|At a glance
|WiFi Consulting HotSpotVPN () [Website]
|HotSpotVPN is a barebones VPN provider that aims to secure your wireless traffic at public hotspots.
|• Quick set up depending on OS
• Relatively quick access speed
• Tutorials for all supported platforms
|• Frequent use could get expensive
• VPN connections to unknown network could be security concern (issue not just with HotSpotVPN)
• Gateway could be overloaded and slow down your connection
VPN is usually a term associated with a business wanting to have its employees access LAN resources while at home or traveling. Some products, like LogMeIn Hamachi are focusing on both on home and corporate users to bring the benefits of VPN to more consumers.
VPNs are useful for reasons other than extending corporate shackles into the home. VPN technology offers some of the most advanced cryptography available and can be used to encrypt more than just LAN traffic.
This is where products like HotSpotVPN market themselves. HotSpotVPN’s creator, Glynn Taylor, originally created it after watching someone hack and sniff a chat session occurring on an unsecured WiFi network. He realized that he should probably VPN his traffic, and saw an opportunity to offer a service to people who might not already have access to VPN networks.
It’s an interesting concept from a security perspective. Many Wi-Fi cafes use access points plugged into an Internet connection. I’ve run across several that hadn’t even changed their default password (if I like the place, I will usually inform them and offer to secure it for free.)
These consumer APs aren’t meant to be used in such a fashion, and don’t offer many of the security tools such as client segregation. Or if they do, they aren’t configured. You basically connect and are now part of a LAN with unknown people. Add in that most Wi-Fi cafes aren’t encrypted, and you have an argument for encrypting all your traffic.
It’s important to note that HotSpotVPN has an important difference from a VPN that you would set up yourself. With HotSpotVPN, the encrypted tunnel is from the device running the HotSpotVPN client to HotSpotVPN’s VPN gateway. So once your traffic hits HotSpotVPN’s gateway, encryption stops and your traffic is on a subnet with only a firewall rule to separate you from other HotSpotVPN users hitting the same gateway.
With your own VPN, your connection would be secured from your client to wherever your own VPN gateway was located, usually your own network. So, in the Wi-Fi cafe example above, what you’re buying with HotSpotVPN is protection from other cafe users, but not protection all the way "home".
Before we jump into the account types, I want to point out that HotSpotVPN doesn’t have account management in the traditional sense. You pay for HotSpotVPN service using PayPal, using PayPal subscriptions for monthly/yearly subscription fees. You then cancel the subscription through PayPal. Dropbox also offers PayPal subscriptions, so this method is not unheard of.
Products and Technology
HotSpotVPN offers two different products: HotSpotVPN1 and HotSpotVPN2. HotSpotVPN1 is a PPTP-based, MPPE encrypted VPN product. This means almost universal compatibility among devices, including mobile phones. The encryption is not as strong though and PPTP traffic is blocked on many hotel networks.
Costs are billed either monthly at $8.88/mo or $88.80/year. You can also purchase one, three, or seven day passes for $3.88, $5.88, or $6.88, respectively.
HotSpotVPN2 is a SSL-based VPN using OpenVPN client technology. It comes in 3 flavors: 128-bit Blowfish, 192-bit AES encryption, or 256-bit AES encryption. It is available only in monthly subscriptions, and will cost you $10.88, $11.88, and $13.88 for the respective encryption levels. It comes with a complimentary subscription to HotSpotVPN1 for your mobile device.
Confused yet? Great! Let’s clear up some things. First, know that there is an upcoming “Day in the Cloud” article discussing security in the cloud and will go into greater detail than I plan on doing here.
Basically if you can avoid using PPTP, avoid it. The encryption technology used in PPTP is rather dated, and has been shown to be easily defeated by modern computers (you can read more about it in this Wikipedia article). Mobile devices are the exception here, since they only support PPTP reliably (iOS supports L2TP/IPSec, but that has its own issues).
This leaves the SSL product. “But Matt, hasn’t SSL been shown to be easily hacked?” This is true, but SSLv3.x/TLSv1.x is quite secure by most standards. SSL VPN is also a bit of a misnomer. SSL in this case is merely a conduit for an IPSec tunnel, where IPSec ports are multiplexed onto a single port (usually UDP, but can be TCP too), and sent over the network after being SSL encrypted. You can read about how OpenVPN accomplishes this on this Wikipedia article.
