Runtime Arguments

7: VPNs - Connecting Safely

Jim McQuillan & Wolf Episode 7

If you need to connect to remote networks, or if you are outside of your network and would like to connect into it, then almost certainly you need a VPN. Jim has lots of real-world experience connecting networks together. In this episode we talk about various ways to connect and list some of the issues that you might run into.

Take-aways from the episode:

  • There's a difference between a "VPN" and a "VPN Service"
  • If you are looking for something simple allowing you to talk to a home machine while you are outside the home, Tailscale works REALLY well. It doesn't require you to "poke a hole" in your firewall.
  • If you want a bit more control and host everything yourself, WireGuard is GREAT for that. I used to recommend OpenVPN but now I think WireGuard is the best choice because it's so much easier to set up.

Hosts:
Jim McQuillan can be reached at jam@RuntimeArguments.fm
Wolf can be reached at wolf@RuntimeArguments.fm

Follow us on Mastodon: @RuntimeArguments@hachyderm.io

If you have feedback for us, please send it to feedback@RuntimeArguments.fm

Check out our webpage at http://RuntimeArguments.fm


Theme music:

Dawn by nuer self, from the album Digital Sky

Wolf:

Howdy everybody, it's another episode of Runtime Arguments. I'm Wolf.

Jim:

And I'm Jim.

Wolf:

Uh as usual, we're gonna talk about uh stuff that came up over lunch. Uh today Jim did the research and um maybe didn't even have to do as much research as usual because it's a topic about which he knows a great deal and has interacted with a lot. Um the first thing I want to say before we get started is thank you so much for listening. We really appreciate our listeners. It is um the excitement and feedback from you all that helps keep us going, lets us know when we're doing the right thing, and points us in a better direction uh when when we aren't. Um because you're listening, please tell your friends. Uh you I'm certain you have friends who would enjoy this just as much as you, tell them. Um we would love to have more of your feedback. It'll be in the show notes, and I'll tell you again at the end. The best way to reach us is by email uh feedback at runtimearguments.fm. Um and we do have a little feedback today, um, and this is about the episode we just recently did on uh measuring performance, and the thing we want to mention here that we got in feedback is a thing often called the observer effect. Um whatever features it is you need to measure performance, no matter what tool you use to measure that performance, there is going to be some impact on how your program actually runs. Typically, adding measurement slows your program down, so the numbers you collect don't represent the real speed of your program. Sometimes the performance tool you use exacts less of a toll on your application. But essentially, as in physics, as in every kind of science, it's true too in performance measurement. You cannot observe a thing without affecting that thing. So that is the feedback we got, and I wanted to uh share with you. Um I'm going to hand it over to Jim, who's gonna start with a disclaimer, and then he's gonna go straight into his topic.

Jim:

Go ahead, Jim. Yeah, and uh uh Wolf, you you you haven't yet mentioned what the topic is. Uh tonight or today we're gonna be talking about uh VPNs, virtual private networks. And here's my disclaimer: Wolf and I are not security experts. There's an awful lot we're gonna talk about. Uh there's a lot going on with encryption and authentication, and we can't pretend to understand everything that's happening. Uh we just use the technology, so we're gonna talk about using the technology. If you want a better source of uh learning about encryption, uh uh search the net. There's a lot of information out there, a lot of great books on it. Uh I've got some of those books.

Wolf:

Can I actually name a really good book? Sure. And also um mention this. So, first of all, um there is a uh pretty thick book by Bruce Schneier on uh encryption, and that might be uh the most important book in the field. It covers uh just about everything you might need to know. I don't think it's totally up to date, but if you need to know something about encryption, almost certainly it's in that book. And the second thing I want to say is um previously we've talked about having broad focuses and narrow focuses, and um a lot of the episodes we've made so far, um at least half, uh have been aimed more at people who are programmers. Uh and this is a more broad topic. I think it will be interesting to a larger crowd. It's not just for programmers, it's for everybody who uses a computer. Uh, and that's what I wanted to interject there. Jim, go ahead.

unknown:

Yeah.

