Home » Posts tagged "vpn"

解 ocserv 因為沒有使用 DTLS 而導致速度很慢的問題...

最近偏好用 ocserv 來跑 VPN。在連上 full-route VPN 後測試發現速度偏慢,發現是沒有走 UDP 的 DTLS,只有 TCP 的 TLS 流量... 找了一下發現用有人遇過了,可以用 workaround 解:「OpenConnect not working with DTLS」。

作者發現是 ocserv.socket 有問題,打算整個抽開。方法是註解掉 /lib/systemd/system/ocserv.service 裡的 Requires=ocserv.socketAlso=ocserv.socket,然後在 systemd 裡一起處理:

sudo systemctl stop ocserv
sudo systemctl disable ocserv.service
sudo systemctl disable ocserv.socket
sudo systemctl daemon-reload
sudo systemctl start ocserv
sudo systemctl enable ocserv

重新連上去後跑 tcpdump 可以看到是 UDP 了,測速也可以看出來快不少...

在 Android 上支援 DNS over HTTPS 的 Intra

IntraAlphabet (Google 母公司) 旗下 Jigsaw 所開發的 app (目前只有 Android 的,依照說明需要 4.0+),透過 VPN 的架構換掉 DNS 設定,透過本機的 DNS Proxy 改走到外部的 DNS over HTTPS 服務上。

走 DNS over HTTPS 可以降低 DNS 被干擾 (security issue) 或是被監控 (privacy issue) 的風險。

在軟體內已經先內建了兩個 DNS over HTTPS 清單,一個是 Google 的 Google Public DNS,另外一個是 Cloudflare1.1.1.1,除此之外也可以自己輸入。

由於是 Alphabet 家的軟體,預設是用 Google 的服務。

軟體本身是 open source 專案 (Apache-2.0),程式碼在 Jigsaw-Code/intra 這邊可以取得。

最近討論頗多的 NordVPN

最近 NordVPN 的隱私問題被拿出來討論的蠻凶的,應該是從「Is NordVPN a Honeypot?」這篇開始的...

作者一開始就有提到並不只有 NordVPN,而是整個 VPN 產業其實都有類似的情況,只是現在可以找到比較多證據可以推測 NordVPN 後面並不單純。

首先是 NordVPN 買了大量評論,後來被發現是假的而被移除,而移除後的分數掉了非常多。再來是 NordVPN 居然花了五十萬美金在 CNN 的廣告上,這對於 VPN 產業的成本來說很不可思議...

另外一個是 NordVPN 的母公司 Tesonet 就是做 data mining 的,「整理」各種資料拿出來賣的...

基本上這類服務只能拿來翻牆用 (翻進日本或是翻進美國),不要認為隱私性有多高... 需要隱私還是得透過其他方式降低風險 (沒辦法完全保護,只能降低)。

蘋果以隱私為由,下掉 Facebook 在 App Store 上的 Onavo App

Onavo 是個提供 VPN 服務的公司,跟一般的 VPN 服務一樣,以隱私為主打,後來在 2013 年被 Facebook 買下,但在今年三月的時候就有媒體有報導 Facebook 打算蒐集 Onavo 上的資料:「Facebook-owned Onavo quietly launches Bolt App Lock, a data-tracking app that locks other apps」,當時 Facebook 不怎麼鳥各家媒體的看法,就放著...

不過直到八月的時候才被 Apple 下架:「Apple removed Facebook’s Onavo from the App Store for gathering app data」,引用 Apple 發言人給 TechCrunch 的句子:

We work hard to protect user privacy and data security throughout the Apple ecosystem. With the latest update to our guidelines, we made it explicitly clear that apps should not collect information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing and must make it clear what user data will be collected and how it will be used.

看起來是直接改遊戲規則後強迫下架...

WireGuard 被收進 Linux Kernel 了...

Twitter 上看到 WireGuard 被收進 Linux Kernel 了,等 review 完後就就會正式納入了... 而且 Linus 給的評價還蠻高的:

找了一下起源是「[PATCH v1 3/3] net: WireGuard secure network tunnel」這邊,而 Twitter 上面引用的是「Re: [GIT] Networking」這篇...

