VPN service for an anonymous or untraceable internet presence

I recently considered the use a paid VPN service to connect myself to the internet. Why? The internet is a whole other world out there, and you just don’t know how much privacy you lose with all the connections you make on your computer. I see myself and the average user at a disadvantage when it comes to privacy because we aren’t savvy enough to know the underlying workings of the internet. The transmission of data packets from one device to another gives rise to the opportunity for a knowledgeable person (not me, of course ;) to decipher private information in that transmission. I’m not even referring to people stealing my password. It’s just scary to know people can find out what sites you’ve visited, what services you use, etc. Your privacy can be compromised without you even knowing it. People can figure out your daily habits and make judgment on the kind of person you are. This is quite scary. For example, your internet service provider (ISP) knows exactly what files (unencrypted) you are transporting on the internet: the source, the destination, the timing, duration, frequency, etc. However, if your connection between two devices are encrypted, for example, using SSL, then all the ISP (and other snoopers) see is a stream of data that have no idea what it is without the proper key.

When connected to a VPN, all the connections made between you and the internet is channeled through the VPN server. Thus, your footprint on the internet is that VPN server. What your ISP would see is a bunch of encrypted data that is passed from the VPN server and to your computer. I feel my personal freedom (privacy) is more guarded using such a service.

This site offers some reviews for the major services available. I ultimately tried HideMyAss due to their pricing (their yearly price ends up being like $6.55/month), the number of servers and ip addresses available, the location of these servers (30+ countries), the use of OpenVPN, their non-censoriship of connections (e.g., torrent), and the data they collect (the time you log on and the time you log off).

My original plan was to set the certificates and credentials working with an OpenVPN client on my Asus RT-N16 router running Tomato firmware. However, before getting there, I tried the service on my Ubuntu laptop using the OpenVPN and the provided scripts. I have to say, I was disappointed in the difference in speed. Without the VPN service, I download at 2+ Mbps. With it, I was downloading at 1.3 Mbps. I understand that speed loss is inevitable due to the encryption and data outing through one more server before it reaches my computer, but I was expecting 1.9 Mbps. I tried a few other servers but the speed didn’t improve. As a statistician, I should try it many, many more times. However, I didn’t have the time for it, and besides, I will only commit to the service if I get consistent speed that’s near my official bandwidth, and this obviously wasn’t the case. HideMyAss’s customer service suggested I use their “Speed Guide” functionality in their software to select the fastest server for me, but it wasn’t available for Linux. Moreover, if I were to want use the VPN service on my router, I would want to stick with a single server and forget about it, not “shop” around for the right server each time it got slow to get the best speed. Now if somehow the server selection was automatic or that they limit only a certain number of users per server to give the best speed to the users, then I think I would like the service more.

Not only did I want consistent speed, I also wanted no abrupt in service since I would run it on my router where all my internet-enabled devices depend on for the internet. I use VoIP for phone service, and I do not want to have an abrupt phone service due to the VPN service having issues. HideMyAss claims to have a 99.8% uptime rate. I assume this is really good because Google claims to have a 99.9% uptime rate.

I ultimately cancelled HideMyAss and got a refund. However, I’m still on the lookout for THE vpn service that has all the features of HideMyAss, but with negligible difference in speed. I’m sure as time goes by internet speed will only get faster, and maybe by then I wouldn’t mind not downloading at 3 Mbps if I can download at 2.5 Mbps and retain privacy.

If you have any suggestions for me, do let me know!

For now, I just have to stick with SSL-enabled sites for the exchange of private information (email, newsgroup, etc.). For the exchange of important data, I always use ssh anyways.

UPDATE: wanted to share this recent article on Lifehacker, and this useful comparison of vpn speed test that’s done periodically. I guess HideMyAss is the fastest out there, and what the speed I was observing is typical of the encryption overhead.

Be on my home network when I’m away from home via OpenVPN

In my previous employments, I remember co-workers having to use VPN when they work from home. They can access everything at the company as if they were physically on-site. I haven’t tried configuring it on my home network since if I ever needed anything, I ssh’d into my home NAS, and grabbed stuff from there. I guess VPN can be useful in that everything I do on the remote machine will seem like I’m at home, meaning all my mounted access to different directories on the NAS, access to the router, etc, are available while I’m away.

Been wanting to play around with VPN for a while since I know both DD-WRT and Tomato routers has OpenVPN bundled in them.

Instructions are clearly documented at the USB Tomato wiki (look here to get the easy rsa files in newer versions (14.04) of Ubuntu). Note that when pasting stuff into the web browser, include the BEGIN and END lines. Also note that in order to generate the files, you have to do so as root; sudo doesn’t cut it. On Ubuntu, do sudo -i to imitate su.

