I've decided to run my own VPN with some friends. I'll know for sure that I'm not recording or snooping on my traffic, and the speed is what DreamHost can provide (which would appear to be whatever their full capacity is, since it's not mentioned in the plan). I've narrowed my options down to DreamHost's DreamCompute plan. It's OpenStack, which means that I can manage VMs through it. It's effectively an even more managed VPS. I can add more VMs later and get more servers for websites or even VPN-only servers with its advanced network mapping. However, I see some issues in my plan.
- I basically have one IP. I get one reserved IPv4 address and one IPv6 address. I contacted support asking if I would be able to use non-permanent IPv4 and IPv6 addresses, but I got an odd, indirect, and not detailed answer that sort of said no. They simply said that I could purchase more static IPv4 addresses, and not whether or not I could use non-static ones. Would this be a problem? The traffic of everyone connected to the VPN would be funneled through one IP instead of tunneling to many different IPs. Some sites (coughTwittercough) rate limit IPs after a while, and if everyone has their phone and tablet and computer connected, then it wouldn't take too long.
- Legality (this will be in the U.S.). If someone decides to torrent or do something else illegal, DreamHost or possibly the government could get suspicious. This will be coming out of a data center. All from one IP. If I go to another country (where having a VPN is very great), I could get into trouble for technically dodging region blocking (Netflix for example).
- It's *#&!(@$ OpenVPN! I'm running it in a VM, and for crying out loud, it lists TLS v1.2 ciphers as possible options, but then doesn't actually allow them (it gets errors when the client and server try to match ciphers).
- I'm sure that there's more.

Please tell me. Is there a better VPS for the same great price, no data cap, and no speed limits?
The server will be running Debian Jessie with automatic security updates. It would be in DreamHost's best interests to have DDoS blocking, since a hacker would be more directly DDoSing the OpenStack servers and not my little VM, so I assume that they have it.
Also, I'm not planning on getting a domain. The IP is static, so it would be useless. I might add another server later with MaskMe/Blur-style randomly generated email address forwarding and blocking, which would definitely need a domain, but that can wait.
I think that @wendell or maybe @DeusQain mentioned being able to set up a VPN on a VPS once, but I'm not sure how smooth it will be.
Thanks for any help! I'm really determined to get this going. I get a 30-day free trial period for the plan and then have to split the money between everyone and have it running, so I want to test it in my VM first. I won't do it if there are too many problems.
If you want a VPN to avoid ISP nonsense, or for use on public networks, then a VPS will work fine. But if you're going to be torrenting or doing anything which you don't want traced back to you, I wouldn't recommend it. The VPS is registered to you, so really it's just another ISP as far as tracing an IP back to its user goes. You may not be logging anything, but you have no control over what traffic the VPS provider logs and records.
The advantage of a VPN service is that they are privacy focused; assuming you can trust them, then you know that they are working to keep your traffic private. They know all the laws and loopholes and set their servers and networks up for maximum privacy. They also share IPs with multiple users, so it's not possible to trace specific traffic back to a specific client. Whereas with your VPS it's simple enough to see VPN traffic going in and regular traffic coming out and assume it's the same traffic.
OpenVPN uses OpenSSL for its encryption, but it doesn't work with all TLS ciphers, like the elliptic curve ones. The strongest cipher you can use would probably be DHE-RSA-AES256-SHA for the TLS control channel with SHA512 authentication and AES-256-CBC for the tunnel encryption. If you want to use better ciphers you could try using openvpn-nl instead.
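As an added example (not code from the thread or from the OpenVPN project), here is a script that writes an OpenVPN 2.3 server.conf using the suite Dexter_Kane names above: DHE-RSA-AES256-SHA on the control channel (spelled in the IANA form that --tls-cipher takes), AES-256-CBC with a SHA512 HMAC on the tunnel, and TLS pinned to 1.2. It also includes a small check that a given suite name appears in `openvpn --show-tls` output. One caveat worth knowing: `--show-tls` lists what the linked OpenSSL offers, not what OpenVPN can negotiate; OpenVPN 2.3 (Debian Jessie ships 2.3.4) never sets up ECDH parameters, so ECDHE suites show up in that list but fail at handshake, and that support only arrived in OpenVPN 2.4. The key paths under /etc/openvpn/keys, the 10.8.0.0/24 client subnet, and CONF defaulting to ./server.conf are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the thread's or OpenVPN's own code: write a server.conf
# for OpenVPN 2.3 using DHE-RSA-AES256-SHA (control channel), AES-256-CBC
# (data channel) and SHA512 HMAC, then check that the control-channel suite
# is one this OpenSSL build offers.
# Assumptions: keys live under /etc/openvpn/keys, clients get 10.8.0.0/24,
# and CONF defaults to ./server.conf so a dry run never touches /etc.

CONF="${CONF:-./server.conf}"
# IANA spelling of OpenSSL's DHE-RSA-AES256-SHA, which is what --tls-cipher expects.
CONTROL_SUITE="TLS-DHE-RSA-WITH-AES-256-CBC-SHA"

write_server_conf() {
    cat > "$CONF" <<EOF
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
topology subnet

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# Generate with: openssl dhparam -out /etc/openvpn/keys/dh4096.pem 4096
dh /etc/openvpn/keys/dh4096.pem
# Generate with: openvpn --genkey --secret /etc/openvpn/keys/ta.key
# Handshake packets without this HMAC are dropped, so port scanners see nothing.
tls-auth /etc/openvpn/keys/ta.key 0

# Control channel: allow exactly this one suite, and only TLS 1.2
# (tls-version-min needs OpenVPN 2.3.3 or newer).
tls-cipher $CONTROL_SUITE
tls-version-min 1.2

# Data channel: AES-256-CBC with a SHA512 HMAC on every packet.
cipher AES-256-CBC
auth SHA512

# Route all client traffic through the tunnel.
push "redirect-gateway def1 bypass-dhcp"

keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
EOF
}

# Read `openvpn --show-tls` output on stdin; succeed only if the exact suite
# name is present. Being listed means OpenSSL offers it, not that OpenVPN 2.3
# can complete a handshake with it (the ECDHE suites are the known exception).
tls_suite_listed() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq -- "$1"
}

write_server_conf
echo "wrote $CONF"
if command -v openvpn >/dev/null 2>&1; then
    if openvpn --show-tls | tls_suite_listed "$CONTROL_SUITE"; then
        echo "$CONTROL_SUITE is offered by this OpenSSL build"
    else
        echo "$CONTROL_SUITE is not listed; pick a suite from openvpn --show-tls" >&2
    fi
fi
```

Run it as `CONF=/etc/openvpn/server.conf sh write-server-conf.sh` on the VPS once the certificates exist; the client side needs the same `tls-cipher`, `cipher` and `auth` lines plus `tls-auth ta.key 1`, otherwise the two ends will fail to agree on a suite just as described in the first post.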
But in the same way I have no control what some sketchy VPN company records, right?
So because I have one IP (stuff goes into one IP and comes out the same one), it's useless other than for avoiding the ISP speed problems? I could buy another IP, but it would be at a cost.
I'll definitely try that.
@Dexter_Kane do you think I'll have any problems with having multiple users' traffic coming out of one IP (for websites that identify and track security somewhat that way)?
You don't have control over what a VPN service does but if they say they don't keep logs (and they're running the company out of a country like the US with good consumer protection laws) then they're legally obligated to follow through on whatever claims they make. So you can be reasonably confident that they are legit.
Only having one IP isn't the issue; it's only having one user (or a very small group of users) using the VPN. It makes it easy to figure out the real IP address of the user. For example, if you're the only person connected and I'm looking at the traffic going in and out of the VPS, I can see encrypted traffic going in from your IP address and I can see unencrypted traffic coming out. So it's pretty easy to say you're the person generating that traffic. But if there are 100 users using that same IP address then I can't really tell which one is generating which traffic.
You shouldn't have any trouble with multiple users' traffic using one IP. It's pretty common: everyone in your house uses the same IP, or in a business or university. You really shouldn't run into any problems.
I actually use a VPS as a VPN, I use it for incoming connections to my server, so my domain resolves to the VPS and then the traffic is forwarded over the VPN to my servers at home, this way my ISP can't see the traffic and I'm not giving out my home IP address to everyone who knows my e-mail address. I also use it as a VPN from my phone but for my computers at home I use an actual VPN service.
Like I said before if you want to stop your ISP from seeing or manipulating your traffic, or you're using a public network and want some protection then using a VPS will work great. But if you're worried about someone tracing your IP address back to you a VPS isn't a good option as it's still registered to you and you don't know how the VPS provider will behave if they're asked for your details or sent a DMCA notice or whatever.
I see. Then it meets my needs. It will boost my speeds, protect me from sketchy coffee shop WiFi, and even allow me to have VPN-only servers. However, I can't control completely what the other people who will be using the VPN do. I can say not to do anything illegal on it, but I can't literally stop them. I don't think that it's worth the risk.
I'm still interested in seeing how well TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA256, an AES-256-CBC cipher, and RSA-SHA512 HMAC will run though.
Thank you so much for your help.
You should be able to get that working with openvpn-nl but regular openvpn doesn't support that cipher yet. I'm not sure why considering that it's using openssl.
A simple way of stopping anyone from torrenting is to set up a firewall to block everything which isn't port 80 or 443 and whatever other ports you want to allow. It may take a while to figure out which ports you need, but once you have it set up it will make torrenting pretty hard. But it will also make games pretty hard too, especially if they use random ports.
Oh, and if you've got the time you can generate a 4096 bit DH key too, but you might want to make yourself a coffee while you wait :P
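The port whitelist Dexter_Kane suggests, together with the NAT that puts every client behind the VPS's single IP (from the reply further up), as an added example that is not code from the thread. Assumptions: OpenVPN hands out 10.8.0.0/24 on tun0, the VPS's public interface is eth0, and the FORWARD chain is where client traffic crosses to the internet (the host's own INPUT rules, including opening 1194/udp, are a separate matter). By default the script only prints the iptables commands so you can review them; run it with APPLY=1 as root to install them. Keep in mind this filters by port, not by protocol: a client can still tunnel anything over 443, so it raises the bar rather than making torrenting impossible.

```shell
#!/bin/sh
# Added example, not the thread's own code: egress policy for OpenVPN clients
# on a single-IP VPS. Clients are NATed behind the public address and may only
# open DNS, ping and the TCP ports in ALLOW_TCP; everything else is logged
# (rate-limited) and rejected.
# Assumptions: client subnet 10.8.0.0/24 on tun0, public interface eth0.
# Default is a dry run that prints each command; APPLY=1 executes them.
set -u

VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
# TCP ports clients may reach directly. Extend this as mail, Skype, games etc.
# turn out to need more (that is the "figure out which ports" step).
ALLOW_TCP="${ALLOW_TCP:-80,443}"

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

vpn_firewall() {
    run sysctl -w net.ipv4.ip_forward=1

    # Every client leaves through the one public IP: the same picture as a
    # house or office behind a single NAT address.
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE

    # Replies to connections the clients opened may come back in.
    run iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Outbound from clients: DNS, ping, and the whitelisted TCP ports only.
    run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -p tcp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -p icmp -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" \
        -p tcp -m multiport --dports "$ALLOW_TCP" -j ACCEPT

    # Anything else (torrent peers on random ports, UDP game traffic, ...) is
    # logged at a bounded rate, so a client that tries it shows up in syslog,
    # then refused. REJECT rather than DROP so the client fails fast.
    run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" \
        -m limit --limit 5/min -j LOG --log-prefix "vpn-egress-drop: "
    run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -j REJECT
}

vpn_firewall
```

Run `sh vpn-firewall.sh` first to see the rule set, then `ALLOW_TCP=80,443,465,993 APPLY=1 sh vpn-firewall.sh` (or whatever list you settle on) to apply it; the log prefix makes `grep vpn-egress-drop /var/log/kern.log` a quick way to find the ports a legitimate application still needs. Note that the rules are appended, so run it once on a clean chain or flush FORWARD and the nat POSTROUTING chain before re-applying.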
Neither do I. Especially since it lists TLS v1.2 ciphers in openvpn --show-tls.
That would pose problems. Skype. Games (as you mentioned). Email sometimes. Also, I'm pretty sure you can torrent on port 80 if you try. I don't want to completely block torrenting anyways. Downloading Linux ISOs has got to be its #1 use for me these days. Even DownThemAll doesn't like my ISP's spikiness.
Oh don't worry, back when I was first getting into cryptography I tried that (classic noob thinking "higher is better"). I eventually stopped it, realizing that Google didn't even do it (at least last time I checked). Also, caffeine-free coffee. Otherwise you'll get a little bit more impatient. :P