Posts: 540 | Thanked: 288 times | Joined on Sep 2009
#11
Originally Posted by roja
maybe a silly question, 3G packet data link is connected to Access Point of each operator, how secure this link is?
Between the phone and the cell-tower relatively secure, from there on to the telco's nearest internet gateway "it depends" and when your packets reach the internet they're on their own (so use a protocol that encrypts the packet payloads if you worry about sniffing).

Note that "it depends" can go to ridiculously low values, at one time it was not uncommon to have the (highly directional) microwave links between cell-towers (not all of them have dedicated land lines) run unencrypted and with proper equipment it was easy to sniff all traffic going out of the tower (essentially negating the link-level encryption between the phone and the tower to all but the most casual eavesdropper).
 
Posts: 51 | Thanked: 17 times | Joined on Jun 2009
#12
I've set up an openvpn server on my old N800 which I leave at home. I can then connect to it using my N900 on insecure networks and all the traffic goes through the secure tunnel to my home connection and then out onto the internet. It also means I can access devices that are sitting behind my home router and not made public.

Generic (not maemo-specific) setup guide:
http://openvpn.net/index.php/open-so...ion/howto.html
I used routing rather than bridging mode.

On my N800 (the server) I had to install iptables-ext and iptables-nat packages and install their kernel modules:
http://talk.maemo.org/showpost.php?p=89044&postcount=25

On my N900 I had to do this to make all traffic go through the tunnel:
http://talk.maemo.org/showpost.php?p=519753&postcount=5

It is quite a bit of work to set up, but now it's working, it's very easy to use and gives me peace of mind.
 

Posts: 562 | Thanked: 1,732 times | Joined on Jan 2010 @ NYC
#13
Hey cpm,

just curious, why did you choose vpn over ssh/vnc? Easier, better performance?

x
 
Posts: 51 | Thanked: 17 times | Joined on Jun 2009
#14
I set it up to prevent eavesdropping of any traffic while connected via public wifi. Normally your ssh connection is protected, but if another program on your N900 makes a connection to something else, that's not protected. Once the vpn's established, you can ssh and vnc to your machines at home without having to make them publicly accessible by port-forwarding them through your router (thereby exposing them to attack).
 
Posts: 562 | Thanked: 1,732 times | Joined on Jan 2010 @ NYC
#15
ic, couldn't the same thing be done with ssh and proxy? Or is it simpler to connect vpn and then everything automatically goes through the vpn?

Btw, not trying to put one over the other just seeing if perhaps vpn fits my needs better. thx

x
 
demiurgus
Posts: 40 | Thanked: 86 times | Joined on Dec 2009 @ Sweden
#16
openvpn is really an ssh-tunnel with extra things around it to handle routing and stuff. I also use it like cpm describes, and I have set my server to listen on port 443, which enables me to use all kinds of traffic when I'm on a network that only allows http and https traffic. Yes, it actually tricks many filters that think my vpn traffic is https :-)
 
Posts: 3,841 | Thanked: 1,079 times | Joined on Nov 2006
#17
vpn is simpler than setting up lots of tunnels through ssh. It transparently sets up a virtual network (thereby the name..) and everything goes through it.

@demiurgus: I don't know if you meant it literally or not.. but openvpn is _not_ an ssh tunnel with extra stuff. openvpn usually works over UDP, not TCP, to start with. A VPN solution that actually works as you describe is the Fortigate VPN client.
__________________
N800/OS2007|N900/Maemo5
-- Metalayer-crawler delenda est.
-- Current state: Fed up with everything MeeGo.
 
demiurgus
Posts: 40 | Thanked: 86 times | Joined on Dec 2009 @ Sweden
#18
Yes, I didn't mean it literally (technically), more from the point of view of usability and security; it's openssl doing the job in both cases.
 
Posts: 562 | Thanked: 1,732 times | Joined on Jan 2010 @ NYC
#19
Thanks guys, I haven't researched enough yet to figure out if vpn makes more sense for me than ssh/vnc. I spent enough time learning and getting my ssh stuff up and running, so I'm not really looking forward to setting up another one only to find out it's not really better for me.

Also I did find that you can set up ssh with tsocks to get the dynamic port changing/tunneling. So I might look into that first.

With vpn are you still accessing your system through the terminal? Meaning, I don't have to open an xterm on the machine I log into to run commands?

x
 
Posts: 3,841 | Thanked: 1,079 times | Joined on Nov 2006
#20
@xman:

VPN is transparent. If your VPN connection is to your home it'll look like you're just connected to your home network: You use the browser and everything else just the way you would at home. Everything is transparently sent through the VPN connection, it's not like an ssh command in the terminal.

(It's also possible to fiddle with the routing table so that something bypasses the VPN and the rest doesn't, but the default setup is that as soon as you engage the VPN connection you're virtually transferred to that other (home/work) network.)
__________________
N800/OS2007|N900/Maemo5
-- Metalayer-crawler delenda est.
-- Current state: Fed up with everything MeeGo.
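
Added example, not part of any post in this thread: a check that the routing table really sends everything through the tunnel, as opposed to the partial-bypass setup mentioned in #20. It assumes iproute2-style `ip -4 route show` output and a tunnel interface named `tun0`; the function name and the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies `ip -4 route show` output (read on stdin) for a
# VPN interface: full = all IPv4 traffic uses it, split = only some routes
# do, none = tunnel not in the table. IPv6 routes are not examined.
vpn_route_state() {
    awk -v ifc="$1" '
        {
            dev = ""
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != ifc) { if ($1 == "default") other_default = 1; next }
            routes++
            if ($1 == "default" || $1 == "0.0.0.0/0") vpn_default = 1
            # redirect-gateway def1 covers the address space with two /1
            # routes that are more specific than the old default route.
            if ($1 == "0.0.0.0/1")   low = 1
            if ($1 == "128.0.0.0/1") high = 1
        }
        END {
            # A VPN default next to another default is ambiguous (metrics
            # decide), so it is reported as split rather than full.
            if (low && high)                        print "full"
            else if (vpn_default && !other_default) print "full"
            else if (routes)                        print "split"
            else                                    print "none"
        }'
}

# Constructed sample tables (addresses and interface names are made up).
FULL_TUNNEL_SAMPLE='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev wlan0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0'

SPLIT_TUNNEL_SAMPLE='default via 192.168.1.1 dev wlan0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.0.0/24 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

NO_TUNNEL_SAMPLE='default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

# On a live system: ip -4 route show | vpn_route_state tun0
```

A result of `split` or `none` on a public wifi network means some or all connections still leave through the local network unencrypted by the VPN.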