Jimiz.net – Jim Becher on the web

I went to a coffee shop today to do some work. Update a few documents and get some random things I have been putting off.    As always I log onto the coffee shop wireless and connect to my VPN.  (read other articles here and here).

After completing the items I had set out to do.  I took some time to do some poking around on the wifi.  Since wireless is basically you sharing a network with others, it is easy to see what people are doing.  I used a simple nmap query to see who my neighbors are.

That scan showed me 5 active people and their IP.   It also let me know that the router had HTTP running.   Since I already knew the PC names and what ports they had open. (some one had a web server running).  I decided to look at the wireless router.  To my surprise it was running DD-WRT, my favorite router firmware.    DDwrt is a very powerful router firmware that can turn a basic wireless router into a great device.

However there are a few settings you need to understand when using DDWRT.  One in particular is to disable the default status page for unauthenticated users.  This page shows a lot of information that you don’t want snooping people like me to see.   Things like:

• Public IP
• Firmware version
• Device Type and name
• Connected users (IP address, mac address, dhcp lease)

Not only was this on but I was able to also see the other computers on the network (with out doing a nmap scan).   So everyone who had connected in the last 2 hours pc was listed on this page.  I decided to push up a pic.  My pc is called TP2.

This is scary to me because someone took the time to use a great opensource Firmware but not the time to properly secure it.    It is also interesting to see the number of android devices that were using the wifi.  I guess the same is true for iPhone devices.

I can’t stress this enough, when on public wifi use a VPN.  If you don’t have one.  Head on over to wifi-vpn.com and subscribe or purchase.

The other item on the list is BT, that is the backtrack vm that I started to do some network sniffing.

I have a few servers that I help maintain or use for VPN access.  I have found on a few machines that when I use VPN to secure my connection at a coffee shop or any other public WiFi that some sites will not load.  I have seen this issue before when using PPTP but had never taken the time to investigate.   Sites like Digg would just not load.   After a lot of investigation I as able to see a few obscure issues with the mtu size.  The default PPP0 interface MTU size was 1396

Output of ifconfig:

ppp0

Link encap:Point-to-Point Protocol          inet addr:192.168.240.1  P-t-P:192.168.240.2  Mask:255.255.255.255          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1          RX packets:9 errors:0 dropped:0 overruns:0 frame:0          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0          collisions:0 txqueuelen:3

After some google searching I was able to see that my eth0 MTU was set to 1500.    To correct the issue  I increased the PPP0 MTU size to 1492.   That change allowed the sites to load.

Manually change the MTU:

sudo ifconfig ppp0 mtu 1492

I was unable to find a clean permanent solution to keep this set.  I tried the /etc/ppp/options and options.pptp.  The work around I created was to modify the MTU size on the first PPP connection.  I used the ip-up.local file to make this change on every PPP connection.  The ip-up file is executed once a PPP (vpn) connection is started.

I added the following line to ip-up.local

• ifconfig ppp0 mtu 1492

After these changes every connection will set the mtu to 1492.   This corrected my issue with browsing some sites.

I can now surf the web and get to any site.

I use DDWRT as my home router / firewall. It has some of the best features that can be found on a router. Visit DDWRT for more information.

I use the VPN when I am not in a trusted location. I have setup my iPhone, iPad, and computers to use this as my connection to the internet any time I am not at home. By having a secure connection I am comfortable using the web where ever I am. Connections from a non trusted connection, say a coffee shop wireless. Traffic from your computer is sent encrypted from the PC over the VPN to your home router, then out to the internet.

To setup the VPN on DDWRT you need to log into the admin section. Select SERVICES | VPN. You need to enable PPTP, Broadcast support, and Force MPPE Encryption.

The Server IP is the internal IP of your router (192.168.2.1 is what I use)
The Client IP(s) are the dynamic IP’s you want the connecting devices to use. I have set 192.168.2.200-220, this allows for 20 devices to connect and get IP’s.
CHAP-Secrets: the username / passwords for each user. Note the “*” after both the username and password.
Unless you have a Radius server keep that set to Disabled.

With DDWRT you can have a simple and easy VPN server setup at your home that allows you to connect securely back to your home or office. I often use my vpn to also remote take over machines at my house. I have my iPad configured to use this setting when ever I am on a non trusted connection.

So far the iPad has been a great hit in our home. From remote access, browsing the web, email and movies. I have only good things to say about this device.

Inside the comfort of my own home I know my connection is safe. However, when I venture out to public wifi or a coffee shop, I cannot be a comfortable with the network security. When using my laptop at a public wifi I normally use SSH or a VPN to secure my connection. I will show you a quick how-to on using VPN on you iPad to get a secure connection when using a public hotspot.

To use a VPN client on your iPad you will need a VPN server somewhere. I use DDWRT as a vpn server at my home. It has a built-in PPTP VPN server. The iPad supports (PPTP, IPSec, and L2TP).

Thankfully the iPad has a built in VPN client. To access the settings for this you will need to go into settings | general | network.

Under your network settings you can find vpn connections. In this section you can turn on vpn, view the status of a connection, add a connection or edit a connection. We will be adding a connection:

Next you select “Add Vpn Connection”. Select PPTP, L2TP, or IPSec. For each type of vpn you have different options:
PPTP:

L2TP:

IPsec (cisco):

Once you have setup your vpn connection you only need to go back to the setting page (network / vpn) to enable the vpn connection. You then can view the status and be connected or browsing through your VPN tunnel. In the image below I can connected to my home VPN and have an IP of 192.168.2.200.

Happy secure browsing. Remember to still take precautions when in a public location and using any type of secure sites.

If you are in need of a personal VPN provider, I recommend wifi-vpn.com.