Every time you connect your Windows or Mac laptop to a public Wi-Fi hotspot, you risk the possibility that someone else on the network might tap your Web traffic or even steal data from your computer.
Common wisdom advises that you use a virtual private network (or VPN) to protect such a connection. XOnet, from x.o.ware, offers a different solution, one that’s hardware-based and ultra-secure.
It provides that secure VPN-like connection, but needs an ease-of-use overhaul.
How It Works
The $99.99 combo package reviewed here contains one XOnet unit and one XOkey. You can also purchase an additional XOkey for $40, or an additional XOnet for $70.
The XOnet itself is a small black box, about 0.7 by 3.4 by 3.1 inches (HWD), with two Ethernet ports on the back, as well as a USB port on the front.
Status lights for power and the two Ethernet ports round out XOnet’s visible features.
A typical software-based VPN utility encrypts your browser’s request for data and sends it to a VPN server.
The server connects to the website, makes the actual request, encrypts the returned data, and sends it back to your PC for decryption.
This has the added effect of hiding your actual IP address from the receiving website; all the site sees is the IP address of the VPN server.
And of courses any location-based permissions or restrictions are applied based on the server’s address.
Paired with its companion XOkey, the XOnet device offers a direct encrypted connection to your home network, without going through a third-party server.
That hacker in the corner of the Internet café can’t see any of your Web traffic. Your surfing activity takes place from your home network. You don’t get the anonymity or location-spoofing that comes with a standard VPN, but there’s no middleman, no remote possibility that the VPN provider might turn evil and steal your data.
And, as I’ll detail later, there are other advantages to having a direct line into your home network.
Configuring the XOkey
The XOkey device is tiny, about 1.4 inches square and 0.4 inches thick.
It comes with a small USB to Micro-USB adapter.
In testing, I found the adapter to be a bit flimsy; my company contact confirmed that using a third-party micro USB cable may give you a more reliable connection.
A page of instructions included with the combo advises configuring the XOkey first.
Amusingly, the XOkey comes in a foil packet labeled “Always use protection.”
To start, you install a driver on your Windows or Mac laptop and reboot.
For testing, I used a Lenovo ThinkPad T420s.
After rebooting, plug in the XOkey to its adapter, and plug the adapter into the laptop.
It takes about 15 seconds to boot into its Linux-based operating system.
Once it boots, you log in using any four characters. Of course, the very next step is to create your actual password, which must be strictly alphanumeric.
Don’t forget that password! If you do, your only recourse is to reset the device by poking a paperclip into the tiny reset hole, and start all over. With XOkey configuration complete, you can put the XOkey aside and get the XOnet set up.
Configuring the XOnetYou can install the XOnet in two ways, LAN Mode or In-Line Mode. LAN mode is incredibly straightforward. Just connect the device to a spare Ethernet port on your router or a network switch and plug in its power.
It’s now ready to provide remote access to your Internet connection and local network resources.
If you plug a network switch into its output port, any local devices connected through that switch get the benefit of XOnet’s filtering (more on that later).
It’s possible that your router’s firewall might interfere with the XOnet’s operation.
According to the company, giving the device control of port 4500 can help.
Failing that, you can install it in In-Line Mode, connecting it between the incoming Internet connection and your regular router.
In In-Line Mode, you can remotely access your home Internet connection, and any filtering options you turn on affect the whole network. However, you won’t be able to see or use any other network resources manually.
Savvy users can take advantage of an unstated third mode by using the XOnet (with a little help) to replace the existing router.
Since it only has one output port, you’ll definitely need a network switch.
If you need Wi-Fi, you’ll have to connect a separate wireless access point, like the EnGenius ENS1750 Dual Band Outdoor Access Point.
In this mode, the XOnet offers remote access to your Internet connection and devices, and also filters traffic for all of those devices.
To configure your newly installed XOnet, you simply log into it from any browser. Well, almost any.
In testing, I found that certain features did not work under Internet Explorer, a fact confirmed by my company contact. Note, too, that when you first log into the device, you’ll see a scary warning that the connection is not secure.
That’s not uncommon with hardware-based security products.
I saw the same thing when reviewing the Circle with Disney and the Peace Wireless Router parental control devices.
As with the XOkey, you log in the first time using any four characters and immediately create a new, strong password.
It can be the same as your XOkey password, though security purists would surely advise making it different.
Now it’s time to introduce the XOnet and XOkey to each other, and it couldn’t be easier. Just log in to the XOnet’s user interface, plug the XOkey into the XOnet’s front-facing USB port, and wait until it offers to register the key. Just be sure to use Chrome or for logging in to the XOnet.
