I travel a lot. Be it to foreign destinations like Brazil or Romania, or to less exotic locales like the coffee shop down the street.
In either case, I often end up connecting to the Internet through a less-than-trustworthy network connection. You should know by now that I’m a stickler for security, so how can I in good conscience connect to a network I don’t trust?
Private Networking
I’ve written before about how I use a commercial VPN for the majority of my on-the-go network access. The VPN allows me to open an encrypted tunnel to the Internet through an organization I trust. Traffic leaves my computer encrypted, goes to my VPN partner, is decrypted, then is passed anonymously to its destination.
This makes browsing just about any site, SSL-secured or not, somewhat safe even if eavesdroppers and hackers are lurking on the open WiFi network I’ve connected to.
Occasionally, though, I need more than just a secure connection – I need a secure connection to my home network.
Network Security
In addition to unique SSH keys for server access, some of the machines I manage also maintain IP address whitelists. Any traffic, authenticated or not, coming from an address not in the whitelist is rejected.
It’s an added level of security meant to protect against the accidental disclosure of SSH keys to an untrusted part. It also means our server is extra secure because, not only can few people reach it, those few people can only reach it from known, secure connections.
If I need to manage such a server on the road, not even my commercial VPN can help. Yes, it ensures that my connection is secure, but I’m connected through whichever anonymized data center is the closest. What I need is a VPN that can connect me – securely – to my home network.
Self-Hosted VPN
Enter Raspberry Pi, the credit-card machine that (apparently) is the answer to everyone’s problems.
I purchased a Raspberry Pi last month with the sole purpose of turning the amazing low-power device into an in-home network server. I connected it directly to my router and, thanks to some amazing tutorials, converted it into a VPN provider using OpenVPN.
The only real deviation from the tutorials I made was to enforce 4096-bit keys for encryption. This is more security than we rationally need now, but I fully expect computing and cryptography to change rapidly as more of the public becomes aware of the need. I also want everything I do between a remote connection and my home network to remain secure for as long as possible.
To borrow from Cryptonomicon, I want my data to remain secure “for as long as men are capable of evil.”
Using 4096-bit keys does come at a bit of a price, though. The Raspberry Pi is a low-power device with just a 700-MHz processor. It ran continuously for 26 hours before it finished calculating the Diffie-Hellman key exchange. If you want a quick VPN, go with a less secure key. Just know that everything else about the tutorials linked above took only 15 minutes. Total.
Remote Networking
An in-home, Raspberry Pi-powered VPN won’t always be the fastest thing in the world. I can connect to it over just about every connection I use, but my bandwidth is then limited by the network I’m on, my home network, and the speed of the Pi’s encryption/decryption. I’ve discovered the combined bottleneck is somewhere around 10 MB/s both up and down, which is fairly respectable.[ref]If for some reason I need speeds faster than this, I still have a commercial VPN available. Won’t give that up for the world![/ref]
I’m willing to sacrifice a bit of speed in favor of security. Oh, and by connecting though a box in my home, I also have access to my entire home network.
I have a network printer and even a 1TB network storage device attached to my Pi. This allows me to move from location to location without having to carry my entire iTunes library on my machine. I can back up photos on the go to my own, self-hosted “cloud” back at home. I can even print documents from the cafe and pick them up when I get back.
The Bottom Line
I have VPN clients set up on everything I use remotely – from my Mac to my smartphone. Even when I leave the house it’s like I never left the house; my Internet activity and access is just as safe as it is in my office.[ref]Considering recent debates over net neutrality and the NSA it’s debatable that even browsing from home is “safe.” I’m speaking in relative terms here only.[/ref]
If you don’t pay attention to your security – if you connect to insecure wireless access points and leak your data online – then you’re just asking to be hacked. Be smart about your digital presence and make sure you’re a) always connecting from known/secure networks or at the very least b) only browsing encrypted (HTTPS) resources when you’re on the go. Setting up an in-home VPN is relatively straight-forward given available tutorials, takes little time to configure,[ref]Outside of waiting for the key generation to complete, the entirety of my VPN setup took 15 minutes.[/ref] and can help keep you connected just about wherever you go.
Just about …
There will always been networks that are more questionable than others. When I landed in the Dusseldorf airport last weekend, the first thing I wanted to do was check on a few things online. I discovered quite quickly, however, that their network was configured in such a way to only allow traffic over standard ports – 80 used for HTTP and 443 used for HTTPS.
https://twitter.com/EricMann/status/485302296730173440
I could not tunnel to either my personal VPN or the commercial one I use, so Dusseldorf was out for any sort of WordPress blogging or other Internet activity. Remember, protect yourself – if the network to which you have access makes you nervous, don’t use it. I don’t trust German airports any more than I trust American coffee shops.