Jim:

Yeah, thank you. So when you get into encryption, there's an awful lot of terms. Uh it's it's really like acronym salad. There's so much going on. You you've got hash functions like MD5, uh SHA-1, SHA-2. Uh you got those. You got authentication standards, you got HMAC, you got IKE, you got uh encryption ciphers, uh like AES-128, 192, and 256, and uh so many more. Um we're not going to get into depth about what all those are. And for some of the VPN solutions, you don't need to worry about it. Uh others, like IPsec, you do need to worry about it because you need to make sure that you and the other end, or your end and the other end, are talking the same uh uh standards, using the same uh um uh ciphers and everything else. Uh but I do want to talk a little bit about uh another thing, and that is with encryption, uh, and it's heavily used in a VPN, uh, you've got symmetric encryption and asymmetric encryption. And they're different. Um symmetric encryption is where you use the same key or password or passphrase uh in both directions. So you can encrypt uh some data using a uh a secret, and on the other end, they decrypt it using the same secret. That's really, really fast. Uh the other kind of encryption is asymmetric encryption, and things like SSH uh use it, and a lot of things use it, and that is where you have like a public-private key pair. Uh you use one key to encrypt the data, and you use the other and other key to decrypt the data. Uh that's much slower. Uh you wouldn't want to do that for a streaming type encryption where you're trying to blast a bunch of data across a network. Uh uh asymmetric encryption is too slow for that. So, what happens is you end up using a combination of both. You'll use asymmetric encryption to pass the secret key to the other side. Uh so for a brief moment you're gonna use asymmetric encryption just to get the connection up and running, and then you start using symmetric encryption, if that makes sense. I I think it does.

Wolf:

Um the reason the reason you do that, um, I guess I'm not really asking. I guess I'm commenting. Uh, but the reason you do that is because uh key negotiation is a big deal. If you want to share one key for symmetric encryption, getting that key around, that's a weakness. Um because that secret key has to go between where you are and where you're communicating with, and that's where a man in the middle or whatever attacker you're facing can get it. And once they get it, they can decrypt everything that you say. So um symmetric encryption has a significant problem. Um, key negotiation. Asymmetric encryption is slow, just like you said, but because there's one key that's public and one key that's secret, and what you encrypt with one key decrypts with the other. That means the quote public key, unquote, can be anywhere. Everybody can have it. There's no need to hide it. And the secret key never leaves your machine. So nobody can guess it, nobody can trick you out of it, they can't pretend to be you. It's slow, but it doesn't have the key negotiation problem. When you put those two things together, when you use the slow system with no negotiation problem to create um a mechanism for sharing the key, now you've got the best of both worlds. You can share the key with no worries about interception, and your actual encrypted stream is really fast. That's why there's two different things and we care about them both. So that's my comment.

Jim:

Yeah, and I'll I'll add one more thing if we haven't talked about this enough yet. Um public key, private key pairs. You would use the public key to encrypt data. So anybody could encrypt the data, but only the private key could decrypt it. That's how a lot of things work. Uh you you want people to send you something securely, whether you're doing PGP or HTTPS or whatever. Uh you want to be able to encrypt that data and send it to somebody who they're the only people that can decrypt it because they're the only holders of that private key. So I I think we've talked enough about synchronous versus asynchronous. Maybe too much. Uh so I want to talk real quickly about uh some forms of communication before we get into a VPN. And uh let's start with HTTPS. Um it used to use SSL, now it uses TLS. Uh SSL was the secure socket layer. TLS is its is its uh newer uh uh uh uh enhancement to it. Uh transport security layer. Um that's how websites are encrypted. You've got a certificate. Uh the the again it's public private key pair, right? Uh the the owners of the website have the private key. Uh the public key is in the certificate, so you can talk back and forth with a website. And and it's secure. Um another thing that we all use, a lot of programmers use, is SSH, the secure shell. Uh the big one is uh OpenSSH. I I don't even know if I've at least in the last ten years, I have not used anything other than SS than OpenSSH. Uh Wolf, can you think of any SSH implementations that aren't that?

Wolf:

Um you know, I'm not sure that I can. Uh of course, um Apple always wants to do things differently than everybody else, so they might have their own. But as far as I know, uh same as you, last ten years, almost certainly, every time I use SSH, it's OpenSSH.