I found that if I logged into the XOnet using Internet Explorer, the offer to register never happened.
A single XOkey can connect with various XOnets, and vice versa.
To help keep them straight, you define two names for each connection.
The Connection Name is the name that appears in the XOnet’s list of registered XOkeys.
The Real Name is the name found in the XOkey’s list of available XOnets.
Confusing? Not once you get used to it.
By default, the XOkey gets access to your Internet connection and to network resources.
If you wish, you can disable LAN access, giving it Internet only.
Define a password for the connection (yes, another password!) and you’re ready to go roaming with your XOkey.
The great thing here is that the encryption keys reside only on the XOnet and the XOkey.
They’re created during the hardware handshake, they never exist anywhere else, and they can’t be viewed or exported.
That’s definitely a win for security.
But what if you need to connect an XOkey that’s far away? Don’t worry, that’s possible too.
Rather than insert the key, you click a button on the XOkey management page to create a new key. You go through the same steps, entering the Connection Name, Real Name, and password. When you’re done, it generates a file with extension .VPEX. You convey this file securely to the location of the XOkey and import it, then securely delete all copies of the file.
It’s not quite as airtight as the hardware-to-hardware method, but not too bad.
You can also connect two XOnets to each other, either by passing the encryption keys using an XOkey or by generating a .VPEX file as above.
But wait! There’s more! Android users who are also network hotshots can use the strongSwan VPN app to connect with the XOnet.
The process involves generating an IKEv2 configuration file, copying it to the Andoid device, and using it to configure strongSwan.
I did not attempt this particular feat.
XOnet’s features overlap somewhat with those of Bitdefender Box.
The Bitdefender device is very specifically aimed at extending malware protection to your entire network, a feature that’s only rudimentary in XOnet.
But it does offer Private Line, a VPN-like link that keeps your devices connected through the home network even when they’re elsewhere. However, Bitdefender’s solution is software-based; it doesn’t offer anything like XOnet’s hardware handshake.
Web Traffic Filtering
If you scroll to the bottom of the left-rail menu in XOnet’s configuration screen, you’ll find Firewall at the bottom.
Clicking this item reveals just two configuration options, both off by default.
One option prohibits access to the XOnet management user interface from any source not connected through the device’s Ethernet out port.
This would be especially important if you installed the device in In-Line Mode, since in that mode it’s directly exposed to the Internet.
The other option, titled Bandwidth Optimizer, filters out ads for any devices connected via XOkey or via the XOnet’s output port.
It also blocks access to known malicious and phishing websites.
At the time of this review, it blocks over 68,000 sites.
To test the ad-blocking feature, I visited a number of clickbait websites from a PC plugged into the XOnet, while simultaneously visiting the same sites in an adjacent PC without the XOnet connection.
That made it easy to see when XOnet filtered out ads.
Given that XOnet does have an impact on connection speed, it makes sense not to waste your bandwidth displaying ads.
I run a malicious URL blocking test for all antivirus products.
It starts with the previous day’s feed of newly found malware-hosting sites, supplied by MRG-Effitas.
For an antivirus tool, I note whether it blocked access to the site, destroyed the malware payload, or did nothing.
In XOnet’s case, there’s no antivirus component, so all I had to do was note whether or not it blocked access to the site.
I ran through 100 nasty URLs without seeing a single reaction from XOnet.
At that point, I bummed a sample URL from the company contact, just to make sure the feature was working.
It correctly blocked that sample, replacing it with the XOnet login. My contact explained that XOnet updates its blacklist from Malware Domain List daily, and the XOnet updates from the main blacklist daily, so the list can be up to two days old.
With no need to download files, this test went really fast, so I had no qualms about running it again using a ten-day-old URL list. Once again, I checked 100 URLs.
This time around, XOnet blocked access to exactly one.
That’s not a very impressive track record.
In a recent test (using the latest URLs of that day), Avira Antivirus 2016 blocked 99 of 100 nasty sites.
I also test antivirus products to see how they handle phishing sites, fraudulent sites that try to steal login credentials. Phishing sites are ephemeral, so I try to use very recently discovered URLs, typically just a few hours old.
Given that XOnet’s phishing blacklist only gets updated every week or so, I didn’t feel a need to test its antiphishing prowess.
Travels With XOkeyOne thing you can’t do is connect via the XOnet when your laptop (with its XOkey) is on the same network.
