[tlug] VPN?

["Stephen J. Turnbull" <turnbull.stephen.fw@example.com>]

David J Iannucci writes:

 > So I'm currently using PIA for VPN service, but thinking that I
 > need to make a change. I realize VPNs are far from being
 > one-size-fits-all, but does anyone have any recommendations?

I don't really see why you think a change is a good idea.  Your post
suggests it's pure paranoia based on an inconsequential fault on a free
wireless network.  On the one hand, free WiFi services are frequently
unreliable for various reasons, and on the other, OpenVPN Tech's
programs seem to be competently-designed and well-maintained.  My
first take would be to ask the company and/or development community if
they're aware of such problems.

If you really want to change, I would recommend trying the new
provider at all the locations you have used PIA before committing to
spending money, although it's not all that much.

 > Incidentally, the main reason I want to leave PIA is that I cannot
 > use them on the free wifi offered at Apple Stores.

Which means what?  Does the VPN app issue warnings or error messages?
If so, what?  Does the VPN app appear to start and say nothing, but
some other app that uses the VPN fails?  What is that other app?  What
does it say about the problem?  Have you tried with OpenVPN on a
different platform (Android, Linux)?

 > (i.e. most secure). That makes me glad that I'm using it with PIA
 > now, but there's a weird limitation with iOS - it seems Apple will
 > not allow app developers to make their own OpenVPN clients and
 > offer them on App Store, but force you to use their "OpenVPN
 > Connect" app.

I don't understand.  A search for "openvpn" on the App Store and 5
minutes browsing the results finds at least 3 apps that connect to
OpenVPN providers, and several more that find access points near you
(if I understand the Japanese correctly).  I didn't bother to look
more.

 > A different free VPN that I found _does_ work at the Apple Store.

What does "different free VPN" mean?  A different provider?  Or a
different app?  Or both?

If PIA provides different endpoints to attach to the service, you
could try a different endpoint (IP address or port) from the Apple
stores.

 > Maybe it's the protocol used?

I would think that the provider-supplied .ovpn would give the right
configuration of the VPN app, so it's probably something to do with
the underlying network.  VPNs necessarily involving multiple layers of
Internet protocols, the VPN using too large an MTU seems like a quick
guess, although the docs suggest that you would see the connection
"stall under active usage" rather than be completely unusable.

 > Finally, I do want to ask if anyone has any info about http://proxy.sh,

Can't help there.

BTW, like Curt I wonder why you're using a commercial VPN service for
"security" in the first place.  In almost all of my use cases, I'll be
transmitting over HTTP (which is locked down with HTTPS) or an SSH
tunnel (eg, git or a shell session).  So the VPN encryption provides
little, if any, additional security, but does impose costs (time, CPU
and memory use, money).  With a commercial service, a serious
antagonist can probably see you going into the tunnel at the service,
and maybe coming back out at the other end (if it's the NSA ;-), and
they know you're trying to hide.  It adds multiple points at which a
MITM exploit can occur, unlike a direct TLS (HTTPS or SSH) connection.

On the other hand, the point may be to provide "internal" IPs to
roaming terminals, which is a common use of VPNs (ie, the "privacy"
provided isn't security, but rather "internal" routing -- as far as
your hosts are concerned, traffic between them is never routed through
the public Internet).

Steve


-- 
Associate Professor              Division of Policy and Planning Science
http://turnbull.sk.tsukuba.ac.jp/     Faculty of Systems and Information
Email: turnbull@example.com                   University of Tsukuba
Tel: 029-853-5175                 Tennodai 1-1-1, Tsukuba 305-8573 JAPAN