“But why?”

Backstory and my issues with commercial VPN services

I happen to be a Turkey resident at the moment, and Turkey is a country with significant internet censorship, with even some simple websites like pastebin blocked. VPN use is widespread.

Turkish government, as a result, also goes after many VPN providers.

I used to have an account on PIA, but they got banned, and PIA not only did nothing to help Turkish users work around these bans, but also didn't even cancel our subscriptions, forcing us to get onto alternative VPN providers simply to cancel our subscriptions.

I grew overly suspicious of commercial VPN services over the years, but after hearing many good things about Mullvad (and even seeing stickers of them on 36c3 sticker exchange) I ended up getting an account with them. Everything was alright for 6 months or so, but Turkey, or at least my household ISP (Superonline) banned them around January 2021.

Mullvad, unlike PIA, didn't have my email and as such no way to contact me, and (hopefully) don't keep data on my IP geoloc, so I don't blame them for not cancelling my account or contacting me.

When I contacted them, I was told that they're aware of some Turkish users having issues connecting to Mullvad. I was recommended to use the Shadowsocks option in the app, but I ended up cancelling my subscription anyways as I wanted to go back to defaulting to self hosted options.

“So why not selfhost?”

I'm lucky enough to be a person who owns and operates a bunch of servers, and I already have Wireguard deployments on most of them (some older ones also have OpenVPN).

However, there are limitations with self hosting on non-dedicated hardware. Some stuff that come to mind include:

• Privacy concerns as you have a static IP that is already associated with services you host (or in my case, also potentially a company I own)
• Stealthy ports being already potentially taken by services you host on that box
• Overall limitations caused by infra being in a limited number of countries for latency reasons.

A dedicated self-hosted VPN box solves most of these except for the static IP and the number of locations.

bigbigvpn approach solves all of these, at least to some degree.

“How'd you even get the idea for this cursed thing?”

Me and my partner were watching a recent video by styropyro when he ended up interjecting a section about some commercial VPN service.

My partner ended up asking me why anyone gets them anyways, as a VPS costs the same. We did talk about this stuff before, and I'm rather outspoken against most commercial VPN services (for reasons I specified earlier).

I told her that I agree, but then went on to talk the limited number of benefits they provide (that may be good to have depending on some usecases), such as paying once and being able to access many locations and many IPs without having to pay extra... and then I started talking about how you'd need to pay hourly fees in the region to self-host a similar service in addition to your main VPN server...

Then I realized one can just make a VPN service that just does that for all your boxes. At the end of the day:

• There's many VPS providers offering cheap servers all around the world
• Most VPS providers bill hourly, have little to no setup costs, and have no commitment requirements
• One can spin up and down a VPS in mere seconds and have it VPS be configured to their pre-defined requirements (using things like cloud-init)

and I had what can only be described as a “eureka moment“.

So I started working on designing it right there and then, and may have turned off the video. (Sorry styropyro!)

“insert random technical questions“

• bigbigvpn currently supports Hetzner, Scaleway and DigitalOcean. More stuff are planned as I stated on the main blog, potentially even just using smth like terraform so that we can support everything.
• Automatic kill on idle code involves a daemon running on the VPN server, checking for the last Wireguard handshake from all peers. It then kills the server after a configurable amount of time, unless someone connects, in which case it resets the timer.
• bigbigvpn does indeed support IPv6. Currently it's NAT'd but that's one of the things I intend to improve as I add multi device support.

I, however, was too lazy to even Google until today. The only resources I could find were teardowns by HexView of Yubikey Neo and Yubikey 5 NFC.

These were quite impressive, and I was honestly surprised at just how little was in them, and how the author mentioned being able to melt the Neo in acetone. I honestly would've expected more, but I suppose that change came with Yubikey 5 series.

Even though I have now moved onto using a Yubikey 4 for my PGP and U2F needs (and Solokey Tap for NFC FIDO2 needs), I still have my first ever Yubikey 4 Nano lying around. While the key in that is still needed to decrypt some of my ancient stuff, I thought that it'd be a good candidate for tearing down as I wondered what was in such a tightly packed product.

(Quick note for the curious: I was initially going to get a Yubikey 5 NFC, but their shipment costs to Turkey increased significantly since my Yk4n and Yk4 orders. They didn't have an authorized reseller in Turkey until recently, and that reseller only sells on a platform I refuse to use. So I got a Solokey Tap and use it alongside my Yk4. Both are great and do everything they promise to do.)

The Process

As the hexview article used acetone and stated that the changes in the material were made with Yubikey 5, I suspected that I could also use acetone, especially as I have a bunch of it at hand.

I have previously used acetone to delayer stuff like smartcards:

For the most part, it just involves putting in the card you want to melt, checking it every now and then to see if any unwanted layers are coming off and getting rid of them, and pulling it out when you reach your intended layer. The process depends on a bunch of factors, but I had a lot more luck when I moved from something flat (which resulted in the need to flip the card every now and then to get it to apply to the bottom side too) to something round like a jar where the acetone acted evenly.

I had no experience with any other type of stuff, so I just dumped it in and hoped for the best:

Quite shortly after I did that, I started seeing the “white powdery substance” that hexview mentioned in their Yubikey Neo teardown.

To ensure that the process is going smoothly and to also help it along the way I ended up pulling it out every now and then to wipe the “white powdery substance” or just peel it off using tweezers when applicable:

(Quick note: I did end up unintentionally touching and smelling this substance, and it felt, acted and smelled like super glue. This does indeed mean that I had a thin layer of it on my finger, which I quickly removed and thoroughly washed.)

Also, partially through, I saw the “milky-gray acetone solution” that hexview mentioned:

This wasn't a great sign for me as I tend to filter and reuse the acetone, and I wasn't sure if I was going to have to dump it all afterwards. (I still don't know. The hexview page mentions that it settled. I've filtered it off shortly after removing the Yubikey in hopes that it'd help but it didn't help at all. Instead of a hacky “filter”, I later tried using a proper coffee filter, which also sadly didn't help.)

I ended up doing this around 4 or 5 times until I clearly felt with my tweezers that the middle of the layer I was on was actually just the MCU. This was hard to photograph for obvious reasons:

I went through the edges in hopes of lifting a plastic-seeming thing that seemed to be in place, and ended up lifting it off:

I scraped off some of the “white powdery substance” that was left around the Yubikey with tweezers, and was left with the insides.

The Pictures

Before:

After:

(I also have a scan of the back here, which didn't end up being that good but it's higher quality at least.)

The Aftermath

Just to see if it works or not, I put the plastic piece back on to flatten it:

...and hackily padded it with some random adhesive label I had lying around to get it to the right height to stay in a USB port:

And would you believe it, it works:

Remarks

The Yubikey 4 Nano seems to be very clearly between Neo and 5 NFC, and this makes sense as Yubikey Neo was released in 2012 (was updated in 2014 with U2F support), and Yubikey 4 series was released in 2015, while Yubikey 5 series was released in 2018.

Yubikey 4 Nano shares the same case materials as Yubikey Neo, easily dissolveable in acetone, but has the same MCU as Yubikey 5 NFC (Infineon SLE 78CLUFX5000P01). Other than that there's not a lot I can say about the internals.

Bonus: It's not shown here, but I'd like to note that the keyring hole in hexview's Yubikey Neo teardown was improved on the full size Yubikey 4 with a golden ring (also visible in their Yubikey 5 NFC teardown). I did however have my Yubikey 4 nano's keyring hole fail on me as you can see above.