Can You Trust Your VPN Provider…?

Discussion in 'privacy technology' started by lotuseclat79, Oct 2, 2013.

Thread Status:
Not open for further replies.
  1. NativeL0rd

    NativeL0rd Registered Member

    Joined:
    Feb 23, 2014
    Posts:
    2
    Location:
    USA
    Mirimir, your guides on privacy are outstanding. Thanks for putting those out there for the world. Seriously. Good stuff!
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I think that you would do it on the VPN. But that's just a guess. I'm no expert here :(

    In pfSense, I see the "MSS" option in "Interfaces: ..." for each interface:
    And in "System: Advanced: Miscellaneous", I see the "Maximum MSS" option:
    I'm not sure whether or not it also applies to OpenVPN links. The pfSense book doesn't clarify that.

    Looking at <http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html> I see the "--mtu-test" option:
    It only works for UDP-mode VPN links, I find. On my current link, I get:
    Code:
    NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1557,1557] remote->local=[1557,1557]
    I think that means that my VPN link can handle up to 1557 byte packets. That seems odd, because it's over the 1500 byte Internet standard. And it's especially odd because that VPN tunnel is routed through other VPN tunnels, so the packets that they're handling are even larger. However, this is just the MTU, and actual packet sizes could be lower. I'll check that with Wireshark.

    There are many OpenVPN options for tweaking MTU, MSS and related stuff:
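The arithmetic behind the 1557 in the post, as an added example (not code from the thread or from OpenVPN). OpenVPN's link-mtu is the largest UDP payload it will send: tun-mtu plus the data-channel overhead, which for a CBC cipher in TLS mode is the opcode/key-id byte, the 4-byte packet-id, one block of IV, up to one block of padding and the HMAC tag. For AES-256-CBC with SHA1 that is 57 bytes, so a 1500-byte tun-mtu gives link-mtu 1557 (BF-CBC with SHA1 gives the equally familiar 1541); since OpenVPN never sends anything larger, an empirical MTU test cannot report more than that. The functions below also compute what those packets weigh on the wire, how much inner packet fits a real 1500-byte path without fragmentation, and the nested-tunnel case. The cipher and digest tables are assumptions limited to the common CBC ciphers:

```python
# Added example, not from the thread or from OpenVPN: reproduces the
# arithmetic behind OpenVPN's link-mtu and derives the inner sizes that
# fit a given path MTU. Cipher/digest tables cover the common CBC modes.

BLOCK_SIZE = {"BF-CBC": 8, "DES-EDE3-CBC": 8, "AES-128-CBC": 16, "AES-256-CBC": 16}
DIGEST_SIZE = {"MD5": 16, "SHA1": 20, "SHA256": 32, "SHA512": 64}
IPV4_HDR, UDP_HDR, TCP_HDR = 20, 8, 20


def crypto_overhead(cipher: str, auth: str) -> int:
    """Worst-case bytes the CBC data channel wraps around one tunnelled
    packet in TLS mode: opcode/key-id byte (1), packet-id (4), IV (one
    block), CBC padding (up to one block) and the HMAC tag."""
    blk = BLOCK_SIZE[cipher]
    return 1 + 4 + blk + blk + DIGEST_SIZE[auth]


def link_mtu(tun_mtu: int, cipher: str, auth: str) -> int:
    """OpenVPN's link-mtu on a UDP link: tun-mtu plus the crypto overhead.
    BF-CBC/SHA1 gives 1541, AES-256-CBC/SHA1 gives 1557."""
    return tun_mtu + crypto_overhead(cipher, auth)


def wire_size(tun_mtu: int, cipher: str, auth: str) -> int:
    """Bytes on the physical link once outer IPv4 and UDP headers are added."""
    return IPV4_HDR + UDP_HDR + link_mtu(tun_mtu, cipher, auth)


def largest_unfragmented_inner(path_mtu: int, cipher: str, auth: str) -> int:
    """Largest tunnelled IP packet whose encapsulation still fits path_mtu
    without IP fragmentation of the outer UDP datagram."""
    return path_mtu - IPV4_HDR - UDP_HDR - crypto_overhead(cipher, auth)


def tcp_mss_for_path(path_mtu: int, cipher: str, auth: str) -> int:
    """TCP MSS that keeps every tunnelled segment under that inner limit
    (the figure to keep in mind when choosing --fragment / --mssfix)."""
    return largest_unfragmented_inner(path_mtu, cipher, auth) - IPV4_HDR - TCP_HDR


def nested_wire_size(tun_mtu: int, layers) -> int:
    """Wire size when a tunnel rides inside other tunnels (VPN over VPN):
    every layer adds its own crypto overhead and IPv4/UDP headers.
    layers is a list of (cipher, auth) pairs, innermost first."""
    size = tun_mtu
    for cipher, auth in layers:
        size = IPV4_HDR + UDP_HDR + size + crypto_overhead(cipher, auth)
    return size


if __name__ == "__main__":
    for cipher, auth in [("BF-CBC", "SHA1"), ("AES-256-CBC", "SHA1"), ("AES-256-CBC", "SHA512")]:
        print(f"{cipher}/{auth}: link-mtu {link_mtu(1500, cipher, auth)}, "
              f"on the wire {wire_size(1500, cipher, auth)}, "
              f"inner limit for a 1500-byte path {largest_unfragmented_inner(1500, cipher, auth)}, "
              f"TCP MSS {tcp_mss_for_path(1500, cipher, auth)}")
    print("AES-256-CBC/SHA1 tunnel inside another one:",
          nested_wire_size(1500, [("AES-256-CBC", "SHA1")] * 2))
```

With AES-256-CBC/SHA1 a full 1500-byte inner packet becomes a 1585-byte datagram on a 1500-byte link, so it is fragmented in the outer IP layer unless the inner side is held to 1415 bytes (TCP MSS 1375); nesting a second tunnel pushes the outer datagram to 1670 bytes.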
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Thanks :)

    There's more to be done, though. We need to make this more accessible to new users.
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    It may be nice to get a list going of VPN providers who provide a ta.key file / TLS Auth. It is not only good for protecting the server against DDoS but would also have protected against Heartbleed:
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    AirVPN: implementing TLS today
    BolehVPN: has provided ta.key
    Insorg: has provided ta.key
    iVPN: has provided ta.key
    Mullvad: apparently doesn't use tls-auth
    PIA: apparently doesn't use tls-auth

    Edit: I added PIA.
     
    Last edited: Apr 13, 2014
  6. machan188

    machan188 Registered Member

    Joined:
    Apr 9, 2014
    Posts:
    5
    What about PIA ?

    I tried purchasing AirVPN (since they have strong encryption for pfSense), but they won't accept a pre-paid debit Vanilla Visa card. Bitcoin is too much of a hassle. PIA accepted my Vanilla Visa just fine.
     
  7. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    PIA is US, right? That's why the Vanilla Visa worked. You can blame the US Government for your Vanilla Visa not working for over-seas purchases, not Air.
     
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I just don't find Bitcoins very time consuming. Maybe 10 minutes or less even from start. I keep coins in a few offline wallets so my payment transaction is virtually instant, then I delegate the 10 minutes to replenish when I am already "out and about". By going about it that way the "hassle" is almost none. My .02
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Nice, thanks :)
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    BlackVPN has upgraded to 4096 bit RSA and DH keys, and they seem to be using tls-auth as well, but with SHA-512 instead of ta.key?:
    Code:
    tls-auth [inline] 1
    <tls-auth>
    # ta.key contents redacted by the poster
    </tls-auth>
    cipher AES-256-CBC
    #not supported on osx
    #txqueuelen 486
    sndbuf 1655368
    rcvbuf 1655368
    auth SHA512
    hand-window 37
    mssfix 1400
    verb 3
    mute 10
    

    IPredator advises to disable all services on the TAP adapter except IPv4, is this advisable for other VPN providers as well?
    https://www.ipredator.se/guide/openvpn/windows/native#disable_services
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    The stuff that you've redacted IS the ta.key :)
    The option "auth SHA512" specifies a stronger algorithm for HMAC:
    Code:
    --auth alg
    
        Authenticate packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.
    
        OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ciphertext.
    
        In static-key encryption mode, the HMAC key is included in the key file generated by --genkey. In TLS mode, the HMAC key is dynamically generated and shared between peers via the TLS control channel. If OpenVPN receives a packet with a bad HMAC it will drop the packet. HMAC usually adds 16 or 20 bytes per packet. Set alg=none to disable authentication.
    If you're asking about disabling IPv6, yes.
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Whoops, I misread it and thought it was the ca cert :D
    Thanks, so the ta.key is not actually used itself, but used to generate the HMAC key?
    Yes, but I was wondering about the others as well.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    :)
    http://openvpn.net/index.php/open-source/documentation/security-overview.html
    Oh. Right. Lose all that Windows stuff too :)
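What tls-auth actually does with ta.key, as an added example (not code from the thread, from OpenVPN, or from the security overview linked above). The key-selection rules follow OpenVPN's static-key layout: the 2048-bit file is two 128-byte halves, each holding 64 bytes of cipher key followed by 64 bytes of HMAC key, of which the first digest-length bytes are used; key-direction 0 sends with half 0 and receives with half 1, key-direction 1 the reverse, so the client's send key is the server's receive key. Every control-channel packet then carries an HMAC computed with that key, and a packet whose tag does not verify is dropped before its payload, the TLS record, reaches the TLS library. The packet field order below is a simplification (the real one is in OpenVPN's ssl.c), and the key file, session id and TLS record are constructed for the demonstration:

```python
# Added example, not from the thread or from OpenVPN: how tls-auth turns
# ta.key into per-direction HMAC keys and checks control-channel packets
# before TLS sees them. Packet field order is simplified; keys, session id
# and the "TLS record" are constructed here.
import hashlib
import hmac
import secrets

DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def generate_static_key() -> str:
    """Text in the shape of `openvpn --genkey --secret ta.key`: 256 random
    bytes as sixteen 32-hex-digit lines between the V1 markers."""
    raw = secrets.token_bytes(256)
    lines = [raw[i:i + 16].hex() for i in range(0, 256, 16)]
    return "#\n# 2048 bit OpenVPN static key\n#\n" + BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"


def parse_static_key(text: str) -> bytes:
    """Decode the hex body between the markers; comment lines are ignored."""
    inside, hexdigits = False, []
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
        elif line == END:
            break
        elif inside and line and not line.startswith("#"):
            hexdigits.append(line)
    key = bytes.fromhex("".join(hexdigits))
    if len(key) != 256:
        raise ValueError("expected a 2048-bit static key, got %d bytes" % len(key))
    return key


def select_hmac_keys(key: bytes, key_direction: int, auth: str):
    """Return (send_key, recv_key) for this peer's key-direction: the HMAC
    slot of the chosen half, truncated to the digest length."""
    dlen = DIGESTS[auth]().digest_size
    halves = (key[0:128], key[128:256])
    out_half, in_half = (0, 1) if key_direction == 0 else (1, 0)
    return halves[out_half][64:64 + dlen], halves[in_half][64:64 + dlen]


def wrap_control(header: bytes, packet_id: int, payload: bytes, send_key: bytes, auth: str) -> bytes:
    """Tag an outgoing control packet: header || packet-id || HMAC || payload,
    the HMAC covering everything but itself (simplified field order)."""
    pid = packet_id.to_bytes(4, "big")
    tag = hmac.new(send_key, header + pid + payload, DIGESTS[auth]).digest()
    return header + pid + tag + payload


def unwrap_control(packet: bytes, recv_key: bytes, auth: str, header_len: int = 9):
    """Verify the tag in constant time. On failure return None: OpenVPN
    drops the packet, so the payload (a TLS record) never reaches the TLS
    library; a peer without ta.key cannot even deliver a heartbeat."""
    dlen = DIGESTS[auth]().digest_size
    if len(packet) < header_len + 4 + dlen:
        return None
    header, pid = packet[:header_len], packet[header_len:header_len + 4]
    tag, payload = packet[header_len + 4:header_len + 4 + dlen], packet[header_len + 4 + dlen:]
    expected = hmac.new(recv_key, header + pid + payload, DIGESTS[auth]).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return int.from_bytes(pid, "big"), payload


def demo(auth: str = "SHA512") -> dict:
    """Client (key-direction 1) and server (key-direction 0) share one ta.key;
    an outsider without it forges a packet, and a flipped bit is also caught."""
    ta = parse_static_key(generate_static_key())
    client_send, client_recv = select_hmac_keys(ta, 1, auth)
    server_send, server_recv = select_hmac_keys(ta, 0, auth)
    # 0x38 = opcode P_CONTROL_HARD_RESET_CLIENT_V2 (7) << 3 | key-id 0, the
    # first byte of a real OpenVPN client hello; the 8-byte session id is constructed
    header = bytes([0x38]) + bytes(8)
    record = b"\x16\x03\x01\x00\x05HELLO"  # constructed stand-in for a TLS record
    good = wrap_control(header, 1, record, client_send, auth)
    forged = wrap_control(header, 1, record, secrets.token_bytes(64), auth)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    return {
        "keys_match": client_send == server_recv and client_recv == server_send,
        "good": unwrap_control(good, server_recv, auth),
        "forged": unwrap_control(forged, server_recv, auth),
        "tampered": unwrap_control(tampered, server_recv, auth),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With `auth SHA512` the tag is 64 bytes and the key used is the full 64-byte HMAC slot; with the default SHA1 only the first 20 bytes of that slot are used, which is all that changes when a provider switches digests. Note that the cipher halves of ta.key are never touched in tls-auth mode.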
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Just for fun, set "verb 11" in a VPN, invoking it at command line. Ctrl-C the process after a minute or so. You can see the dance that's described in that overview.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Thanks, btw I noticed even with verbosity set to 15, you don't get to see the DH keysize.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Seriously, 15? Wow. I wonder what the maximum is.
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    I read 15 is the maximum.
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
  20. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I trust my VPN providers more than the NSA, by a long shot!!
     