Jim:

Yeah, well a uh SSH on the Mac is OpenSSH. Well, there you go. Yeah, and within OpenSSH is several tools. There's SSH, the command line tool for connecting to a remote machine. Um for those of us who've been around for a while, you know, we used to use things like Telnet, which was not secure at all. In fact, it's it's doesn't even exist in most uh Linuxes and and Unixes anymore. You have to if you can, if you need it, you can install it, but it's not there by default.

Wolf:

That's part of OpenSSH.

Jim:

Well, sure. In order for you to SSH to a machine, you need a daemon on the other end to accept the connection. So that's SSHD. That's part of the OpenSSH package. Uh then there's SCP, the secure copy program, and that's how you would copy a file to a remote machine over the SSH protocol. And SFTP is kind of like SCP, it's kind of like the old FTP, only it's secure. It's uh the the old FTP worked on two different ports, I think what, 20, 20 and 22 or 21 and I don't remember. It uses different ports. Uh it needs a control channel and a data channel. Anyway, we're not here to talk about FTP. But SFTP is a secure version of that that uses uh open, it uses SSH. There's also FTPS, which is a secure version of FTP that kind of works the owner. I haven't even heard of that. Really? I I've used that. I don't like it. Um I I I just I I prefer uh if I want to copy a file, it's SCP. Uh I'm in the medical world, and we f send files to insurance companies and send files to labs, and a lot of those, if you're not doing streaming connection, then you're gonna probably be using SFTP. And it's it's kind of a nuisance. You have to script it. It's it's it's not easy. Um but uh anyway, that's there. That's all part of uh SSH. Um one of the cool features about SSH, at least with OpenSSH, is the idea that you can do tunnels. You can create a tunnel between two machines, and then all the traffic between those two machines will go across that tunnel. Um well assuming all the traffic is using a certain port. Um you can port forward stuff through that port, so you can hit a website on the other side over an SSH tunnel. It's a little bit clumsy, but sometimes it's what you need to get the job done. Uh those of you who have used the X window system, um, I I did a lot with X Windows back when I was doing LTSP. Um that can tunnel over SSH, and that's really kind of neat. So now your X window traffic is tunneled kind of automatically for you across SSH. It's really handle handy.
Uh and then I think Wolf, you've set up an SSH jump server. Um you've got a little experience with that.

Wolf:

So I'm I have a home network and I've got multiple machines on my home network. Um and yet I have to drive into work. It's it's not as bad as a full-on commute, it's hybrid. So I'm only there in the office three three days a week. But a lot of times when I'm at work or someplace else that's not at home, I want to reach my machines at home. Um so I have dynamic DNS. Um that means there is a hard to say host name uh provided to me by my Eero, which is the mesh network uh devices that I use, and I've got that name in my SSH config file. And the the thing I do is this I have one machine um that is a gateway. I've got a Mac Mini hanging off the back of one of my monitors. Um and that Mac Mini um is the thing I can reach from outside the network. And then I have various other machines inside the network that I want to reach once I've already connected to that Mac Mini. I could do it in two steps. There's no problem with that, SSHing first to the Mac Mini, and then assuming the Mac Mini also had keys on it, or else um I uh had set up the uh s setting in SSH config to forward keys so that the keys that are on my machine where I am in Livonia or wherever would go through and let me to connect to one of those other machines. Or there is a feature, minus capital J of SSH, um, that lets me jump through the Mac Mini. I don't have to mention the Mac Mini. Um well I kinda do. I have to name it in my SSH config file. But using minus capital J, my command to to do the SSH connection can go straight to my Linux box and I can start doing Linux-y things on that box. Um so I use ma Minus Capital J a lot. I love jump uh jump servers and the jump uh facility. Uh I use it much more than I use tunneling. Um and uh this episode is about VPNs. As of this moment, I don't use VPNs myself. I I mean I do at work. At work we we have to use a VPN to connect to our work machines. But for my home machines, it's all SSH. I like that, but maybe tonight I'll learn better.

Jim:

Yeah, I I I hope you do, and I hope our listeners uh can take something from this. So we've kind of talked about HTTPS and SSH, and those are certainly methods to communicate securely. But the meat of this episode is really about VPNs, virtual private networks. Um a VPN allows you to act as if you are connected to the network, uh, whether the network's at home or at the office or whatever. Uh it lets you be on that network virtually, privately. Um there's a couple of topologies.

