Correct. For our use in the IRLP network, we are not trying to provide any security
enhancements at all. We are simply trying to make a link work, over an otherwise
incompatible infrastructure. Encryption is simply a side effect of OpenVPN. If we could
turn encryption off, we would. In fact we point this out in our FAQ that is sent to all of
our users.
Is my VPN traffic secure and anonymous?
Absolutely not. In fact quite the opposite. Most commercial VPN products are designed to
hide or obfuscate customer traffic. IRLP VPN actually does the opposite of that. IRLP VPN
brings a public Internet address directly to your node. All traffic is monitored, tracked
and measured as it crosses the VPN hub. Your address is registered in global DNS as soon
as your connection comes up, and tied directly to your node number. Confidentiality and
privacy are absolutely NOT features of IRLP VPN. In other words, we know who you are,
where you live and with whom you communicate.
IRLP does use PGP (PKI) to authenticate all connections inside the IRLP network, but there
is no encryption natively in IRLP itself. IRLP does not keep a database of each user's
private keys. Private keys only ever exist on each IRLP node. Public keys for all nodes
are widely circulated. But this has nothing to do with the use of IRLP VPN, when needed.
[FWIW, we chose OpenVPN over WireGuard because OpenVPN supports TCP-based tunnels.
WireGuard is UDP only. We found, quite by accident, that some ISPs, mostly Cable
operators, are not particularly good at delivering packets in order. Using TCP ensures
packet ordering and retransmits any dropped packets. There is a performance penalty. But
we only need roughly 80 kbps unidirectionally per connection, when it is actually
talking. It also plays better over some folks' really crappy routers that seem to have
trouble with maintaining a connection over UDP.]
—
Dave K9DC, K9IP
On Feb 24, 2023, at 07:04, Charles Hargrove via 44net
<44net(a)mailman.ampr.org> wrote:
Since it is an amateur radio endeavor, we treat it like it is on the open airwaves.
You know, unencrypted and able to be listened to. All that is being done with the
VPN is to provide access to the 44net to those who are having networking issues.
Did you ever watch the screen while people were connecting to the local packet bbs?
Besides, the only person with the "keys" is the issuer/sysop. Look, it works, it's
relatively easy to set up and it provides a needed service within Part 97 for others.
On 2/24/2023 4:42 AM, John Gilmore via 44net wrote:
... so they don't know to avoid a VPN provider who insists on having a
database containing all the private keys that protect all the clients'
identities and traffic.
--
Charles J. Hargrove - N2NOV
NYC-ARECS/RACES Citywide Radio Officer/Skywarn Coord.
44net Coordinator - Northeast USA