Friday, January 20, 2006

Free VPNs and Wireless Security

I was listening to a podcast this morning by Steve Gibson (it's called Security Now! and I highly recommend it for anyone that's interested in security), and the topic of discussion was some of the new VPN software that's hitting the 'Net; specifically, Hamachi, iPig (awful name!) and OpenVPN. I should also mention that this was an old episode--from December 2005 (the 22nd, I think).

I have been using Hamachi now for about a month, and it's great--it allows you to install a small VPN agent on your PCs and establish a secure VPN "tunnel" between them. For me, it means that I can access my home network from just about anywhere--for moving files back and forth, troubleshooting the PC (via VNC), and even remote printing. The best part is that it's free, and a variety of security experts have thoroughly analyzed it and have pronounced it secure.

One nice side effect of Hamachi that was pointed out on the podcast (and that hadn't occurred to me) is that when you have a Hamachi VPN established, your entire connection is secure, regardless of what type of Internet transport you're using. This is particularly valuable when you're using an unsecured connection, such as at a hotel or a WiFi hotspot. By simply establishing the connection back to your home network, you've also secured your WiFi connection. Cool!

Two other VPN alternatives that were mentioned on the podcast (both of which are free) are iPig (stands for iOpus Private Internet Gateway, BTW) and OpenVPN. iPig actually goes one better than Hamachi by providing a free server (end point) to connect to, which is very handy if you don't want all of your traffic going through your home ISP connection. iPig has a 5GB total transfer limit, but you can always sign up for another free account if you exhaust the first one. There are also plans in the works to offer an annual subscription ($30 range) that would give you much more bandwidth. Steve Gibson has spent some time sniffing the iPig protocol, incidentally, and believes that it is very secure. It apparently passes the user ID in the clear, but exchanges a 256-bit token (it uses 256-bit AES, which is extremely hard to crack), along with a pre-shared key (much as Hamachi does).

OpenVPN is similar to Hamachi and iPig, except for one key advantage: it's open source, which means that the various security experts can pick apart the code to make sure it's truly secure (and if it isn't, they can fix it!). The other huge advantage of OpenVPN's being open source is that people have ported it to jillions of platforms already (including Linux, of course). That means that you could easily build up a recycled commodity PC with Linux on it, and combined with OpenVPN and a decent firewall, have a really nice, really cheap security appliance.

One other advantage of these new VPN solutions that I should also point out is performance. Some older VPN solutions were very slow due to the fact that they tunneled TCP inside of TCP, which is very inefficient as TCP tends to fight with itself. The new solutions use UDP instead of TCP, getting around that problem--and the performance over these solutions is really good. I believe that all three VPNs mentioned in this blog entry are using the UDP tunnel mechanism.
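The way TCP "fights with itself" inside a TCP tunnel can be seen in a small timer model, added here as an illustration (it is not from the podcast or from any of the VPN projects). It assumes a single in-flight segment, zero round-trip time, a hard link outage, and retransmission timers that start at a fixed RTO and double on every expiry; all function names are made up for this example.

```python
"""Simplified model: one link outage seen through a UDP tunnel vs a TCP tunnel.

Assumptions (not from the post): one in-flight segment, zero round-trip time,
a hard outage lasting `outage` seconds, and retransmission timers that start
at a fixed RTO and double on every expiry.
"""

def send_times(rto0, horizon=3600.0):
    """Times at which a TCP sender (re)transmits: 0, rto0, 3*rto0, 7*rto0, ..."""
    t, rto = 0.0, rto0
    while t <= horizon:
        yield t
        t, rto = t + rto, rto * 2

def first_success(rto0, outage):
    """Return (time of the first transmission after the outage, attempts made)."""
    for attempts, t in enumerate(send_times(rto0), start=1):
        if t >= outage:
            return t, attempts
    raise ValueError("outage longer than the modelled horizon")

def udp_tunnel(inner_rto0, outage):
    # The tunnel is unreliable: lost packets stay lost, so the inner TCP's
    # own retransmissions are the only recovery mechanism.
    recovered, attempts = first_success(inner_rto0, outage)
    return {"recovered_at": recovered, "wire_packets": attempts, "duplicates": 0}

def tcp_tunnel(inner_rto0, outer_rto0, outage):
    # The outer (tunnel) TCP recovers on its own backoff schedule...
    recovered, outer_attempts = first_success(outer_rto0, outage)
    # ...while every inner timer expiry before that writes another copy of
    # the same segment into the tunnel, and the outer TCP, being reliable,
    # must deliver every one of those copies once the link is back.
    duplicates = sum(1 for t in send_times(inner_rto0) if 0 < t < recovered)
    return {"recovered_at": recovered,
            "wire_packets": outer_attempts + duplicates,
            "duplicates": duplicates}

if __name__ == "__main__":
    # Outer RTO of 3 s models a tunnel connection that has already backed off.
    for outage in (2, 10, 40):
        print(outage, udp_tunnel(1.0, outage), tcp_tunnel(1.0, 3.0, outage))
```

With a 10-second outage and the outer timer already backed off to 3 seconds, the modelled TCP tunnel recovers later (21 s versus 15 s) and then has to deliver four redundant copies of the same segment, while the UDP tunnel delivers none.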

I'm planning on trying both iPig and OpenVPN in the next few weeks; I'll be sure to post an update with my findings.
