I frequently find myself attached to some public wifi hotspot trying to get work done, and while I try to make most of my connections via secure methods (e.g., all my email takes place over encrypted connections), most of my web surfing takes place in cleartext. Occasionally, I’ll read some weblog post about the various hosted VPN services and think that I should just use one of them, but never really get around to it. This week, I finally bit the bullet… but rather than subscribing to one of the services, I just set up my own VPN server at home to use.

I have a Linux machine in my home network, and I flirted with the idea of installing OpenVPN on it and using that as my server, but due to a few weird complexities in where that machine sits on my network, that wasn’t the most appetizing idea to me. It was then that I wondered whether someone had built a VMware virtual appliance with OpenVPN support, and it turns out that PhoneHome was just the ticket I was looking for. On my home Windows 2003 Server box, I started that puppy up in VMware Player; it took about a half-hour’s worth of tweaking to get it set up just perfectly for me, and another half-hour to get my home firewall (well, really a Cisco router with a detailed set of access rules) set up to play nicely with the server. Now, I have an easy-to-run, easy-to-connect-to VPN server that allows me to have a secure connection no matter where I am, and that just rocks.

One of the things I was worried about was that the VPN would massively slow down my network connection; between the bottleneck of encrypting all the tunneled traffic and the bottleneck of my home internet connection, I was pretty sure I’d be less than impressed with the speed of an always-on VPN. Surprisingly, the connection is pretty damn fast, though — I appear to have the full speed of my home T1 available to me.

speed test over VPN

If anyone’s interested, I’m happy to share details of the changes I made to the PhoneHome VMware appliance, and any other info you might want.

Comments

I’m doing something a bit more clunky & brute-force: I’m using PuTTY to create an SSH proxy to my hosted webserver and telling Firefox to route through that. On the email side, I have my server set up for IMAP-SSL and SMTP AUTH with TLS.

Paranoid? Moi? Hah!

• Posted by: GreyDuck on Oct 9, 2008, 11:47 AM

Yeah, that’s what I always had done too — a simple SSH session (either to home or to my hosted webserver) with SOCKS proxy support enabled, and then reconfiguring my browser and/or OS to use that SOCKS proxy. But as you said, that was clunky — it required reconfiguration of Firefox and/or the OS every time I started the proxy up, and again when I shut the proxy down… and I found that I would occasionally use an app I thought used the OS-level proxy config but didn’t, meaning that all its traffic was in cleartext on the wifi network.

This solves all that, and easily.

• Posted by: Jason on Oct 9, 2008, 11:52 AM
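The failure mode Jason describes above (an app that ignores the OS proxy setting and talks to the network directly) can be spotted from the client side by listing established TCP connections whose peer is neither the SSH server nor loopback. The script below is an added example, not code from the post or its commenters; the SSH server address, the `--live` flag and the sample `ss` output are assumptions made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the post or its commenters): find connections that
# bypass an SSH SOCKS tunnel. With the tunnel up, every proxied connection
# shows up either as app -> 127.0.0.1:<socks port> or as ssh -> server:22;
# anything else went straight out on the wifi in the clear.
set -eu

# Assumed value: the public IP of the SSH server the tunnel runs to.
SSH_SERVER_IP="${SSH_SERVER_IP:-203.0.113.10}"

# Reads `ss -tn state established` output on stdin (header line included) and
# prints one "local -> peer" pair per connection that did not go via the tunnel.
leaking_connections() {
    local server_ip="$1"
    awk -v srv="$server_ip" '
        NR == 1 { next }                     # skip the column header
        {
            # columns: Recv-Q Send-Q Local:Port Peer:Port [Process]
            local_ep = $3; peer_ep = $4
            peer_ip = peer_ep
            sub(/:[0-9]+$/, "", peer_ip)     # strip the port, IPv6 stays bracketed
            if (peer_ip == srv) next         # the SSH session carrying the tunnel
            if (peer_ip == "127.0.0.1" || peer_ip == "[::1]") next   # app -> local SOCKS port
            print local_ep " -> " peer_ep
        }'
}

# Live check against the running system; exits non-zero when something leaks.
check_live() {
    local leaks
    leaks="$(ss -tn state established | leaking_connections "$SSH_SERVER_IP")"
    if [ -n "$leaks" ]; then
        printf 'Traffic bypassing the tunnel:\n%s\n' "$leaks"
        return 1
    fi
    echo "All established connections go via $SSH_SERVER_IP or loopback."
}

# Constructed sample, shaped like `ss -tn state established` output: the ssh
# session itself, a browser talking to the local SOCKS port, and one app that
# went directly to a web server on port 80.
SAMPLE_SS='Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      192.168.1.23:51234   203.0.113.10:22
0      0      127.0.0.1:51240      127.0.0.1:1080
0      0      192.168.1.23:51302   198.51.100.7:80'

if [ "${1:-}" = "--live" ]; then
    check_live
else
    # Dry run on the constructed sample; only the third connection is reported.
    printf '%s\n' "$SAMPLE_SS" | leaking_connections "$SSH_SERVER_IP"
fi
```

Run it with `--live` on a Linux box that has `ss` while the tunnel is up. It only sees what is currently connected, so exercise the apps you care about (mail client, IM, update checkers) before reading the result; UDP and DNS are not covered, which is one reason a VPN that captures all traffic at the interface level, as in the post, is the simpler fix.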

Security is a big issue for me since I do most of my work on the train in NYC. Does PuTTY work on Unix platforms as well as the usual Win32? Personally I recommend Pageant, which is an SSH authentication agent for many applications.

• Posted by: Jose on Oct 9, 2008, 3:55 PM

Jose, why would you want PuTTY to work on Unix? It’s just an SSH client, the same thing you have built-in on all major Unix platforms. Pageant isn’t a replacement for this; it’s an ssh-agent app, which means it holds SSH client keys in a cache and releases them to apps that ask without the user having to type in the keys’ passphrases. The app still needs to support SSH, though, and has to know to ask for the key…

• Posted by: Jason on Oct 9, 2008, 4:15 PM

I’ve been thinking about OpenVPN for a while, too, but I just haven’t really needed it badly enough to read the docs yet. This might get me over that hump.

• Posted by: full-speed.org on Oct 10, 2008, 12:00 AM