# General VPN/Security question.

## Budoka

I more often than not must use public WiFi spots primarily at hotels. Some are open networks and some are password protected but of course as a general practice I use a VPN.

At the moment I use 3 different services. I noticed that with one of the services, SecurityKISS, all of my ports are "stealth" which is good but on another service, VPNBook, ports 80 HTTP and 443 HTTPS are "Open". The remaining ports are a mix of "Closed" and "Stealth". I have researched VPNBook and the general consensus is that although it is free it is not a honeypot.

I guess my question is what should I be looking for in terms of port behavior when choosing a VPN service paid or otherwise? If port 80 and 443 are open isn't that insecure???

The connection is definitely being encrypted TLS according to the transmission feedback in console.

Also, if I connect to the hotel WiFi minus a VPN all ports are either closed or stealth. I assume this is pretty secure except that data traveling over the network is not encrypted?

Thanks.

----------

## nlsa8z6zoz7lyih3ap

 *Quote:*   

> I guess my question is what should I be looking for in terms of port behavior when choosing a VPN

 

I can't answer your exact questions, but as to choosing the VPN service, due to worries about 3rd parties etc, I use my home router as the other end of my VPN when travelling.  I put an open VPN server on my lynksys E300 running tomato shibby firmware.

I run openvpn client on my laptop while travelling.  If I leave my home desktop on I even have access to its file system over the vpn from my laptop.

The tomato shibby also  utilizes a DDNS service so that I can connect via a domain name rather than an IP in case my home IP changes.

I have use this system for many years and am very happy with it.

----------

## Hu

Budoka, though I am familiar with the stealth description, I am unclear on who or what is telling you the status of these ports or on which IP address you are detecting them.

It is perfectly safe for a port to be open, if the program listening on that port cannot be exploited.  Making a port stealth may slightly impede some network scanning software, causing it to spend more time to determine that you are not offering any interesting services.

----------

## dataking

 *Hu wrote:*   

> Budoka, ... I am unclear on who or what is telling you the status of these ports or on which IP address you are detecting them.
> 
> 

 

+1

----------

## dataking

OK, after a bit of googling, I think I have a better understanding of what's going on (although, it would still be nice to know how and from where you're getting the port status).

So my googling revealed that SecurityKISS and VPNBook are VPN services.  (Maybe that was obvious to others.  /shrug)  So, Budoka, what you're effectively doing just anonymizing your internet activity.

VPNBook says on their website that there are profiles for TCP/80, TCP/443 and UDP/53,UDP25000.  So the ports you are seeing open, are probably different options for your VPN.  I wasn't able to look at SecurityKISS, because I'm at work and they block that kind of stuff.  (SecurityKISS's website also doesn't run HTTPS, which I though was somewhat ironic.)

So all that said, you really only need to be concerned about is open ports on the system you are using to browse.  If that's the case, then it's probably related to how the VPN is constructed.[/list]

----------

## Budoka

My apologies everyone. I should have explained how I check the ports. I always use Gibbons Research's SHield's Up  for this. Have done so for years and highly recommend it. It is quite a nifty tool.

https://www.grc.com/x/ne.dll?bh0bkyd2

I guess I am just the nervous sort. I would think having all ports closed or stealthed would be the best option so was worried when I saw 80/443 open on VPNBook.

----------

## Budoka

 *nlsa8z6zoz7lyih3ap wrote:*   

>  *Quote:*   I guess my question is what should I be looking for in terms of port behavior when choosing a VPN 
> 
> I can't answer your exact questions, but as to choosing the VPN service, due to worries about 3rd parties etc, I use my home router as the other end of my VPN when travelling.  I put an open VPN server on my lynksys E300 running tomato shibby firmware.
> 
> I run openvpn client on my laptop while travelling.  If I leave my home desktop on I even have access to its file system over the vpn from my laptop.
> ...

 

I like this idea very much and will look at doing it myself.

----------

## Budoka

 *dataking wrote:*   

> OK, after a bit of googling, I think I have a better understanding of what's going on (although, it would still be nice to know how and from where you're getting the port status).
> 
> So my googling revealed that SecurityKISS and VPNBook are VPN services.  (Maybe that was obvious to others.  /shrug)  So, Budoka, what you're effectively doing just anonymizing your internet activity.
> 
> VPNBook says on their website that there are profiles for TCP/80, TCP/443 and UDP/53,UDP25000.  So the ports you are seeing open, are probably different options for your VPN.  I wasn't able to look at SecurityKISS, because I'm at work and they block that kind of stuff.  (SecurityKISS's website also doesn't run HTTPS, which I though was somewhat ironic.)
> ...

 

So then do you think I would be fine just going through the hotel network as it is without a VPN?

----------

## Hu

 *Budoka wrote:*   

> So then do you think I would be fine just going through the hotel network as it is without a VPN?

