Month: July 2014

OpenVPN Performance through PrivateInternetAccess

I’ve been wanting to get a VPN service due to privacy concerns for a while now. I have not done it until now mostly because of my assumptions about VPN service speeds and reliability. A (blog post)[http://blog.level3.com/global-connectivity/verizons-accidental-mea-culpa/ “Verizon’s Accidental Mea Culpa”] by Level 3’s Mark Taylor prompted me to finally take action. As it turned out, I was about half-right in my guesses and below I’ll tell you why.

First, though, let me talk about my choice of VPN service. To clarify, my primary concern was privacy, speed, and reliability. Conducting illegal activities was not part of my search criteria, however I did keep in mind the attitude towards using popular file sharing protocols since there are plenty of legitimate uses for those. I looked at about 10 different options and ended up going with PrivateInternetAccess)[https://www.privateinternetaccess.com “PrivateInternetAccess”). Don’t take this as a “best of 10,” though, because I have not properly reviewed any of them.

Before choosing PrivateInternetAccess, I was leaning towards AirVPN because of their origins. But, what turned me off is their slow support for prospective customers (I requested a trial and am still waiting on a reply) and their social features oriented website. For instance, their customer and forum accounts are one and the same, and when logging in one has to explicitly check the option to not be added to the active users list. The control panel has all the usual social profile features of a forum member (user information, post tracker, status feed, etc) in addition to billing information and other service related information such as current plan, support tickets, and invoices. I understand the need for a community, but when you are a privacy oriented service I feel there are better ways of going about setting that up.

All this in contrast to (PrivateInternetAccess)[https://www.privateinternetaccess.com “PrivateInternetAccess”), or PIA for short, that only has options for setting your e-mail, password, and subscription. That’s more up my alley. And they are cheap.

I did briefly consider running my own VPS setup on a VPN, but the cost/benefit didn’t work out.

Let’s talk benchmarks. I should warn that these numbers are not very scientific in the sense that, although I performed multiple tests while setting things up and messing around, the results below are from one-time runs that were done specifically for this post but still looked representative of my overall experience.

There were three main scenarios that I looked at, with the only difference being where the VPN client was set up.

  • For all of the speed tests I chose one closest geographical location (VPN server was set to the same state).
  • There was no other significant traffic on the LAN
  • DOCSIS 3.0 cable modem with a 100BASE-T cable plugged in to WAN (because it helped with cable management and wasn’t going to come close to capping my bandwidth)
  • 50/5 Mbps ISP plan
  • OpenVPN setup
  • All the snapshots were done within a 30 minute window

Scenario 1 — no VPN.

Speedtest without VPN

This is the baseline — low ping, speeds as advertised. No surprise there.

Scenario 2 — VPN on a Windows PC running PIA’s software

Speedtest with VPN on a PC

Triple the latency and triple the speed. Pretty impressive, huh? The conclusion is obvious — to increase the speed we must increase the latency! Call your ISP now and demand higher ping times! All kidding aside,
the increase in latency is due to additional VPN hops and the increase in speed is most likely due to LZO compression. Still, rather impressive considering I am going through a VPN. Certainly, not what I was expecting and in a good way.

Scenario 3 — VPN on TL-WDR4300 router running OpenWRT Attitude Adjustment

Speedtest with VPN on a TL-WDR4300 router

This is really the use case I was going for. I wanted to set up VPN service on my router for use for the entire house. The latency did not change from the previous scenario, however the download speed took a huge hit — about 1/4th of my regular speed and 1/10th of the VPN link with compression enabled. That’s not where I want to be for the entire house. The drop is mainly due to lack of processing power and cryptography instruction set of the Atheros chipset.

Here are some router details and benchmarks:

