OpenVPN vs. IKEv2?

[classfolkphile]

I apologize in advance for the probable simplicity of my questions as I am not computer savvy. TIA to all who reply.

 

So, I've finally subscribed to NordVPN but am unsure which protocol to use, OpenVPN or IKEv2. (Nord just said both will work well.) The former is apparently the most secure, the latter a bit faster. 

 

There are only two of us in the house, so although we have three TVs, a single point Sonos system, three computers and two cell phones, we are unlikely to be using more than three of these at a time.

 

Will OpenVPN be problematic speed wise under these conditions (streaming music/video on two devices, surfing on another)?

 

Given that we have more than six devices, would one or another protocol provide more security for our network as a whole? I.E. could we configure the router to shield the multiple TVs/computers?

 

Can we use one protocol on some devices, another on the others?

[classfolkphile]

Ok, so after finding the Tutorial and Chat pages, I've found that I can't configure my AT&T supplied router for VPN. And that I can use different protocols for different devices, which is what I think I'll end up doing. 

[plissken]

NORD VPN (and other like it) use a software client that emulates an NDIS adapter that has configuration settings for establishing a VPN tunnel. Either VPN client should work and you won't be touching anything on the ATT equipment. 

 

VPN's will slow down what you normally get because you are at the mercy of the speed on the far end of the tunnel. What problem are you looking to solve?

[classfolkphile]

I'm looking for an increase in general privacy and to avoid malware and hacking. I'm just going to  load the software into our computers and cell phones and see how it works.

[plissken]

29 minutes ago, classfolkphile said:

I'm looking for an increase in general privacy and to avoid malware and hacking. I'm just going to  load the software into our computers and cell phones and see how it works.

 

VPN's generally allow you to establish a connection that looks like it's originating from another geographic location. 

 

Most websites are HTTPS so that's privacy protection right there.

 

What you really may want is a managed DNS service. I use Open DNS. It's basically a service that keeps a list of know malicious sites and won't allow name resolution to IP Address lookup. 

 

VPN's are NOT going to protect you from malware and hacking. 

 

 

[mansr]

17 minutes ago, plissken said:

Most websites are HTTPS so that's privacy protection right there.

HTTPS protects against interception of communications by third parties. The server still knows who you are (IP address), and any router in between also knows that you are communicating with the server. A VPN hides your identity from both.

[firedog]

A good VPN  protects privacy because it prevents anyone, including your ISP,  from seeing your online activity. On public networks it also prevents you from being hacked.

 

[Jud]

I use OpenDNS also. It's now owned by Cisco if I remember correctly.  Google DNS is the other big public DNS server offering. They might provide slightly faster Web access than going through your ISP's DNS servers.  OpenDNS is on average a little quicker in the US, Google in the rest of the world. And OpenDNS does maintain a blacklist of bad sites. 

 

For malware and hacking a nice AV suite is good. I currently use ESET.  For privacy a VPN will do better than a public DNS or AV suite, though it will slow down web access a bit due to going through the VPN's servers. 

[duxservit]

This is an apple vs orange comparison of two VPN technologies at different layers of the IP stack. 

 

IKE is the cryptographic key establishment protocol (RFC2409) used for IP/IPsec layer (at layer 3, or better “layer 3.5”). 

 

OpenVPN is an SSL-layer VPN established above the TCP layer. (RFC5246 for TLS1.2). 

 

For home use (short TCP bursts, tear-up, tear-down VPN), I suggest using OpenVPN. 

 

If if you want a long-term VPN (e.g. home to office) that’s up 24x7, then you would use an IKE/IPSec VPN. 

 

[plissken]

3 hours ago, mansr said:

HTTPS protects against interception of communications by third parties. The server still knows who you are (IP address), and any router in between also knows that you are communicating with the server. A VPN hides your identity from both.

You are still going to traverse the open internet from the VPN. It's basically called a remote gateway at that point and it does at least provide a 3rd party end point being presented.

 

Protecting your DNS queries is more important IMO. 

[classfolkphile]

9 hours ago, firedog said:

A good VPN  protects privacy because it prevents anyone, including your ISP,  from seeing your online activity. On public networks it also prevents you from being hacked.

 

This is primarily what I was referring to: protection/privacy while on a public network.

 

Can I use OpenDNS while also using a VPN?

