C4 Forums | Control4

VPN and iPhone Issues - Need Help



As everyone recommends VPN to port forwarding, I took the plunge and set up a NetGear SRXN3205 VPN for remote C4 access with my iPhone. I'm having the following issues and don't know if this is how it is supposed to be or if I'm doing something wrong. If this is how it's supposed to be, it seems as though remote connection is hardly worth the hassle. If anyone has any insight, please respond!

1.) You have to go into settings on the iPhone and enable the VPN any time you want to go to the C4 app remotely.

2.) I'm using IPSEC, and the iPhone does not store the VPN password. Therefore, it asks for the password every time I connect to the VPN.

3.) I've found once inside the app when connected to VPN there is usually a connection error which causes me to go into settings and hit the connect button in order to reconnect to the system.

4.) I've found the app frequently crashes when on VPN.

With everything set up, it can take me more than 5 minutes to turn off a light remotely....



#1 is yes. Not really a big deal but kind of lame.

The rest, not sure why you are using IPSec. Most posts here refer to using PPTP, and it seems pretty flawless once connected (do not have to type password every time for starters). Have you seen those posts that refer to the setup?

I have previously stated I think C4 needs to let the remote apps piggyback on the 4Sight infrastructure somehow so you don't have to do the VPN hassle, or some way to avoid the VPN. Just kludgy.


1) No big deal - but wait for OS 2.4 to improve on this

2) PPTP is inherently insecure and harder to tunnel through routers than IPSEC. I use L2TP - far more secure than PPTP, iPhone remembers credentials and no tunneling issues.

3) I have also found this more frequently with the latest version of the iOS apps

4) Not my experience, although I do have to restart it occasionally to get it to behave correctly


2) PPTP is inherently insecure

Not to start this argument again, but there are ways to mitigate the risk. Lots of people here use PPTP and I don't think they are getting hacked. Maybe luck, maybe they are being careful like not using PPTP on an open hotspot.


PPTP is hacked, don't use it, can be compromised very easily, frankly, PPTP is worse than port forwarding, as it is a far more well known vector of attack...

iOS will store IPSEC passwords IF the configuration on the VPN server allows passwords to be cached. This is not an iOS issue but a VPN server config setting.

If your VPN connection is unreliable, then it could be many things, from your ISP filtering VPN connections, either end (phone carrier, home ISP) or somewhere in between. Could also be that the router is overheating and dropping the connection.

The app has its issues with memory / garbage collection. It needs basically all the free memory on the device to run. Most crashes are due to calling memory that isn't available. Try closing all open apps first before launching the C4 iOS app and see if it is more stable. I don't think being on a VPN connection will make the app more or less reliable, other than it is using more memory.

Also, if you can, try using OpenVPN as it has a free, separate app you launch, establishes the connection, and can install and configure the clients with one click... I switched from IPSEC to OpenVPN and am loving it, of course, your router / firewall must support it, or put an OpenVPN server behind your firewall...


The point being everyone acknowledges it is insecure (and harder to tunnel). It's likely fine for low-risk residential uses. However, why bother when there are better, more secure alternatives?

2) PPTP is inherently insecure

Not to start this argument again, but there are ways to mitigate the risk. Lots of people here use PPTP and I don't think they are getting hacked. Maybe luck, maybe they are being careful like not using PPTP on an open hotspot.


Thanks for the replies. Does anyone have info on how to set up the L2TP server on a Netgear SRXN3205? Every time I try to connect it is telling me the L2TP server is unavailable. IPSEC works fine aside from requiring a password every time, and I've been unable to find any information to allow the SRXN3205 to allow password caching. (Everything I've found is for Cisco routers.)

Also, do you guys have your VPN set up to allow for simultaneous internet connections (so you can be on the VPN and internet at the same time), or are you turning the VPN on and then off every time you want to control C4?


The point being everyone acknowledges it is insecure (and harder to tunnel). It's likely fine for low-risk residential uses. However, why bother when there are better, more secure alternatives?
2) PPTP is inherently insecure

Not to start this argument again, but there are ways to mitigate the risk. Lots of people here use PPTP and I don't think they are getting hacked. Maybe luck, maybe they are being careful like not using PPTP on an open hotspot.

Because that was the only thing I could find good documentation on a few months ago that would work in an Android/iOS environment with vanilla DD-WRT setup on my router. I'd love to move to something more secure if it will work with my setup. That being said, between the amount of time I use it and the other precautions I take it is not a big worry for me.

Edit: my iPhone is not jailbroken (and won't ever be) and I don't have OpenVPN.


PPTP is hacked, don't use it, can be compromised very easily, frankly, PPTP is worse than port forwarding, as it is a far more well known vector of attack...

Please explain...I don't understand this as a port forward is open all the time and PPTP should have limited windows of vulnerability. I guess if you let your password get out it is open...


PPTP is a connection to your entire network once compromised. Simple dictionary attacks for password, to buffer overflow compromise of the VPN server gives you access to the ENTIRE network. Most PPTP installs on consumer grade routers do not have the appropriate intrusion detection or lock out on password failure, etc...

I can crack a PPTP password in a few hours with the right equipment, and I can find a PPTP system on the internet doing a simple port scan. PPTP is a well known port and a well known vector of attack. This makes it worse than just opening a port to a system.

However, port forwarding your controller's main access port does allow much less known methods of attack, but ultimately it is extremely difficult to compromise your entire network via this port, just your ENTIRE project file or house...

Neither way should be done, and security should be a higher focus for consumers than it is. Eventually ISPs will be tasked with securing their consumers, and then we will say goodbye to an open internet.

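The post above points out that most consumer-router PPTP installs have no lockout on password failure. As an added example (not part of the thread and not any router's own code), this Python function counts failed VPN logins per source address in a sliding window and reports the sources that would trip a lockout; the log line format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The line format is an assumption for illustration,
# not the real output of any router or VPN daemon.
SAMPLE_LOG = """\
2013-03-02T10:00:01 vpn auth-fail user=admin src=198.51.100.7
2013-03-02T10:00:04 vpn auth-fail user=root src=198.51.100.7
2013-03-02T10:00:09 vpn auth-ok user=homeowner src=203.0.113.20
2013-03-02T10:00:11 vpn auth-fail user=admin src=198.51.100.7
2013-03-02T10:00:15 vpn auth-fail user=c4 src=198.51.100.7
2013-03-02T10:00:20 vpn auth-fail user=guest src=198.51.100.7
2013-03-02T10:07:00 vpn auth-fail user=homeowner src=203.0.113.20
2013-03-02T10:30:00 vpn auth-fail user=homeowner src=203.0.113.20
"""

LINE_RE = re.compile(r"^(\S+) vpn auth-(fail|ok) user=(\S+) src=(\S+)$")


def find_lockout_candidates(log_text, max_failures=5,
                            window=timedelta(minutes=1)):
    """Return {source: time the threshold was first reached} for every
    source with max_failures failed logins inside one sliding window."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "fail":
            continue              # skip successes and unrelated lines
        ts = datetime.fromisoformat(m.group(1))
        src = m.group(4)
        q = recent[src]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in find_lockout_candidates(SAMPLE_LOG).items():
        print(f"{src} reached the failure threshold at {when.isoformat()}")
```

In the sample, the address cycling through usernames is flagged on its fifth failure, while the owner's two mistyped passwords 23 minutes apart are not.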

Ok, point taken. Now I'm waiting for whatever other options that are as foolproof as PPTP, since C4 won't write their app to use the cloud/4Sight infrastructure.

And I'll still take the security of my setup over 95% of internet users, with their outdated AV, old Java versions, shared admin login for kids, etc.


I found a partial solution. If you jailbreak your iPhone, you can install StayAwake and Activator. This will keep your connection alive and eliminates the need of reconnecting to the VPN and reentering passwords. Downside is your phone has to be jailbroken which poses a certain security risk. Also, your battery should drain faster though I have not noticed a significant change as of yet.

This works perfectly when connected to wi-fi networks. However, I haven't gotten it to work on 4G yet. It shows that it is connected to the VPN when you wake up your phone, but then disconnects when trying to visit a webpage. Any thoughts on getting that working?

Also, thanks for the DNS tip. I can surf and be connected to the VPN at the same time now.


^ I'm using Synology PPTP with Maximum MPPE 128-bit encrypting mechanism, is it easy to hack as well?

Thanks,

Yes.

Anything PPTP is easy to hack, regardless of the encrypting mechanism...

https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807

https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

However, MS-CHAPv2 is the easiest to crack with 100% success.

Others take more time...

Any PPTP traffic should be considered unencrypted and any system using PPTP as a vpn should consider their networks publicly accessible, similar to putting an open wifi access point, except the world can access it.


Splitting hairs, but from your 2nd link:

"In many cases, larger enterprises have opted to use IPSEC-PSK over PPTP. While PPTP is now clearly broken, IPSEC-PSK is arguably worse than PPTP ever was for a dictionary-based attack vector. PPTP at least requires an attacker to obtain an active network capture in order to employ an offline dictionary attack, while IPSEC-PSK VPNs in aggressive mode will actually hand out hashes to any connecting attacker."

The way I read this there is a difference between a brute force dictionary attack, which could be very time consuming depending on the complexity of the password, and getting the DES keys from a sniffing session.


Ok, point taken. Now I'm waiting for whatever other options that are as foolproof as PPTP, since C4 won't write their app to use the cloud/4Sight infrastructure.

And I'll still take the security of my setup over 95% of internet users, with their outdated AV, old Java versions, shared admin login for kids, etc.

From earlier in the thread

1) No big deal - but wait for OS 2.4 to improve on this

2) PPTP is inherently insecure and harder to tunnel through routers than IPSEC. I use L2TP - far more secure than PPTP, iPhone remembers credentials and no tunneling issues.

3) I have also found this more frequently with the latest version of the iOS apps

4) Not my experience, although I do have to restart it occasionally to get it to behave correctly


Yes, without getting into too much techy talk... Dictionary based attacks are such a simple attack vector, solved by complex and/or unique passwords, doesn't matter the encryption or method of connection.

If someone were to capture a packet session, say at a public wifi, or hotel, or even on a shared cable connection, PPTP is way easier to hack.


I think the easiest secure VPN I set up was with software called iVPN. It leverages the existing VPN server on a Mac computer and gives you a nice easy to use GUI to set it up. Only catch is that that computer needs to remain on all the time. Which wasn't a big deal in my instance as I have a Mac mini being used as a media server. They give great instructions on how to set it up. I also found it to work more reliably than some of the PPTP connections I've set up.


Ditto. I use and love it. It speaks PPTP and L2TP. Costs approx $20 + Mac.

I think the easiest secure VPN I set up was with software called iVPN. It leverages the existing VPN server on a Mac computer and gives you a nice easy to use GUI to set it up. Only catch is that that computer needs to remain on all the time. Which wasn't a big deal in my instance as I have a Mac mini being used as a media server. They give great instructions on how to set it up. I also found it to work more reliably than some of the PPTP connections I've set up.

Archived

This topic is now archived and is closed to further replies.
