Comments on Shimo, a VPN client

In another thread, I reported significant problems with Cisco AnyConnect, a VPN client. One responder helpfully noted that Shimo had worked well in the past, so I tried it.

Here are my thoughts after not quite two weeks of using Shimo in trial mode. BLUF (Bottom Line Up Front), I expect to pay ($59) for a license and continue using it. But it was not all pleasant.

On first run, Shimo verified itself, then asked to install a helper tool, with no explanation of how to uninstall it, either before or after authenticating for installation. Shortly after the initial startup, Shimo presented a window with no title bar, offering me three choices: Quit; Activate License; and Buy Now. I selected Shimo Help from the Help menu and got a dialog box saying Help isn’t available for Shimo. Not a promising start to a free trial. For better or worse, apparently Shimo prevents itself from being added to the Recent Items menu. Also the About window is about two pixels too narrow to avoid having a horizontal scroll bar, which shows a lack of attention to cosmetic detail, making me wonder where else attention to detail is lacking. (None of this, of course, is to say that any other product is any better.)

My notes don’t remind me what happened next, but I expect I chose Quit and then started Shimo again. Since then, when I start Shimo, I choose Continue Trial or something similar. But mostly, I just leave it running. It places an icon in the menu bar that allows one-click connection to my VPN.

Shimo claims to allow the user to set “triggers” that cause actions. If I understood this feature, it could be used so that a connection to a network that is not on an exclusion (whitelist) list will automatically cause Shimo to activate a VPN. This is a feature I had wanted with AnyConnect, and is probably worth the purchase price (for me). I would be happy to provide more details (please ask), but after many failures and two reports to the developer about two distinct issues, I got a terse reply from Shimo support: “triggers are no longer supported.” It does seem like the preferences pane could be removed or at least the ability to set a trigger could be blocked.

During the evaluation period, I have been using Shimo with my home ISP, where I rarely use a VPN. (Should I use a VPN even while at home?) Shimo detected that the VPN connection had been broken (because I turned Wi-Fi off) and asked if I wanted to re-establish the connection. I clicked Not Now, whereupon Shimo thought about it (with the spinning ring) and then asked again if I wanted to re-establish the connection. I clicked Not Now, whereupon Shimo thought about it some more, but did not ask again. In a way, this is good, because it gives me a chance to recover from a wrong answer. On the other hand, if I answered No by mistake, I could just manually tell Shimo to connect.

For what it’s worth, Shimo apparently believes the VPN continues for long after I turn Wi-Fi off, as evidenced by it retaining a green badge with the number 1 in it on the application icon in the dock and the icon that apparently indicates a connection in the menu bar. If I turn Wi-Fi back on during the many minutes that Shimo indicates the connection is still established, Shimo acts as if I had never left.

Why would I keep Shimo? Because I have no-added-cost access to a VPN service, but the client AnyConnect caused severe problems. A minor benefit of Shimo is that it remembers my VPN credentials so I needn’t enter them each time I connect; AnyConnect required both username and password every time.

Partly because Shimo has had so many missteps during the trial and partly because I’m just a paranoid person, I wish I could confirm that I actually have a VPN connection without relying on Shimo’s indicators. I also wish that Shimo provided on-line help. As I said earlier, I don’t know that any other client would be better, and Shimo does claim to do what I need it to do, so I expect to keep it.


Thanks for this detailed review. I’m pleased that you find Shimo somewhat useful, but that’s quite a list of annoyances – and $59 seems a lot of money, though from what I understand it’s a one-off cost, not a subscription. Good luck, and keep us posted.

With regard to checking whether Shimo is working: If it’s a corporate or university network, shouldn’t you be able to see resources that are not available when the VPN is not connected? Alternatively, does either your own IP address or your DNS server change when you are connected?

Correct. I should have emphasized that. I think of it as $59 down and nothing a month for the rest of my life—or Shimo’s life, whichever comes first. I’m hoping that most of the annoyances exist either because I’m in trial mode or because I haven’t learned the quirks of the program, and so will fade. But I do wish I could use triggers.

I am no longer active, so I haven’t tried to look for any resources. But even on campus, one was required to authenticate to the desired resources. (With that in mind, I’m not sure why the VPN is even provided, but I’ll use it since it is.) Certainly the one resource I continue to use, infrequently, requires authentication even when Shimo says I’m on VPN, but it requires authentication even from a computer on the campus intranet.

Where would I look for a changed IP address? My Mac connects to an AirPort Express and gets its IP address from it, and System Preferences > Network > Advanced shows no change when I connect to VPN. The AirPort Express seems to get an IP address from my ISP, and AirPort Utility shows no change when I connect to VPN. I think I’m missing something.

I haven’t used this particular client, but in general, I think VPNs generally work in one of two ways:

  • Via a proxy server. The software creates an encrypted connection to a remote server. Your computer sends all of its non-local traffic through that connection. The other end of the connection is a server run by the VPN company, which will rewrite your headers as appropriate before forwarding them on to the destination.

    With this approach, your Mac will keep its addresses, but remote sites will see the rewritten headers. If you want to see the IP address the rest of the world sees, you should be able to use a web site like https://whatismyipaddress.com/.

  • Via additional software-based network interfaces. Like the proxy server approach, the software creates an encrypted connection from your computer to a remote server. But your end of the connection is configured to act as a network interface (commonly called a virtual Ethernet or a tunnel interface). This network interface gets an IP address from the VPN company (possibly via DHCP traffic carried over the tunnel).

    Non-local traffic is sent over the tunnel using the same mechanism your computer uses for all traffic routing (same as if you had multiple physical Ethernet ports connected to different networks).

    The tunnel approach is probably the better solution because the VPN company doesn’t need to be running proxies on its servers. This means it can carry all network traffic, not just those protocols that the VPN’s proxy is designed to support.

Thanks, @Shamino. Once again, I learned something.

That was my (only) understanding, and that seems to be how the VPN I use works. After following the link, I did see a changed IP address.

With just a modicum of snarkiness, I say of course the VPN I use is not the better solution.

“When I have a 50-50 chance, nine times out of ten I make the wrong choice.”

Keep in mind that “better” is subjective.

I called the tunnel better because it will send all of your Internet traffic over the tunnel, not just traffic types for which the VPN company has proxy servers. This is the mechanism by which VPN-based remote LAN access software (e.g. Cisco AnyConnect, OpenVPN, others) works.

But using a proxy allows the VPN provider to rewrite your traffic in order to improve your privacy. For instance, it can sanitize the HTTP headers you send out to strip out things used for fingerprinting. This is something that can’t be done by a tunnel (although I suppose tunnel-based VPNs could also use a proxy server, but that seems redundant to me).

Thanks for the additional information.

Since I’m replacing AnyConnect, I assume I’m connecting to a Cisco host at the institution that made AnyConnect available to me. (That convoluted phrasing is because I assume that AnyConnect is a client and the VPN service has a different name.) But I would assume that it is a “VPN-based LAN access software” that I’m accessing, in which case I would be using the tunnel method. I had believed I was connecting to a service providing a proxy server because my IP address had changed, as reported by whatismyipaddress.

Probably none of this is really significant since I am looking for a cheap, easy solution to a minimal need, and possibly no need. Almost everything I do on a public network is via a browser (almost always to an https page) or an Apple service (Mail, Notes, Calendar, and so on) that I assume takes care of security for me. The “shadiest” thing I do is record a song I play on YouTube so I can save it to my computer. Probably anyone who could actually spy on everything I do, other than checking recent activity at a bank, would fall asleep from boredom.

Please excuse my attempt at humor when I said that “of course the VPN I use is not the better solution.”


Different products serve different purposes. I call AnyConnect LAN access software because I’ve generally seen it used to provide secure access to corporate networks, not to provide privacy-protected Internet access.

My employer uses AnyConnect. I’m not sure if this is the name of the entire solution or just the client app. When installed (at least on Windows), it creates a virtual network interface that is disabled when the VPN is disconnected. When I use it to connect to my employer’s internal network, an encrypted connection is made to a server (I assume run by my employer on that internal network) and the virtual network interface is connected to my end of that connection. Then my local routing tables are changed so all of my IP traffic, regardless of destination, is carried over that interface.

This so-called “full tunnel” means that when the VPN is connected I actually have no ability to access anything on my LAN and all Internet traffic goes through the company’s LAN (and its various security gateways). This is a deliberate configuration decision, because it makes it impossible for a malicious device on my LAN to use the company computer as a gateway into the corporate LAN.

AnyConnect also supports a “split tunnel” where only traffic destined for the corporate network goes through the tunnel and everything else is sent through normal means. This is more convenient but it has the potential to grant malware access to the corporate network, so my employer doesn’t permit that configuration.

Previous employers have used other products (including OpenVPN) in similar capacities.

If, however, your goal is to protect your privacy instead of granting others secure remote access to your LAN, then you probably want to use a different kind of solution.
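The full-tunnel versus split-tunnel distinction above shows up directly in the routing table, which also answers the earlier question of how to confirm a VPN connection without relying on the client’s indicators. As an added example (not code from the thread, from Shimo or from AnyConnect), this Python script parses macOS `netstat -rn` output and reports whether the default route, only specific routes, or nothing goes through a tunnel interface; the three sample tables are constructed, and the tunnel interface prefixes are an assumption.

```python
"""Classify a Mac's routing table as no VPN, full tunnel or split tunnel.
Added example, not code from the thread, Shimo or AnyConnect: it reads the
IPv4 section of `netstat -rn` and asks which routes use a tunnel interface."""
import subprocess

TUNNEL_PREFIXES = ("utun", "tun", "tap", "ppp", "ipsec")  # assumed names


def ipv4_routes(netstat_text):
    """Yield (destination, netif) from the 'Internet:' section only; the
    Internet6 section is skipped because macOS creates utunN interfaces with
    link-local routes even when no VPN is connected."""
    in_v4, netif_col = False, None
    for line in netstat_text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
        elif line.startswith("Internet6:"):
            break
        elif in_v4:
            cols = line.split()
            if cols and cols[0] == "Destination":   # header: locate Netif
                netif_col = cols.index("Netif")
            elif netif_col is not None and len(cols) > netif_col:
                yield cols[0], cols[netif_col]


def classify_routes(netstat_text):
    """'full' if a default route leaves via a tunnel interface, 'split' if
    only specific destinations do, 'none' if no tunnel route exists."""
    routes = list(ipv4_routes(netstat_text))
    tunnel = [d for d, n in routes if n.startswith(TUNNEL_PREFIXES)]
    if "default" in tunnel:
        return "full"
    return "split" if tunnel else "none"


def classify_this_mac():
    """Run the real `netstat -rn` (macOS/BSD format) and classify its output."""
    out = subprocess.run(["netstat", "-rn"], capture_output=True, text=True)
    return classify_routes(out.stdout)


# Constructed samples in the shape of macOS `netstat -rn` output.
HEADER = "Routing tables\n\nInternet:\nDestination Gateway Flags Netif Expire\n"
V6 = "\nInternet6:\nDestination Gateway Flags Netif Expire\nfe80::%utun0/64 fe80::1%utun0 UcI utun0\n"
SAMPLE_NO_VPN = HEADER + "default 192.168.1.1 UGScg en0\n192.168.1/24 link#6 UCS en0 !\n" + V6
SAMPLE_FULL = HEADER + "default 10.20.0.1 UGScg utun3\ndefault 192.168.1.1 UGScIg en0\n" + V6
SAMPLE_SPLIT = HEADER + "default 192.168.1.1 UGScg en0\n10.20/16 10.20.0.1 UGSc utun3\n" + V6

if __name__ == "__main__":
    for name, text in (("no VPN", SAMPLE_NO_VPN), ("full", SAMPLE_FULL), ("split", SAMPLE_SPLIT)):
        print(name, "->", classify_routes(text))
    print("this machine ->", classify_this_mac())
```

A “full” result means everything, LAN included, leaves via the tunnel; a “split” result means only the listed corporate prefixes do, which is the configuration the post above says the employer disallows.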


I use a VPN whenever I am on a public network, such as an airport, hotel, car dealer, etc. There was a time that one of my email addresses did not allow [!] encrypted password security (e.g., TLS) and I was afraid that email address would be compromised, since its password was in the clear. Of course, I could have deactivated that email address in those situations, but then how would I check email on that address?

I looked at VPN reviews and chose PIA at about $40/year.

Once in a while there is a glitch when using a VPN. For example, sending from a no-name email hosting provider is blocked as suspected spam. The VPN provider blocks SMTP unless it is for gmail, hotmail, or other major providers. I have to log in to Webmail on a browser for sending no-name email, rather than using an email client, such as Mail or Thunderbird, which uses SMTP.