wallachee, posted March 13, 2013

As everyone recommends VPN over port forwarding, I took the plunge and set up a NetGear SRXN3205 VPN for remote C4 access with my iPhone. I'm having the following issues and don't know if this is how it is supposed to be or if I'm doing something wrong. If this is how it's supposed to be, it seems as though remote connection is hardly worth the hassle. If anyone has any insight, please respond!

1.) You have to go into settings on the iPhone and enable the VPN any time you want to go to the C4 app remotely.
2.) I'm using IPSEC, and the iPhone does not store the VPN password. Therefore, it asks for the password every time I connect to the VPN.
3.) I've found once inside the app when connected to VPN there is usually a connection error which causes me to go into settings and hit the connect button in order to reconnect to the system.
4.) I've found the app frequently crashes when on VPN.

With everything set up, it can take me more than 5 minutes to turn off a light remotely....

turls, posted March 13, 2013

#1 is yes. Not really a big deal but kind of lame.

The rest, not sure why you are using IPSec. Most posts here refer to using PPTP, and it seems pretty flawless once connected (do not have to type password every time for starters). Have you seen those posts that refer to the setup?

I have previously stated I think C4 needs to let the remote apps piggyback on the 4Sight infrastructure somehow so you don't have to do the VPN hassle, or some way to avoid the VPN. Just kludgy.

AK1, posted March 13, 2013

1) No big deal - but wait for OS 2.4 to improve on this
2) PPTP is inherently insecure and harder to tunnel through routers than IPSEC. I use L2TP - far more secure than PPTP, iPhone remembers credentials and no tunneling issues.
3) I have also found this more frequently with the latest version of the iOS apps
4) Not my experience, although I do have to restart it occasionally to get it to behave correctly

turls, posted March 13, 2013

> 2) PPTP is inherently insecure

Not to start this argument again, but there are ways to mitigate the risk. Lots of people here use PPTP and I don't think they are getting hacked. Maybe luck, maybe they are being careful like not using PPTP on an open hotspot.

pstuart, posted March 13, 2013

PPTP is hacked, don't use it, can be compromised very easily, frankly, PPTP is worse than port forwarding, as it is a far more well known vector of attack...

iOS will store IPSEC passwords IF the configuration on the VPN server allows passwords to be cached. This is not an iOS issue but a VPN server config setting.

If your VPN connection is unreliable, then it could be many things, from your ISP filtering VPN connections, either end (phone carrier, home ISP) or somewhere in between. Could also be that the router is overheating and dropping the connection.

The app has its issues with memory / garbage collection. It needs basically all the free memory on the device to run. Most crashes are due to calling memory that isn't available. Try closing all open apps first before launching the C4 iOS app and see if it is more stable. I don't think being on a VPN connection will make the app more or less reliable, other than it is using more memory.

Also, if you can, try using OpenVPN as it has a free, separate app you launch, establishes the connection, and can install and configure the clients with one click... I switched from IPSEC to OpenVPN and am loving it, of course, your router / firewall must support it, or put an OpenVPN server behind your firewall...

AK1, posted March 13, 2013

The point being everyone acknowledges it is insecure (and harder to tunnel). It's likely fine for low-risk residential uses. However, why bother when there are better, more secure alternatives?

> > 2) PPTP is inherently insecure
>
> Not to start this argument again, but there are ways to mitigate the risk. Lots of people here use PPTP and I don't think they are getting hacked. Maybe luck, maybe they are being careful like not using PPTP on an open hotspot.

wallachee (Author), posted March 13, 2013

Thanks for the replies. Does anyone have info on how to set up the L2TP server on a Netgear SRXN3205? Every time I try to connect it is telling me the L2TP server is unavailable. IPSEC works fine aside from requiring a password every time, and I've been unable to find any information to allow the SRXN3205 to allow password caching. (Everything I've found is for Cisco routers.)

Also, do you guys have your VPN set up to allow for simultaneous internet connections (so you can be on the VPN and internet at the same time), or are you turning the VPN on and then off every time you want to control C4?

cvlboy, posted March 13, 2013

^ Yeah, you might want to route your VPN DNS IPs to recommended openDNS IPs: 208.67.222.222, 208.67.220.220, so you can VPN and internet at the same time.

turls, posted March 13, 2013

> The point being everyone acknowledges it is insecure (and harder to tunnel). It's likely fine for low-risk residential uses. However, why bother when there are better, more secure alternatives?
>
> > > 2) PPTP is inherently insecure
> >
> > Not to start this argument again, but there are ways to mitigate the risk. Lots of people here use PPTP and I don't think they are getting hacked. Maybe luck, maybe they are being careful like not using PPTP on an open hotspot.

Because that was the only thing I could find good documentation on a few months ago that would work in an Android/iOS environment with vanilla DD-WRT setup on my router. I'd love to move to something more secure if it will work with my setup. That being said, between the amount of time I use it and the other precautions I take it is not a big worry for me.

Edit: my iPhone is not jailbroken (and won't ever be) and I don't have OpenVPN.

turls, posted March 13, 2013

> PPTP is hacked, don't use it, can be compromised very easily, frankly, PPTP is worse than port forwarding, as it is a far more well known vector of attack...