[Jud]

4 hours ago, classfolkphile said:

This is primarily what I was referring to: protection/privacy while on a public network.

 

Can I use OpenDNS while also using a VPN?

 

I see no reason why not. OpenDNS and Google DNS are free, so just find a free VPN or one with a free trial and try it. 

[plissken]

5 hours ago, classfolkphile said:

This is primarily what I was referring to: protection/privacy while on a public network.

 

Can I use OpenDNS while also using a VPN?

 

This technically doesn't change much. Now the VPN service can see everything instead of your local ISP. You are potentially changing deck chairs on the Titanic.

[mansr]

If you really want to hide, you'll need to use something like Tor, and even that is far from perfect.

[plissken]

1 hour ago, mansr said:

If you really want to hide, you'll need to use something like Tor, and even that is far from perfect.

 

Honestly the only way to 'hide' is to go entirely off grid. Then again maybe not:

 

https://www.marketwatch.com/Story/a-new-data-breach-may-have-exposed-personal-information-of-almost-every-american-adult-2018-06-27?&siteid=yhoof2&yptr=yahoo

[mansr]

2 minutes ago, plissken said:

Honestly the only way to 'hide' is to go entirely off grid.

In some unexplored jungle. Probably still need an underground bunker to avoid detection by spy satellites.

[classfolkphile]

2 hours ago, plissken said:

 

This technically doesn't change much. Now the VPN service can see everything instead of your local ISP. You are potentially changing deck chairs on the Titanic.

I gather there is some skepticism about VPN's claims of not recording usage logs?   

But doesn't using a VPN help protect against hackers in your proximity while on a public network?

 

[plissken]

2 minutes ago, classfolkphile said:

I gather there is some skepticism about VPN's claims of not recording usage logs?   

But doesn't using a VPN help protect against hackers in your proximity while on a public network?

 

 

VPN's, as you are wanting to use them, don't reduce your footprint of hacker attack. You are still exiting into a public internet at some point. 

 

Now when I setup box to box VPN's or client to box for private companies to give them a back haul link for protected traffic then I am protecting them from attempts at gaining access. 

 

 

[classfolkphile]

2 hours ago, mansr said:

If you really want to hide, you'll need to use something like Tor, and even that is far from perfect.

I'm just looking for a reasonable amount of privacy: not the absolute. Again, the concern is mostly when using a public network.

[plissken]

1 minute ago, classfolkphile said:

I'm just looking for a reasonable amount of privacy: not the absolute. Again, the concern is mostly when using a public network.

 

You're defining an oxymoron. If you are on the Internet, you are by defacto usage, PUBLIC. The BEST a VPN is going to do is hide your traffic from your ISP.

 

It doesn't mean the VPN service isn't going to log that traffic. 

 

IMO there is zero 'reasonable amount of privacy' if you are using the Internet. That ship has done sailed. 

 

[classfolkphile]

So, a VPN won't even protect from a hacker in physical proximity to you on a public network?

[plissken]

1 minute ago, classfolkphile said:

So, a VPN won't even protect from a hacker in physical proximity to you on a public network?

 

Define physical proximity to you on a public network? 

[classfolkphile]

Both using a public network in a cafe or bookstore.

[plissken]

Not really and here is why:

 

The standard now for websites is https. That protects your WEB (http) traffic. Other protocols such as FTP aren't protected (telnet etc...). 

 

So in those cases a VPN will protect you on public hot spots with protocols that aren't secure by nature. But most likely you are web browsing.

 

I've found most commercial VPN's just slow down the traffic too much. I tried to stick with Nord for awhile but gave up on it. Now I spun up my own Linux VPN concentrator at Digital Ocean for $5 a month and using their Amsterdam hosting center. 

 

Here's my approach:

 

1. Use managed, secured, DNS. It should ideally not allow you to go to questionable sites. 

2. Use only web sites that use HTTPS

3. Use only other inherently secure protocols. I use SSH for all my Linux boxes and soon Windows (thank you MS for finally defaulting to SSH)

4. Use user accounts of least privileges to get the job done

5. Keep a firewall in place and properly configured

6. Use an ad-blocker (sorry Chris ? )

7. Keep an up to date AV/Malware package (I use MS's Windows Defender for my clients works just fine)

8. Get a phone with Hot Spot capability and avoid public hot spots

 

 

 

[classfolkphile]

Excellent. Thank you for all of the info.