July 2014 Archives

Dear users,

here is a short roundup of what has been going on lately:

DNS issues

There was a DNS issue last week where some of you were unable to resolve our domains, effectively preventing you from connecting to the VPN. As it turned out, there was an error in the glue records of one domain that caused confusion for some of the DNS resolvers. The issue was fixed, and after a day all the resolvers were happy again.

iOS connection issues

A few reports came in that iOS devices had issues connecting lately. After some debugging we found the issue. Older versions of the OpenVPN client for iOS required the use of a dummy client certificate. The change that caused the problem to appear was that the latest version of the OpenVPN server image also supports SSL certificate authentication. Presenting the server with an invalid SSL certificate won't work. The easy fix is to remove the dummy certificate from the config file. Please fetch the latest config and check if your iOS device works again.

LibreSSL

As you might have noticed, OpenSSL had its fair share of issues lately. As part of a cleanup effort the OpenBSD team forked LibreSSL from OpenSSL and released the first portable version a few days ago. We decided to integrate this version into our server images to gather some hands-on experience with it. If you want to give it a try, connect to libressl.openvpn.ipredator.se. Please keep in mind that this is still experimental. The portable version of LibreSSL comes without ASM instruction support at the moment, which means that there is no hardware accelerated AES using the rsax engine. Expect slower speeds. If you can bear the weaponized sans comic please consider donating to the LibreSSL project. Thank you!

IPv6 support

We have been testing a couple of machines with a dual-stack configuration for IPv4 and IPv6 for a while. If you are interested in getting an IPv6 IP address, please connect to ipv6.openvpn.ipredator.se. So far Linux and BSD work fine out of the box. The latest OS X seems to work well too. Please test IPv6, especially with Windows, and report any issues you can find. Remember to configure your firewall properly for IPv6 to prevent accidental exposure of locally running services!

While you test things we will finish a few todos on our end for proper integration of IPv6 like updating the website content or supporting IPv6 on the resolvers.
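An added example (not IPredator's own tooling) for the firewall reminder above: this Python script lists the TCP listeners that become reachable over a public IPv6 address unless a firewall blocks them. It assumes Linux `ss -H -ltn` output; the sample lines and function names are constructed for illustration.

```python
import ipaddress
import shutil
import subprocess

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE = """\
LISTEN 0 128        0.0.0.0:22     0.0.0.0:*
LISTEN 0 128           [::]:22        [::]:*
LISTEN 0 5            [::1]:631       [::]:*
LISTEN 0 511              *:8080         *:*
LISTEN 0 64  [fe80::1]%eth0:5353      [::]:*
LISTEN 0 16  [2001:db8::10]:3306      [::]:*
"""

def classify(local):
    """Return (port, verdict) for an IPv6-capable listener, None for IPv4-only."""
    host, _, port = local.rpartition(":")
    if host == "*":                       # dual-stack wildcard socket
        return int(port), "exposed"
    if not host.startswith("["):          # plain IPv4 bind, out of scope here
        return None
    # Take the text inside the brackets and drop any %scope suffix.
    literal = host[1:host.index("]")].split("%")[0]
    addr = ipaddress.IPv6Address(literal)
    if addr.is_loopback:
        return int(port), "loopback-only"
    if addr.is_link_local:
        return int(port), "link-local"
    return int(port), "exposed"           # [::] or a routable address

def ipv6_listeners(ss_output):
    """Parse `ss -H -ltn` text into a sorted list of (port, verdict)."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN":
            result = classify(fields[3])
            if result:
                found.add(result)
    return sorted(found)

def exposed_ports(ss_output):
    """Ports an IPv6 firewall must cover once the host has a public address."""
    return [p for p, verdict in ipv6_listeners(ss_output) if verdict == "exposed"]

if __name__ == "__main__":
    have_ss = shutil.which("ss")
    text = subprocess.run(["ss", "-H", "-ltn"], capture_output=True,
                          text=True).stdout if have_ss else SAMPLE
    for port, verdict in ipv6_listeners(text):
        print(f"tcp/{port}: {verdict}")
```

Every port reported as exposed should either be covered by an IPv6 firewall rule or have its service rebound to `::1` before you connect to the dual-stack endpoint.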

Second session / NAT pool

You have been asking us to allow more than one session for quite some time now. The basic limitation for one session is that you get your own (rare) public IP address when you connect to the VPN. To work around that limitation you can now establish a second session to nat.openvpn.ipredator.se. This will give you an RFC 1918 IP address from the 10.10.0.0/16 IPv4 range. A firewall does the NAT magic to multiplex your internet traffic with that of other users.

We decided that VPN clients connected to the NAT pool should not be reachable by other VPN clients/users in the same network. This should help with clients that have no or weak firewall capabilities, like phones or tablets. You cannot use the NAT pool for torrents or similar use cases that require an inbound port mapping. We are still working on a solution to allow you to map inbound ports.

The IPredator team

Maintenance done

Dear users,

the VPN and all other services are back online. We did updates on the core router and needed to reboot a few machines around it to deploy new kernels.

The IPredator team

Dear users,

we need to do maintenance on our core network infrastructure. Expect a short downtime. The service will be back online at around 18:00 UTC.

The IPredator team