Simple VPN?

Billy Crook billycrook at gmail.com
Mon Jul 28 14:19:21 CDT 2008


OpenVPN is actually detectable apart from regular ssl web servers
because while SSL is always authenticated, the very beginning of the
session is not encrypted, and handshake parameters will reveal the
certificate issuer, and use and such.  If a bad guy tried to mangle
any of it, it would be detected because it's all signed, but it's
clear, and that's how deep packet inspection IDS systems can tell
https apart from ssh on port 443 and openvpn on port 443.  IPSEC for
one purpose though would look identical to IPSEC for any other
purpose.  It also encapsulates layer 4 stuff, so a bad guy can't
manipulate window sizes and send RST packets to DoS your connection.
In this sense, IPSEC would have prevented Comcast from attacking their
p2p-using customers.

Even sneakier VPN systems include ones that tunnel the data through
ICMP echo and echo reply packets, and ones that tunnel using DNS
queries and responses.  While I've never set either of those up, I
imagine they are quite slow.  I know the former requires some invasive
kernel patch as well.

On Mon, Jul 28, 2008 at 14:08, Bradley Hook <bhook at kssb.net> wrote:
> IPSec is very difficult to set up and extremely easy to break. It's easy to
> end up locking yourself out of remote systems too.
>
> The nice thing about OpenVPN is that you can configure it to do all sorts of
> sneaky stuff. You could always configure your OpenVPN to run TCP over port
> 443 (HTTPS), which your ISP would have an awful time trying to block. IPSec
> won't give you that kind of flexibility, and when your ISP starts seeing
> those kinds of weird packets they are likely to start filtering them.
>
> IPSec is awesome when you have control over all or most of a network, and
> want the traffic to be extremely secure. When you start routing it over the
> public Internet, you can expect problems.
>
> ~Bradley
>
> Billy Crook wrote:
>>
>> Nor am I.  But I know that it is available as a module in ddwrt and
>> openwrt, so it is likely also available on tomato, and for the common
>> "router" architectures.
>>
>> I probably shouldn't have overlooked IPSEC.  While significantly more
>> difficult to set up, it works at a lower layer of the stack, and is
>> thus harder to make sense of.  Assuming the ISP's tampering works in a
>> default-allow, tamper-by-list setup, IPSEC may work as well as
>> anything else.
>>
>> On Mon, Jul 28, 2008 at 13:42, Bradley Hook <bhook at kssb.net> wrote:
>>>
>>> OpenVPN seems fairly flexible and is cross platform. Not sure about which
>>> CPU architectures it has been ported to though.
>>>
>>> ~Bradley
>>>
>>>
>>>
>>> Sean Crago wrote:
>>>>
>>>> My DSL provider with the DNS masquerading and Squid transparent proxy
>>>> is feeding me all sorts of bad DNS information. I think I need to move
>>>> to the VPN option temporarily. Anyone have any advice on a basic, easy
>>>> to configure VPN solution? Support by Tomato firmware (a DD-WRT like
>>>> replacement) to allow my wife's Windows box access and to allow access
>>>> from my Internet Tablet is deeply desired.
>>>>
>>>> Thanks,
>>>> Sean Crago
>>>> _______________________________________________
>>>> Kclug mailing list
>>>> Kclug at kclug.org
>>>> http://kclug.org/mailman/listinfo/kclug
>>>

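The point Billy makes above, that the first bytes of a "port 443" session are in the clear and let an IDS tell HTTPS, SSH and OpenVPN apart, can be shown with a small classifier. This is an added example, not code from the thread; the ClientHello builder, the SSH and OpenVPN sample bytes, and the function names are all constructed for illustration (the OpenVPN-over-TCP framing it keys on is the 2-byte length prefix followed by the opcode byte).

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample ClientHello (one cipher suite, null compression, SNI)."""
    name = hostname.encode()
    sni = b"\x00" + struct.pack("!H", len(name)) + name            # host_name entry
    ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni       # server_name ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                   # version, random, no session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"                     # 1 cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 0x16 = handshake

def sni_from_client_hello(data: bytes):
    """Return the SNI host name a ClientHello carries in the clear; None on truncated/non-TLS input."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        p = 43                                    # record hdr(5) + hs hdr(4) + version(2) + random(32)
        p += 1 + data[p]                          # skip session id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]   # skip cipher suites
        p += 1 + data[p]                          # skip compression methods
        end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            if etype == 0:                        # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[p + 7:p + 9])[0]
                name = data[p + 9:p + 9 + name_len]
                return name.decode("ascii", "replace") if len(name) == name_len else None
            p += 4 + elen
    except (IndexError, struct.error):
        return None
    return None

def classify_stream(first_bytes: bytes) -> str:
    """Guess what a client is really speaking on port 443 from its first bytes."""
    if first_bytes[:2] == b"\x16\x03" and first_bytes[5:6] == b"\x01":
        return "tls-client-hello"
    if first_bytes.startswith(b"SSH-"):           # SSH identification string is plain text
        return "ssh"
    # OpenVPN over TCP: 2-byte length, then opcode<<3 | key_id; the client's first packet
    # is P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7), so byte 2 is 0x38 for key_id 0
    if len(first_bytes) >= 3 and first_bytes[2] == 0x38:
        return "openvpn-tcp"
    return "unknown"

# Constructed samples, not captures
SSH_SAMPLE = b"SSH-2.0-OpenSSH_7.4\r\n"
OPENVPN_SAMPLE = b"\x00\x0e\x38" + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00"
```

A real IDS would go on to read the certificate chain from the ServerHello side of the exchange, which is what exposes the issuer Billy mentions; the SNI parser above shows the same "signed but not encrypted" property on the client side.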