Keep the generated files in a safe place. The files that I keep on my laptop (client) to VPN into my home network are ca.crt, Client1.crt, and Client1.key. Then create this Client1 file:

# ______ __
# /_ __/___ ____ ___ ____ _/ /_____
# / / / __ / __ `__ / __ `/ __/ __ 
# / / / /_/ / / / / / / /_/ / /_/ /_/ /
# /_/ ____/_/ /_/ /_/__,_/__/____/
# admin@domain.com
# The hostname/IP and port of the server. You can have multiple remote entries to load balance between the servers.
remote server.dyndns.org 1194
# Specify that we are a client and that we will be pulling certain config file directives from the server.
ns-cert-type server
# On most systems, the VPN will not function unless you partially or fully disable the firewall for the TUN/TAP interface.
dev tun21
# Are we connecting to a TCP or UDP server?
proto udp
# Keep trying indefinitely to resolve the host name of the OpenVPN server. Useful for machines which are not permanently connected to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to a specific local port number.
# The persist options will try to avoid accessing certain resources on restart that may no longer be accessible because of the privilege downgrade.
# SSL/TLS parms.
ca ca.crt
cert Client1.crt
key Client1.key
# Enable compression on the VPN link.
# Silence repeating messages
;verb 3
# Silence repeating messages
mute 20

When I need to VPN, just do

sudo openvpn Client1 ## do this in directory where the 3 files are stored

Thank you open source community!

Update (12/14/2010): Password-protect OpenVPN

I wanted to add a password feature to my VPN since I’m afraid someone might get access to my key files. I asked how to do so on the Tomato forum, and was referred to this post. It is quite easy to implement. 10/25/2014: Did more research to see if it’s better to implement a passphrase for the key instead of what I implemented before, but this post confirms that the auth-user-pass-verify method is indeed the recommended way to implement authentication.

In the tomato web config, add the following:

init script (under Administration):

echo '#!/bin/sh
test "$user1" = "${username}" && test "$pass1" = "${password}" && exit 0
exit 1' > /tmp/quickAuth.sh
chmod 755 /tmp/quickAuth.sh

Restart the router or, better yet, execute the above code on the “System” page under “Tools”.

Under the “Advanced” tab on the VPN Server page, enter the following under “Custom Configuration”:

script-security 3
auth-user-pass-verify /tmp/quickAuth.sh via-env

Now, on my Client1 file above, add the line auth-user-pass somewhere (I placed it after comp-lzo).

Now when I vpn to the network, I have to enter a username and password. This is awesome.

UPDATE 1/1/2011: Issue with PeerGuardian/MoBlock

I have issues connecting to a computer on the local network through OpenVPN. See this post for more details. To connect to it, just turn off PeerGuardian (sudo pglcmd stop).

UPDATE 10/6/2011: Channel all internet traffic through VPN

The above method allows me to access computers on my home network. To direct all internet traffic from my current device to the VPN network (so that the IP the world would see is the VPN’s network), check the Direct clients to redirect Internet traffic checkbox in the Advanced Tab when setting up VPN in Tomato (according to this post). That way, I can use the internet securely when on a public network. I will only turn this feature on when I truly need it.

Unfortunately, there DNS names doesn’t resolve (only IP addresses will work). I seeked help here obtained a solution there and here. To fix the DNS issue, I added the following three lines to the end of the config we created earlier:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

and added

push "dhcp-option DNS"

to the “custom configuration” field under the “Advance” tab of the VPN server page on Tomato. The latter just says to use Google’s DNS server.

UPDATE 10/25/2014: Use on Android

I can VPN on Android via the OpenVPN app. It should work after I copy all my files (Client1.ovpn, Client1.key, Client1.crt, and ca.crt) into a single directory on Android, and import Client1.ovpn in the app. However, I don’t want to leave my keys on my phone like that for security reasons, so the Help file in the OpenVPN app suggests creating a pkcs12 file and adding that to the Android keychain. To do so, first remove the 3 lines referencing in Client1.key, Client1.crt, and ca.crt in Client1.ovpn file. Import this ovpn file instead. On Linux, do

openssl pkcs12 -export -in Client1.crt -inkey Client1.key -certfile ca.crt -out Client1.p12

to generate Client1.p12. Enter an extracting password (will be asked when importing into Android keychain). Transfer to phone and import it via the OpenVPN app (so only Client1.ovpn and Client1.p12 files needed); enter the extracting password. Now one should be able to connect to the VPN after entering the username and password from the auth-user-pass-verify method. This is cool!