My wife and I plan on doing some travelling soon, and, as usual, we will be bringing along plenty of digital toys (e.g., laptop, iPad, smartphone). All of these upcoming trips are for business purposes, so we’ll need to be checking our email and accessing other online resources on-the-go. In the past, I have always avoided using WiFi hotspots in airports and hotels (or anywhere, really) as they are typically unsecured and open to prying “eyes”[1]. However, there have been times when I needed to check my email, do some work for a client, or even (gasp!) access my online banking while on the road. I have always been careful to ensure that HTTPS was used and changed my login credentials as soon as I was at a “safer” location (i.e., home), but there is still a lot of danger involved in doing these activities from…well, anywhere, really, but I tend to trust my home network (admittedly, more than I should), as I have taken extra precautions and thrown up some obstacles to deter common digital thieves. Of course, if someone really wants your data, there’s not much you can do, but, as I have no known enemies, I feel relatively safe when using my home connection. On the road, however, I feel completely helpless and vulnerable…until today.
I had the (not quite) brilliant idea of making my own VPN that I could use to route all my internet traffic through while on the road. Using a VPN means all the traffic to and from my devices will be encrypted and (more) secure. I have had access to VPNs through employers in the past, but I never used them for anything other than work as they were typically quite slow and there is no way of knowing if the employer is snooping on the traffic. I used to run a private server from my home, which would have been perfect for use as a VPN, but, in an effort to cut costs, I left it behind when I moved to Europe. There are plenty of commercial, hosted VPN products on the market, but most require a monthly fee, and like an employer-hosted VPN, I have no way of knowing if the host is snooping on the traffic. I wanted a VPN that was cheap (preferably free), easy to set up, and also temporary. I only travel a few times a year, and when I’m at home, I have no use for the VPN, so I really only need it to be active for a few days or weeks at a time. Amazon’s cloud computing service, EC2, sounded like the perfect solution. Before leaving home, I can launch an instance and set up the VPN. While on the road, I can securely use the internet from all of my devices by tunneling through the VPN. Then, when I get home again, I can terminate the instance. Amazon currently has a very generous free usage tier, so running the VPN should end up costing me nothing but the time it takes to launch an instance and configure my devices. Sounds excellent, let’s get started!
The first step was to create an EC2 instance. Before getting started, I did some quick googling to see if anyone else had used an EC2 instance as their personal VPN. As is the case with most of my ideas, dozens (if not hundreds) of people had already set up EC2 instances as VPNs and they had blogged about it. Many of them had done everything by hand, a task I was certainly prepared for, but I was hoping to automate as much of the process as possible. Luckily, I happened across VoodooPrivacy. That project contains an excellent shell script that can be used to easily set up a VPN when launching an EC2 instance. The shell script from Voodoo Privacy contains some variables to hold the VPN login credentials; however, I prefer to use unique VPN login credentials for each device[2], so I removed these variables and hard-coded my credentials into the script where needed. After adjusting my EC2 security policy[3], I was ready to go.
I am quite comfortable with several Linux distros, but I chose the default 64-bit Ubuntu instance provided by Amazon as that is my distro of choice for personal projects. I’m not going to go into detail on setting up an EC2 instance; if you need assistance, try Google. The Voodoo Privacy guide suggests copying and pasting the shell script into the “User data” field, but I was able to upload it (perhaps that is a new feature). After launching the instance (and attaching an Elastic IP to it), I began configuring my devices to use the VPN. I had no issues configuring our MacBook Pros (MBP3.1 w/ OSX 10.7.4 and MBP5.1 w/ OSX 10.6.8) or my Samsung Galaxy Nexus (which is running JellyBean v4.1.1). However, I ran into trouble when trying to configure my Windows 7 laptop and my wife’s Samsung Galaxy S2 (which is running ICS v4.0.3). The issue with my Windows 7 machine turned out to be a PEBKAC error. I’m still not 100% sure how I resolved it, but I think it had something to do with unchecking “Use Windows logon domain”. The issue with the Galaxy S2 was not so easy. Apparently, there is a bug in the ipsec-tools implementation within Android ICS. I am still looking for a fix.
Edit: I have found a solution to the Galaxy S2 problem.
[1] I never, ever, ever (ever!) trust or use a public computer such as in an internet cafe or a hotel business center to do anything other than general browsing. The computer may have a wired connection and the owner may swear it is secure, but I have no way of knowing for sure. Where does the wire go once it’s in the wall? Who may be tapped into it? What malicious software has been installed on the machine or the local network? The list goes on.
[2] Using unique login credentials for each device allows me to easily remove the credentials for that device should it ever be lost or stolen, without affecting the other devices. In other words, if a device is lost or stolen and I used the same login credentials for every device, then I would have to change the credentials on the server and every device. That’s a lot of work! =\
[3] The Voodoo Privacy guide incorrectly states that port 450 needs to be opened to UDP traffic. AFAIK, it should actually be port 500.
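
The per-device credential scheme from the note on unique logins above, as an added example (not from the original post or the Voodoo Privacy script). It assumes the VPN server reads its logins from a file in pppd's chap-secrets format; the file path and function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: one VPN login per device, kept in pppd chap-secrets format
# ("client server secret addresses"). Assumption: the VPN server reads
# logins from such a file; the path and function names are hypothetical.
SECRETS_FILE="${SECRETS_FILE:-./chap-secrets.example}"

# 128 random bits as 32 hex characters.
gen_password() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Succeeds if a login for the named device is already in the file.
device_exists() {
  [ -f "$SECRETS_FILE" ] &&
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "$SECRETS_FILE"
}

# Create a login for one device and print its generated password.
add_device() {
  local device="$1" pw
  case "$device" in  # names must not break the whitespace-delimited format
    ''|*[!A-Za-z0-9_-]*) echo "invalid device name" >&2; return 1 ;;
  esac
  if device_exists "$device"; then
    echo "device already present: $device" >&2; return 1
  fi
  pw=$(gen_password)
  touch "$SECRETS_FILE" && chmod 600 "$SECRETS_FILE"
  printf '%s * %s *\n' "$device" "$pw" >> "$SECRETS_FILE"
  printf '%s\n' "$pw"
}

# Remove only the lost or stolen device; other logins stay untouched.
revoke_device() {
  local device="$1" tmp
  device_exists "$device" || { echo "no such device: $device" >&2; return 1; }
  tmp=$(mktemp "${SECRETS_FILE}.XXXXXX")
  awk -v d="$device" '$1 != d' "$SECRETS_FILE" > "$tmp"
  mv "$tmp" "$SECRETS_FILE"
}

# Usage: script.sh add <device> | script.sh revoke <device>
case "${1:-}" in
  add)    add_device "${2:-}" ;;
  revoke) revoke_device "${2:-}" ;;
esac
```

Revoking one device rewrites only that line, so the remaining devices keep working with their existing passwords.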