Please explain... I don't understand this as a port forward is open all the time and PPTP should have limited windows of vulnerability. I guess if you let your password get out it is open...

pstuart, posted March 13, 2013

PPTP is a connection to your entire network once compromised. Simple dictionary attacks for password, to buffer overflow compromization of the VPN server gives you access to the ENTIRE network. Most PPTP installs on consumer grade routers do not have the appropriate intrusion detection or lock out on password failure, etc...

I can crack a PPTP password in a few hours with the right equipment, and I can find a PPTP system on the internet doing a simple port scan. PPTP is a well known port and a well known vector of attack. This makes it worse than just opening a port to a system.

However, port forwarding your controller's main access port does allow much less known methods of attack, but ultimately it is extremely difficult to compromise your entire network via this port, just your ENTIRE project file or house...

Neither way should be done, and security should be a higher focus for consumers than it is. Eventually ISPs will be tasked with securing their consumers, and then we will say goodbye to an open internet.

cvlboy, posted March 13, 2013

^ I'm using Synology PPTP with Maximum MPPE 128-bit encrypting mechanism, is it easy to hack as well?

Thanks,

turls, posted March 13, 2013

Ok, point taken. Now I'm waiting for whatever other options that are as foolproof as PPTP, since C4 won't write their app to use the cloud/4Sight infrastructure.

And I'll still take the security of my setup over 95% of internet users, with their outdated AV, old java versions, shared admin login for kids, etc.

wallachee (Author), posted March 13, 2013

I found a partial solution. If you jailbreak your iPhone, you can install StayAwake and Activator. This will keep your connection alive and eliminates the need of reconnecting to the VPN and reentering passwords. Downside is your phone has to be jailbroken which poses a certain security risk. Also, your battery should drain faster though I have not noticed a significant change as of yet. This works perfectly when connected to wi-fi networks. However, I haven't gotten it to work on 4G yet. It shows that it is connected to the VPN when you wake up your phone, but then disconnects when trying to visit a webpage. Any thoughts on getting that working?

Also, thanks for the DNS tip. I can surf and be connected to the VPN at the same time now.

pstuart, posted March 13, 2013

> ^ I'm using Synology PPTP with Maximum MPPE 128-bit encrypting mechanism, is it easy to hack as well?
>
> Thanks,

Yes.

Anything PPTP is easy to hack, regardless of the encrypting mechanism...

https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

However, MS-CHAPv2 is the easiest to crack with 100% success.

Others take more time...

Any PPTP traffic should be considered unencrypted and any system using PPTP as a VPN should consider their networks publicly accessible, similar to putting an open wifi access point, except the world can access it.

turls, posted March 13, 2013

Splitting hairs, but from your 2nd link:

"In many cases, larger enterprises have opted to use IPSEC-PSK over PPTP. While PPTP is now clearly broken, IPSEC-PSK is arguably worse than PPTP ever was for a dictionary-based attack vector. PPTP at least requires an attacker to obtain an active network capture in order to employ an offline dictionary attack, while IPSEC-PSK VPNs in aggressive mode will actually hand out hashes to any connecting attacker."

The way I read this there is a difference between a brute force dictionary attack, which could be very time consuming depending on the complexity of the password, and getting the DES keys from a sniffing session.

dogdvr, posted March 13, 2013

> Ok, point taken. Now I'm waiting for whatever other options that are as foolproof as PPTP, since C4 won't write their app to use the cloud/4Sight infrastructure.
>
> And I'll still take the security of my setup over 95% of internet users, with their outdated AV, old java versions, shared admin login for kids, etc.

From earlier in the thread

> 1) No big deal - but wait for OS 2.4 to improve on this
> 2) PPTP is inherently insecure and harder to tunnel through routers than IPSEC. I use L2TP - far more secure than PPTP, iPhone remembers credentials and no tunneling issues.
> 3) I have also found this more frequently with the latest version of the iOS apps
> 4) Not my experience, although I do have to restart it occasionally to get it to behave correctly

turls, posted March 13, 2013

I see what you did there.

pstuart, posted March 13, 2013

Yes, without getting into too much techy talk... Dictionary based attacks are such a simple attack vector, solved by complex and/or unique passwords, doesn't matter the encryption or method of connection.

If someone were to capture a packet session, say at a public wifi, or hotel, or even on a shared cable connection, PPTP is way easier to hack.

LSDave, posted March 13, 2013

I think the easiest secure VPN I set up was with software called iVPN. It leverages the existing VPN server on a Mac computer and gives you a nice easy to use GUI to set it up. Only catch is that that computer needs to remain on all the time. Which wasn't a big deal in my instance as I have a Mac mini being used as a media server. They give great instructions on how to set it up. I also found it to work more reliably than some of the PPTP connections I've set up.

AK1, posted March 14, 2013

Ditto. I use and love it. It speaks PPTP and L2TP. Costs approx $20 + Mac.

> I think the easiest secure VPN I set up was with software called iVPN. It leverages the existing VPN server on a Mac computer and gives you a nice easy to use GUI to set it up. Only catch is that that computer needs to remain on all the time. Which wasn't a big deal in my instance as I have a Mac mini being used as a media server. They give great instructions on how to set it up. I also found it to work more reliably than some of the PPTP connections I've set up.

Archived
This topic is now archived and is closed to further replies.