August 2012 Archives

Good NEWS everyone!

Hello *,

we have just uploaded the first few OpenVPN guides for Windows, Ubuntu Linux and Mac OS X to the website. More guides are in the queue for the CLI and some other common setups.

Using OpenVPN instead of PPTP to connect to IPredator brings several advantages:

  • The security offered by OpenVPN is a lot better than the one provided by PPTP
  • OpenVPN works way better with NAT in between, no port-forwarding or special router settings are needed
  • OpenVPN improves the connection stability when dealing with lossy or high latency network paths
  • It can be used through HTTP proxies if you suffer from limited connectivity

Having OpenVPN available does not mean that connecting via PPTP is totally obsolete. PPTP is still supported to be able to connect with devices where OpenVPN clients are not available.

The IPredator team

Database migration

Dear users,

tonight at 2012-08-09 00:00 UTC, we are migrating our database server to another machine. This will take around two hours in total. During this time you will not be able to use our service.

UPDATE 2012-08-09 01:20 UTC: Maintenance finished.

The IPredator team

PPTP, MS-CHAPv2 & IPv6

Dear users,

lately you wrote us a lot of e-mails regarding the security of the VPN.

One issue has been that you were concerned about your origin IP address not being hidden anymore behind a PPTP tunnel established to us. Second, a lot of articles have been released on the web, all relating to the talk about cracking MS-CHAPv2 by David Hulton and Moxie Marlinspike at Defcon 20. A rough overview is given here.

The first issue relates to an attack where the origin IP address of a PPTP tunneled connection can be revealed when a PPTP connection is configured to use IPv6. Since our install guides all describe that IPv6 needs to be turned off where possible, this should not be an issue for you. Furthermore, we block IPv6 traffic from passing through the VPN servers.

Now for the second, and most important part. Before David's and Moxie's talk at Defcon 20, it was known that MS-CHAPv2, the authentication mechanism also used in our PPTP setup, can be broken when weak passwords are used. Basically, this means if the password is simple, it can easily be brute-forced. In his Cryptanalysis of Microsoft's PPTP Authentication Extensions, Bruce Schneier concludes that the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password chosen by the user.

That being said, we know that PPTP cannot be a long-term solution for VPN connections and that we urgently need to support other VPN protocols.

Some time ago, we started to implement support for OpenVPN connections, and let users beta test it. After closing down the beta phase, analyzing problem reports and redesigning the OpenVPN dial-in mechanism, we are now on the way to making OpenVPN available again for you. As a further alternative, we also started to include support for L2TP/IPSEC into the software images deployed to our infrastructure.

As a reaction to the attention and the omnipresence of PPTP security on the web, we changed our time schedule and decided to postpone work related to translating website content, since this eats up a lot of time in the website's development process. We know that being multilingual will be a beloved feature, but for now, priorities need to be shifted.

We are working as fast as possible to make OpenVPN and L2TP/IPSEC dial-in ready as soon as possible.

The IPredator team
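A client-side check for the IPv6 point in the post above, as an added example that is not from the IPredator install guides: it reads text in the Linux `/proc/net/if_inet6` format and reports which non-tunnel interfaces still carry IPv6 addresses. The tunnel name `ppp0`, the function names and the sample addresses are assumptions made for this illustration.

```python
import ipaddress
import sys
from pathlib import Path

# Scope codes used in /proc/net/if_inet6 (Linux kernel IPV6_ADDR_* values).
SCOPES = {0x00: "global", 0x10: "host", 0x20: "link", 0x40: "site"}

# Constructed sample in if_inet6 format (2001:db8::/32 is documentation space).
SAMPLE = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80     eth0
20010db8000000000000000000000042 02 40 00 00     eth0
"""

def parse_if_inet6(text):
    """Yield (interface, address, scope_name) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or len(fields[0]) != 32:
            continue  # skip blank or malformed lines
        raw, _idx, _plen, scope, _flags, dev = fields
        addr = ipaddress.IPv6Address(bytes.fromhex(raw))
        yield dev, str(addr), SCOPES.get(int(scope, 16), "unknown")

def ipv6_exposure(text, tunnel_ifaces=("ppp0",)):
    """Group IPv6 addresses found on non-tunnel, non-loopback interfaces.

    'routable' holds global or site scope addresses, the kind that can
    reveal the origin address outside the tunnel. 'still_enabled' holds
    link-local addresses, which show IPv6 has not been turned off.
    """
    report = {"routable": [], "still_enabled": []}
    for dev, addr, scope in parse_if_inet6(text):
        if dev == "lo" or dev in tunnel_ifaces:
            continue
        key = "routable" if scope in ("global", "site") else "still_enabled"
        report[key].append((dev, addr))
    return report

if __name__ == "__main__":
    # Pass /proc/net/if_inet6 as the argument on a live host; else use SAMPLE.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE
    for key, entries in ipv6_exposure(text).items():
        for dev, addr in entries:
            print(f"{key}: {dev} {addr}")
```

An empty report on the physical interfaces is the state the post describes as "IPv6 turned off".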