Last Wednesday, I was contacted about a possible business deal to provide a piece of hardware that could do Virtual Private Networking. Initially, I rejected it because I haven't done VPN installations for a long while. The last time I had done any form of research and installation of VPN was nearly 3 years ago. After a night's thought, I contacted the person again, and told him, yes, it would be possible.
In layman's terms, VPN allows 2 parties connected to the Internet to talk to each other, without anyone else being privy to the discussion. The software and hardware do this by encrypting all the data that travels between the two parties. The encryption is so strong that it would take many years, with better and faster hardware than what we have now, to even come close to breaking the encryption. For interested parties, VPN specifications are: RFC2917, RFC2764, RFC2735, RFC2685 and RFC2547.
Anyway, I contacted my hardware sources, and they have stock. So, I contacted the other party, and provided a quote. Unlike most people, I have a commercial grade switch running at my home, capable of load-balancing and redundancy. One of my dreams is to automate my home so that everything can be remotely controlled, either by phone, SMS or a remote controller. I have already written portions of the software to automate my home. Once I have completed the software, and assembled the necessary hardware, at any time, anywhere in the world, I would be able to contact my home and tell it to switch on the TV, off the fridge, on the lights, or turn up the aircon. The switch is a portion of that master plan.
In the meantime, I began a firmware upgrade on my current switch, in order to familiarise myself again with VPN installation. Unfortunately, during the firmware upgrade, some disaster struck, and my switch couldn't function any more. At this time, I hooked my main system directly to the Internet. It was also at this time that my system refused to boot up properly. Unlike other folks who shut down their system every day, I do not shut down my system, unless I've performed a hardware upgrade, or software upgrade, and I have to reboot to get the changes immediately. Otherwise, months could go by without me even rebooting my system.
Anyway, having no choice, the first thing I did was to restore the system. The first thing I should have done is to patch my system; however, before I did that, I connected to the Internet. Then, my system started rebooting nearly every minute. This was not due to a virus on my system. This was due to packets that were being sent to my system, exploiting a vulnerability that was present. It went away after I patched the system.
The VPN installation practice went without a hitch; however, the party told me that due to some MAS regulations I wouldn't have the deal. I was quite sure that the regulation didn't exist, and after looking up the MAS site, I confirmed so, but I forgave the other party. He certainly has his own reasons for doing what he did.
Meanwhile, I came across a piece of undocumented information, and managed to re-enable my switch. So, my home network is up and running again. These days, it's just too dangerous to connect to the Internet without a firewall, and without disabling default services.
While the network was down, I discovered a Windows service (that I wrote to counter terrorism attacks on my website) didn't respond properly, and would take up to 60 - 70% of the processor time. This caused other processes in the system to respond sluggishly (Yep, it's a real Windows service, not an application masquerading around as a Windows service, and I couldn't use Task Manager to kill it). The issue here was that, failing to issue an HTTP request, the code in question threw an exception, and continued. If the code in question didn't throw an exception, in a normal course of execution, it would have done some checks, and then if conditions were satisfied, update the URL to point to the new IP address. It would then sleep for a while, before checking again. The “Continue” instruction neglected to execute the sleep instruction, and skipped around it, hence causing it to tax the processor heavily.
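
The loop shape described above, as an added example that is not the service's original code: the post does not show the code or name its language, so Python is used here and every name (`poll_buggy`, `poll_fixed`, `simulate`, the 30-second interval, the backoff cap) is hypothetical. The buggy poller reaches its sleep only on the success path; the fixed one sleeps on every path and backs off while the request keeps failing.

```python
"""Constructed illustration of a polling loop whose error path skips its sleep."""


def poll_buggy(fetch, update, sleep, interval, max_iterations):
    """Shape of the bug: `continue` in the handler jumps past the sleep."""
    for _ in range(max_iterations):      # stands in for the service's endless loop
        try:
            ip = fetch()                 # the HTTP request
        except OSError:
            continue                     # BUG: skips sleep(), so the loop spins
        update(ip)                       # checks + URL update on success
        sleep(interval)


def poll_fixed(fetch, update, sleep, interval, max_iterations, max_backoff=300):
    """Sleep on every path; back off exponentially while requests fail."""
    failures = 0
    for _ in range(max_iterations):
        try:
            ip = fetch()
            update(ip)
            failures = 0
            delay = interval
        except OSError:
            failures += 1
            delay = min(interval * 2 ** failures, max_backoff)
        sleep(delay)                     # reached whether or not fetch() failed


def simulate(poller, iterations=5):
    """Run a poller against a network that is always down; return the sleeps it made."""
    delays = []

    def fetch_down():
        raise OSError("network unreachable")  # constructed failure

    poller(fetch_down, lambda ip: None, delays.append, 30, iterations)
    return delays


if __name__ == "__main__":
    print("buggy sleeps:", simulate(poll_buggy))
    print("fixed sleeps:", simulate(poll_fixed))
```

With the network down, the buggy poller records no sleeps at all across its iterations, which is the processor-bound spin described in the post.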