23 March 2010

S60 VPN: The reports of unusability have been greatly exaggerated

Sure, setup is a bitch, but daily use is great

It's been a month since I successfully set up a VPN from my e71 to my OpenBSD server. A twitter from Markus Mediger - that I found by chance - claimed that "S60 VPN only works with some obscure Nokia certified HW AFAIK. Practically unusable...". This reminded me to maybe publish a little report of what I'm doing and not doing with my e71 on VPN.

Because really, I don't have any business with Nokia (I didn't even pay for this phone, it's been given to me by my company), but I don't think it's right to have OpenBSD being called "Nokia Certified HW", even by mistake :-) Sure, finding out how to set it up was a chore, and setting it up is not really the easiest thing ever. VPN setup hardly ever is. Except maybe if you use a setup from some vendor where they control all parts of the solution. That just means that they did the hard part for you. In the case of s60 VPN and OpenBSD, the OpenBSD guys and maybe me did the hard part for you.

So, I use the VPN for roughly two use cases: First, connecting to SIP/VoIP when the 3G provider's setup blocks that. Using this is a breeze: Switch to the SIP profile in question (I have 2 SIP profiles that I use, totally unrelated, if you have only one, you won't need this) and then select to connect through the VPN access point I have set up for the 3G connection. It just works. Sure, it's not always the best of sound quality, but it's roughly 1/3 the price of calling a mobile number or 1/30 of calling a fixed line number locally or ... I dunno, 1/100 of calling a foreign fixed number. The bandwidth used is pushed higher by the VPN encryption, so since I'm paying for the bandwidth, I use it sparingly. I can't compare the sound of "SIP/VoIP over 3G" with/without VPN, as SIP is blocked by the 3G provider here (I'm not 100% sure it's intentional).

Second: To browse and connect to SIP/VoIP from wifi hotspots that I can't control. This I do of course for security reasons, I don't like people to be able to sniff on me. Same setup here: Switch SIP provider, select VPN access point, go... well, unless I haven't used that wifi hotspot before, in which case I have to edit or create a new VPN access point. That's currently my only user interface complaint about the s60 VPN. It doesn't matter much when you move amongst the same few wifi points, but for someone who travels all over the place it might be annoying. I don't go through the VPN when I'm in the office network, I'm not that worried about security.

Little tip: When you're on a public free wifi of the kind that uses a CAPTCHA to give free access, obviously the VPN client won't be able to connect. First open the web browser to go to any random URL, which gives you a chance to enter the CAPTCHA. Then use a different program to connect via the VPN, which now can use the same connection. Last, if you want to use the web browser over the VPN connection, close the web browser again and re-open it using the VPN access point.

Conclusion: It works. It works with OpenBSD, so it will work with all kinds of other IPsec based VPNs. Setup might need some knowledge and tinkering. But reports of unusability have been greatly exaggerated.

A note on twitter: I'm not using or liking it. I think it's just a bad copy of IRC and where IRC was chaotic and open, this is just a commercial venture. What's more, as they say of IRC "what? you did that based on what a guy on IRC told you to do?" 140 characters does not give you the space to show all sides of an issue, to explain that you (e.g. Markus in this case) just don't really know (well, that's what the "AFAIK" could have been there for) and maybe better shouldn't talk about unknown stuff anyway besides saying "I don't know". On IRC that's not really a problem, since, well, it's IRC, just a place to rant and vent anyway.

Thanks for the great article. I have it bookmarked in my folder called Nokia VPN Success Stories. Now I have 4 links there, as yesterday I added link #3, to the Nokia forum, where another Nokia user talks about using Nokia VPN on his Nokia N95.
As for my personal experience with Nokia VPN ... I gave up on it. Spent months trying to get it to work on my N95, read dozens of manuals, called Nokia numerous times, browsed forums, asked for help from local IT guys and so on.

A few days ago one fellow from the Nokia forum sent me a link about new VPN software for Nokia; it's called Symvpn.
It is not IPSec, it is PPTP VPN, but this is exactly what is needed for mass users. Easy to set up, easy to use. Plain and simple.
Configured and got a connection to my home computer with Windows XP in less than 2 minutes, and the same with Windows 2008 in the office.
I think that this Symvpn software should be on any Nokia phone by default if Nokia is talking about business usage and connecting to computers.

Tell me, how many hours/days/weeks are needed for an average phone user to get Nokia VPN working on the phone?
In my book the average phone user will spend at least a few days just to find out what is needed for the whole process.
Then working with Policy file, Package file, Installation file, restarts, trying it again and again. Am I right?
Even if IPSec is more secure, I don't need such security if it takes 100,000 times more to get it working. If I am spending months on configuration and all this time I am using an insecure connection ... what kind of security is this?

Anyway, I am glad to hear that you did it. My congratulations!
Probably you can post a detailed manual somewhere about configuring Nokia VPN. For those who have more free time than me. :)

Posted by: Andreo at March 24,2010 10:56

Andreo, the documentation is on my wiki under VPN Notes.

The idea of Nokia for VPN is probably "this is a business issue, so let the business IT department handle it". With that philosophy, they're doing it right. If someone has an account on my server and needs a VPN, I can send them the settings file and they will be running a VPN in 3 minutes. In a business setup, the IT-Department can create settings files for all users and have them up and running in no time.

Nokia VPN setup works less well for DIY people, as you and me and others already found out.

Personally I'm not at all interested in a PPTP solution. It might be OK to lower the standards of security a little bit for ease of use, but at some point there is nothing left.

Posted by: betabug at March 24,2010 11:40