Wolf:

I kind of have a very naive question. Um, why would you want to do this? I think I know maybe why I wouldn't want to do it. Maybe. But why does a normal why does it why does anyone else want to do it?

Jim:

Well, I'll tell you why we do it at my company. Uh we've got resources in our network that we don't want to expose to the internet. Um we've got uh we've got a wiki, we've got file storage, we've got uh development servers, um, and we don't want to put them out on the net, uh publicly accessible. Now, I know we can lock down our wiki with with uh with authentication, but you know, web software on the network, uh, if you're not really, really careful about it, uh you could you could have a breach. Uh and I don't want that. Um we have a file uh storage. Uh we don't want that on the network, uh, on the internet. We only want it accessible to people who we give permission to. Um so we use the VPN. It makes it look like everybody's on the same network. Sort of. Uh so that's that's kind of why. Uh you've got things on your network that you want to keep secure, right? Uh, I don't want to expose my my entire network to the internet. Uh so to get at my network, you have to connect through a VPN. Uh now it's just starting to talk about topologies. With a VPN, you've got a couple of choices or several choices. You can do point-to-point. That would be one machine like my laptop, talking to one machine like my desktop. You know, my laptop when I'm out of the house and I want to connect up, I would connect directly to my desktop, and that's a point-to-point. Then you've got point-to-site where you've got your laptop, you're out roaming around, and you want to connect to the whole network. That's point-to-site. That's really useful for me. And then you've got site-to-site. You might have multiple branches in your corporation, and you have all these different offices or branches, and they want to communicate with all the other offices, and they want access to all the resources back and forth. You know, you've got multiple machines on one side, multiple machines on the other side, and they should all be on the same network. That's site to site.
When you talk about topology, you have to talk about routing, how you're going to route the traffic. Make sure that all the machines on your network can talk to you and you can talk to them while you're connected. That interests me.

Wolf:

I really want to know about that.

Jim:

Yeah. Yeah, routing's pretty cool. I I uh I understand how to set up routes and how to trace routes. Uh I'm not using BGP or any of those routing protocols. Uh that's a little above my pay grade. I I can I can do what I need to do without that. Um but let's talk about types of VPNs or maybe not so much types, but uh VPN uh solutions. Uh for a long, long time I was a user of OpenVPN. I still am using OpenVPN, but OpenVPN has been excellent. Um it's a little bit clumsy to set up. You've got to create keys and a configuration file, and you've got to set up a server and make sure everything agrees on both sides. Um but boy, I got a lot of use on OpenVPN for many, many years. Uh it works great with Linux, it works with Mac. Uh, there's a client for Mac called Tunnelblick. Um the client for Linux is built into OpenVPN. Uh there's clients for Android and iOS and Windows and the BSDs, and it works really well. Um, like I said, I used it for many, many years. Like, like I'm talking like 15 years. I've been using it. I've passed a lot of data across OpenVPN uh connections. Um another one is IPsec. That's another technology. IPsec is um man, it can be difficult. I uh where OpenVPN requires a config file, uh, IPsec requires so much in terms of both sides agreeing on everything. On uh all those acronyms I talked about earlier, they have to agree absolutely about everything. Um I like I said before, I'm in the medical world. I did a lot of work for a client where we connected laboratories, uh doctors' offices to laboratories. And for some reason, IPsec was the the favorite way to do that. And every time we had to set up a new connection, boy, what a struggle getting that working. That could take hours to get it to get everything negotiating correctly and and make it work and get the routing set up and stuff. So IPsec is there. Um you typically use that, like if you've got to talk to a Cisco router or Fortinet or Juniper or one of those, uh, some kind of a VPN device.
There's lots of parameters you have to specify. So if you need to do that, uh uh you can. It just takes some work. Uh being a network security expert really helps for that. Uh another technology, a really, really old one. This is from Microsoft PPTP, point-to-point tunneling protocol. Um, that's from Microsoft created in 1999. And you know, I swear I've been using it longer than that. I it was the first kind of VPN I set up, and it seems to me I was using it in the mid-90s, but after doing the research, I see it just came out in 99. Anyway, that worked for Microsoft Windows machines to talk to other Microsoft Windows machines over a PPTP VPN network. Um it's really fallen out of favor, it's not very secure, nobody uses it anymore. Or I suppose some people do, uh, but it's not recommended. Uh, another technology is L2TP. Now that is a layer over the top of IPsec, but I think the parameters are a little bit easier to configure. Uh, I'm doing some L2TP now that's working pretty well. Uh, it's built into macOS and iOS, and um uh you can set it up on Linux and Windows, and and it's there. Uh it works. Uh newer technologies, though. This is what I really want to get into. Uh WireGuard uh has been around for a while. It's built into Linux, it's actually built into the kernel. It's amazing. Um there's clients for every operating system, it's easy to set up. There's just a configuration file. You do have to create uh a key. Uh it's just a string, like a hashed string. Uh you got to create that for each client. But it's pretty easy to do. They give you the tools to do it. The configuration file is really quite simple, and it works. I'm doing some of that right now. Um, if you're gonna do any of these VPN solutions, though, uh if you you're on a home network, you're almost certainly uh behind a NAT firewall, right?
By net by uh NAT, I mean network address translation, where inside your home, you've got all these devices with an IP address of something like 192.168.0.something or 10.0.0.something, or whatever. You've got all these private IP addresses inside your network, and you've got one public IP address at your router. In order for all those devices to talk to the world, the address has to be translated. So you're coming from a desktop at 192.168.0.43, and you want to talk to anybody CNN, Yahoo, Facebook, whoever, uh, your address gets translated on the way out the door to your public IP address.