r36088 | Atheros AR9344 rev 2 | TP-LINK TL-WDR4300 (rev. 1.6) | MIPS 74Kc V4.12

OpenSSL 1.0.1h 5 Jun 2014
built on: Tue Jul 8 12:26:54 CEST 2014
options:bn(64,32) rc4(ptr,char) des(idx,cisc,2,long) aes(partial) blowfish(ptr)
compiler: ccache_cc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -I/home/bb/build/ar71xx/generic/staging_dir/target-mips_r2_uClibc-0.9.33.2/usr/include -I/home/bb/build/ar71xx/generic/staging_dir/target-mips_r2_uClibc-0.9.33.2/include -I/home/bb/build/ar71xx/generic/staging_dir/toolchain-mips_r2_gcc-4.6-linaro_uClibc-0.9.33.2/usr/include -I/home/bb/build/ar71xx/generic/staging_dir/toolchain-mips_r2_gcc-4.6-linaro_uClibc-0.9.33.2/include -DOPENSSL_SMALL_FOOTPRINT -DHAVE_CRYPTODEV -DOPENSSL_NO_ERR -DTERMIO -Os -pipe -mips32r2 -mtune=mips32r2 -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float -fpic -fomit-frame-pointer -Wall -DSHA1_ASM -DSHA256_ASM -DAES_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5               2262.45k     7884.17k    20603.42k    36201.19k    46113.77k
sha1              2093.89k     6299.78k    14280.39k    20922.61k    24506.03k
des cbc           4773.74k     5072.14k     5074.42k     5106.69k     4915.20k
des ede3          1722.16k     1746.40k     1748.50k     1751.77k     1756.32k
aes-128 cbc       7946.99k     9082.26k     9267.77k     9436.00k     9639.67k
aes-192 cbc       7108.66k     8013.22k     8061.08k     8232.59k     8185.86k
aes-256 cbc       6321.97k     7008.89k     7149.37k     7204.08k     7282.47k
sha256            1778.04k     4265.98k     7643.96k     9560.77k    10464.99k
sha512             553.24k     2236.05k     3239.23k     4406.14k     5018.68k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.108095s 0.003021s      9.3    331.0
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.030133s 0.036694s     33.2     27.3

The moral of the story here is VPN service can be fast and reliable, but if you want it to be on par with your home ISP, you will need the hardware to support it. So, I am now looking for a more powerful router. At first glance it looks like (MikroTik)[http://www.mikrotik.com “MikroTik”) or (Ubiquiti)хhttp://www.ubnt.com “Ubiquiti”) might have what I’m looking for.

HTTP/1.1 — STOP; HTTP/1.0 — GO!

Here’s something I came across not too long ago that I thought was a bit odd. An externally accessible web server was being protected by what appeared to be Cisco’s web filtering technology. This was strange because it is the kind of thing one would expect to see on an internal network, restricting access to the outside world. Protecting servers that still require access from the Internet by authorized users is generally done by things like firewalls, IP address whitelists, and VPNs. I believe this was a case of misuse of technology. An attempt to make something work in a way that was not intended. However, that is my job and it is the opposite of what network/systems administrators should be doing when implementing solutions.

Access was denied and a scary sounding message “Access to this destination is not allowed due to a possible malware threat” was presented when trying to access the website:

Access Denied

malware detected! maybe…

I had not seen that before and my first thought was that maybe an IPS detected the vulnerability scan that ran the night before. That scenario would have been annoying but not surprising as the scans are quite noisy. Maybe my source IP got flagged as potentially dangerous? But, after a few checks, it turned out to not be the case. Must be some kind of content filtering setup with a generic message and possibly IP-based, I figured. Or, even worse, malware got planted during an earlier compromise and internal Cisco solution was flagging it but the administrators haven’t noticed.

Anyway…

I noticed that the test results I was getting back were inconsistent. Some were coming back with the “Access Denied” page, while others with something else entirely. A few manual checks later it became apparent that the Cisco solution was only filtering HTTP/1.1 requests that are normally used by browsers, and letting everything HTTP/1.0 through.

After ensuring all my applications and tools were set to use HTTP/1.0 for communications with this web sever, it turned into just a regular day at work. This is what was behind the content filtering wall:

ShoreTel's login interface

Beyond the wall.

The moral of the story here is two-fold. One, if you are setting up security controls, don’t rely on web content filtering solutions as a means of controlling access to your external websites. Two, if you are testing security, always poke with several different sticks and from several different angles even when you think “there’s no way that would work.”

How I Chose My Blogging Platform

Over the past few days I scoured the Internet in search for a blogging platform that fits my needs. The usual suspects that immediately came to mind were WordPress, Blogger, LiveJournal and TypePad. As it turned out, there are a lot more other options out there. Before I go into my impressions of these platforms, I should explain what it is that I was looking for.

  • First and foremost, it had to be easy to write in. Fewer distraction, but enough tools to get the job done easily.
  • Second, it needed to handle attachments and media library well. I want to (attempt to) keep things organized.
  • Third, the look and feel had to be easily customizable. I wanted something a little more personal.
  • Fourth, it had to have support for custom domain names.
  • Fifth, it had to be a managed service.