That explained, I would say go with the AES-256 if you can. Technically, HotSpotVPN is wrong here to call Blowfish the “fastest” encryption standard, as AES-256, and more-so AES-192, have many key features that make them run really well on older hardware. Blowfish is an older encryption standard and has some encryption/key-generation issues that slow it down a lot. AES-192 is a fine substitute, and all three standards are very secure.
Installation, Setup, and In Use
Installation depends on the platform(s) you use. HotSpotVPN1 uses whatever your local OS happens to provide for a PPTP client. I used my Mac as the testbed for these tests, but Windows XP and up have equally easy installations. Video guides are provided on HotSpotVPN’s website for all supported platforms.
Once I finished setting up the PPTP connection (as easy as entering the domain,username, and password), I connected right up and was out surfing. An important note with Mac OS clients is they allow split tunneling. So I recommend when you set this up to go into the “Advanced” options and select “Send all traffic over VPN Connection”. Otherwise your internet traffic will still go out unencrypted.
Speed seemed reasonable. I ran through a bunch of speed tests and I averaged around 3-5 Mbps down on my 25 / 25 FiOS connection. Surprisingly, I had really high upload speeds around 10 or 12 Mbps, even when testing to servers out in Seattle using Speakeasy’s bandwidth tester.
An example of the TunnelBlick Mac Client connecting
Some of the speed I was getting with PPTP & SSL VPN
My average speed when not connected to the VPN.
Here’s a configuration issue on the Mac. Make sure to check the box to send all traffic across.
HotSpotVPN2 was a little harder to set up on the Mac, as you have to use Tunnelblick, which is a 3rd party OpenVPN client. Tunnelblick has its own configuration files, which require you to take the HotSpotVPN-provided OpenVPN configuration files, put them into a folder and subsequently rename that holder to a file name with a TBLK extension. It’s a weird process if you aren’t familiar with creating file packages on the Apple platform.
The other issue is, since it’s an open source client, TunnelBlick doesn’t have stellar documentation. So I had to sit watching logs for 10 minutes figuring out what combination of files to use. As it turns out, the openvpn.conf file was the culprit, even though TunnelBlick’s error messages didn’t say so.
Windows users don’t have any of this grief, because OpenVPN has an official Windows client. Windows users simple run an EXE or MSI file (provided by HotSpot), which installs the official OpenVPN client preconfigured to work with HotSpotVPN.
Once I got things sorted, I connected quickly and easily over AES-192 and was surfing the web. Both TunnelBlick and the official OpenVPN client automatically set up your computer’s routing table so all your traffic goes over the HotSpotVPN connection. This avoids the run-around on Macs with PPTP.
Speed tests showed about the same speed as the PPTP servers. HotSpotVPN runs a number of servers in the US, so depending on the gateway you connect to, your browsing speed may be different.
Access, Support, and Security
HotSpotVPN is very accessible thanks to the myriad client options available for both HotSpot1 and HotSpot2. OpenVPN has clients on all major platforms, either official or 3rd party. PPTP clients exist on all modern operating systems and are usually provided by the manufacturer. The exception being the Linuxes / BSDs where you grab your own client. But usually one is included in bigger distros.
Support is speedy. Glynn himself does a good amount of the support, and is quick to help out. Tutorials are available for all the major operating systems, including Linux (the tutorial uses Ubuntu). There is also an iPad tutorial.
Security can be a bit of a sticky issue in these hosted VPN products in general, as noted earlier. Many hosted VPN and proxy service are used heavily by overseas users aiming to get access to US only websites, like Hulu. Many of these site actively block VPN providers like HotSpotVPN, both for protection and to remain compliant with geographic restrictions in content licensing.
However, a good number of HotSpotVPN’s servers are “stealthed” (Non-DNS’d) to get around these blocks. HotSpotVPN itself was the target of a couple hack attempts a few years ago, so the stealthed servers also help to avoid its own hacking problems.
In closing, HotSpot operates as advertised. Even though it might not be the speediest solution (I was missing the 25/25 connection on my FIOS while testing), 5 Mbps is plenty to surf the web, especially from a mobile device. The blocked sites issue could be a problem for some, but I didn’t run into it while testing (from the U.S.). Even Hulu seemed ok.
The service could get expensive if frequently used, though. If you need all-the-time VPN, you’d be better off using a VPN-capable router, like the Cisco RV 120W or the others reviewed over on SmallNetBuilder