Scott's Weblog The weblog of an IT pro focusing on cloud computing, Kubernetes, Linux, containers, and networking

Thoughts on VPNs for Road Warriors

A few days ago I was talking with a few folks on Twitter and the topic of using VPNs while traveling came up. For those who travel regularly, using a VPN to bypass traffic restrictions is not uncommon. Prompted by my former manager Martin Casado, I thought I might share a few thoughts on VPN options for road warriors. This is by no means a comprehensive list, but hopefully something I share here will be helpful.

There were a few things I wanted to share with readers:

  • I found commercial VPN services too unreliable (it’s not uncommon for commercial VPN services to get blocked and thus defeat the purpose of using a VPN).
  • Instead, I’ve found more success using something like AutoVPN. AutoVPN helps you stand up an on-demand OpenVPN endpoint on AWS. I used this successfully in Beijing, setting up endpoints in Seoul, Singapore, Tokyo, and sometimes Sydney. Because these IP addresses are “ephemeral,” they’re far less likely to be blocked. (Here’s another example of using AWS as a personal VPN service.)
  • I also had success using AutoVPN not to get around traffic restrictions, but to change my source IP. My wife needed to access some real estate-related sites while she was traveling in Europe, but because her IP address was outside the US the login process was failing. I had her use AutoVPN with an instance in us-east-1 from her Mac. It worked very well!
  • If you have a static IP address, you can host your own VPN endpoint (Martin Casado shared that this was something he did for years when he had a static IP address).
  • If you don’t have a static IP address but still want to host your own VPN endpoints, one potential workaround is to use a dynamic DNS service like DynDNS. I did this for several years, and it ran flawlessly.
  • Be sure to appropriately secure your VPN server! Use two-factor authentication, use a secure OS (I built mine on OpenBSD), keep it patched/updated, etc. The last thing you want is folks routing traffic through your VPN endpoint without your knowledge/approval.
  • OpenVPN seems to be the VPN of choice, probably due to its flexibility of encapsulation (UDP or TCP). It’s also well-supported on the client side, with your choice of clients on macOS (Tunnelblick and Viscosity spring to mind) and Linux (both command-line and GUI options are available).
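To make the “secure your VPN server” and “OpenVPN” bullets a little more concrete, here is a small audit helper I am adding as an example; it is not code from the original post or from the AutoVPN project. It does two things a self-hosted OpenVPN endpoint owner would want to check regularly: it reads a server config and reports missing hardening directives (control-channel protection via tls-auth/tls-crypt, a pinned minimum TLS version, root privilege drop, client-certificate key-usage verification, and a second authentication factor via a PAM plugin), and it parses the OpenVPN status log (status-version 1 layout) to list any connected client whose certificate common name is not on your allowlist, which is exactly the “folks routing traffic through your endpoint without your knowledge” case. The sample config, the sample status log, the allowlist names, and the PAM plugin path are all constructed for this example and are assumptions, not values from the post.

```python
"""Offline audit helper for a self-hosted OpenVPN endpoint (added example).

1. audit_server_config(): flag missing hardening directives in server.conf.
2. unexpected_clients(): parse an OpenVPN status log (status-version 1) and
   report connected clients whose common name is not on the allowlist.
All sample data below is constructed for the example.
"""
from typing import Dict, List, Set


def parse_config(text: str) -> Dict[str, List[str]]:
    """Return {directive: [argument string, ...]}, ignoring '#'/';' comments."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directives.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return directives


def audit_server_config(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    d = parse_config(text)
    present = set(d)
    findings: List[str] = []
    if not present & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated packets")
    if "tls-version-min" not in present:
        findings.append("tls-version-min not set: older TLS versions may be negotiated")
    if "user" not in present or "group" not in present:
        findings.append("user/group not set: daemon keeps root privileges after start")
    if "remote-cert-tls" not in present:
        findings.append("remote-cert-tls client not set: peer certificate key usage is not checked")
    if not present & {"plugin", "auth-user-pass-verify"}:
        findings.append("no plugin/auth-user-pass-verify: the client certificate is the only factor")
    if "verify-client-cert" in present and d["verify-client-cert"][0].strip() == "none":
        findings.append("verify-client-cert none: clients need not present a certificate")
    return findings


def connected_clients(status_text: str) -> List[Dict[str, str]]:
    """Parse the CLIENT LIST section of an OpenVPN status-version-1 log."""
    clients: List[Dict[str, str]] = []
    in_list, header = False, None
    for raw in status_text.splitlines():
        line = raw.strip()
        if line == "OpenVPN CLIENT LIST":
            in_list = True
            continue
        if line in ("ROUTING TABLE", "GLOBAL STATS", "END"):
            in_list = False
            continue
        if not in_list or line.startswith("Updated,"):
            continue
        if line.startswith("Common Name,"):
            header = line.split(",")  # column names for the rows that follow
            continue
        if header:
            clients.append(dict(zip(header, line.split(","))))
    return clients


def unexpected_clients(status_text: str, allowed: Set[str]) -> List[str]:
    """Connected clients whose common name is not on the allowlist, with their source address."""
    return sorted(
        f"{c['Common Name']} from {c['Real Address']}"
        for c in connected_clients(status_text)
        if c["Common Name"] not in allowed
    )


# Constructed sample: a minimal server.conf that works but skips the hardening steps.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp            # or 'proto tcp' where UDP is filtered
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
"""

# Same config with the hardening directives added (plugin path is an assumption).
HARDENED_SERVER_CONF = SAMPLE_SERVER_CONF + """\
tls-crypt ta.key
tls-version-min 1.2
remote-cert-tls client
user nobody
group nogroup
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn  # PAM second factor (e.g. TOTP)
"""

# Constructed status log: three connections, one of them not on the allowlist.
SAMPLE_STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
scott-laptop,198.51.100.23:51234,12345,67890,Thu Jun 18 07:55:02 2015
wife-macbook,203.0.113.77:40811,2345,6789,Thu Jun 18 08:01:40 2015
client7,192.0.2.250:1194,999999,5555555,Thu Jun 18 03:12:09 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,scott-laptop,198.51.100.23:51234,Thu Jun 18 08:12:10 2015
10.8.0.10,wife-macbook,203.0.113.77:40811,Thu Jun 18 08:12:11 2015
10.8.0.14,client7,192.0.2.250:1194,Thu Jun 18 08:12:14 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

ALLOWED_CLIENTS = {"scott-laptop", "wife-macbook"}  # constructed allowlist

if __name__ == "__main__":
    for name, conf in (("baseline", SAMPLE_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(f"{name} config findings:")
        for finding in audit_server_config(conf) or ["none"]:
            print("  -", finding)
    print("unexpected clients:", unexpected_clients(SAMPLE_STATUS_LOG, ALLOWED_CLIENTS))
```

On a real server you would point `audit_server_config()` at `/etc/openvpn/server.conf` and `unexpected_clients()` at the file named by the `status` directive, and run the second check from cron so an unfamiliar common name shows up in your mailbox rather than in your AWS bill.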

Hopefully something I’ve shared here will prove useful to readers. If anyone has any other suggestions they’d like to mention, hit me on Twitter. Thanks for reading!
