The Story of the PING Program:

I quickly coded up the PING program, which revolved around opening an ICMP style SOCK_RAW AF_INET Berkeley-style socket(). The code compiled just fine, but it didn't work -- there was no kernel support for raw ICMP sockets! Incensed, I coded up the kernel support and had everything working well before sunrise. Not surprisingly, Chuck Kennedy (aka "Kermit") had found and fixed the network hardware before I was able to launch my very first "ping" packet. But I've used it a few times since then. *grin* If I'd known then that it would be my most famous accomplishment in life, I might have worked on it another day or two and added some more options.

The network nightmare that ate my week | Occasionally Coherent:

I used Ubuntu as an example, but it is hardly the worst offender. We have seen Windows machines with more than 300 IPv6 addresses — which, recall, means that every 150 seconds they will be transmitting 30 multicast packets per second which have to be flooded through the network.

After reading a lot about various evil ISPs and other such fun I decided it would be good to have a self-controlled VPN server out there for when I am using a device of mine on a network I'm not so sure about. I could pay someone else for this, sure, but I already have a server "out there" that's not being used to its fullest capabilities and I'm pretty handy with the Linux and the vi so ... why not?

Using a recent Ubuntu, I did the following:

apt-get install pptpd

/etc/pptpd.conf:
localip 192.168.0.1
remoteip 192.168.0.101-200

/etc/ppp/chap-secrets:
[username] *  [password]  *

/etc/ppp/options.pptpd:
ms-dns 8.8.8.8
ms-dns 4.4.4.4

/etc/sysctl.conf:
net.ipv4.ip_forward = 1

sysctl -p

ufw default allow
ufw enable
ufw allow [things you use, like ssh, http, https, pptp(!), etc.]
ufw [and carry on to your heart's content]
ufw default deny #BE CAREFUL!

service pptpd restart

I'd explain it line-by-line but I'm going on a simple notion here: if you can't understand that, you shouldn't be running a VPN server and more research is needed on your behalf.

I've tested it with both my MacBook Pro and my iPhone and it works like a charm (traceroutes and routing tables confirm usage).

So now if I'm on someone else's network and need to do something that I really don't need snooping on, I have a solution. Now, Rackspace charges $0.12/GB for outbound traffic so I can't leave it on all day, but when I need it I won't be pulling down OS installs, either.

Now you just have to worry about the leg of the Internet from your server to the other server, and that's what SSL is for. This just keeps them from mucking with your data on the last leg (DNS, content injection, port-based throttling (unless they throttle VPN, of course)) and it keeps people in public areas from casually reading your email because you're a moron and using a non-SSL connection anyway.

It's 128-bit encryption and can be busted in a short (hours) timeframe. Don't go believing you're bulletproof -- you're not. You're safer, not safe. You've moved out of the "easy pickings" group and into the "too much effort" group. But if you pull this at DEFCON you'll find yourself the virtual equivalent of drugged, stripped, and handcuffed to a police car at 2am with "I HAZ DONUTS" Sharpied on your forehead.

Context matters.