Cloudflare 推出 Cloudflare Access,實作 Google 推出的 BeyondCorp

Google 之前發表的 BeyondCorp 採用不同的認證方式,改變企業會假設「內部網路是可信任」的這件事情:「Google 推的 BeyondCorp」,而 Cloudflare 也照著這個概念實作出一套產品,包成服務來賣:「Introducing Cloudflare Access: Like BeyondCorp, But You Don’t Have To Be A Google Employee To Use It」。

可以走雲服務的認證:

Access integrates out of the box with most of the major identity providers like Google, Azure Active Directory and Okta meaning you can quickly connect your existing identity provider to Cloudflare and use the groups and users already created to gate access to your web applications.

也可以走 TLSclient certificate 架構認證:

You can additionally use TLS with Client Authentication and limit connections only to devices with a unique client certificate.

而企業內部的服務剛好可以透過 Cloudflare 之前推出的 Wrap 串上去,不需要用 VPN 打通內部網路 (參考先前寫的「Cloudflare 推出的 Wrap 讓你不用在本地端開對外的 Port 80/443」):

If you want to use Access in front of an internal application but don’t want to open up that application to the whole internet, you can combine Access with Warp. Warp will make Cloudflare your application’s internet connection so you don’t even need a public IP.

費用的部分,第一個使用者免費,後續的使用者費用是 USD$3/month:

Access takes 5-10 minutes to setup and is free to try for up to one user (beyond that it’s $3 per seat per month, and you can contact sales for bulk discounts).

ExpressVPN 在土耳其的 VPN server 被抄...

ExpressVPN 在土耳其的 VPN server 被抄,為了調查大使的刺殺案件:「VPN Server Seized to Investigate Russian Ambassador’s Assassination」。

A VPN server operated by ExpressVPN was seized by Turkish authorities to investigate the assassination of Andrei Karlov, the Russian Ambassador to Turkey. Authorities hoped to find more information on people who removed digital traces of the assassin, but the server in question held no logs.

ExpressVPN 官方的回覆在「ExpressVPN statement on Andrey Karlov investigation」,主要的部份是:

As we stated to Turkish authorities in January 2017, ExpressVPN does not and has never possessed any customer connection logs that would enable us to know which customer was using the specific IPs cited by the investigators. Furthermore, we were unable to see which customers accessed Gmail or Facebook during the time in question, as we do not keep activity logs. We believe that the investigators’ seizure and inspection of the VPN server in question confirmed these points.

至於是不是真的,就需要時間確認了...

WPA2 安全漏洞

話說 WPA2 也撐了十三年了:

WPA2 became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard.

這次的漏洞可以參考「Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping」這邊。

PoC 稱作 KRACK (Key Reinstallation Attacks),漏洞將會在十一月正式發表,從會議的標題名稱大概可以知道方向,是對 Nonce 下手:「Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2」。另外站台 www.krackattacks.com 已經放好,等後續的發表更新了。

對於無線網路的各種漏洞,老方法還是目前最有效的方法,也是這次的 workaround 之一:上強度足夠的 VPN。

Update:補上論文「Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2」。

VPN 保留連線記錄幫助 FBI 抓犯人

這應該是這幾天鬧得蠻大的事情:「PureVPN Logs Helped FBI Net Alleged Cyberstalker」。

起因在於 PureVPN 的廣告寫著他們不會記錄:

但在證詞裡卻提到 PureVPN 有記錄:

“Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time,” the agent’s affidavit reads.

然後回頭看 PureVPN 的 Privacy 條款發現他們在條款裡面寫著他們會記錄連線資訊:

Our servers automatically record the time at which you connect to any of our servers. From here on forward, we do not keep any records of anything that could associate any specific activity to a specific user. The time when a successful connection is made with our servers is counted as a ‘connection’ and the total bandwidth used during this connection is called ‘bandwidth’. Connection and bandwidth are kept in record to maintain the quality of our service. This helps us understand the flow of traffic to specific servers so we could optimize them better.

然後被告 Ryan S. Lin 就幹剿了:

“There is no such thing as a VPN that doesn’t keep logs,” Lin said. “If they can limit your connections or track bandwidth usage, they keep logs.”

以後挑 VPN 還得仔細看條款裡面留 log 的部份啊...

Archives