To expand on the last point, although running your own setup can be a lot of fun and educational, it is also a fair amount of work. I don’t trust the security of regular shared hosting solutions, plus that route would require acquiring an SSL certificate. So, setting up a VPS would have been the way to go for a DIY approach. That, however, means:

  • set up, secure configuration, maintenance, and monitoring of the server host
  • set up, secure configuration, maintenance, and monitoring of the web server
  • set up, secure configuration, maintenance, and monitoring of the web application
  • set up, secure configuration, maintenance, and monitoring of the database server (most likely)
  • set up, secure configuration, maintenance, and monitoring of the monitoring software (IDS/IPS, etc)

Been there, done that, ain’t got time for it. I had to find a managed service that I felt was reasonably secure and gave me the freedom I needed.

roon.io
I think they have a poor infrastructure because the site frequently failed to load properly. Also, they are having some UI issue because I wasn’t able to modify some account settings and was given some silly errors as to the reason why. Plus, they are new and none of that builds confidence. On the other hand, because they are new and because I think their blogging interface is right up my alley, I will be checking up on roon.io to see how it develops.

Ghost
Another fairly new platform. It’s open source and their service definitely felt more stable, however I didn’t feel very comfortable with it. What threw me off was the fact that they require registration of one account with ghost.org and then, after you create a blog, you will need to create another account to administer that blog. Not only that, but after the setup the administrative user registration for your new blog is left wide open to anyone who happens to visit the website before you register. Granted, this timeframe should generally be rather small (as long as it takes you to click a link and type in a user name and password) and the URL of your blog should be unknown, I still don’t like it. Nevertheless, another platform I will be keeping my eye on.

Scriptogr.am
Requires Dropbox. Although I can see why it can be appealing, I do not like sharing access because the restrictions are not granular enough.

Postagon
Has a good set of attractive features, but is “blogging for minimalists” and thus doesn’t have quite all the features I required.

Svbtle
Registration partially closed. I did not bother trying to get an account because it seemed like it lacked the customization/CMS functionalities that I required.

Pen.io
Too simple for my needs. It also claims to be anonymous because they “don’t store email addresses or any personal information.” Unless they also don’t store IP addresses and browser fingerprinting information I don’t see how they are any more anonymous than any other free blogging service out there (since you can use a dedicated e-mail address and fake personal information).

Medium
Seems pretty neat and social, but too simple for my needs.

Postach.io
Similar to above. Too simple for my needs.

Squarespace
Loved the simplicity of setting up and managing the website, however from the blogging perspective I found it to be lacking. The writing interface is suited more for creating webpage content rather than regular publishing. That is it tailors to website development rather than distraction-free writing. Their theme choice is fairly small and the themes, I feel, are suited better for e-commerce, portfolio, photography, etc. and less for for blogging. Additionally, making CSS adjustments requires a “developer” account which you need to apply for. I didn’t go through the process since completely rewriting or creating my own theme wasn’t my intention. Their support was thorough and helpful. I submitted a ticket for an issue the night I was testing out the service and the following morning I got the answer. I have to say, when I require a business/professional website Squarespace will by at the top of my candidates list.

WordPress
This is the one I eventually settled on (the managed service). It’s a bit bulky, has a set of its own quirks, requires payment to remove ads and at the same time has a policy of not allowing placing your own. Custom domains and other features also require payment. The current deal is $99/year for a set of all the features you’ll need to get started. Unless the domain name is registered with them you will not be able to simply point it at their servers. At the same time their DNS management options are fairly basic. In addition, their system supports TXT field of only up to 192 characters long, so if you have, say, a long DKIM public key it won’t work. Admittedly, I have not contacted their support to see if they can manually make an exception. I had to resort to some CNAME and redirect trickery at my DNS provider to get mostlyhacking.com and http://www.mostlyhacking.com to end up pointing here. Additional restrictions are placed on the usable themes and plugins. But, with all that, it is still possible to make managed WordPress work well. The huge community and large theme choice and customization options mean you’ll find the look you want and get the support you need. The writing portion has a good distraction-free option; the posts support HTML and extended Markdown; there is built-in HTTPS support; ability for the website to be more than just a blog; easy media management, and a slew of other options.

The following blog platforms currently do not provide a managed service and therefore got only a peripheral look from me:

So the takeaway here is what you’d expect. There are a lot of options out there when it comes to publishing content and there is no universal right and wrong answer. It all depends on what you are trying to accomplish and how much of a tradeoff between time, effort, and money you are prepared to make. The more features you need and the less time you’re willing to spend on making things work, the more money it’s going to cost.

Set one (or several) of these up yourself, it’s great fun.