OpenVPN is great, but there were some things we wanted to change.
Our Backend Engineer, Jack, explains how we did it.
This advert was brought to you by OpenVPN… OpenVPN, the VPN you can trust.
Please say, considering you are using the community OpenVPN app now, that you would consider open-sourcing elements of your new solution so people can move to a similar efficient model as you suggested?
Also, the push notification - is that via a custom app or existing app on the devices to proceed?
I wonder if anyone will ever explain what VPN is, let alone openVPN?
Ah. I see. That’s why a backend engineer started this thread. All understood now. TVM.
Find it really odd you would share any information at all regarding your infrastructure. I mean most people won’t even know what a VPN is, so why put the info out there? Asking for a friend
Because people like me find it fascinating and interesting; thanks to Monzo sharing their knowledge I can look into how I can improve my business VPN.
This sharing of info lets us know Monzo’s heart is in the right place and that they’re not only transparent but passionate about the tech they use
I can try and explain a VPN:
Without a VPN: if you go to monzo.com the request goes from your computer over to monzo’s computer, which sends you the files to display monzo.com.
With a VPN: you ask for monzo.com, and that request goes to the VPN provider, the VPN provider asks monzo’s computer for the monzo.com files, and then the VPN sends those files back to you.
One advantage here is that all your requests that go to the VPN are encrypted. If you were accessing a website that uses http (and not https) then someone snooping on your traffic could see what data you’re sending, including usernames and passwords. You may have heard of Firesheep: https://en.wikipedia.org/wiki/Firesheep. People would log into open public networks, like a cafe wifi, and were able to steal other people’s details, like Facebook logins, because nothing was encrypted.
With a VPN you could still connect to that insecure cafe wifi, and access a site using http, but your traffic would be encrypted and sent to the VPN provider, so people snooping at the cafe couldn’t steal your details.
OpenVPN discussed here is just a free, open source tool that lets you connect to the VPN provider. Because it’s open source it means anyone can read the code that makes OpenVPN work; so people can make sure it’s not doing anything nefarious with your requests.
A VPN provider is a company you have to pay, and they make sure they have machines up and ready to receive your requests and send them on.
Or just think of a VPN as a front door.
My network is locked down, to get in and see anything I have to use my VPN.
I meant more along the lines of why would you disclose this information from a security point of view.
Awesome. Thanks.
VPNs are good and all, but have you heard of the concept Zero Trust? If you look into Google’s BeyondCorp initiative, they now no longer rely on a VPN to authenticate onto their corp network when WFH.
Same where I work. We’re rolling out AppGate.
Because if the only thing keeping you secure is keeping knowledge like this secret, then you’re not very secure at all. Sharing this does nothing to weaken their security, and it’s pretty interesting to people who work in tech like me.
Interesting read, thanks for the insight! You say OpenVPN waits for all connections to close before the pod will gracefully terminate, how long does this typically take (a user could remain connected for hours)? Could you set the client to block traffic if the VPN connection drops and forcibly kill all connections, allowing new connections to be made on pods with a READY state?
I used to use a combination of bash scripts authenticating against a DB with hashed passwords to manage my single user, but now use WireGuard. I’m now working on NGINX rules to only allow GET except from a few key URLs which require POST unless I’m on my VPN, as WordPress (plug-ins/themes) can come with vulnerabilities. I wonder if Cloudflare could help here, but I might need to purchase extra rules…
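The NGINX rule set described in the post above (read-only for the public, POST to the sensitive WordPress endpoints only from the VPN) as an added example; this is not the commenter’s own configuration. It assumes WireGuard clients arrive from the constructed subnet 10.8.0.0/24, that WordPress lives in /var/www/wordpress, and that PHP is served by php-fpm on a Unix socket; all three are assumptions to adjust.

```nginx
# Added example, not the original poster's config.
# Goal: public visitors may only GET/HEAD; POST (and every other method) to the
# login, XML-RPC and admin endpoints is accepted only from the VPN address range.
# Assumed VPN client subnet: 10.8.0.0/24 (constructed; replace with your own).

server {
    listen 443 ssl;
    server_name example.com;          # placeholder hostname

    root /var/www/wordpress;          # assumed WordPress document root
    index index.php;

    # Sensitive endpoints: GET/HEAD from anyone (the login page still renders),
    # any other method only when the source address is inside the VPN range.
    # limit_except passes the listed methods through and applies the
    # allow/deny block to everything else.
    location ~ ^/(wp-login\.php|xmlrpc\.php|wp-admin/.*\.php)$ {
        limit_except GET HEAD {
            allow 10.8.0.0/24;        # assumed VPN subnet
            deny  all;                # everyone else gets 403
        }
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed php-fpm socket
    }

    # Every other PHP script: read-only for the whole internet.
    location ~ \.php$ {
        limit_except GET HEAD {
            deny all;
        }
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Static files and pretty permalinks, also read-only.
    location / {
        limit_except GET HEAD {
            deny all;
        }
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Two caveats before copying this. First, the regex location for the admin paths must appear before the generic `\.php$` one, because NGINX uses the first matching regex location. Second, if the site sits behind Cloudflare (as the post considers), `$remote_addr` is Cloudflare’s edge address, so the `allow 10.8.0.0/24` line never matches; you would need the `ngx_http_realip_module` (`set_real_ip_from` for Cloudflare’s ranges plus `real_ip_header CF-Connecting-IP`) so the VPN source address is what the allow rule sees. Plugins that POST to `wp-admin/admin-ajax.php` or `wp-comments-post.php` from the public front end will also be blocked by these rules and need their own exceptions if you rely on them.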
This is late, but I love blogs like this that offer an insight into the different processes and decisions that take place in Monzo, even if they don’t make their way into anything visible in the app itself.
This is something pretty technical, but it was very well explained; the diagrams really helped me visualise the process instead of picking apart text. Would love to see more blogs like this.
Ok Tom
Yep
“Security by obscurity”
Always works out well that…