virtual_private_networks

Differences

This shows you the differences between two versions of the page.

virtual_private_networks [2019/08/09 11:07] – neilvirtual_private_networks [2021/07/06 09:26] (current) – external edit 127.0.0.1
Line 2: Line 2:
  
 A virtual private network or "VPN" is a (usually secure) means of routing your traffic from your computer or phone to another computer. A virtual private network or "VPN" is a (usually secure) means of routing your traffic from your computer or phone to another computer.
 +
 +Bear in mind that, like anything, VPNs are not unhackable. (e.g. [[https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf|"Infiltrating Corporate Intranet Like NSA"]].)
  
 ====Key points: ==== ====Key points: ====
-  * [[Work out why you want to use a VPN|Work out why you want to use a VPN]] +  * [[virtual_private_networks#Work out why you want to use a VPN|Work out why you want to use a VPN]] 
-    * [[To hide your traffic from the local network operator|To hide your traffic from the local network operator]] +    * [[virtual_private_networks#To hide your traffic from the local network operator|To hide your traffic from the local network operator]] 
-    * [[To access your firm's systems remotely|To access your firm's systems remotely]] +    * [[virtual_private_networks#To access your firm's systems remotely|To access your firm's systems remotely]] 
-    * [[To apply controls to your traffic|To apply controls to your traffic]] +    * [[virtual_private_networks#To apply controls to your traffic|To apply controls to your traffic]] 
-    * [[To avoid restrictions on the local network|To avoid restrictions on the local network]] +    * [[virtual_private_networks#To avoid restrictions on the local network|To avoid restrictions on the local network]] 
-    * [[To avoid restrictions imposed by the site/service you are trying to visit|To avoid restrictions imposed by the site/service you are trying to visit]] +    * [[virtual_private_networks#To avoid restrictions imposed by the site/service you are trying to visit|To avoid restrictions imposed by the site/service you are trying to visit]] 
-  * [[Consider an "always-on" or "on-demand" VPN which connects automatically|Consider an "always-on" or "on-demand" VPN which connects automatically]] +  * [[virtual_private_networks#Consider an "always-on" or "on-demand" VPN which connects automatically|Consider an "always-on" or "on-demand" VPN which connects automatically]] 
-    * [[Always-on / on-demand VPNs may not work well with public Wi-Fi|Always-on / on-demand VPNs may not work well with public Wi-Fi]] +    * [[virtual_private_networks#Always-on / on-demand VPNs may not work well with public Wi-Fi|Always-on / on-demand VPNs may not work well with public Wi-Fi]] 
-    * [[If someone gets access to your device, they can connect to your network|If someone gets access to your device, they can connect to your network]] +    * [[virtual_private_networks#If someone gets access to your device, they can connect to your network|If someone gets access to your device, they can connect to your network]] 
-  * [[Test your VPN before you rely on it|Test your VPN before you rely on it]] +  * [[virtual_private_networks#Running your own VPN server|Running your own VPN server]] 
-  * [[Check your VPN is not leaking|Check your VPN is not leaking]] +  * [[virtual_private_networks#Test your VPN before you rely on it|Test your VPN before you rely on it]] 
-  * [[Third party VPN providers: someone else to trust |Third party VPN providers: someone else to trust ]] +  * [[virtual_private_networks#Check your VPN is not leaking|Check your VPN is not leaking]] 
-  * [[Consider Tor as an alternative|Consider Tor as an alternative]] +  * [[virtual_private_networks#Third party VPN providers: someone else to trust |Third party VPN providers: someone else to trust ]] 
-  * [[Detailed guidance from the National Cyber Security Centre|Detailed guidance from the National Cyber Security Centre]]+  * [[virtual_private_networks#Consider Tor as an alternative|Consider Tor as an alternative]] 
 +  * [[virtual_private_networks#Detailed guidance from the National Cyber Security Centre|Detailed guidance from the National Cyber Security Centre]]
  
 ====Work out why you want to use a VPN==== ====Work out why you want to use a VPN====
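Review bot: the re-pointed key-point links use the literal heading text as the section anchor, including the spaces, the quotes in "always-on" and the trailing space in `Third party VPN providers: someone else to trust `, while the link added later in this same revision, `[[securing_your_devices#install_software_updates_promptly|...]]`, uses the lowercased, underscore-separated form. Use one form throughout; the normalized form avoids the trailing-space anchor and removes any doubt about how the quoted words resolve. The new "Running your own VPN server" entry is correctly placed before "Test your VPN before you rely on it" to match the section order below.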
Line 42: Line 45:
  
 If, for example, the network you are using blocks access to websites which you need to visit, connecting to an endpoint which does not block access would circumvent the block. If, for example, the network you are using blocks access to websites which you need to visit, connecting to an endpoint which does not block access would circumvent the block.
 +
 +Some networks block (or attempt to block) VPN traffic. If you are using a public Wi-Fi hotspot that blocks VPN traffic, find another hotspot — if they do not want you to be sure online, you might reasonably wonder why.
  
 ===To avoid restrictions imposed by the site/service you are trying to visit=== ===To avoid restrictions imposed by the site/service you are trying to visit===
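Review bot: "if they do not want you to be sure online" in the added paragraph reads as a typo for "secure online". The sentence also implies that a hotspot blocking VPN traffic is doing so deliberately; since the paragraph itself allows for networks that merely "attempt to block", consider wording it so the reader is told to move on regardless of the operator's motive.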
Line 63: Line 68:
  
 If you use an always-on or on-demand VPN, someone who gets access to your unlocked device automatically gets connected to whatever network is at the end of your VPN — for example, your firm's network. If you use an always-on or on-demand VPN, someone who gets access to your unlocked device automatically gets connected to whatever network is at the end of your VPN — for example, your firm's network.
 +
 +====Running your own VPN server====
 +
 +If you do not want to [[#Third party VPN providers: someone else to trust|trust a third party VPN service]], you will need to run your own.
 +
 +Some routers come with an integrated VPN server. For example, the fully-loaded version of the [[https://www.firebrick.co.uk/fb2900/|FireBrick 2900]] has an integrated IPSec VPN service, which works well with the inbuilt macOS and iOS VPN clients. Other routers may offer integrated VPN servers too, often using OpenVPN. 
 +
 +An advantage of using an "all-in-one" solution is that it means you do not need to run and maintain a separate server. By the same token, you need a powerful enough router to cope with the additional load.
 +
 +Alternatively, you can run your own server, and install a VPN service using [[https://github.com/trailofbits/algo|Algo]].
 +
 +If you do run your own VPN server, you will need to ensure that you have it correctly configured, to prevent unauthorised use or network access, and that you are [[securing_your_devices#install_software_updates_promptly|running up to date software]], to mitigate newly-discovered bugs and security vulnerabilities. Using a VPN server which no longer receives security patches, or gets them only very slowly, is a very bad idea.
  
 ====Test your VPN before you rely on it==== ====Test your VPN before you rely on it====
  
 As with any major configuration change, test it before you rely on it. As with any major configuration change, test it before you rely on it.
 +
 +Ideally, you would test that the traffic going across the VPN connection is encrypted. However, unless you are knowledgeable enough to use WireShark, or have someone to hand who can do so, that's going to be difficult.
 +
 +If nothing else, visit an IP address checker before you connect to the VPN, and then again afterwards: you should see a different IP address.
 +
 +If you do not have a preferred IP address checker, you can use [[https://ipv4.neilzone.co.uk|ipv4.neilzone.co.uk]].
 +
 +If you know you have an [[https://en.wikipedia.org/wiki/IPv6|IPv6 address]], either on the local network or else because of your VPN, or you want to see if you do, you can use [[https://ipv6.neilzone.co.uk|ipv6.neilzone.co.uk]] to check it. If this page does not load, it means you do not have an IPv6 address.
 +
 +(Neither of these sites log connection requests.)
  
  
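Review bot: "If this page does not load, it means you do not have an IPv6 address" is stronger than the check supports: the page can also fail to load because the site is unreachable, name resolution fails or something in between drops the connection, so "it most likely means" would be accurate. The IPv4 check has a similar limit that is worth stating next to it: a changed address shows your traffic now leaves from a different point, not that the tunnel is encrypted, which is the point the Wireshark sentence concedes. In the "Running your own VPN server" section, "correctly configured, to prevent unauthorised use or network access" would be more useful if it named what that covers (who can authenticate, and what they can reach once connected) rather than leaving it to the reader. Spelling: "Wireshark", not "WireShark", and "IPsec", not "IPSec". The self-link `[[#Third party VPN providers: someone else to trust|...]]` drops the trailing space that the key-points anchor keeps; make the two agree.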
Line 77: Line 104:
 Test too what happens if your VPN connection drops — does your traffic fall back onto the local network, or is it blocked by your computer until the VPN re-connects. Test too what happens if your VPN connection drops — does your traffic fall back onto the local network, or is it blocked by your computer until the VPN re-connects.
  
-====Third party VPN providers: someone else to trust ===+====Third party VPN providers: someone else to trust ====
  
 A VPN shifts where your traffic routes. If you want to connect to the Internet, someone still manages the point at which your traffic leaves the VPN and goes onto the Internet. A VPN shifts where your traffic routes. If you want to connect to the Internet, someone still manages the point at which your traffic leaves the VPN and goes onto the Internet.
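Review bot: changing the closing marker from === to ==== is right, since the opening marker already had four, but the heading still has a space before the closing ==== ("trust ===="), which is presumably why the key-points anchor for this section carries a trailing space; trim it here so the heading and anchor are both clean.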
Line 86: Line 113:
  
 It's very easy to set up a VPN service, and it's very easy to make fake promises on a website, so do your due diligence correctly, if you are concerned about the third party VPN operator seeing, logging, or interfering with, your traffic. It's very easy to set up a VPN service, and it's very easy to make fake promises on a website, so do your due diligence correctly, if you are concerned about the third party VPN operator seeing, logging, or interfering with, your traffic.
 +
 +There is what appears to be a substantial review of third party VPN services on [[https://thewirecutter.com/reviews/best-vpn-service/|The Wirecutter]].
  
  
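Review bot: "what appears to be a substantial review" hedges without saying why; either state what the review covers (for instance whether it addresses the logging and interference concerns raised in the paragraph above) or drop the qualifier. As written the sentence can read as a substitute for the due-diligence step it follows, so it is worth tying it to that step explicitly rather than leaving it as a bare link.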
Line 95: Line 124:
 ====Detailed guidance from the National Cyber Security Centre ==== ====Detailed guidance from the National Cyber Security Centre ====
 [[https://www.ncsc.gov.uk/collection/end-user-device-security/eud-overview/vpns|NCSC VPN guidance]] [[https://www.ncsc.gov.uk/collection/end-user-device-security/eud-overview/vpns|NCSC VPN guidance]]
- 
virtual_private_networks.1565348836.txt.gz · Last modified: 2021/07/06 09:26 (external edit)