Correct. For our use in the IRLP network, we are not trying to provide any security enhancements at all. We are simply trying to make a link work, over an otherwise incompatible infrastructure. Encryption is simply a side effect of OpenVPN. If we could turn encryption off, we would. In fact we point this out in our FAQ that is sent to all of our users.
Is my VPN traffic secure and anonymous?
Absolutely not. In fact quite the opposite. Most commercial VPN products are designed to hide or obfuscate customer traffic. IRLP VPN actually does the opposite of that. IRLP VPN brings a public Internet address directly to your node. All traffic is monitored, tracked and measured as it crosses the VPN hub. Your address is registered in global DNS as soon as your connection comes up, and tied directly to your node number. Confidentiality and privacy are absolutely NOT features of IRLP VPN. In other words, we know who you are, where you live and with whom you communicate.
IRLP does use PGP (PKI) to authenticate all connections inside the IRLP network, but there is no encryption natively in IRLP itself. IRLP does not keep a database of each user's private keys. Private keys only ever exist on each IRLP node. Public keys for all nodes are widely circulated. But this has nothing to do with the use of IRLP VPN, when needed.
[FWIW, we chose OpenVPN over WireGuard because OpenVPN supports TCP-based tunnels. WireGuard is UDP only. We found, quite by accident, that some ISPs, mostly cable operators, are not particularly good at delivering packets in order. Using TCP ensures packet ordering and retransmits any dropped packets. There is a performance penalty. But we only need roughly 80 kbps unidirectionally per connection, when it is actually talking. It also plays better over some folks' really crappy routers that seem to have trouble with maintaining a connection over UDP.]
On Feb 24, 2023, at 07:04, Charles Hargrove via 44net <44net@mailman.ampr.org> wrote:
Since it is an amateur radio endeavor, we treat it like it is on the open airwaves.
You know, unencrypted and able to be listened to. All that is being done with the
VPN is to provide access to the 44net to those who are having networking issues.
Did you ever watch the screen while people were connecting to the local packet bbs?
Besides, the only person with the "keys" is the issuer/sysop. Look, it works, it's
relatively easy to set up and it provides a needed service within Part 97 for others.
On 2/24/2023 4:42 AM, John Gilmore via 44net wrote:
... so they don't know to avoid a VPN provider who insists on having a
database containing all the private keys that protect all the clients'
identities and traffic.
--
Charles J. Hargrove - N2NOV
NYC-ARECS/RACES Citywide Radio Officer/Skywarn Coord.
44net Coordinator - Northeast USA