User Tools

Site Tools


virtual_private_networks

Virtual private networks

A virtual private network or “VPN” is a (usually secure) means of routing your traffic from your computer or phone to another computer.

Bear in mind that, like anything, VPNs are not unhackable. (e.g. "Infiltrating Corporate Intranet Like NSA".)

Key points:

Work out why you want to use a VPN

Why you want to use a VPN will help you pick a solution which fits your needs.

To hide your traffic from the local network operator

Use a VPN whenever you connect to an untrusted network (which probably means “always use a VPN”

The objective is to prevent or at least minimise surveillance of your online activity by the operator the network to which you are connecting.

This is important if you are communicating with sites or services which does not force https or another suitable encrypted connection (especially so, if you send login details over that insecure connection) or if they are using outdated, broken security.

To access your firm's systems remotely

The objective is to log into your firm's systems securely, so that you do not need to expose those systems directly to the Internet.

To apply controls to your traffic

If, for example, you do network-level ad blocking on your office's network, or implement malware-scanning, you could push all your mobile phone data traffic through a VPN, and through the same blocking system, to also protect you when out and about.

To avoid restrictions on the local network

If, for example, the network you are using blocks access to websites which you need to visit, connecting to an endpoint which does not block access would circumvent the block.

Some networks block (or attempt to block) VPN traffic. If you are using a public Wi-Fi hotspot that blocks VPN traffic, find another hotspot — if they do not want you to be sure online, you might reasonably wonder why.

To avoid restrictions imposed by the site/service you are trying to visit

If, for example, the site or service you are trying to use has implemented geo-blocking, so that you can only visit if you are in certain countries, and you are not in one of those countries, you could use a VPN to route your traffic through one of the countries which is permitted, and so gain access.

Consider an "always-on" or "on-demand" VPN which connects automatically

If you want to ensure that your traffic always goes over a VPN, configure either an “always-on” on “on-demand” VPN.

You might prefer an “on-demand” VPN, set so that it always starts when you are on any network other than ones you've specified. This might be preferable to an “always-on” VPN which connects to the VPN even if you are on a network you trust.

In addition to it being “always-on” or “on-demand”, you may also want to mandate the VPN connection, so that you and your users cannot disable it.

Always-on / on-demand VPNs may not work well with public Wi-Fi

If you are connecting to public Wi-Fi which requires you to put in some details, it may not work if you use an always-on or on-demand VPN.

If someone gets access to your device, they can connect to your network

If you use an always-on or on-demand VPN, someone who gets access to your unlocked device automatically gets connected to whatever network is at the end of your VPN — for example, your firm's network.

Running your own VPN server

If you do not want to trust a third party VPN service, you will need to run your own.

Some routers come with an integrated VPN server. For example, the fully-loaded version of the FireBrick 2900 has an integrated IPSec VPN service, which works well with the inbuilt macOS and iOS VPN clients. Other routers may offer integrated VPN servers too, often using OpenVPN.

An advantage of using an “all-in-one” solution is that it means you do not need to run and maintain a separate server. By the same token, you need a powerful enough router to cope with the additional load.

Alternatively, you can run your own server, and install a VPN service using Algo.

If you do run your own VPN server, you will need to ensure that you have it correctly configured, to prevent unauthorised use or network access, and that you are running up to date software, to mitigate newly-discovered bugs and security vulnerabilities. Using a VPN server which no longer receives security patches, or gets them only very slowly, is a very bad idea.

Test your VPN before you rely on it

As with any major configuration change, test it before you rely on it.

Ideally, you would test that the traffic going across the VPN connection is encrypted. However, unless you are knowledgeable enough to use WireShark, or have someone to hand who can do so, that's going to be difficult.

If nothing else, visit an IP address checker before you connect to the VPN, and then again afterwards: you should see a different IP address.

If you do not have a preferred IP address checker, you can use ipv4.neilzone.co.uk.

If you know you have an IPv6 address, either on the local network or else because of your VPN, or you want to see if you do, you can use ipv6.neilzone.co.uk to check it. If this page does not load, it means you do not have an IPv6 address.

(Neither of these sites log connection requests.)

Check your VPN is not leaking

Ensure that all the traffic you intend to go over the VPN is actually going over the VPN.

In particular, make sure that your DNS traffic is going over the VPN if that is what you want. You can use DNS Leak Test to check.

Test too what happens if your VPN connection drops — does your traffic fall back onto the local network, or is it blocked by your computer until the VPN re-connects.

Third party VPN providers: someone else to trust

A VPN shifts where your traffic routes. If you want to connect to the Internet, someone still manages the point at which your traffic leaves the VPN and goes onto the Internet.

You may not want to terminate a VPN on your office network, but want to use a third party instead.

If you use a third party VPN service, all you are doing is changing who you trust: your trust moves from the provider of the local network (such as the coffee shop you are in) to the operator of the third party VPN service.

It's very easy to set up a VPN service, and it's very easy to make fake promises on a website, so do your due diligence correctly, if you are concerned about the third party VPN operator seeing, logging, or interfering with, your traffic.

There is what appears to be a substantial review of third party VPN services on The Wirecutter.

Consider Tor as an alternative

If you just want to hide your browsing from the operator of the local network, consider Tor instead of a VPN.

Detailed guidance from the National Cyber Security Centre

virtual_private_networks.txt · Last modified: 2019/09/05 12:24 by neil