Wolf:

This is this is one of the things we were discussing at lunch that led to this episode. Yeah. And a thing that um I found very interesting, I think you brought it up, is that network address translation really is a tool for dealing with the limited address space of IPv4. Yes. And that the protection NAT gives you it doesn't give it doesn't even apply to IPv6. Um can you mention that? Can you talk a little bit about that?

Jim:

Yeah, I you know, I set up a new router at home and it I was all happy with it. I was doing all kinds of IPv4 stuff, and then my friend uh who's a security guy at uh Facebook pointed out the fact that I've also got IPv6 running. And if I don't do something to protect that, it's wide open. Uh in the future, uh, I think in about six or eight weeks, we're gonna do an episode on IPv6. So we're gonna cover this a lot more than I'm gonna have a chance to do a lot more research. But IPv6 doesn't get NATed. The addresses can go right through a router. Assuming the route is set up, uh there's no NAT protection. So to think that you're protecting your home network just by having NAT uh is not right. Don't don't do that. Have a firewall. Make sure you got rules to specify exactly what kind of traffic can get through that firewall.

Wolf:

And and why is it that NAT doesn't help you with IPv6?

Jim:

Because IPv6 isn't NATed. Everybody has an IP address. Everything on the network has an IP address that's globally routable. Um if you ever look one for everything. Uh in fact, there's many for everything. If you if you're on a uh if you're on a fairly new machine, uh new, like the last 10 years or so, and you look at your network interfaces, like I'm on a Mac right now, and I've well I've got a whole bunch of network interfaces because I'm running some Docker stuff, I'm running some VPN stuff, but I've got several IPv6 addresses. There's some local addresses and some global addresses. There's enough IPv6 addresses out there. Uh, I don't know. I I hear things like uh every star in the galaxy could have an IP address and you still wouldn't run out. Um you know with IPv4, with IPv4, uh you're really only allowed about four billion IP addresses. Right? It's uh 2 to the 32nd. Is that right? 2 to the 31st, 2 to the 32nd. That's a little over 4 billion. Uh and then you run out. And guess what? There's more than that many devices that that can talk uh on the network. Um so in order for all the all those devices to talk on the internet, they have to be sitting behind a router that translates the address for you. So by doing that, how if I'm if I'm out like let's say I'm in a coffee shop with my laptop and I want to talk to my machine in my house, how do I do that? Uh using really OpenVPN, SSH, um, L2TP, WireGuard, whatever. How do I talk to a machine inside my network? How do I address that machine inside the network? Well, you probably have to do port forwarding. So on your router, uh, you have to set up a port forward to say uh somebody from outside the network can connect to let's say port 6000, and you're gonna forward that to an internal machine, like my desktop, and then you're gonna run WireGuard on your desktop. And now when I'm outside the network and I connect to port 6000 at my public IP address, I'm really talking to a machine inside my network.
