- TunnelBear is a bit more expensive (4.99$/mo, paid annually vs 4$/mo).
- TunnelBear supports up to 5 connections per account vs 2.
I use TunnelBear regularly for my browser and phone. Both work great.
My subscription is going to expire soon and I'll be open to try other VPN providers, not that there is anything wrong with TunnelBear. Any recommendations?
This site [2] has feature comparisons but experience using VPN services is another story.
HN gets regular "what VPN should I use?" questions and my answer is always the same: Algo [1]. It is designed to be simple to set up, simple to tear down, and usable with numerous cloud providers or your own Linux server.
In terms of privacy, doesn't it kind of let the cat out of the bag if you host your own VPN server? It's not your home address, but it's still just as much an address associated with you, isn't it?
Indeed it doesn't provide anonymity against the sites you visit - quite the opposite, it makes it even easier to correlate your browsing regardless of device/location.
But many (the undersigned for example) use VPNs for many other purposes:
- Unencrypted WiFi (airport, hotel, etc)
- Secure connectivity but provided by someone you aren't willing to trust (your employer?)
- Fooling Geo-IP based restrictions (hello Netflix/BBC)
- Not having your VoIP traffic mangled by a shitty carrier who's trying to extort protection money from you in the form of some "VoIP-optimized" expensive plan
It's less private for some forms of traffic, but for me, my main goal is to avoid ISP tracking and provide encryption on potentially malicious networks, which it works well enough for.
I think you misunderstand the reason for using a VPN. Privacy is not the same as anonymity.
Let me try to explain. You use a VPN to protect your connection from MiM attacks, for example if you connect to a public wifi-hotspot, or even when you are connected from home. It also gives you some privacy, because nobody can sniff your traffic, but it does not give you anonymity, well it can, but you'll not be able to verify that it does.
Sure, you hide from your ISP, but you can't verify that your VPN-provider is more trustworthy than your ISP. They might actually log everything and send it on to a third party and you'll never know. Hell, they might even be funded by the NSA...
Use Tor if you want anonymity, even though that's not 100% sure either.
It just shifts your traffic egress location to a cloud provider, but this is valuable because all of the last mile Internet providers in the US colluded with the government to get permission to use your internet traffic to sell ads, so if you care about privacy, and not allowing your ISP to inspect your traffic, it's a huge benefit.
AWS will make no secondary use of customer data. The ISPs have told us they will, and the FCC gave them permission to do so. Which one will you trust? I know I would trust AWS any day over the ISPs...
I strongly agree with this, with the one caveat that right now Algo doesn't provide seamless integrated support yet for a VPS provider that offers a flat bandwidth cap (like OVH or Scaleway) vs a high burstable data cap oriented offering like DigitalOcean. The flat bandwidth (generally 100 Mbps on the cheap plans) tends to come at the expense of burst/cpu/disk storage, but none of those matter in VPN vs reliability and not having to ever think about going over limits, even if you want to let family members for example use it. While for a lot of general projects I'd definitely agree with their current easy cloud choices, for this particular application, for most people, I think the likes of OVH or Scaleway or similar would be a far better fit, though I realize the major holdup is Ansible support. Of course, it can still be set up wherever, just without the same ease of use for someone only mildly technically oriented which is how it truly excels right now.
Still, I think it creams every general public offering. I agree with fictioncircle above that the "anonymity" thing is a total red herring. VPNs in this application are fundamentally about creating a hack to let individuals change their Internet access from a natural monopoly situation to a strongly competitive and customer oriented market situation via virtual end point shifting. That's "it", though it's a big deal. But "anonymity" is a far, far trickier problem, requiring not just extensive infosec but also significant opsec. At a bare minimum most people would need to use something like the Tor browser, not just for the "tor" part but for the hardening they put into the browser to make it somewhat harder to get tracked anyway regardless of IP address. I think a lot of the "anonymity" marketing claims some public VPNs make verge on not merely disingenuous but outright dangerous to the extent they can create a totally false sense of security.
No VPN can reliably anonymize you against government agents so I think the con is a non-issue. VPNs are only really useful when the local network is hostile and/or you want some degree of privacy from the sites you visit.
Anyone with sigint capability is going to figure out who you are with a VPN. (i.e. Government agents)
This isn't about pretending to be James Bond, and "hostile" networks with "government agents" and all their "sigint" coming for your secrets.
In the real world, VPNs are mostly used to download copyrighted material. They have a pretty much perfect track record in that regard. Running a cloud VPS, on the other hand, is no more secure than your ISP: they have records, and will share them when ordered to do so.
This is a trade I'm willing to accept. I trust a VPS provider more with those records than I trust either Verizon or Comcast, both of which are motivated by advertising.
"Does not install OpenVPN or other risky servers": so what's risky about OpenVPN? And Algo is properly described as IKEv2/IPSEC? I've read L2TP is recommended over PPTP, but the Algo README says it does not use L2TP, considering it legacy, along with IKEv1.
There are a few main purposes for a commercial VPN:
- accessing non-encrypted stuff on an untrusted network
- firewall bypassing
- Torrenting
- IP ban bypassing (pretty popular for people writing scrapers or trolling)
Anonymous anything is garbage - many of them log and all can be logged by government agencies or datacenter owners ahead of you. Tor or similar is the best option there. Running something like Algo on your own server is pretty bad for both torrenting and IP ban bypassing as you only have a single IP and many cloud providers will accept DMCA and abuse reports.
All in all if you're looking for either torrenting or IP ban bypassing a commercial VPN solution is going to be a better bet. More IPs for cheaper and with lower risks.
