The why and how of personal VPNs

Virtual private networks, or VPNs, are used by lots of companies, big and small, to connect offices to other offices around the world and to allow people to connect from remote locations into their corporate networks for a variety of reasons - usually having something to do with productivity. But a VPN isn't just for corporate connectivity. VPNs are used by individuals around the world to securely access resources at their homes and to enhance the security of their online activities.

What's the point (-to-point)?

The way I see it, there are two major reasons to have a VPN connection to your home. The first and rather straightforward one is resource access. If you have computers or servers or printers at home that you need to access remotely, VPNs let you do that. Now, if you only have a single computer at home that you might want to connect to, it's probably easier just to set up something like GoToMyPC or LogMeIn. But if you have other resources, or if you're a little paranoid and don't want to install proprietary always-on software, then a VPN might work better.

The second, and arguably more important, reason to use a VPN is secure Internet access. Although it's not always obvious, there are many people who use the Internet insecurely without realizing it. This is usually a problem with Web browsing specifically, and especially when it's done in a public place. If you've ever accessed a public Wi-Fi hotspot, you've likely accessed some part of the Internet insecurely.

Public Wi-Fi is bad?

Public Wi-Fi hotspots that are available from your favorite coffee joint, or your hotel room, or the airport aren't bad per se. The problem is, they're not very secure. In fact, there's a hint to that effect in their very name: public. A lot of the activity you do while on a public hotspot is going to be public itself, even if nobody can see your laptop screen. If you browse to any website that isn't served over HTTPS, that entire information exchange is completely out in the open. There are free tools out there that make it extraordinarily easy to see what people nearby are sending and receiving over their wireless connections.

And then, of course, there's malicious alteration of data. Depending on a number of factors, it's possible for someone to modify your Internet requests and responses in real time as you're browsing online. Using tools like sslstrip, it's often easy to trick people into thinking they're on a secure website, when in fact the security was "stripped" from it. Yes, this applies to banking.

Even if you don't bank in coffee shops, simply going to entertainment websites can be dangerous. People can modify the websites' contents to send you malware and infect your computer. This isn't science fiction; it's actually pretty easy to do when you have the right tools - most of which are, again, free.

VPN to save the day

Using a properly configured personal VPN, all your Internet traffic that might otherwise be susceptible to monitoring or unauthorized modification becomes (reasonably) secure once again. That's because all that traffic gets encrypted and sent through your home's Internet connection. Let me explain this another way, using state-of-the-art ASCII drawings.

Here is what your Internet traffic looks like normally on a public Wi-Fi hotspot:

-------    P    -----------    P    -----------
| YOU |  <--->  | HOTSPOT |  <--->  | WEBSITE |
-------         -----------         -----------

The problem here is that the HOTSPOT section is, for the purposes of this example anyway, completely insecure. If somebody wants to tap into your communications there, they can do it, and you won't be able to stop them. You won't even know that they've done it, when it's done right. The P above the communication channels stands for "plaintext", or in other words, the normal way that WEBSITE communicates. If either your plaintext request or the website's plaintext response is modified in that hotspot section, you're in trouble, and you won't necessarily know it, either.

And here is what VPN traffic looks like in a similar setting:

-------    C    -----------    C    --------    P   -----------
| YOU |  <--->  | HOTSPOT |  <--->  | HOME |  <---> | WEBSITE |
-------         -----------         --------        -----------

The C above the communication channels between YOU, HOTSPOT, and HOME stands for "ciphertext". This is encrypted data, which generally nobody can understand when listening passively at the hotspot, and more importantly, nobody can modify without repercussions. Any unauthorized modification to the ciphertext at the hotspot will be detected and cause the receiver of this bad data (either YOU or HOME, depending on direction) to discard it. WEBSITE will still send and receive plaintext, as it's designed to do, but instead of communicating with the insecure HOTSPOT, it will communicate with HOME, which will in turn communicate with YOU via HOTSPOT in a secure manner using ciphertext.
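To make the "modified ciphertext gets discarded" behaviour concrete, here is an added example (not part of the original article, and not code from any VPN product). It assumes YOU and HOME already share two keys, and it uses a standard-library encrypt-then-MAC construction as a stand-in for the vetted ciphers a real VPN protocol uses; the request bytes and host name are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def _keystream(enc_key, nonce, length):
    """Stand-in stream cipher: HMAC-SHA256 used as a PRF in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, plaintext):
    """Encrypt, then authenticate: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_packet(enc_key, mac_key, packet):
    """Return the plaintext, or None if the packet fails authentication."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # modified in transit: the receiver discards it
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo():
    """Send one packet intact and one with a single bit changed at HOTSPOT."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # shared by YOU and HOME
    request = b"GET /account HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed
    packet = seal(enc_key, mac_key, request)
    tampered = bytearray(packet)
    tampered[20] ^= 0x01  # one ciphertext bit altered between YOU and HOME
    return (open_packet(enc_key, mac_key, packet),
            open_packet(enc_key, mac_key, bytes(tampered)))
```

The tag is checked before anything is decrypted, so HOME never acts on altered bytes; it simply drops the packet.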

I'm convinced. How do I get started?

It is important to know that there are many different VPN protocols, servers, and clients out there, and they all have their pros and cons, as well as their supported server and client operating systems. L2TP/IPsec can be considered an "enterprise" standard; it's secure, but often very difficult to set up on both the server and client side. OpenVPN is a popular open-source SSL/TLS-based VPN protocol, which is available cross-platform and sometimes even built into home routers. PPTP, though still widely available in modern higher-end routers, should be avoided as it is not secure. There is also SSTP, a modern SSL/TLS-based VPN protocol from Microsoft; it's not widely supported outside of Windows.

For personal use, my recommendation is to get a Raspberry Pi, or better yet, a Pi clone with gigabit Ethernet. Put your favorite Linux distro on it, and then install SoftEther.

The most versatile VPN server

From my research into various VPN solutions, SoftEther appears to be the most versatile. It's open source, available for Linux (not just x86) and Windows as both server and client, provides free dynamic DNS if your home Internet connection doesn't have a static IP, and it supports multiple VPN protocols!

If you have different devices you wish to use to connect to your personal VPN, this works out great. In addition to the built-in SoftEther VPN protocol, you can enable SSTP and OpenVPN - all on the same port, even. For Android and Linux, you can download OpenVPN client software and connect to your VPN through that. This should, in theory, work for Macs as well. For Windows, you could do that too, or you can make use of the built-in support for SSTP to establish a native VPN connection.

Do it now

Whether you want to browse the Web securely in public places, or you want to access resources in your home, or you just want to play around with VPN tunneling, now is a good time to start. There are, of course, potential gotchas and other issues, as with any sufficiently complex technology. For example, depending on your VPN configuration, only some traffic might go through it, leaving your Internet traffic insecure. There are lots of resources online explaining how all of this stuff works. Check them out. Have fun. Be more secure.
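One way to check for the "only some traffic goes through it" gotcha is to look at the routing table once the VPN is up. The following is an added example, not part of the original article: it parses Linux `ip route` output and reports which destinations would leave through something other than the tunnel. The interface names (tun0, wlan0), all addresses and both sample tables are constructed, and it assumes a single IPv4 routing table, ignoring metrics, policy routing, IPv6 and DNS.

```python
import ipaddress

# Constructed `ip route` output: VPN is up, but only the home LAN is routed through it.
SPLIT_TUNNEL = """\
default via 10.20.0.1 dev wlan0 proto dhcp metric 600
10.20.0.0/24 dev wlan0 proto kernel scope link src 10.20.0.57
192.168.1.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
"""

# Constructed: full tunnel in the OpenVPN style, where two /1 routes override
# the default route and a host route keeps the VPN server itself reachable.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 10.20.0.1 dev wlan0 proto dhcp metric 600
10.20.0.0/24 dev wlan0 proto kernel scope link src 10.20.0.57
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
203.0.113.10 via 10.20.0.1 dev wlan0
"""


def parse_routes(text):
    """Turn `ip route` lines into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def egress_interface(routes, destination):
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None


def leaking(routes, vpn_dev, destinations):
    """Destinations whose traffic would NOT leave through the VPN interface."""
    return [d for d in destinations if egress_interface(routes, d) != vpn_dev]
```

On your own machine, feed it the real output of `ip route` and a few addresses you care about; an empty result from `leaking` means those destinations are covered by the tunnel.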

 