That's what you have to do uh to make that work. Uh it's clumsy. If you don't have control of your router, if you don't understand it, that's kind of a difficult thing to do. Um certainly doable, but you you need a little bit of expertise uh to make it happen. Um so there's some newer uh things that make that better. Um when I got into WireGuard, everybody was saying, you know, you gotta look at Tailscale. Tailscale is built on top of WireGuard. Uh it's a commercial service uh that kind of piggybacks on top of WireGuard, uh, but it makes things easier. It is a lot easier to set up. Uh, there's a free tier. Uh we are not paid by Tailscale, by the way. We have no affiliation with them at all, other than I happen to be a happy user. Um but with Tailscale you connect your laptop, you subscribe your laptop to Tailscale, you connect your desktop to Tailscale, and any other machines you want, uh, you you give them all accounts on Tailscale. Or it's all the same account, but it's different nodes. Uh they call it a Tailnet. So you have several nodes on your Tailnet. And what happens is each of those nodes communicate with a Tailscale server. Now that doesn't mean that all the traffic is going through Tailscale's server. Uh the machines that connect to a VPN actually talk directly to each other. But they use Tailscale to facilitate that uh by uh, you know, I talked earlier about NAT, uh IP masquerading, it's the same thing. Um when you talk to the internet from inside your network, you get a your your network address gets translated into your public IP address, and your port number gets translated as well. Well, Tailscale keeps track of that. And every machine you have that uh is on the Tailnet has a list of all of your other nodes and what public IP address they have and what port they're using. So there uh Tails Tailscale is kind of like a directory of IP addresses and ports so that two machines, uh one inside the network and outside the network, can talk. 
And it's really kind of neat. It's a technology called STUN, S-T-U-N. Um it's an acronym for Session Traversal Utilities for NAT. It's built for traversing NAT networks, uh, and it's really kind of neat. Tailscale basically harnessed that uh along with WireGuard, and they put it all together into something that's really, really easy to use. Um furthermore, with Tailscale, you can set up something called an exit node. So if I'm out in a coffee shop with my laptop and going through Tailscale, I connect to my desktop at home. If I tell my desktop at home that it's an exit node, then all of my traffic goes through that. So it appears that all of my connections going through that are coming from my home network. I'll tell you where that's handy, and uh maybe I shouldn't admit this, but I I was in Winnipeg uh two months ago, and we wanted to watch some TV uh and it wasn't available in Canada. It had to be in the US. So I on my laptop, I connected to my home network using Tailscale, and when I tried to get to the uh subscribe th the uh the the subscription service for the TV, I'm not gonna name which one it was, uh, but they thought I was in my house. So I was able to watch a TV show. Uh it's really kinda handy. Maybe that's what you want to do.

Wolf:

Um it's I n I know you want to talk about um another thing besides Tailscale, yeah. But the thing you just said um sounds like an introduction um to the other thing people have been using VPN to mean.

Jim:

Yeah, we're le we're leading to that. Uh we'll we'll be there in just a minute. Um so anyway, by setting up my desktop machine as an exit node, and it's really simple to do, uh, then all of my traffic appears, no matter where I am in the world, it appears like I'm sitting at my desk. It's really kind of neat, very handy. Uh it's got a lot of uses. Um whether that works for you, um maybe it does. Um Tailscale, like I said, it's built on top of WireGuard. Uh really works nicely. There's another solution called NetBird that I looked briefly at it. I haven't tried it. It works like Tailscale, but it's open source. So if you want to set up your own Tailscale type network, uh NetBird might be what you want to look at. Um anyway, uh that's that's kind of the the VPN things uh that that I use. Now, VPN has a whole nother meaning, um and that is VPN services. You've probably heard of NordVPN, um uh ZeroTier. There's a handful of them. There's there's too many to name, actually. Uh those are VPN services, those don't provide the same function of most of what I've been talking about. Those you wouldn't use to like connect to your work network or to connect to your home network from a coffee shop. Uh, those are more maybe VPN services isn't what they should be called. Um, you know, maybe they're uh anonymization services, uh, they allow you to uh be anywhere in the world and connect, uh let's say NordVPN, connect through NordVPN and make it look like you're coming from one of their services or one of their servers that might be somewhere in the world. Maybe you need to look like you're in the United States, and so you would connect to NordVPN's United States servers, and now you look like you're in the US. But that's a VPN service, you're gonna pay for those. I I looked around, I did not find one that even had a free uh test account. Uh what they all wanted to do was get me to sign up, take my credit card, and give me my money back if I wasn't satisfied.
So I didn't actually sign up with any of those. But that's a VPN service, that's that's what they're trying to do. And if you're traveling uh outside your home country, you probably want to use a VPN. You might want to set one up yourself, you might go through one of these VPN services. Um it's it all those possibilities are out there. Um but you got to be careful. You know, there are some countries that using a VPN is illegal. Uh be careful. If you're going to China, China's got this thing called the Great Firewall. They want to monitor and and control every network connection. And if if you're inside China and you want to appear as though you're from the US, you've got to go through a VPN, and they may very well block that. So you might not be able to. Uh you certainly wouldn't be able to sign up while you're in China. So if you do want to do this, um sign up before you go. Uh, and then you your uh success uh may be varied. Um thing that's really really important though, with these VPNs, you're gonna have a secret or a password or user account. Please save it in a password manager. Use something secure. Uh yes. Right. Right. Don't don't uh don't make up a simple dumb password. Use use a good randomly generated uh password. For this, because you don't want other people getting access to your network. Right? So I don't have too much more to say about VPNs. I do have a set of takeaways though. Obviously, there's a difference between VPN and VPN service. Make sure you understand that. So if some representative of a VPN service tries to get you to sign up, make sure you understand what you're getting. If you're looking for simple uh allowing you to talk to a home machine while you're outside the home, Tailscale works really well. It doesn't require you to poke a hole in your firewall because everything is an outbound connection. It works really nice. And they have a free tier. Even their paid tiers are really reasonable.
And that's the difference between the free tier and the paid tiers, how many nodes you can have, how many users you can have. I think for a corporation, a paid subscription to Tail Scale makes a lot of sense. From what I've seen, their documentation is great. A bunch of really good people working there. If you want a bit more control of everything, you want to host it yourself, WireGuard is by far the way to go. I used to recommend OpenVPN all the time, but WireGuard is my go-to solution now. It's just so much easier to set up. There's a lot of information out there on the net. It's built into Linux, it's available for Windows, uh, Mac OS, iOS, Android. Uh it works really, really well. Um so having said all that, Wolf, after going through the last 35 minutes or so, uh, I know you use SSH and a jump host to bounce between work and home. What do you think? Would you switch to a VPN?

Wolf:

Um, well, you said some things that were very compelling to me. Uh one of the things you said was that I don't have to open any holes or do port forwarding um at the destination. That's a big difference from SSH. Um, if I want to get through with SSH to one of my machines specifically, then yeah, my router has to port forward to the right place, and that place has to have a hole in it for the SSH to get through. So, this combin and I like hearing the word uh free tier, that that made me happy. So, uh Tailscale and WireGuard sound like a step up for me, like that might be a place to go. Uh, but you did say something that made me uh feel a little cautious. Uh the thing that you said was, um, I think you were talking about NetBird. You said NetBird was open source. So what I got when you said that, the feeling that I got was um you can host NetBird yourself, but WireGuard is not open source, and it runs where it runs, and you use that or you don't.

Jim:

No, WireGuard is open source. Tailscale is not.

Wolf:

Oh, okay.

Jim:

Okay. Yeah. Just just to make sure.

Wolf:

I think that is what I meant to say. That is what I understood from your words.

Jim:

Yeah. Yeah. But if you're gonna go with NetBird, then you're back to uh open up something on your firewall to let it through. Uh, I think it's true. I really should give NetBird a try.

Wolf:

You you did worry me about Tailscale, but all the things you said about Tailscale and WireGuard that were positive, I think that was compelling enough to make me try it. As you know, I love to try new stuff. Sure. Uh and um this sounds like a thing for me to try. So uh you convinced me. I'm I'm interested in finding out uh what what new powers and benefits I'll get if I move to this system. Well, good. That's what I'm taking away from me.