 I would not send unencrypted traffic over a hotel network if I could avoid it.  If the hotel network is via wired Ethernet, you could hope that they isolate guests from each other, but I would not count on it.  If you know in advance that you are using their network only for protocols with strong encryption, such as ssh or a well configured https client, skipping the VPN would be fine.  If you might send unencrypted traffic, I would establish a VPN to a trustworthy peer first.

----------

## dataking

Pretty much what Hu said.

Hotel networks (wired or wireless) are notoriously insecure.  Using a VPN from a VPN provider is fine.  VPN'ing to your home network is arguably better.

Just be aware of what you're actually doing.  Using a VPN to home or service only encrypts the traffic to the endpoint.  You activity can still be monitored/intercepted after that endpoint (be it your home or a service's internet presence).

----------

## Budoka

 *dataking wrote:*   

> Pretty much what Hu said.
> 
> Hotel networks (wired or wireless) are notoriously insecure.  Using a VPN from a VPN provider is fine.  VPN'ing to your home network is arguably better.
> 
> Just be aware of what you're actually doing.  Using a VPN to home or service only encrypts the traffic to the endpoint.  You activity can still be monitored/intercepted after that endpoint (be it your home or a service's internet presence).

 

Thanks. I understand.

So a VPN is good on a public network because it encrypts the traffic. But what I am still fuzzy about is if I have open ports ie 80/443 on a VPN doesn't that leave me open to attack vs a VPN on which all ports are closes or stealthed?

----------

## depontius

 *dataking wrote:*   

> 
> 
> Just be aware of what you're actually doing.  Using a VPN to home or service only encrypts the traffic to the endpoint.  You activity can still be monitored/intercepted after that endpoint (be it your home or a service's internet presence).

 

At this point you're one step shy of advocating using TOR from the hotel instead of a VPN.  Then again, the Russians have a bounty out for someone who can crack TOR, and others have been assaulting its exit nodes.  (I don't know why the Russian bounty is only $10k, and who would sell such a crack for so little.)  If anyone is that well funded and wants your information, they'll just do it the easy way and break your legs.

You know, you run reasonable safety, and try to take comfort in being a small fish.  I have an OpenVPN endpoint at home and use that from hotels, to get to my own email services.  I generally don't do business at hotels, only a bit of random surfing, and any business is over SSL.

----------

## Hu

I read dataking's comment as a warning that the VPN is not total isolation.  If you set up a VPN to an endpoint you do not trust to maintain the confidentiality of your communications, then the communications are not confidential.  For example, avoid opening a VPN connection to your employer if you plan to browse content that would get you in trouble with IT or HR; avoid opening a VPN connection to a jurisdiction where your planned activities are illegal; etc.

Budoka: I have not seen anything yet that tells me what is listening on those ports, so it is unclear if there is a problem.  I suspect that the scan is reporting some property of the VPN endpoint, not a property of your personal machine running the VPN.  The only way it would reflect your machine is if your VPN provider had arranged to forward traffic received at the apparent IP back over the VPN to your real system.  The only reason to do this would be to support you running servers, which I doubt the VPN provider would encourage at all, and strongly doubt they would configure to be enabled by default.  If you are still concerned, then please post the details from the scanner tool.  We need to know not that the ports are open, but why they are open.

----------

## dataking

 *Hu wrote:*   

> I read dataking's comment as a warning that the VPN is not total isolation.  If you set up a VPN to an endpoint you do not trust to maintain the confidentiality of your communications, then the communications are not confidential.  For example, avoid opening a VPN connection to your employer if you plan to browse content that would get you in trouble with IT or HR; avoid opening a VPN connection to a jurisdiction where your planned activities are illegal; etc.

 

This is completely true.  Think of it as a tunnel (there's a reason why they call it that).  You're at one end of the tunnel.  Your Internet activity happens at the other end of the tunnel.  That other end of the tunnel is not encrypted, unless you happen to be using an encrypted protocol: HTTPS, SSH, etc.  In effect, you are trusting the security of the "other end" of the tunnel.

 *Hu wrote:*   

> 
> 
> Budoka: I have not seen anything yet that tells me what is listening on those ports, so it is unclear if there is a problem.  I suspect that the scan is reporting some property of the VPN endpoint, not a property of your personal machine running the VPN.  The only way it would reflect your machine is if your VPN provider had arranged to forward traffic received at the apparent IP back over the VPN to your real system.  The only reason to do this would be to support you running servers, which I doubt the VPN provider would encourage at all, and strongly doubt they would configure to be enabled by default.  If you are still concerned, then please post the details from the scanner tool.  We need to know not that the ports are open, but why they are open.

 

This is also probably true.  I'm familiar with grc.com and the Shields UP! application.  Chances are it's testing the (far) endpoint of your VPN.  Since VPNBook(?) specifically mentions that it has "profiles" for TCP/80 and TCP/443 (and specific UDP ports), those ports being open isn't a complete surprise.

----------

