by malandrew 4595 days ago
How easy is it to fully automate VPN only computer usage so that everything I do comes out of a machine at Amazon EC2 for example?

I've never set it up and was curious what others have done to make it as invisible as possible.

6 comments


Startup idea! Make a tool that automatically tunnels your connection when you are on a public wifi. Make it open source and offer a hosted service. Also interesting if you are in a country which censors the internet. The dropbox of VPNs. For marketing you offer to write articles like this but less technical for magazines ("on Page 10 learn how easy it is for hackers to steal your facebook account and how you can protect yourself").

There are a multitude of VPN services in the market already. The generally accepted "best practice" for those with VPN service is to use it everywhere (not just on the road). When you're paying monthly, most people feel incentivized to use the service as much as possible.

I've set up VyprVPN for a couple of ultra-paranoid friends, and the whole process was very smooth and end-user friendly.

And there were plenty of back-up services before Dropbox.
I get what you're saying, but Dropbox is not a back-up service. The distinction is that Dropbox didn't exist before Dropbox. There are unique aspects of Dropbox that were new when Dropbox was introduced.

There is nothing new or unique in what you described, with the exception (maybe) of automatic initiation of VPN services when you're on "public" wifi. I would argue that this is a differentiation of little or no consequence, because there's no reason to not use a VPN all the time.

You basically described every personal VPN provider in the market as a start-up idea.

and make it work for Android.
If you really want to make it safe, I'd suggest using something with virtual networking (e.g. VMware) and configure a small VM to be your gateway. That way you can have a stripped down, firewalled configuration, with nearly no possibility that a local accident or compromise can evade your traffic policies. Otherwise, if your VPN drops, you run the risk that the system might just start sending traffic out over the public Internet (after all, it has to do so to connect to the VPN).
If you're on a Mac, it's nearly plug-and-play — I use a small menubar app called sidestep[1] that automatically tunnels over SSH, but there are also a few (Viscosity comes to mind) that work in a similar fashion with OpenVPN.

There may be similar bits available for Windows, but I haven't looked into it there in some time.

1. https://github.com/chetan51/sidestep

Haven't used sidestep, but sshuttle [1] is a nice command line utility that does the same, just not automatically.

Much easier than setting up a VPN server.

[1] https://github.com/apenwarr/sshuttle

It's easier (and I'm a fan as well), but setting up an OpenVPN server with pre-shared key is very easy too. It's essentially a matter of apt-getting openvpn and writing a three line config file: http://openvpn.net/index.php/open-source/documentation/misce...
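To make the "three line config file" concrete, here is an added example (not code from the thread or from the OpenVPN project) that writes the static-key server and client configs and prints the NAT setup the EC2 side needs so that traffic actually leaves through it. Hostnames, the 10.8.0.x tunnel addresses and the eth0 interface name are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example: minimal OpenVPN static-key (pre-shared key) setup.
# Assumptions: OpenVPN installed on both ends, UDP 1194 reachable on the
# server, tunnel addresses 10.8.0.1 (server) / 10.8.0.2 (client),
# server's public interface is eth0. Not part of the original thread.

# Write server.conf and client.conf into DIR, pointing the client at HOST.
# The client also gets "redirect-gateway def1" so its default route goes
# through the tunnel, which is what makes "everything" exit at the server.
write_openvpn_static_configs() {
    dir="$1"; host="$2"; port="${3:-1194}"
    mkdir -p "$dir"
    cat > "$dir/server.conf" <<EOF
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
keepalive 10 60
persist-tun
persist-key
EOF
    cat > "$dir/client.conf" <<EOF
remote $host $port
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
redirect-gateway def1
keepalive 10 60
persist-tun
persist-key
EOF
    # The shared key must be generated once and copied to the client over
    # a trusted channel (scp over an existing SSH session is fine).
    if command -v openvpn >/dev/null 2>&1; then
        [ -f "$dir/static.key" ] || openvpn --genkey --secret "$dir/static.key"
    else
        echo "note: generate the key with: openvpn --genkey --secret $dir/static.key" >&2
    fi
}

# Print the commands the server needs so that the client's redirected
# traffic is forwarded and source-NATed out of the public interface.
# Without these the tunnel comes up but nothing beyond 10.8.0.1 works.
server_nat_cmds() {
    iface="${1:-eth0}"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $iface -j MASQUERADE
EOF
}

if [ $# -gt 0 ]; then
    case "$1" in
        configs) write_openvpn_static_configs "$2" "$3" "$4" ;;
        nat) server_nat_cmds "$2" ;;
        *) echo "usage: $0 configs DIR HOST [PORT] | nat [IFACE]" >&2; exit 2 ;;
    esac
fi
```

Run `./script.sh configs /etc/openvpn vpn.example.com` on the server, copy `client.conf` and `static.key` to the laptop, and apply `./script.sh nat eth0` on the server before connecting. A static key gives you no per-client revocation; if more than one person uses the server, the certificate setup mentioned further down the thread is the better fit.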
One of the advantages of using SSH is that it almost always works, even in environments (think China) that actively block detected VPN connections. SSH running on port 443 looks a lot like HTTPS.
Beware: http://serverfault.com/questions/337791/if-i-am-using-ssh-fo...

In short, if I can hijack your DNS queries, I can do evil things to you even if I cannot directly MITM your HTTP/HTTPS traffic.

I do not know for VPN, I use ssh. It is very simple and does not require any system administration rights. Install a proxy (squid) on your Amazon EC2. Install PuTTY if you are on Windows and launch it with port forward using the option -L: putty -L 3128:127.0.0.1:3128 user@host

Add the option --proxy-server=127.0.0.1:3128 on your Chrome shortcut and that's it.

That'll tunnel your http traffic which is a good start but it's worth checking out ssh -D for an easy SOCKS proxy.
And even more critical, it doesn't reroute DNS queries: the default is "don't redirect DNS" in Firefox, and the change must be done through about:config; there's no dialog.

Too bad the default isn't different when using SOCKS :(
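The two comments above (ssh -D for a SOCKS proxy, and the browser resolving DNS locally unless told otherwise) fit together in one small script. This is an added example, not code from the thread: it prints the ssh command for the SOCKS listener, emits the Firefox about:config prefs as a user.js so the remote-DNS switch is not forgotten, prints the equivalent Chrome flags, and includes a check you can run against a profile directory to see whether it is still in the leaky default state. The jump host name and port 1080 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): SSH SOCKS tunnel plus the browser
# settings that push DNS through it as well. Assumptions: an SSH account
# on the remote box ("ec2-host" below is a placeholder), local port 1080.

# Print the ssh command for a local SOCKS5 listener. -N: run no remote
# command, -D: dynamic forward, ExitOnForwardFailure: fail loudly if the
# port is taken instead of sitting "connected" with no proxy behind it.
socks_tunnel_cmd() {
    host="$1"; port="${2:-1080}"
    printf 'ssh -N -o ExitOnForwardFailure=yes -D 127.0.0.1:%s %s\n' "$port" "$host"
}

# Firefox user.js lines. network.proxy.socks_remote_dns is the about:config
# setting the comment above refers to; with it false the hostname of every
# site you visit is still handed to the local (hotspot) resolver.
firefox_socks_prefs() {
    port="${1:-1080}"
    cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $port);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Chrome/Chromium flags. The host-resolver-rules entry makes local lookups
# for everything except localhost fail, so the browser sends the hostname
# to the SOCKS5 proxy and it is resolved at the far end of the tunnel.
chrome_socks_flags() {
    port="${1:-1080}"
    printf -- '--proxy-server="socks5://127.0.0.1:%s" ' "$port"
    printf -- '--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"\n'
}

# Return 0 if the Firefox profile in DIR has remote DNS turned on in
# user.js or prefs.js, 1 if it is still at the leaky default.
check_firefox_remote_dns() {
    dir="$1"
    for f in "$dir/user.js" "$dir/prefs.js"; do
        [ -f "$f" ] || continue
        if grep -q '"network.proxy.socks_remote_dns", *true' "$f"; then
            return 0
        fi
    done
    return 1
}

if [ $# -gt 0 ]; then
    case "$1" in
        tunnel) socks_tunnel_cmd "$2" "$3" ;;
        firefox) firefox_socks_prefs "$2" ;;
        chrome) chrome_socks_flags "$2" ;;
        check) if check_firefox_remote_dns "$2"; then echo "remote DNS: on"
               else echo "remote DNS: OFF (hostnames leak to the local resolver)"; fi ;;
        *) echo "usage: $0 tunnel HOST [PORT] | firefox [PORT] | chrome [PORT] | check PROFILE_DIR" >&2; exit 2 ;;
    esac
fi
```

Typical use: `./socks.sh firefox 1080 >> ~/.mozilla/firefox/<profile>/user.js` (Firefox reads user.js at startup and copies it into prefs.js), then `./socks.sh check ~/.mozilla/firefox/<profile>` after a restart to confirm the setting took. Note that this only covers the browser; anything else on the machine that does not honour the proxy, including the OS resolver, still talks to the network directly, which is what the VPN and firewall comments in this thread address.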

Do you know if either of those two methods do TCP-over-TCP, or is it TCP done correctly?
If you're using a protocol that sits on TCP and you push it over SSH sitting on TCP then it's going to be TCP-over-TCP. Or in other words, for the vast majority of use cases, no.
I've had success with OpenVPN. It can set up a default route so everything is channeled over the encrypted connection, and it uses client certificates, so it should be solid against MITM. I always turn on OpenVPN when I'm not on a trusted network.
There was a VPN provider (which I cannot remember now for the life of me) where if any traffic went over non-VPN it wouldn't work.
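The "nothing works unless it goes over the VPN" behaviour described in the last comment, and the fail-closed traffic policy the gateway-VM comment argues for, are both a firewall kill switch: drop every outbound packet that is not on the tunnel interface or the VPN handshake itself. This is an added example, not the thread's or any provider's code, for a Linux client running OpenVPN on tun0; the endpoint 203.0.113.10:1194 is a constructed placeholder and the interface name is an assumption. It prints the rules rather than applying them so you can read them first, and includes a check against `iptables -S OUTPUT` output so you can verify the policy is still in place.

```shell
#!/bin/sh
# Added example (not from the thread): a VPN kill switch with iptables.
# Assumptions: Linux, iptables available, OpenVPN tunnel on tun0, VPN
# endpoint passed as arguments (203.0.113.10:1194 is a constructed value).

# Print the rule set for the OUTPUT chain. Order matters: loopback and
# the tunnel interface are allowed, then exactly one hole for the VPN
# handshake to its endpoint, then DHCP so the physical link can renew
# its lease, then an explicit DROP backed by a DROP policy. A DNS query
# to the hotspot's resolver matches none of the ACCEPT rules, so the
# DNS leak from the serverfault link above is closed too. If the tunnel
# drops, there is no path to fall back to: traffic stops instead of
# quietly leaving in the clear.
kill_switch_rules() {
    vpn_host="$1"; vpn_port="${2:-1194}"; proto="${3:-udp}"; tun="${4:-tun0}"
    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $tun -j ACCEPT
iptables -A OUTPUT -d $vpn_host -p $proto --dport $vpn_port -j ACCEPT
iptables -A OUTPUT -p udp --dport 67 -j ACCEPT
iptables -A OUTPUT -j DROP
EOF
}

# Apply the rules (needs root). Piping through sh keeps the printed and
# applied rule sets identical.
apply_kill_switch() {
    kill_switch_rules "$@" | sh
}

# Check a saved "iptables -S OUTPUT" dump in FILE: policy must be DROP,
# the tunnel interface must be accepted, and there must be no blanket
# "-A OUTPUT -j ACCEPT" that would make the policy meaningless.
# Returns 0 when the kill switch is intact, 1 otherwise.
verify_kill_switch() {
    dump="$1"; tun="${2:-tun0}"
    grep -q -- '^-P OUTPUT DROP' "$dump" || return 1
    grep -q -- "^-A OUTPUT -o $tun -j ACCEPT" "$dump" || return 1
    if grep -q -- '^-A OUTPUT -j ACCEPT' "$dump"; then return 1; fi
    return 0
}

if [ $# -gt 0 ]; then
    case "$1" in
        show) shift; kill_switch_rules "$@" ;;
        apply) shift; apply_kill_switch "$@" ;;
        verify) tmp=$(mktemp); iptables -S OUTPUT > "$tmp"
                if verify_kill_switch "$tmp" "${2:-tun0}"; then echo "kill switch: OK"
                else echo "kill switch: NOT in place"; exit 1; fi ;;
        *) echo "usage: $0 show|apply VPN_HOST [PORT] [udp|tcp] [TUN] | verify [TUN]" >&2; exit 2 ;;
    esac
fi
```

Start with `./killswitch.sh show 203.0.113.10 1194` to read the rules, `sudo ./killswitch.sh apply 203.0.113.10 1194` to enforce them, and `sudo ./killswitch.sh verify` after any network-manager or VPN-client restart, since those tools sometimes flush chains. Deliberately missing: an ESTABLISHED,RELATED accept on OUTPUT, so that replies to anything that reached the machine over the LAN are blocked as well; add one only if you need to be reachable on the local network while the tunnel is up. The gateway-VM approach from earlier in the thread is the same policy with a stronger boundary: the rules live on a separate kernel, so a misconfigured app or a compromised desktop cannot remove them.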