Jim:

Um I'm here to help too. Um one thing one more thing I want to point out. I don't allow SSH connections into my uh through my router, uh either at work or at home. I we have to go through a VPN, and then we require SSH to move around, you know, to connect between machines. So we're running SSH over a VPN. It's not like you have to pick one or the other. Every connection from outside the house or outside the office is going through a VPN, and then we're running SSH through that VPN or HTTPS or whatever protocol we're running. Everything is going over a VPN between outside and inside networks.

Wolf:

Can I ask you a technical question?

Jim:

Sure.

Wolf:

A problem that I encounter frequently, um, until I adjusted SSH to uh have some extra uh keep alive parameters uh for particular hosts, is that when going through any kind of connection to a remote machine, whether it's um encrypted or not, um it is typically the case that I can't rely one hundred percent on the connection between those two machines. They die, stuff quits. Um I know this isn't the uh thrust of our topic for this episode, but I think it's so related and so important. Um, could you talk about tools for keeping that connection alive or for surviving when the connection breaks anyway and getting back to where you were? I think it's related enough to mention.

Jim:

Well, uh WireGuard has a keep alive thing. Uh if the connection dies, it'll bring it back up automatically. Tailscale will do that, um OpenVPN would do that. They'll all do that. In fact, what I find when I run SSH through a VPN is it's more resilient. Uh if the VPN drops, you know, if if you lose internet connectivity and the VPN's going to drop, um your SSH session tends to stay alive a little bit longer when you're running it through a VPN. Because once the connection comes back up, the op the the uh VPN re-establishes a connection, then SSH can keep going. Uh I've kind of found it to be more resilient when I'm going through a VPN than when I'm not going through a VPN.

Wolf:

Um okay. I like that. And uh in the past, I have sp used specific programs, um, not nohup. I I'm not a big nohup fan, but um I do use tmux. Sure. Um, so that's a a thing. And our security friend uh at Facebook, he mentioned uh a special connection protocol that he uses on top of his connections, uh, which I can't remember exactly what it was, but um it was also resilient and would reconnect automatically. I don't know if you happen to remember anything about that. I know in the old days we used to use screen. Um I'm not a huge screen.

Jim:

And then tmux. Sure.

Wolf:

And then tmux, and now there's a new thing uh called Zellij. I haven't tried Zellij. I I hear it's got some good features. It's something to look into, maybe, but right now tmux is doing the job for me. Um do you remember what our Facebook friend was using?

Jim:

Um I'm sorry, I don't. I remember the conversation, and I looked at the thing that he used. Um and he said it it it was very resilient to crappy connections. Uh you know, I use changing locations and stuff. Yeah, I use tmux myself uh w when I need it. But you know me, I open up so many SSH sessions, so many terminal sessions between me and the servers I'm working on. Um tmux would be just too much to manage. You know, when you drop your connection and you you go to bring it back up, you've got all these tmux sessions that you've got to remember what's what. So when SSH craps out on me, I just launch SSH again.

Wolf:

Um all right. I am feeling like um we covered the subject matter. I think we did.

Jim:

I hope we did.

Wolf:

I and and more to the point, I think that uh the things you talked about um are useful to ordinary human beings uh who have computers at two different places and want to get between them. I mean, I guess there's this other thing, VPN services, and maybe if you like TV and travel, that's a thing for you. I don't know. But VPNs themselves sound good and important and useful to me. Um so let me tell everybody else, all the listeners, um, thank you so much for listening. It really means a lot to us. Um we want to learn things ourselves, and uh it's even more fun if you can join us. Uh so it's great that you're here. Uh please, as I said at the beginning, um I know you've got friends who who would enjoy this just as much. Tell them. Uh hook 'em up. Uh send your feedback to feedback at runtimearguments.fm. Um we have a website. It is http colon slash slash runtimearguments.fm. Please notice it's HTTP. It's not HTTPS. I'm sorry. That's just the way it happens to be. Um there will be show notes. You will almost certainly see them in your podcast app. Um please tell us what you'd like to learn more about, because it's almost certain we'd like to learn more about it too. And uh again, thanks for listening. Jim, any final words?

Jim:

No, thank you very much. And boy, I sure appreciate all the feedback we've gotten in the past. So keep it up.

Wolf:

All right, cheers, everybody.
