while hogging starbucks' chairs for hours? I work in a downtown location and it's impossible to have your coffee at starbucks as there is no place to sit. I really wish Starbucks could charge for seating ;-)
I just found out a few weeks ago that my ISP, Sonic.net, offers an IPsec VPN endpoint to all of its customers, with no additional fees. I highly recommend them if you're in the SF Bay Area.
Note that while their help page suggests that you use the Cisco client software to connect to their VPN endpoint, the service works just fine with Mac OS X's built-in Cisco IPsec client, as well as with the IPsec client in iOS. Dunno about other platforms, but Sonic.net provides the Cisco client for Windows and GNU/Linux, at least.
To anyone who desires this level of security but doesn't want to have to go through the trouble of a VPN, using SSH tunnels works just as effectively.
Assuming you have access to a remote Linux/BSD box, you can (from Linux) `ssh -D 1025 remote.host.address` then proxy your browser's SOCKS proxy to localhost:1025.
On Windows, using PuTTY, one can simply go into the Tunnel menu, hit the "Dynamic" radio button, type in 1025 and click "add" to achieve the same effect.
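The `ssh -D` setup above, and the earlier point that a SOCKS proxy only covers applications that speak SOCKS and leaks DNS unless the browser hands the hostname to the proxy, both come down to the shape of the SOCKS5 CONNECT request (RFC 1928). The following is an added example, not code from the thread: it builds and parses the request an application sends to the local `ssh -D` listener and models the client both ways, resolving locally (the DNS leak) versus sending the name through the tunnel (what Firefox's `network.proxy.socks_remote_dns` does). It runs offline; the resolver is a constructed stand-in.

```python
"""SOCKS5 (RFC 1928) CONNECT requests as an `ssh -D` listener sees them.

Added example.  The request carries either an IP address (ATYP 1/4) or a
hostname (ATYP 3).  With ATYP 3 the SSH server resolves the name at the far
end of the tunnel; with ATYP 1 the client has already done a DNS lookup on
the hotspot, in the clear, before the proxied connection even starts.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def greeting_no_auth():
    """Method-selection message offering only 'no authentication' (0x00),
    which is what an ssh -D listener accepts."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def connect_request(host, port):
    """Build a CONNECT request.  A literal IP is sent as ATYP 1/4; anything
    else is sent as a hostname (ATYP 3) for the proxy side to resolve."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Decode a CONNECT request the way the proxy does: (atyp, host, port)."""
    ver, cmd, rsv, atyp = data[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT or rsv != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("malformed request length")
    return atyp, host, struct.unpack("!H", rest)[0]


def client_request(host, port, remote_dns, resolver):
    """Model a SOCKS-aware application.  Returns (request_bytes, leaked_names).

    remote_dns=False is the default for many clients: the name is resolved
    locally first, so the lookup is visible on the open wifi even though the
    TCP stream itself goes through the tunnel.  `resolver` stands in for the
    system resolver so this runs offline (constructed, not a real lookup).
    """
    leaked = []
    target = host
    if not remote_dns:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            leaked.append(host)          # this query crosses the hotspot in the clear
            target = resolver(host)
    return connect_request(target, port), leaked


if __name__ == "__main__":
    fake_resolver = lambda name: "203.0.113.5"   # constructed answer
    for remote in (False, True):
        req, leaks = client_request("example.com", 443, remote, fake_resolver)
        print(f"remote_dns={remote}: proxy sees {parse_connect_request(req)}, "
              f"leaked lookups: {leaks}")
```

Anything that does not speak this protocol (most mail clients, chat clients, the OS's own DNS resolver) is simply not in the picture, which is the gap the thread's OpenVPN route closes by moving every packet, not just SOCKS-aware TCP streams, into the tunnel.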
This looks like a great way to get started with EC2, VPN or no. I've been thinking about it, but one thing still puzzles me. You choose an AMI, but does Amazon effectively create an EBS instance for you and populate it with a copy of the AMI?
I don't see any mention of an EBS instance being created, so I'm not quite sure how you can write to the filesystem at all. I'm sure I'm missing something here, but I'm not quite sure what. Thoughts?
You can just run the instance as normal. It has a root filesystem, you can write to it etc. However if you stop the instance, then all your changes are lost. The EBS is only needed if you actually need disk space.
You can replace the install of openvpn with openswan to provide a strong tunnel that's compatible with iOS. There should be prebuilt packages for ubuntu.
I keep a server up-n-running 24/7 anyway, doing lots of things (file server, UPnP, the whole nine yards), it's on cable Internet with a dynamic DNS. So I installed OpenVPN on it and all my laptops automatically connect to it when they boot up. The server also runs a proxy.
So I've a secure proxy available any time, from anywhere.
How's your latency? An advantage of connecting to an EC2 instance seems to be that you're getting your traffic onto the backbone without eating a "last mile" roundtrip to your house.
EC2 scenario:
coffee shop -> backbone -> EC2 -> backbone -> remote site (probably hosted somewhere close to your EC2 instance, especially if a CDN is in use)
Home scenario:
coffee shop -> backbone -> cable provider -> home -> cable provider -> backbone -> remote server
Good timing - I just had this thought "in the shower" a day or two ago. I wouldn't utilize a VPN enough to make some of the more traditional providers cost-effective, so something along these lines is probably Just Right.