I'm really interested in trying this but nervous with how much a cloud service will cost. Is there a free option for a cloud hosting service that I can start with?
Google has a lifetime free tier, AWS has a 1-year free tier, and Digital Ocean referral links for $10 (2 months on the cheapest server) are easy to find.
I second this. I can't make any claims about the security of the client, but the way they handle things is confidence-inspiring.
I have been in touch with them over some issues I have had, and the support is fantastic. I had an issue with mosh over my local network (SSH worked, mosh did not) and got a very detailed reply about why they treated LAN UDP packets that way, and why I was probably not affected since I ran a modern Linux distro and of course the setting that turned that safety feature off.
And, if you don't trust them to make such decisions for you (or you run an unsupported OS) they have regular OpenVPN files.
They definitely aren't just running a VPN to make a quick buck. The amount of guides and such that they offer for integration, etc. is confidence-inspiring as well.
What sold me was their mention of using Qubes OS in-house. They clearly give 100% fucks about keeping their infrastructure safe.
Really? I know the client stores connection logs (configurable) but I asked them directly and they said they didn't log anything if it's turned off. Their privacy policy says the same [1].
If that's the case then I'm switching immediately.
They log when you connect and disconnect, plus what IP you are using when connected. They will pass on DMCA copyright infringement notices (although they say they do not pass on your details to the copyright agent).
Unless they've changed their policy in the last few months, TunnelBear won't let you use SSH over any port other than 22, so if you need to SSH into a server with a non-standard port you're out of luck.
Yeah, my understanding is they whitelist standard ports, and everything else is blocked. They say it's because of BitTorrent, but it prevented me from accessing a server on a non-standard port, so I didn't buy.
I think it's prudent to assume (even if not accurate in every case) that any VPN provider that reaches PIA scale has already been compromised by the relevant State Actor working its jurisdiction.
It's the tragedy of success in the privacy industry.
Except for the fact that PIA has been subpoenaed by the FBI and state police multiple times and PIA could give them dick all. Yes, their servers could be compromised illicitly, but if the NSA or GCHQ is willing to go to that much trouble just to monitor you, you have bigger problems.
>[...] but if the NSA or GCHQ is willing to go to that much trouble just to monitor you, you have bigger problems.
This type of argument contains the assumption that it would be too much trouble for them/not worth it to monitor an affluent anarchist or semi-anti-authoritarian with an above-average IQ.
We've seen that A) their resources are as virtually unlimited as their paranoia B) tech developments have driven down the cost of sophisticated surveillance strategies C) xkeyscore and all of the other releases is confirmation.
This type of argument does us all a disservice by subtly shaming those who care about state surveillance of private (and peaceful) citizens who value their privacy and/or who exercise their right to actively participate in progressive movements that challenge the establishment.
It also embeds an assumption that someone is targeting you instead of people like you. Compromising the servers of a VPN provider makes plenty of sense in the service of full-take or person-of-interest collection.
We've already seen that the NSA actively targets people searching for privacy tools (e.g. Tails, Tor). The act of using a VPN is mildly interest-provoking, so it's far from crazy to suspect that someone might try to scrape everything happening there in case some of it is interesting.
PIA might actually log everything and send to the FBI as a regular part of their operation, hell, they might even be funded by the FBI and you would never know.
You should not trust what people tell you over the internet.
If they have your data but won't give it to the authorities, the result is the same, isn't it? Unless you're suggesting the authorities aren't fooled, and will pry it out of them? That hasn't been the case so far.
They're asking how do you know they didn't hand the data over but just publicly say they didn't? Or that they agreed to give it to the FBI if the FBI would treat it as a confidential source.
I found malware in the PIA installer. Not sure if it was planted by PIA themselves or I was subjected to a MITM attack, and so I would never use any bespoke VPN software again. Best just downloading the OpenVPN config files and plug them into something like Viscosity[0] (which I trust over the more bespoke VPN clients made by the VPN providers themselves).
As a general rule of thumb, I have used various VPN services and made sure to never use their clients. Downloading an OpenVPN configuration file IMO seems the best way to go about it.
Speaking of PIA and not using the provider's client, I've written this simple python script that populates PIA OpenVPN routes for NetworkManager on a bunch of Linux distributions, which then pop right into the system tray or are accessible from nmcli, etc. (https://github.com/dagrha/pypia)
What do you mean "found malware"? You checked the installer and found that some aspect was malicious or some software you are running said it found malware? As the installer seems likely to cause false positives.
You're still better using independent VPN clients, but I would not trust them at all if the installer actually has malware.
I spotted loads of malicious network traffic, and using the Sysinternals Autoruns[0] utility I was able to spot attempts at persistence. I also checked the outbound connections and they were C&C servers. I can't remember if the installer was digitally signed or not, but there was definitely malware in it. I always make sure to opt-out of any adware that might be bundled with an installer, but this seems to have been injected surreptitiously, and installed with very little interaction.
Just be careful with the bespoke VPN clients as they are very juicy targets for MITM attacks. I know I would be going after VPN software if I wanted to do exfiltration for a small subset of users trying to hide their tracks from governments and ISPs.
So an installer was trying to set up autoruns, and the outbound connection IPs were on some list? The first part seems like expected behavior, the second sounds like your list of bad IPs included several that one of the most popular VPN providers use.
This was before the client even connected for the first time. And the IPs were well known C&C servers used for collecting keystrokes and screenshots of your OS.
Checking if their various servers exist on install seems likely. And well known C&C servers probably hide their actual IP, they'd be fairly easy to shut down if they didn't.
[1] https://www.tunnelbear.com/
[2] https://thatoneprivacysite.net/vpn-section/