For testing, I made quite a few trips out to public Wi-Fi zones.
To start, I had to log in to the unsecured Wi-Fi hotspot.
As soon as I accomplished that, I plugged in the XOkey, waited for it to boot up, and logged into the XOnet. Yes, there’s a window of insecurity—you shouldn’t do anything online until your XOnet connection is complete.
I visited the WhatIsMyIP website both before and after connecting.
Before, it displayed the IP address of the public Wi-Fi provider.
But with the XOkey connected to the XOnet, the reported IP was precisely the IP address of my home network, verifying the connection.
The user interface for both the XOkey and the XOnet includes a Network Directory page.
This page lists all devices on the network, along with the IP address, MAC address, and number of supported services for each.
Globe icons indicate devices that offer Web access: green for secure, blue for standard.
It’s tough to figure out which item corresponds to which device from this list. On the XOnet, the list also includes the device maker’s name, when available, which is a big help.
But that information isn’t displayed in the XOkey’s interface.
I wound up tediously connecting with each device in turn by copying its IP address into the browser.
For subsequent outings, I brought along screenshots of the XOnet’s list.
Bitdefender Box has a similar problem, but in reverse. When you look at its device list, you see descriptions only, with no IP address or MAC address.
Descriptors like “BLACKBERRY-B5D9” or “A Smart TV” don’t necessarily help you identify the corresponding device.
I found that I could do a lot of things that wouldn’t normally be possible outside the local network.
I had no trouble logging in to the network interface for the printer, for example.
I browsed the files stored on the NAS server, and logged in to the control console for another attached backup device.
I really wish the designers had included the device name in the XOkey’s Network Directory.
I also wish they’d add the ability to associate a friendly name with the Mac address of devices you’ve successfully identified.
The Peace Wireless Router and Circle with Disney both include this ability.
Clean Router, another parental control router, makes the process even easier. Just log into its control panel from a device and add the friendly name for that device.
My contact at x.o.ware indicated that I should be able to remotely access files in shared folders on computer within the local network, but I couldn’t figure out how to make it work. He checked, and found that it’s a lot easier on a Mac than on a Windows device. You first need to configure network shares such that you can access one computer from another on your home network using its IP address.
Once you can do that, you should be able to do the same via the XOkey-XOnet connection.
But for many, getting that connection set up locally may be just too difficult.
Even my contact at x.o.ware, who normally uses a Mac, admitted that the Windows-style setup was a lot tougher.
Impact on Connection Speed
When testing at public Wi-Fi hotspots, I could definitely tell the connection speed was slower when using the XOkey.
But the speed at those public hotspots was inconsistent.
For speed measurements, I connected the laptop to a home network and then used the XOkey to connect to an XOnet owned by the company.
I ran several tests using Speedtest.net.
The results weren’t pretty.
Download speed when connected through the XOkey came in consistently at 21 to 23 percent of the speed without the device.
For example, in one test the default wireless connection rated 33.26Mbps, while a test immediately afterward using the XOkey got just 7.72Mbps. Upload speeds when using the XOkey were between 35 and 40 percent of the baseline.
The download speed impact of going through XOnet is greater than that of most software VPNs we’ve tested. Only TotalVPN and Steganos Online Shield VPN slowed downloads more.
XOnet’s impact on upload speed, was almost the same as that of TorGuard VPN. Here too, TotalVPN and Steganos were the only ones we’ve tested that had more of an impact than XOnet.
At the other end of the spectrum, HostWinds VPN only slowed uploads by 4.13 percent, and FrootVPN only slowed downloads by 5.82 percent. My tests using XOnet necessarily aren’t precisely the same as the tests my colleague Max Eddy uses for software VPNs.
I can’t flit off to Australia and test using a network in Alaska! Even so, it does seem pretty clear that connecting through XOnet slows your surfing.
Watch This SpaceI’m very impressed with XOnet’s hardware-based key exchange system; I’ve never run across anything quite like it.
The XOnet-XOkey connection verifiably gave me an encrypted connection through my home network, with no VPN middleman, and even let me view and configure network-aware devices. However, getting access to network shares remotely was difficult, and the XOkey offers no help to a user trying to find a specific device in the laundry list of IP and MAC addresses.
The product is supposed to filter out malicious and fraudulent websites, but in testing the filtering did almost nothing.
I like XOnet.
I think it has potential.
For some tech-savvy users, it can be a total security win. However, if it’s going to sell to more than the techno-elite, it needs an ease-of-use overhaul.