IPFire and OpenVPN: Opinions are Opinions… and there are some misguided ones.

Today I was looking at my lab configuration and noticed that it had a flaw. To give some context, the lab runs in VMware. Within the environment there are three network interfaces.

  1. Red interface, which faces the internet via my host's interface.
  2. Green interface, which is essentially a private network with IPFire as its gateway.
  3. Blue interface, which is similar to green but represents more of a wifi/guest network.

When running some tests I noticed that I was able to go via the IPFire router and access the local network. This is not what I wanted. However, this did make sense to me, as I was using NAT for the interface.

So what was the Problem?

Well, I wanted to use the VPN of my host system for my lab. Though I am using a full tunnel, connecting to my interface directly provides the red interface with an IP from my network's router, essentially bypassing the VPN.

The VPN works by using a loopback through the VPN interface and out via the provider. This is proven when I move up the OSI stack and am able to connect to the internet using my VPN when NATed. Here is a workflow example:

This means there is really only one way to work around this issue, and that is to set up a VPN connection from my red interface. This is where things get interesting, and it is more the fuel to the fire that is this article.
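The bypass described above is a routing fact: whichever interface holds the default route is the one Internet-bound traffic leaves by, regardless of whether a VPN client is running somewhere else. The following is an added example (not code from the original post, nor from IPFire or OpenVPN) that reads `ip route show` output from a Linux host and reports whether default traffic actually egresses through a tunnel. It assumes the iproute2 output format, treats interface names starting with `tun`, `tap`, `wg` or `ipsec` as tunnels (an assumption to adjust for your setup), and recognises the pair of `0.0.0.0/1` and `128.0.0.0/1` routes that OpenVPN installs when a client config contains `redirect-gateway def1`. The routing tables embedded below are constructed for illustration and use documentation address ranges.

```python
"""Check whether a Linux host's default route really egresses through a VPN
tunnel or leaks straight out of the physical (red-side) interface.

Added example, not code from the original post or from IPFire/OpenVPN. It
parses `ip route show` output (Linux iproute2 format, assumed) and recognises
both a plain default route and the pair of /1 routes that OpenVPN installs
when the client config contains `redirect-gateway def1`. The tunnel
interface-name prefixes are an assumption; the sample routing tables are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Interface-name prefixes treated as VPN tunnels (assumption; adjust to your setup).
TUNNEL_PREFIXES = ("tun", "tap", "wg", "ipsec")

# Captures the output device of a route line, e.g. "... dev tun0 ..."
_DEV_RE = re.compile(r"\bdev\s+(\S+)")


@dataclass
class EgressReport:
    default_ifaces: set   # interfaces that would carry Internet-bound traffic
    via_tunnel: bool      # True only if every such interface is a tunnel
    def1_split: bool      # True if both OpenVPN /1 override routes are present


def _is_tunnel(iface: str) -> bool:
    return iface.startswith(TUNNEL_PREFIXES)


def analyse_routes(ip_route_output: str) -> EgressReport:
    """Work out which interface(s) carry default traffic.

    Route selection is longest-prefix-match, so 0.0.0.0/1 and 128.0.0.0/1
    beat the /0 default when present. If only one of the two /1 routes is
    present, half the address space still falls through to the /0 default,
    so both the /1 device and the default device are reported.
    """
    plain_default = set()
    half_routes = {}  # "0.0.0.0/1" or "128.0.0.0/1" -> output device
    for line in ip_route_output.splitlines():
        line = line.strip()
        if not line:
            continue
        dst = line.split()[0]
        dev = _DEV_RE.search(line)
        if dev is None:
            continue  # e.g. "unreachable"/"blackhole" entries carry no device
        iface = dev.group(1)
        if dst in ("default", "0.0.0.0/0"):
            plain_default.add(iface)
        elif dst in ("0.0.0.0/1", "128.0.0.0/1"):
            half_routes[dst] = iface

    def1_split = len(half_routes) == 2
    effective = set(half_routes.values())
    if not def1_split:
        effective |= plain_default  # the /0 still decides some or all destinations

    via_tunnel = bool(effective) and all(_is_tunnel(i) for i in effective)
    return EgressReport(effective, via_tunnel, def1_split)


# --- Constructed sample routing tables -------------------------------------

# Red interface took a DHCP lease from the home router; no VPN in the path.
SAMPLE_LEAKING = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# OpenVPN client up with `redirect-gateway def1`: the two /1 routes win over
# the /0 default; 203.0.113.5 stands in for the VPN concentrator's address.
SAMPLE_DEF1 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.5 via 192.168.1.1 dev eth0
"""

# Only half of the override installed (e.g. one route add failed): partial leak.
SAMPLE_PARTIAL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
"""


if __name__ == "__main__":
    for name, table in (("leaking", SAMPLE_LEAKING), ("def1", SAMPLE_DEF1),
                        ("partial", SAMPLE_PARTIAL)):
        report = analyse_routes(table)
        print(f"{name:8s} egress={sorted(report.default_ifaces)} "
              f"via_tunnel={report.via_tunnel} def1_split={report.def1_split}")
```

On a live host, feed it `subprocess.check_output(["ip", "route", "show"], text=True)`; a report with `via_tunnel` false while the VPN client claims to be connected is exactly the situation the paragraphs above describe. The routing check is only half the picture, since a route flap or a tunnel that drops will fall back to the red interface's default; pairing it with a firewall rule that refuses outbound traffic on the red interface except to the VPN concentrator is what makes the full tunnel fail closed.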

Check this article: https://community.ipfire.org/t/feature-request-easy-way-to-add-vpn-service/2256

I found this article infuriating, as the writer does not seem to understand that their perception of risk is flawed. For those who are TL;DR: the writer, Peter Müller, is claiming that using a VPN is less secure than going via the potentially adversarial network you are already in. The claim is that VPN providers may be collecting logs, but the same is true of ISPs, which weakens the argument. In fact, the exact argument presented is just as much a reason to use a VPN as not to.

There was even some argument to use Tor, but this, without a VPN, is also a weakness for anonymity…

So let's break down this argument and try to find the right answer FOR YOU, not what someone else “reckons”.

  1. What layers of defense does your current provider offer?
    • Does the provider protect the source IP address, or assist with masking it, when connecting to servers you may not fully trust?
    • How is that traffic transported?
  2. Does your provider make a public statement that could impact its stock price if discovered to be false (e.g. that you are not being logged)?
  3. What information is shared with third-party services when you attempt to connect to a target?
  4. Do YOU trust your:
    • ISP
    • VPN provider
    • Tor circuit
  5. If you are using Tor, the first node in the circuit will know your IP.
  6. The argument does not take into account mobile lab environments, or access via public networks.

Before I start ranting, let's just look at those six points and add them to our thought process around “Should I use a VPN?”. Yes, there are points in Peter's article which consider the overall implementation and should be used when weighing up options. But none of the reasons specified are balanced enough to argue the point that “VPN is BAD”.

What do I “Reckon”?

Take note of what you are using your provider for. Yes, there are things that could happen, such as changes in law, data breaches, and potentially misinformation from the company you have selected to trust as a VPN. Equally, this applies to your ISP as well. Realistically, you could build your own VPN if you wanted to be certain: connected to the internet, located in another country (or countries), not via a provider (like AWS, Rackspace etc.), and tunnel that way. However, the practicality of this is low unless you have really good reasons and the funding.

The right thing to do is to use caution and be educated on what trails you leave. Being anonymous online is challenging, but protecting some of the basics is not. If you are an organisation, you may be able to afford enterprise-class security tools and to build secure solutions using them for protected access. However, for those who are a one-man band or just an enthusiast, this type of information is wildly misdirecting, and does not consider the higher-level thought processes and rationality required to conclude such a conversation.

My Advice

A VPN helps defend your identity from malicious attackers by introducing additional layers of security. It hides your footprint from your ISP, though they will know you are routing via their network to a concentrator. Large VPN providers have a reputation to maintain, but they will look out for themselves in the long run. So will your ISP, which is less inclined to defend that part of its reputation, as we know they will provide information on request.

Using Tor is an option; however, for true anonymity across this network, using a VPN helps to mask your source address. So if you consider an attack on the VPN provider versus your limited-budget home security, it is likely the provider is more secure, as this is their business.

Ultimately, consider what you are connecting to, where you are connecting from, and what degree of digital footprint you are happy to leave. Would you be happy if I could identify your systems by a simple connection, or should there be efforts to obfuscate this information, essentially making you a more challenging target?
