Grew up in China (moved to Australia in early 2008) where the GFW is in place and getting overwhelmingly powerful, I've been through multiple stages to cross the `great wall`: SSH Dynamic Forwarding, PPTP, OpenVPN and now IPsec (strongSwan). The GFW has evolved so much (capable of massive-scale MITM attacks, DNS spoofing, traffic sniffing etc. - you'll be amazed how capable the GFW is, of course courtesy of the team behind it) that it makes it increasingly difficult for people to access the real Internet.
I've ditched PPTP (not safe any more) and shifted to IPsec (IKEv2 + RSA with X509, IKEv1 + PSK + XAUTH) as it is being used by a lot of MNCs - can't killall. The GFW has developed techniques to detect OpenVPN well and it is easily blocked, so I don't use it at all. Over the past few years many home-brewed protocols have emerged - e.g. shadowsocks and its variants and many others (I've never used any of them).
The best thing to do with a VPN is to understand the basics of the VPN solution of your choice, try to install and configure it from scratch on a VPS and use that as your main protection (encapsulation) while using public Wi-Fi or an untrusted network. There have been many good discussions on how to do this on HN.
NOTE: I am maintaining around 10 strongSwan-powered IPsec VPNs and 2 OpenVPN ones to help family members and close friends access the real Internet (have to keep a low profile though). Funny though, my networking skills evolved with the GFW.
Those applications may require a dedicated server or VPS to run. Once you set it up, it will act like a relay between you and the host you want to access (so that server or VPS must be located outside the GFW's shadow, and you'd better set it up and get it well tested before you move to China).
If you don't want to set up a server all by yourself, you can use Lantern or Psiphon, but they are considered not safe as you don't have any control once data leaves your machine.
I personally use Shadowsocks + my own one made with Golang. Both of them work very well for me. Some people may have had problems with Shadowsocks, but the cause of those problems remains a myth.
ExpressVPN is the only one afaik that is allowed by the Chinese government. You can assume that it is actually not "private".
When I was in China last April, SSTP worked fine (though long-lived connections tend to become slower over time, and then need a few minutes of cool down before being usable again). Most Chinese people I met were using shadowsocks.
I think his assertion is that as it is "allowed" by China's government that they somehow have access to the keys (or the VPN provider is keeping a buffer of the traffic and has an arrangement to provide it to relevant government agencies upon request).
I have no experience with ExpressVPN, so I can't help you with that.
But in a vlog I've watched on YouTube, the host of that vlog said "Over the last couple of days, ALL the VPNs have been very difficult to use". So, I guess that includes ExpressVPN.
I'm in China at the moment using ExpressVPN (been using it for a year by now) and since about two weeks ago only three server locations work well (Hong Kong, Tokyo, Los Angeles). Some others work off and on. Before that most locations worked and some of them, Taiwan for example, used to be very fast. It's still usable for streaming and surfing but I'm afraid the end is near. I think sometime in the future one will have to go with shadowsocks and/or similar protocols/solutions, but until then ExpressVPN is quite convenient (mobile client, router with ExpressVPN client).
I was in China this year and found it surprising that it's as powerful as it is. Consequently, I also found out how powerful not having the entire internet is. The amount of information/sites I wasn't able to access due to it not being accessible at all; or "accessible" but never fully downloadable (i.e. javascript not able to download fully, other assets blocking actual content from being loaded) was staggering.
Coupled with the official cable TV service, which is amusingly abbreviated CCTV[1], and other state-controlled media, it's an eye-opening thing to see (more blatant) information control in action.
> The amount of information/sites I wasn't able to access due to it not being accessible at all; or "accessible" but never fully downloadable (i.e. javascript not able to download fully, other assets blocking actual content from being loaded) was staggering.
Can you read Chinese? I ask because if not, the experience of people who can might be very different.
I'm completely against the censorship; I just wonder how effectively they implement it.
Not OP, but I suppose that people only reading Chinese in China won't notice this much, because most (all?) of what they find is inside the Great Firewall and thus under control (direct or indirect) of the Chinese government. But that's exactly as intended.
Hijacking the top comment to link to something I wrote recently.
As someone who owns, works at and knows the ins and outs of an ISP and has had the 'pleasure' of dealing with many 3-word government organizations, I can't help but feel that many people think privacy exists in some form and using a VPN somehow makes you immune.
Please learn to understand double-speak.
If the FBI says they are having a hard time cracking smart-phones or some kind of encryption, understand that they actually want you to use that security because they have figured out how to get around it.
I may sound like an alarmist, but it isn't intentional - because the government is much much more powerful in terms of resources they can throw at a problem - if they can't crack something they will find a way to intimidate someone to install a backdoor for them while completely denying it in public. This happens ALL the time. Most of us just don't know about it.
"Please learn to understand double-speak. If the FBI says they are having a hard time cracking smart-phones or some kind of encryption, understand that they actually want you to use that security because they have figured out how to get around it."
Do you have any evidence, or is this just speculation? I can buy that governments have access to zero-day exploits; I don't buy that every form of encryption they complain about has secretly been broken.
I just went to Shanghai, bought a local SIM card and installed any VPN app from the App Store on my phone (I used "HexaTech"). Had no problems at all with it, even with the free tier. I was kind of surprised how easy it was to get through the GFW.
Being in China now, I can say that just because it works doesn't mean that it's great. I think the government has demonstrated multiple times that they can block and throttle VPN connections at the flick of a switch. If one works, it's because of the government's mercy, not because of some circumvention team's ingenuity. That's my final conclusion. Yes, new methods might break through those times the switch gets turned on to block, but those new methods get blocked eventually too. It's an arms race where one side has near unlimited funding.
The most terrible fact about the GFW is that it makes people forget they have a chance to access the other part of the internet. Most netizens here don't even have an idea to cross it.
I'm in Beijing. After ExpressVPN was down a friend of mine recommended giving NordVPN a try, as Astrill looks like China's government VPN which logs everything. And I was surprised - Nord works significantly and costs just over 3 bucks.
Another option is roaming on a foreign SIM card - this usually bypasses the GFW quite effectively; roaming is effectively a VPN back to the home provider, and there seems to be some whitelist for these roaming tunnels. The providers probably provide surveillance access to the Chinese govt, but you will not have trouble accessing Google and other blocked sites, and any VPN you like should work fine through a roaming SIM.
Whether you can find one with reasonable data rates in China is probably the main question.
Two that I have used with great success are Kyivstar from Ukraine and China Unicom HK (note it must be HK, not mainland China). Others may be listed at [0].
I can confirm that the foreign SIM card override works from my experience a couple of years ago.
My T-Mobile had free international roaming baked in at 2G speeds. Unlike the US however, most foreign carriers in developed Asian nations (China/Korea) don't support 2G fallback, so I had free 3G everywhere.
It was pretty much like using the American internet.
Try to change the default port 1194 to something else (e.g. 443) - this may not help as the GFW has the ability to detect OpenVPN specific traffic.
If it is only for yourself and traffic is very little, it may survive the period of your stay in China. Nobody I know in mainland runs OpenVPN any more so I cannot really prove that, sigh...
I used PIA with relative success. The caveats being:
1. DNS resolution may not work, so you'll need to find a way to resolve the domain name (i.e. hk.privateinternetaccess.com) to IPs for your config.
2. Even if you get an IP it may not work all the time. You will have to keep resolving the domain name for another IP (or maybe just look at all the DNS records?).
EDIT: I should mention I used PIA's PPTP (yes, it's discouraged but it worked for my purposes) and L2TP configurations just fine.
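The two caveats in the comment above (the provider's hostname may not resolve, and any single address may stop working) are handled in practice by resolving once from somewhere DNS does work and pinning every answer into the client profile. The following is an added example, not PIA's configuration or any commenter's code: the port, option set and addresses are placeholders to be replaced with the provider's published values. It also discards answers that cannot be a public VPN endpoint (private, loopback, link-local ranges), which is what a broken or spoofing resolver typically hands back.

```python
"""Build an OpenVPN client profile from already-resolved server addresses.

Added example (not PIA's config or any commenter's code). Addresses in the
sample are from the RFC 5737 / RFC 3849 documentation ranges and stand in
for a provider's real endpoints; port 1198 is a placeholder.
"""
import ipaddress

# Ranges that can never be a provider's public endpoint. A poisoned or
# broken resolver commonly answers with one of these.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def usable_endpoints(answers):
    """Keep answers that parse as IP addresses and fall outside BOGON_NETS,
    deduplicated, preserving the order they were returned in."""
    seen, out = set(), []
    for raw in answers:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # empty line, CNAME text, garbage: not an address
        if any(ip in net for net in BOGON_NETS):
            continue  # cannot be reached from outside; almost certainly a bad answer
        if ip in seen:
            continue
        seen.add(ip)
        out.append(str(ip))
    return out


def build_client_config(endpoints, port, proto="udp", ca_file="ca.crt"):
    """Return a client profile with one `remote` line per pinned address.

    OpenVPN moves to the next `remote` when a connection attempt fails, and
    `remote-random` starts from a random one so users spread over the set.
    """
    if not endpoints:
        raise ValueError("no usable endpoints after filtering")
    lines = [
        "client",
        "dev tun",
        f"proto {proto}",
        *[f"remote {ip} {port}" for ip in endpoints],
        "remote-random",           # pick a random starting remote
        "resolv-retry infinite",   # keep retrying rather than exiting
        "nobind",
        "persist-key",
        "persist-tun",
        "remote-cert-tls server",  # reject a peer cert not marked as a server cert
        f"ca {ca_file}",
        "auth-user-pass",
        "verb 3",
    ]
    return "\n".join(lines) + "\n"


def sample_profile():
    """Constructed resolver output (two good A records, one AAAA, a duplicate,
    two bogus answers and a non-address line) turned into a profile."""
    answers = ["203.0.113.10", "10.0.0.1", "203.0.113.10", "127.0.0.1",
               "vpn.example.net.", "203.0.113.22", "2001:db8::5"]
    return build_client_config(usable_endpoints(answers), port=1198)


if __name__ == "__main__":
    print(sample_profile())
```

Re-run the resolution from time to time and regenerate the profile; the point is that the client no longer depends on DNS at connection time, and the `remote-cert-tls server` line keeps the pinned-IP approach from weakening server authentication.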
A few months ago, I went to Shanghai. Before going to China, I set up Shadowsocks on my server. My 4G network is a roaming SIM card. I can surf Google Maps over my SIM card without any proxy or VPN. To prevent sniffing, I always connect to the network via OpenVPN with a non-default port.
In the hotel, the Wi-Fi network cannot connect to many sites. Sometimes I can connect to the Internet via OpenVPN, but Shadowsocks is more stable.
If your VPN server is used by many users it tends to be detected and blocked by the GFW. In case you find managing shadowsocks servers cumbersome, you may want to check out https://foxshadowsocks.com. They manage shadowsocks servers for you and allow you to move servers across regions (to get a new IP).
International companies can apply for a VPN, which allows them to legally use one. They need to attest that it will be used for business purposes; this should sensibly be part of the negotiation process when investing and establishing a presence.
I'm not sure about VPNs? As I understand, it's corporate lines to overseas that are allowed. That's what we use: we lease bandwidth on a major submarine cable that goes to California and sign a contract that says we won't be using it to break laws, and we tell our employees to only use it for work.
The data has to get from office to submarine cable, VPN is needed. When logging in from home, I need to select the end-point of the VPN, so I'm pretty sure it is a VPN. This is common with any country - connecting to the corporate network must be via VPN (unless the corporate is crazy and in violation of many laws disclosing customer data).
Nope, ISP gives us fiber that goes from our PoP in Shenzhen to Guangzhou to Hong Kong (roundabout way because they have no fiber direct from Shenzhen to Hong Kong), and somewhere down the line, it hooks up with the submarine cable. No VPN at all.
If it is a loophole it is not legitimate. To keep business and trade IN ORDER it would be legal. I think some of the loopholes are “honeypot” just to capture potential intelligence.
SSH dynamic forwarding (ssh -D) to do application-level port forwarding and configuring the browser to use the remote host for DNS lookups was one of the earliest techniques to bypass the GFW and was countered by the GFW a long time ago. The wall can easily detect non-administrative SSH traffic and block it. So I won't recommend using it; it is not reliable.
When evaluating a VPN service for trustworthiness, I always look at what their webpage loads in terms of tracking scripts.
Basically, if you offer me the service to protect my IP address and don't even have the decency to let me inform myself about your offering without handing over my IP address to Google et al., then I'm not using your service.
Unfortunately, VPN providers collectively don't seem to be aware of this presentation layer, so it's nigh impossible to find one which doesn't violate privacy here.
So far, I've found exactly two: azirevpn.com and airvpn.org
They load in Piwik, which I'm okay with.
These two providers also check a lot of other boxes for me, but yeah, it's still just two providers after hours of research, so if anyone knows any other VPN providers with privacy-respecting webpages, please do tell.
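The check the comment above describes (what a provider's landing page makes the browser load before you have signed up) can be done mechanically. The following is an added example, not code from the commenter or from any VPN provider: it parses an HTML page and lists every host outside the page's own domain that a visitor's browser would contact, which is every host that receives the visitor's IP address. The page content and hostnames are constructed for the demonstration; the first-party/third-party split uses a rough eTLD+1 rule, so a self-hosted Piwik on a subdomain counts as first-party while a tag from another domain does not.

```python
"""Audit an HTML page for third-party resource loads.

Added example for this thread (not any poster's or provider's code). The
sample page and all hostnames in it are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value is fetched when the page is rendered.
FETCHING_ATTRS = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "iframe": ("src",),
    "link": ("href",),  # stylesheets, preconnect, dns-prefetch, icons
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}


def registrable_domain(host):
    """Approximate eTLD+1: the last two labels. Adequate for .com/.net/.org;
    a production tool would consult the Public Suffix List (co.uk, com.au ...)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every fetching attribute in the document."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCHING_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # "url1 1x, url2 2x" -> each URL separately
                for candidate in value.split(","):
                    parts = candidate.strip().split()
                    if parts:
                        self.resources.append((tag, parts[0]))
            else:
                self.resources.append((tag, value.strip()))


def third_party_hosts(html, page_url):
    """Return {host: sorted tags} for every host outside the page's eTLD+1."""
    own = registrable_domain(urlsplit(page_url).hostname or "")
    parser = ResourceCollector()
    parser.feed(html)
    found = {}
    for tag, url in parser.resources:
        if url.startswith(("data:", "javascript:", "blob:")):
            continue  # inline payloads, nothing is fetched
        host = urlsplit(url).hostname  # handles http://, https:// and //host/path
        if not host:
            continue  # relative URL: served by the page's own host
        if registrable_domain(host) != own:
            found.setdefault(host, set()).add(tag)
    return {h: sorted(t) for h, t in sorted(found.items())}


# Constructed landing page: first-party assets, a self-hosted Piwik on a
# subdomain, and several third-party loads.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="preconnect" href="https://fonts.example-cdn.net">
<script src="/static/app.js"></script>
<script src="https://analytics.example-tracker.com/tag.js"></script>
<script src="//stats.example-vpn.com/piwik.js"></script>
</head><body>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<img src="https://pixel.example-tracker.com/p.gif" srcset="https://cdn.example-images.org/p.gif 2x">
<iframe src="https://video.example-embed.com/embed/x"></iframe>
</body></html>"""


def audit_sample():
    return third_party_hosts(SAMPLE_PAGE, "https://www.example-vpn.com/")


if __name__ == "__main__":
    for host, tags in audit_sample().items():
        print(f"{host:35s} {', '.join(tags)}")
```

Static parsing understates the problem: scripts that run after load can inject further third-party requests, so the list above is a lower bound, and a page with zero third-party hosts in the HTML can still phone home once its first-party script executes. Checking the browser's network log on a real visit is the complementary step.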
Fully aware that I sounded like a dick there. I even apologized for it.
As for sorting out my threat vectors, I think you should sort out your threat vectors, if you don't consider the biggest data broker on the planet to be part of that.
But even if you yourself are entirely unaware of Google being a threat vector, I do think I made it abundantly clear in my initial comment that I don't want my IP address shared with Google, so then linking me to a Google webpage has got to either be a bad joke or so incredibly oblivious that I very much do think, it warrants a dick response.
First of all, your apology still made you sound like a dick. Secondly, enlighten me, what is the threat in reading an open spreadsheet on Google detailing pros and cons of different VPN vendors?
What I know is that Google will store that data point indefinitely and will correlate it with a near-infinite number of other data points to generate conclusions about me. Whether those conclusions are right or wrong doesn't even matter.
They'll also make these data points and conclusions available to intelligence agencies around the world. Which might use it to damage me as part of the ongoing cyber war or if it's my own country's intelligence agency, then they might use it against me, in case I'm unpleasant for the reigning government.
I consider something safe when I know that it's safe, not when I don't know it to be unsafe.
It is the first time I have ever encountered a philosophy close to mine about this subject.
Check out my VPN service, DataBuster[0]. I made the VPN only for myself at the beginning but my friends requested the features and it became a viable product.
The only "tracking" I do on the main page is a passive analysis of Apache logs made with Piwik, so there is no visible JS tracking code or third-party tracker.
Why does this matter for anyone not doing something that would attract the attention of a government agency? If you're running illegal weapons, sure. But if you're just trying to connect to your company's server or prevent Comcast from seeing your search history, this shouldn't matter. It reminds me of the recent uproar over Facebook supposedly listening through the mic at all times. It sounds like a severe lack of appreciation for how much data we leak at any given moment.
What I mean is that just by reading this thread, we've all been added to whatever VPN user list the (insert bad guy name here) has set up. From there it's just simple data mining. One of the easiest ways to link user to VPN service might be through tracking scripts, but that's not specific to the VPN sites. Presumably you're researching which VPN and then reading more on specific VPNs as you narrow down your choice. Then you want to be "anonymous" so you search for bitcoin info. Then you suddenly stop searching for bitcoin and VPN info. So, you have the data from all those searches (specific breadcrumbs), the length of time searched (length of time correlated to how serious and educated you are about the topic), the time the searches stopped (correlated to VPN subscription start), your previous un-anonymized topics of interest that led to the search for VPNs, the exit nodes of the VPN you probably chose, etc. That's on top of all the physical variables - when you're likely to be awake, schedule of connections, location, etc.
I would argue that just having a tracking script on the VPN provider's website is a drop in the bucket, even from a legal perspective - it's better to have a preponderance of evidence. You're not giving 'them' any more information than they'd already need for a search warrant, which is the real danger threshold for this conversation.
Be cautious of the potential legal headaches, register it as a limited liability company, and host away from your place of residence (so police don't raid your home).
Even if you're entirely above board, your users may not be. Child porn, illegal substances, gambling, stalking/bullying, fake emergency calls, bomb threats, and so on. Your users are just waiting in the wings to place you into law enforcement's crosshairs.
If I opened a VPN I'd spend 10% on equipment and the other 90% on lawyers, fraud prevention, and liability insurance.
This is good advice. I had to deal with crap like this just from running a high traffic message board. Not OP, but I want to do this as a side project just for myself though.
Windscribe.com appears to be behind Cloudflare, which means that they allow a third party to MITM https connections to their site. I would not trust their service.
I always ask this on the VPN threads here, and don't feel like I get a solid answer (I'm not particularly well-versed on the topic so I'm genuinely curious and would love to be corrected).
If I go to Bob's website on my computer without any VPN, and Bob wants to find me, all he would need to do is get my IP, call my ISP with a warrant, and then get my information.
If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions. Then he calls the VPN company, and asks them to associate the IP and specific browser sessions with me. In that case a) the VPN really does store logs even though they advertise they don't, so they're able to associate me with my activity, or b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.
It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?
So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?
If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users? Wouldn't it be easier for Bob to call AWS with a warrant and get your account info than mess with some offshore VPN provider?
> So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?
The downside in a nutshell:
"Researchers recently tested 300 free VPN apps on Google Play and found that nearly 40 percent installed malware or malvertising on users’ machines."
"Bob" very likely doesn't know you even exist and doesn't care. The downside of VPNs is that many VPN hosting companies are even less trustworthy than "Bob" and do care who you are. An unscrupulous VPN provider can MitM your connections, harvest anything you give the VPN's app privilege to see (probably a lot), etc.
Step one of security is to understand the threat you want to defend against and make sure your defense against that is (a) adequate, (b) appropriate, and (c) not compromising you in other ways.
Also, don't choose a VPN based on some online review. Most of those are basically paid advertising. Either "pay if you want a good review" or "pay more for higher rank", or stuff by independent affiliates, who get paid for referrals.
Better, choose VPNs that have been recommended by consensus in relevant communities. Torrent users. Wilders. Me ;) And by the way, I do consult for IVPN, but my opinions are otherwise unbiased.
well, I've suspected that. But can you point to evidence?
I wrote a post last summer for IVPN's blog. Bottom line, AhnLab and Emsisoft seemed to be the only commercial ones that don't share data.
AhnLab: “AhnLab will not collect any personal information other than [data collected during software use] and will not disclose such data to any third party.”
Emsisoft: “Any information we collect from you is only used by us to serve you better. Your information is never given to a third party.”
They've been recommended by a lot because they recently backed up their claims of no logging (FBI asked them for data, and they couldn't provide it). You'll see that they are ranked pretty high on this list, where there are some breakdowns. They are pretty cheap and popular too. Popular helps by making associations more difficult. That is seeing a VPN server accessed page X and that you were accessing the VPN server at said time. A college student was connected to a bomb threat by this method, being he was the only one on campus to be using Tor at the time the bomb threat was made (from Tor). You'll be fine with any VPN that is relatively popular and doesn't do any tracking.
A relevant detail to that story is that he admitted his guilt under questioning. Had he continued to deny any involvement, they would not have been able to prove that he was sending the bomb threat, as it could have been from someone who wasn't on campus.
Very true. But there have been several instances of cases like this. And this thing doesn't matter if your VPN logs or not[+]. But what I was trying to point out is that these types of access collisions are important to understand. And why I don't think people should roll their own VPN.
[+] I'm not trying to advocate crime here or advising how to avoid it. Just trying to bring to light a vulnerability.
Criminals are great examples, because their OPSEC failures are often detailed in court records, reported in the media, and discussed online. One of my articles on IVPN's website uses several such OPSEC failures (Silk Road, Sheep Marketplace, etc) as examples.
Enough. You do this on every mention of PIA and you have been told to stop or get banned [0]. I don't know why you are on this crusade when there is not even the slightest hint of wrongdoing [1] so please, easy on the conspiracy theories.
It's not about conspiracy theories, but about concentration of power.
If control of PIA — for whatever reason, and be it that Andrew Lee dies and his heirs sell it, or that he can't finance it anymore, or that a three-letter agency forces him to — ends up in the wrong hands, then also all of Freenode and Snoonet end up under control of that entity.
It's not that I don't trust PIA, but that I fear that PIA itself may end up in the wrong hands.
And I'm not on a crusade against PIA — I won't complain about their donations without requirement to advertise in return to projects such as KDE, with a transparent funding process.
But I am on a crusade against centralizing any services, be it killing XMPP federation (thanks, Google), be it pushing a "secure" Messenger that is bound to a single social graph and server infrastructure controlled by one group in the US (thanks, Moxie), or be it a single company gaining significant control over several major IRC networks, clients, libraries, and over Matrix at the same time.
To be honest, my only problem with them is their customer service. And their phone app. My connection is half speed on my phone. :( They also have some strange problems with the linux app (which I wish they would open source). Otherwise I'm really happy with them.
I actually haven't. I will try later and report back. But I have a 60/30 connection (down/up) and am getting 26/5, after messing with settings (which strangely is using TCP instead of UDP). And yes, this is under 5G, and I've tried multiple servers.
As for the Linux side, their app just needed some better instructions on their site, and then works fine. So I'm not really upset on that, just had to argue with tech support for awhile to get transferred to somebody that knew what I was talking about.
Yes, and interestingly, the Freenode staff had previously disabled Tor access to the Freenode network for over a year or so because of "attacks" which they claimed they could not handle. This was a pretty flimsy excuse once I finally found someone that knew the technical details, and though I chased the "right" people down several times to ask why Tor access had not been enabled, I never got a good answer. Cue PIA taking over Freenode, and within a couple of weeks, Tor access to Freenode was once more enabled. I've been a happy PIA customer for some years now, but that left such a huge and positive impression on me. I'm not completely sure the two things are simply correlated, but after talking to all those Freenode staffers over the years about it, I can't imagine it wasn't pushed by PIA.
I was actually primarily talking about their donation to the Krita Foundation [1], but yeah, it's good to be aware of the above, even if thus far I haven't seen anything nefarious from them.
I'd use them. They're among the least expensive. And they don't seem to retain logs or detailed access records, based on testimony to a US court. But that was about an exit in the US, where there's no legal requirement for VPNs to log. Where there are such legal requirements, maybe they (or any other VPN) would retain and produce logs.
When I checked in mid 2016, their custom Windows client leaked while the VPN was reconnecting after uplink interruption. But then, only six of the 29 VPNs that I tested didn't leak: AirVPN, FrootVPN, IVPN, Mullvad, Perfect Privacy and SlickVPN. Strangely, FrootVPN didn't leak using open-source OpenVPN, suggesting that they're doing something unusual at the networking level. PIA's OS X client didn't leak, however.
They do tend to oversell their servers, however. So you'll often get less throughput than with AirVPN, IVPN or Mullvad.
I've been very happy with PIA. It's cheap with minimal impact to my bandwidth. The concern is that, like all VPNs, we are trusting them not to keep logs. PIA claims that they proved in court that they do not keep logs because they provided no useful data to an FBI request. There's a debate over whether this proves they don't keep logs or not here:
Is this semantics? I am uncertain. I do think that it's in PIA's best commercial interests not to keep logs. It's the core of their business model. The moment a PIA customer's identity is revealed through them is the moment they lose all business.
I think they're good, but there are some downsides. Sometimes traffic can really slow down because they're _too_ big.
Another issue is, all their IPs are well known. When browsing while connected to them, you can run into a lot of issues: captchas, blocked sites, etc.
The other day I was accidentally connected and made a purchase. What a giant headache. My purchase was flagged and blocked and it took a lot of my time to call the company and get it cleared up.
A few weeks back I ran into the same issue with accidentally making a purchase while connected to PIA. Mine was also flagged and I had to jump through several hoops to prove I made the purchase. It was a pain but I completely understand why that happened and I'm still very happy with PIA.
I will mention that while it doesn't magically fix slow speed issues, they have the ability to report a slow server through the app (on Windows, I can't attest to any others). You just right click the icon in the notification tray and click "Send Slow Speed Complaint." They do add more servers in areas that are overloaded.
I've used PrivateInternetAccess, they are trustworthy, but US based so count on them rolling on you if someone has a good reason to be interested in you.
Well, they apparently didn't roll for a US court, in a case involving harassment, as I recall. Would they roll for the NSA? How would they handle a NSL? I have no clue. Their founder has said that, although he lives in the US, none of their server admins do.
>"Buy the gift card with cash then there is no trail."
Until it's important enough for them to track down the card, figure out when it was bought, go over the security footage of who was buying at the time, extract footage of you buying it. They can then extract your face and match against a DB. Or perhaps see what car you enter into, and extract its license plate.
Heck, even if they don't have that, they can ask the cell-phone companies to see which phone-numbers were connecting to the nearest tower during that period. That already narrows down the list to say, 1000 people?
We're almost there. All the technology is already in place, and the only thing stopping it from happening is consolidation.
I have been pleased with their service. It wasn't much hassle to set up, particularly. Was certainly a little trickier on my linux machine.
I find the speed has almost been completely acceptable. I have had only a handful of times where it seemed sluggish and bogged down.
I know there is a some question of whether they can truly be trusted? Do they truly not keep logs? And they are US based which are all things to consider. I weighed those factors against the customer reviews, price, and simplicity of their service, and I think my choice has served me well. Their rates are dirt cheap for what seems to be a reliable service.
Well, of course I would! They're one of the oldest. Except for the first generation, anyway, such as Anonymizer (now basically owned by the CIA) and Cryptohippie (still very cool, but very expensive).
And they have great clients for Windows, OS X and iOS. I've found a few others that are just as leak-free.[0] However, the data there are old, and just about all VPN services have improved their clients. What's most relevant about the site is the testing protocol. There's more about that in an IVPN guide.[1]
I also recommend AirVPN, Mullvad and PIA. But not necessarily for their clients. I mean, IVPN doesn't have a custom Linux client. So in many cases, you need firewall rules. And you need to make sure that you're not using an ISP-assigned DNS server with the VPN.
Even better, with Mullvad you can now use WireGuard instead of OpenVPN, for considerably better performance and possibly better security. I've configured my EdgeRouter Lite to route all wifi traffic on my default home network through WireGuard for a couple of weeks and it has worked very well.
You can use open-source OpenVPN with any VPN service that offers OpenVPN connectivity. You can also use AirVPN's client Eddie, which has a pretty decent built-in firewall.
My VPN activities run on an old Windows box, and I did not want to trust the VPN clients to not fail and blast my data in the open for a day or two before I noticed. I ended up writing a SafeVPN Windows service that kills processes within 30 seconds of VPN failure.
I used PIA for a couple of years without issue, but then it went into some kind of decline for me, always driving network traffic to zero after a few hours. After changing hardware and reinstalling the OS with no effect, I finally tried AirVPN and things went back to normal. AirVPN is a bit more expensive, but their client is light years ahead of the PIA client.
It's better to use Windows Firewall, because blocking is virtually instant. Basically, you set LAN as a private network, and the VPN as a public network. For LAN, you allow connections only to the VPN server(s) that you use, plus a DNS server that's not associated with your ISP. You can also allow connections to other LAN devices, if you like. For the VPN, you allow all output, but only input for established connections.
No, sorry. I used to know a URL, but ... And most of your search hits will feature application-level blocking, which seems silly to me. Also, I don't use Windows much anymore. And I've forgotten the specifics.
But. It's basically what I described. For public VPN network, just use the default (all output, only established input). For private LAN, deny all output and input, and allow output to selected IP addresses (VPN and DNS servers).
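The two kill-switch designs in this thread differ in their window of exposure: the process-killing service above reacts up to 30 seconds after the tunnel drops, while the firewall profile split described in the last two comments has nothing to react to, because the LAN interface was never allowed to carry anything but the tunnel itself. The following added example (not any commenter's code, and not a Windows Firewall export) models that rule set and walks constructed flows through it. Interface names, addresses and ports are placeholders; the rule logic is the one the comments state: LAN profile default-deny with pinholes for the VPN server(s), one chosen DNS server and optional LAN peers; tunnel profile all outbound, inbound only for replies.

```python
"""Model of a firewall-based VPN kill switch.

Added example for this thread (not any commenter's code). It encodes the
described policy and evaluates constructed flows, including the leak cases
the kill switch exists to stop. Addresses are RFC 5737 documentation ranges.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    iface: str       # "lan" (physical uplink) or "vpn" (tunnel adapter)
    direction: str   # "out" or "in"
    remote_ip: str
    remote_port: int
    proto: str       # "udp" or "tcp"


class KillSwitchPolicy:
    def __init__(self, vpn_servers, dns_server, lan_peers=()):
        self.vpn_servers = set(vpn_servers)   # (ip, port, proto) reachable over the LAN
        self.dns_server = dns_server          # resolver chosen by the user, not the ISP's
        self.lan_peers = set(lan_peers)       # local devices that may be reached directly
        self.established = set()              # outbound flows whose replies are allowed

    @staticmethod
    def _key(flow):
        return (flow.iface, flow.remote_ip, flow.remote_port, flow.proto)

    def decide(self, flow):
        """Return "allow" or "block", updating the stateful table on allowed egress."""
        if flow.direction == "in":
            # Both profiles: inbound only as the reply to something we sent
            return "allow" if self._key(flow) in self.established else "block"
        if flow.iface == "vpn":
            allowed = True  # tunnel profile: all outbound traffic
        else:
            # LAN profile: default deny, with the three pinholes
            allowed = (
                (flow.remote_ip, flow.remote_port, flow.proto) in self.vpn_servers
                or (flow.remote_ip == self.dns_server and flow.remote_port == 53)
                or flow.remote_ip in self.lan_peers
            )
        if allowed:
            self.established.add(self._key(flow))
            return "allow"
        return "block"


def run_scenario():
    """Drive constructed flows through the policy; returns [(label, decision)]."""
    policy = KillSwitchPolicy(
        vpn_servers={("203.0.113.10", 1194, "udp"), ("203.0.113.11", 1194, "udp")},
        dns_server="203.0.113.53",
        lan_peers={"192.168.1.20"},
    )
    steps = [
        ("tunnel handshake to VPN server", Flow("lan", "out", "203.0.113.10", 1194, "udp")),
        ("handshake reply from VPN server", Flow("lan", "in", "203.0.113.10", 1194, "udp")),
        ("HTTPS inside the tunnel", Flow("vpn", "out", "198.51.100.7", 443, "tcp")),
        ("HTTPS reply inside the tunnel", Flow("vpn", "in", "198.51.100.7", 443, "tcp")),
        ("unsolicited inbound on the tunnel", Flow("vpn", "in", "198.51.100.99", 22, "tcp")),
        ("DNS to the chosen resolver", Flow("lan", "out", "203.0.113.53", 53, "udp")),
        ("DNS to the ISP resolver (leak)", Flow("lan", "out", "192.0.2.53", 53, "udp")),
        ("print job to LAN printer", Flow("lan", "out", "192.168.1.20", 631, "tcp")),
        ("tunnel down, app retries over LAN (leak)", Flow("lan", "out", "198.51.100.7", 443, "tcp")),
        ("LAN to VPN server address on an unlisted port", Flow("lan", "out", "203.0.113.10", 443, "tcp")),
    ]
    return [(label, policy.decide(flow)) for label, flow in steps]


if __name__ == "__main__":
    for label, decision in run_scenario():
        print(f"{decision:5s}  {label}")
```

The model shows the trade-off the reply below raises: the pinholes are per address, so a client that picks a server from a large, changing pool needs either the whole pool listed or a resolver-based approach, whereas a fixed set of servers makes the policy small and auditable.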
Interesting feature of Windows firewall, thanks. As the AirVPN client connects, it checks several hundred servers for the lightest load, so for that default behavior, I don't know which IPs to configure locally.
AirVPN, IVPN, Mullvad or PIA. They've all been around for several years, and focus on privacy. And I've never heard anything bad about any of them. PIA is the least expensive, and IVPN costs the most. AirVPN and IVPN are probably the fastest. IVPN and Mullvad probably have the best technical expertise.
Say for instance there are two VPN services. Both have 100,000 users. One makes $1,000 a year off of advertising, and the other makes $1,000,000 a year ($9/month). Now both are approached by a nefarious gentleman who offers them $20,000 a year to harvest their users' information. But every year there is a 25% chance people find out and your service is shut down.
Who takes the deal? Maybe the free guy, but very few people would risk a 1M/year revenue stream to make a little extra cash, but someone might risk a much smaller revenue stream for a comparatively bigger payoff.
Payment means there may be a viable business model other than sharing private information. Realistically I don't know how you can ever be sure, but I'd absolutely never trust a free VPN service.
Why not just use a trusted solution like OpenVPN and only use providers who provide OpenVPN servers? That immediately gets rid of one half of your problem; and as for the other half, VPN services that allow for connections via OpenVPN are likely to be more trustworthy. In addition, the VPN company can't MitM connections which are already on an encrypted channel outside of the VPN connection.
This suggestion is intended to solve the "free VPN app installs malware" problem and not solve the "VPN provider who actually logs/is in league with govt/MPAA/etc" problem.
OpenVPN is a protocol. If the VPN provider supports it, you set it up in your own client that supports OpenVPN. Using a VPN provider that requires you use some proprietary app is madness.
I recently signed up for such a service, in order to get my Nintendo Switch online for multiplayer gaming. My home internet connection is sub-let from the landlord and could be considered semi-hostile -- not able to connect to peers on the Switch due to triple NAT, and I suspect some QoS throttling as well. The VPN solves my routing problems, but if anyone has a suggestion for another option here I'm all ears.
It is irrelevant what software the provider is using as long as they use the OpenVPN protocol. This will be obvious to anyone who tries to connect using OpenVPN.
To the client side or the server side? On the client side, you should download the code from a location you trust. On the server side, it is irrelevant if something is added to the software for the attack we are discussing.
It's arguably no more a "hack" than TLS is one. Right?
Re OpenVPN vs IKEv2/IPSec, this IVPN FAQ seems accurate.[0] But then, I helped edit it, so I'm biased. Still, if anyone can point to inaccuracies, I'll recommend fixing them :) The major weakness is pre-shared IKE keys.
On the other hand, I get from IVPN that the IPSEC implementation in iOS is very secure.
Don't see why you're getting downvoted. From a user standpoint, IKEv2 doesn't require a secondary client and integrates with most major OS better.
For example: It's way easier for a client to install a mobileconfig on iOS that supports on-demand VPN than it is to have them download and configure OpenVPN. Fairly set and forget.
OpenVPN protocol is sorta weird (I wrote a clean room client and server impl). But IPSec stuff is such a pain to deal with that it is not worth it despite it having better OS integration.
>So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?
Rarely addressed: VPN CLIENT ISOLATION.
The majority of us sit behind a NAT'd address range provided by our physical router, thus isolating our machines via a hardware router / firewall from our ISP. When you connect via a VPN, you are not automatically isolated from other client-peers on that VPN and must implicitly trust the VPN provider has properly configured client isolation. You can do testing, like firing up Wireshark and listening for broadcast traffic or simply by trying to nmap other hosts on the network, however, whatever you find could change with a configuration setting at any time.
One way to further "secure" this would be to run the VPN client on a hardware router like pfSense (instead of directly on your laptop) and block all incoming connections on the vpn client tunnel interface?
A disadvantage of this method would be that the Wi-Fi signal from your laptop to the router is no longer secured by the VPN...
That's how I do VPN. I have my ISP connected router, then a DMZ network with my test servers & three routers: 1) guest, 2) main, 3) VPN. I then use a virtual LAN from (2) to (3) over a virtual interface on (2) to connect to (3) which is NAT'd. Honestly though, the whole advice of "get a VPN to be secure" is ridiculous because it can end up exposing you far more than what you were previously, especially if you are running a VPN client on a host that is running a media client / server like Plex, Kodi, WinAmp, iTunes (Bonjour), etc. If you are a developer and using The Fiddler, Charles Proxy, or the Burp Suite, then there's an easy route to the rest of your internal network. I know the first time I was on a VPN and saw someone on the VPN come through my interception proxy it freaked me out enough to instantly understand the dangers of VPN services.
It's more effective to block what you want on your host firewall and not rely on the network to keep you safe.
"Processing in hardware", meaning application-specific hardware acceleration, is not a plus in security-related things: it's not safer, it doesn't exist in most boxes, and it's often impossible to field-upgrade when bugs are found. It's done to speed things up/lower cost at large scale, but that's irrelevant for consumer/small office gear.
>It's more effective to block what you want on your host firewall and not rely on the network to keep you safe.
I agree and am a big fan of host firewalls and host intrusion prevention systems, however, they must of course cover the VPN tunnel in their scope. In many cases they do not.
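The rule set described in the Windows Firewall comments above (LAN side: only the VPN endpoint and a non-ISP resolver may be reached; tunnel side: anything out, only established flows in) plus the point that the host firewall must cover the tunnel interface, written as an nftables ruleset for a Linux host. This is an added example, not code from anyone in the thread; interface names, the TEST-NET endpoint 203.0.113.10 and the resolver 9.9.9.9 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a Linux "kill switch" in nftables that
# mirrors the Windows Firewall rules described above and also covers the tunnel
# interface. All values are placeholders passed as arguments:
#   LAN_IF     physical interface (e.g. eth0 or wlan0)
#   VPN_IF     tunnel interface the VPN client creates (e.g. tun0 or wg0)
#   VPN_SERVER VPN endpoint address (203.0.113.10 is a TEST-NET placeholder)
#   VPN_PORT / VPN_PROTO   endpoint port and protocol (e.g. 1194 udp)
#   DNS_SERVER resolver that is not the ISP's (9.9.9.9 used as a placeholder)

# gen_killswitch LAN_IF VPN_IF VPN_SERVER VPN_PORT VPN_PROTO DNS_SERVER
# Prints the ruleset to stdout so it can be reviewed before it is applied.
gen_killswitch() {
    lan_if=$1 vpn_if=$2 vpn_server=$3 vpn_port=$4 vpn_proto=$5 dns_server=$6
    cat <<EOF
flush ruleset
table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # LAN side: DHCP replies and answers to flows this host opened
        iifname "$lan_if" udp sport 67 udp dport 68 accept
        iifname "$lan_if" ct state established,related accept
        # tunnel side: answers only; other clients of the provider never get
        # to open connections to this host, whatever the provider configured
        iifname "$vpn_if" ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        # LAN side: DHCP, the VPN endpoint and the chosen resolver, nothing else.
        # Queries to that resolver still cross the LAN in the clear; resolving
        # through the tunnel instead avoids that.
        oifname "$lan_if" udp sport 68 udp dport 67 accept
        oifname "$lan_if" ip daddr $vpn_server $vpn_proto dport $vpn_port accept
        oifname "$lan_if" ip daddr $dns_server udp dport 53 accept
        oifname "$lan_if" ip daddr $dns_server tcp dport 53 accept
        # everything else may only leave through the tunnel
        oifname "$vpn_if" accept
    }
}
EOF
}

# apply_killswitch: load the generated ruleset (needs root and nftables).
# If the tunnel drops, the output policy leaves nothing but the VPN endpoint
# reachable, so no traffic leaves in the open while you are not looking.
apply_killswitch() {
    gen_killswitch "$@" | nft -f -
}

# Example invocation with the placeholder values:
#   apply_killswitch eth0 tun0 203.0.113.10 1194 udp 9.9.9.9
```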
It is a configuration option, for sure. But I've never even heard of a VPN service that put multiple clients on the same subnet. It'd be a security nightmare. And I can't imagine what the advantage to the provider would be.
Recently the Federal Government sent malware to certain persons of interest. That malware played a higher-pitched sound than can be heard by the human ear. They were able to track that person and identify them because they heard the sound on the computer's microphone. Tor or VPN can stop this.
I slightly agree. However, these days it seems more and more that "thing elite spy agency does to track terrorist" is on about a 6 months to 1 year lead on "thing startup does to target ads."
> A team of researchers from the Brunswick Technical University in Germany discovered [234] Android apps that employ ultrasonic tracking beacons to track users and their nearby environment.
Tested my kids - they could hear an alleged 21 kHz tone out of laptop speakers. The actual level of the tone doesn't matter - it was above my level of hearing. Wasn't a double blind, but they told me when it started and stopped based on a bash script with random intervals.
I could when I was 20, did a proper hearing test when I joined my company. 15.625 kHz was very noticeable - I scoffed at the old timers who couldn't hear it.
I can no longer hear it. Still I can hear 1 kHz, so that's what's important.
Most wouldn't, I'd imagine OP is referring to a mobile device, look at Android's dev docs, they recommend sticking to 44.1 kHz, which we know does fall into the range of human hearing with its 22 kHz reproduction, albeit fewer people. I'd suspect the person being spied on would become suspicious upon many children they encounter and even more dogs fleeing from their direction.
You're saying that the persons of interest in this case were identified and targeted only based on an IP address and not based on some other aspect of their online activity?
That is not how they caught him. They used a correlation attack. He was stupid and posted something using his personal email on Stack Overflow about setting up a Tor website and processing bitcoin transactions. He then used a linked account to advertise Silk Road a few times. This made him a prime suspect. They followed him for weeks and watched that every time Dread Pirate Roberts logged in and posted on Silk Road he was sitting in a cafe or library on his computer connected to a VPN. This was enough for them to get a search warrant and they found all the other evidence they needed to convict him on his laptop.
Not really an answer to any of the questions you asked, but I'll provide my perspective.
I don't use a VPN to hide my identity from the websites I'm connecting to. I use a VPN to hide the websites I'm connecting to from my ISP.
Residential ISPs in the UK are supposed to log a bunch of internet stuff (not clear exactly what), which is then made available warrant-free to over 40 government departments, including for purposes obviously unrelated to "national security" (not that that would make it OK), e.g. HMRC and the Food Standards Agency.
I've been using DO for my VPN needs and it's been a very good experience.
You can start a $5 Ubuntu droplet, which is more than enough to host OpenVPN, and then configure your VPN manually. Check here:
I just tried that but on my VPS the 'tun' device was not enabled and the automagic script died. Seems that is not easy to fix on a VPS depending on your provider. Thanks for the tip though.
Not the OP and I don't use DO specifically, but I've found using a VPS provider to be a more or less painless VPN experience. Providers like DO, OVH, and Vultr have scripts for easy one-click OpenVPN setup, or you can roll your own if you don't trust their scripts (though if that's the case maybe you don't trust the VPS provider at all...)
That said, always verify that the tunnel is operating correctly before assuming it is and taking off. I've found on more than one instance that the OpenVPN client was misconfigured and seemed to connect, yet my IP was still being reported as my ISP's.
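The "verify the tunnel before trusting it" check recommended above, together with the earlier point about not using an ISP-assigned DNS server while on the VPN, as a small POSIX shell script for a Linux host. This is an added example, not code from anyone in the thread; the tunnel interface name tun0, the resolver prefix 192.168.1. and the TEST-NET probe address 203.0.113.1 are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the thread: checks that the kernel routes a public
# address through the tunnel interface and that the resolver in use is not the
# ISP's (or the home router's, which forwards to it). The parsers read text on
# stdin, so they can be run against captured output; check_vpn feeds them live
# system state. Assumed names (adjust): tunnel interface tun0, ISP/router
# resolver prefix 192.168.1.

# route_dev: reads the output of `ip route get <addr>` and prints the device
# chosen for that destination. `ip route get` is used rather than
# `ip route show default` because OpenVPN's redirect-gateway def1 leaves the
# old default route in place and overrides it with 0.0.0.0/1 and 128.0.0.0/1,
# so a plain look at the default route would wrongly report a leak.
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# resolvers: reads resolv.conf text and prints the nameserver addresses
resolvers() {
    awk '$1 == "nameserver" { print $2 }'
}

# tunnel_ok TUN_IF: true when the route text on stdin selects TUN_IF
tunnel_ok() {
    [ "$(route_dev)" = "$1" ]
}

# dns_ok ISP_PREFIX: true when the resolv.conf text on stdin names at least
# one resolver and none of them starts with ISP_PREFIX
dns_ok() {
    count=0
    for ns in $(resolvers); do
        count=$((count + 1))
        case $ns in
            "$1"*) return 1 ;;   # an ISP/router resolver is in use
        esac
    done
    [ "$count" -gt 0 ]
}

# check_vpn [TUN_IF] [ISP_PREFIX]: live check; exit status 0 only if both pass.
# 203.0.113.1 is a TEST-NET address used only to ask the kernel for a route.
check_vpn() {
    tun_if=${1:-tun0}
    isp_prefix=${2:-192.168.1.}
    status=0
    if ip route get 203.0.113.1 | tunnel_ok "$tun_if"; then
        echo "route: public traffic leaves via $tun_if"
    else
        echo "route: public traffic does NOT leave via $tun_if (tunnel not in use)"
        status=1
    fi
    if dns_ok "$isp_prefix" < /etc/resolv.conf; then
        echo "dns: no resolver matching $isp_prefix configured"
    else
        echo "dns: ISP/router resolver in use, lookups bypass the VPN"
        status=1
    fi
    return $status
}
```

Run `check_vpn` after the client reports "connected"; a non-zero exit means the tunnel is not actually carrying your traffic, which is exactly the situation described above.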
I think that's an OpenVPN restriction, not a Vultr specific restriction. You have to pay for a commercial license if you want multiple connections with OpenVPN.
It's a bit trickier (and more time consuming) to set up than I initially imagined but not at all undoable. A lot of tutorials are a bit out of date or conflicting so it wasn't quite as easy as just following a recipe.
I didn't use DO but an even cheaper host and set up VPN at router using DD-WRT.
Occasionally I have to turn it off at router as certain sites/ services recognize the datacenter IP but not all that often.
Main reason I set it up is I use a small local ISP and know the owners and no need to have them watching net traffic.
The settings on both ends have to match perfectly. Don't forget to set DNS for OpenVPN also.
Add to that many shopping sites (Best Buy for instance), deal sites, ticket buying sites, hotel/airline sites, heck, even my state's offender tracking system blocks the handful of VPS services I've tried.
VPNs aren't a defense against subpoenas or warrants, they're a defense against ISPs scraping your connections and selling them to advertisers.
No advertiser is going to come after your VPN provider asking for logs, and even if they did your VPN provider is going to tell them to get fucked anyway. Again, unless the advertiser in question happens to be the federal government and they have a subpoena or a warrant, no VPN provider is going to give you logs to help you associate a user, I have no idea why you would even think that.
If you don't want traffic from users on the VPN you are free to block them (Netflix does this) but nobody is going to give logs over to a random webmaster to help deanonymize users.
If you want to remove the VPN provider from the question entirely (many of them are on the shady side), you can use Algo to automatically deploy a Digital Ocean droplet or Linode instance to relay your connections for you. However this doesn't fundamentally change anything - if someone comes after you with a warrant or a subpoena, then Digital Ocean/Linode is going to give you up.
This is not exactly a difficult concept to understand so if you have asked this question repeatedly and still aren't satisfied with the answer, perhaps you should look inward.
>VPNs aren't a defense against subpoenas or warrants
They absolutely are for a huge number of people. Why do you think so many VPNs advertise the fact that they don't keep logs? I imagine far (_far_) more people use VPN services as a way to evade copyright holders than as a mechanism to avoid marketers (most people don't give two craps about the latter issue.)
BTW, was the snarky bit at the end really necessary?
There are lots of problems you see in practice which are not discussed often....
* Inability to send mail through a mail program
* Daily disconnections of VPN service
* Captchas and other verification/friction when using services (e.g. YouTube, Amazon, etc.)
* Some services may believe you are in a different country incorrectly, meaning you have to force them to use the right location, or be happy with it being wrong
* Some services will not work at all (for example purchasing through Apple)
* Paid streaming services – like Netflix, HBO Go and Amazon streaming – will likely not work at all
* You may not be able to port tunnel traffic inside the VPN
And of course you have to trust the provider. For example PureVPN claims 'no logs' but it seems that isn't the case...
There is a lot of friction in using a VPN. Which makes the idea, often proposed by technical people, that if you are worried about privacy you should 'just get a VPN' either naive or disingenuous. That said, even with the friction it is worth the cost and hassle IMHO.
In practice you have to have a way to flip on and off VPN on some machines/devices.
Sure, adversaries could pressure VPN providers for logs, account information, help tracing traffic, etc. So you pick VPN services that have been in business for several years, are well known and recommended in relevant communities, and have no history of giving up their customers. There's a recent relevant thread on Wilders: https://www.wilderssecurity.com/threads/purevpn-keeping-logs...
Even so, it's prudent to assume that your VPN provider logs, works with your adversaries, etc. Just like the Tor project assumes that any particular relay may be malicious. So Tor clients create three-relay circuits, to distribute the risk. And one can do the same with VPN services. I'm currently working through a nested VPN chain, using servers from multiple providers. I use pfSense VMs as VPN gateways, and workstation VMs. It's also easy to add Whonix to the mix, so I can use Tor through nested VPN chains.
You're assuming that private parties have the ability to get warrants or subpoenas to get information from your ISP. They do not.
If "Bob" wants to know who you are when you visit his website, he doesn't have any options to get that information. If "Bob" thinks you are violating his copyright rights, he can file a DMCA complaint against you. If "Bob" doesn't want people from Iceland to access his site, he can try to filter based on IP range.
VPNs do three things: 1. obscure your identity, 2. obscure your location, 3. prevent local inspection of your network traffic.
How effective that "obscurity" is depends on who wants to know and why.
Speed, in terms of bandwidth and latency. I consistently get slower speeds using a VPN. Granted, I'm using Google Fiber so I have symmetric gigabit, but there is a downside to it, depending on your use case.
I'm in the same boat as well. I'm not in the US but I do have symmetric gigabit as well. I've been using EC2/DO boxes to set up VPNs for me, but they hardly ever come close to my home speed.
This is usually due to the EC2/DO instances being the cheapest or second cheapest with bad CPUs and overcrowding.
You're also only guaranteed gigabit speeds on the higher tier instances. I'd be interested in what you get using iperf3 between EC2 and your home connection.
Tried them out yesterday and they give about 10% of my Internet speed on any server. So my 400 Mbps connection slowed down to 40 Mbps, which is a pretty rough drop. And I haven't been able to find an OpenVPN connection that could handle more than that 40 Mbps.
PIA is cool because it works seamlessly with your phone as well. It used to be you had to have some special access to get it to work with a provider like Verizon, but it works flawlessly now.
It's a legitimate point to consider. I've set up my home router with Tomato by Shibby, which allows routing all traffic over a VPN link. I was finding the router couldn't keep up with a 50 Mbps link. Granted, these routers aren't designed with that use case in mind. But, running a VPN link all the time on mobile devices kills battery very quickly, so setting up the link on the router is preferable. Consequently, I don't route all traffic over the VPN, which is suboptimal.
I put a 2nd router behind my regular router and switch the gateway, on devices I want to use the VPN, to this 2nd router.
Benefits:
1. Allows devices to use non-VPN-friendly sites
2. Keeps everyone on the same subnet so the VPN is not in the way for local file transfers
3. Main router not overburdened by VPN software
Tomato allows selective routing, both by destination and by device, so that's helpful. Your setup definitely avoids some of the overhead mine has. But, really, I'd just like the little ARM processor in my R7000 to be able to keep up so I can saturate my link. I'm not familiar with ARM's ISA all that much, but it seems an AES-NI equivalent would be really nice to have.
VPNs protect you from snooping by 3rd parties on the way to Bob's site, such as your ISP, anyone on your network, or anyone on any of the intervening nodes between you and Bob's.
If you don't want Bob to identify you then yeah you need more than just VPN such as ad blockers, disabling cookies, and more.
Depends on what you mean by VPN but the let-me-bittorrent ones don't get you confidentiality (or integrity) to web sites you visit, past your immediate ISP.
I've been using one pretty consistently ever since the legislation passed allowing ISPs to sell your browsing history. I generally don't have any problems with it, but that isn't to say it is not problematic:
* Connection issues are really annoying. At home it is manageable, but reconnecting to a different wifi network with a phone introduces a delay that sometimes lasts minutes before it becomes functional again
* Some websites make you enter captchas in order to use them, probably due to VPN abuse by malicious users. Others outright block traffic to any detectable VPN traffic.
* It is slower in general, but the worst case slowness seems much worse and more common. Unavoidable really, you're introducing another potential point of failure.
* Useful LAN functions (like *.local domains) become non-functional
> Useful LAN functions (like *.local domains) become non-functional
Is that true if you 1. disable the "force all DNS traffic over VPN" setting, but then 2. have a local resolver (e.g. dnsmasq) that resolves LAN domains but forwards all other traffic to a DNS server on an IP that will end up routed through the VPN?
I'm not sure if your methods would fix the issue but you can get around it if your router supports acting as a VPN client. After you configure the connection it becomes invisible to all your LAN clients and you can use all of your local network goodies.
>b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.
>It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?
I'm not sure how you made this jump. If the provider doesn't have logs, Bob can't find you. The end.
Is Bob a cop? Does he have probable cause that you were involved in criminal activity? I don't think you can just handwave "call my ISP with a warrant".
Chief on my mind would be the issue of trust. Your traffic is coming out of the VPN node unencrypted. They could snoop you, MITM you, basically anything. So, who do you trust more? Your ISP or a mysterious VPN service probably in Russia that you learned about yesterday?
I figure my ISP is quite likely to sell my data and do other unfriendly things. But I figure they are quite unlikely to attack my traffic and do other illegal things.
Think about it this way: What if your VPN operates in another country? It becomes an international issue if Bob wants your VPN to tell them who you are.
On the other hand, if your VPN operates in another country, some websites within your country may block you due to content licensing issues.
My favorite formula, in constructing nested VPN chains:
1) First VPN, that only my ISP and second VPN see: I choose one that's popular where I live, and commonly used for torrenting, and I have a torrent client up 24/7.
2) Second VPN, that only the first and third VPNs know about: I choose one that does business from a jurisdiction that isn't very friendly with my government and its friends.
3) Third VPN ...
4) Final exit VPN, that only the previous VPN and websites see: I choose one that doesn't attract too much attention. For Mirimir, that's IVPN, because I'm already so associated with it.
I mostly use VirtualBox, or VMware in Windows. pfSense VMs make great VPN gateways. VPN and pf setup are pretty easy with their webGUI. Debian VMs also make great VPN gateways, but setup is harder, and their disk footprint is greater.
I've thought about doing it all in one OS, with iptables or pf to control routing. It'd be lots lighter, but more fragile.
Another option, if you want more security against exploits, is Qubes. But the hardware requirements are far more restrictive, and the learning curve is steeper.
It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial) step to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?
If the VPN is malicious or self-hosted.
If the servers and the company headquarters are located in a country not part of the "14 Eyes", and most importantly, host a lot of other traffic that is not you, there is obfuscation, legal barriers, and plausible deniability that you did not do what "they" are claiming you did.
> If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions.
Every TCP connection is uniquely represented by (src ip, src port, dst ip, dst port). Bob can provide all four of these, and a timestamp, to the VPN provider. The VPN provider can then resolve that to a specific user if they are logging connections.
In which case, if you can't trust 1 VPN, can't you jerry-rig a better VPN by daisy-chaining several together, so that each VPN will have to be asked to sort through traffic?
You will sometimes face hassle authenticating with certain sites. Your VPN will trigger two-factor auth verification, or sometimes trigger an account lock-out or force password resets, etc.
Your VPN provider might not log. Or it might log and sell your internet activity. Of course, the same is true of your ISP, so you have to see who you trust more.
If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users?
I believe there is the alternate option of setting up your own VPN.
Instead of using AWS, you could set it up on an additional router or on your PC/Pi, wherein you'd lose the advantage of anonymity amongst other users but your information is still encrypted to be acceptably safe.
Such a VPN that did keep logs would lose their entire business model if it broke that they kept logs - even if they kept logs (and why should they? That might always leak and kill their business) why should they help a third-party to them?
Whether it's through negligence or ignorance or intentional lying, it's nearly impossible to not log user activity in some way.
And really, think about this: Even if you try really hard not to log, as a provider you're competing with thousands of forensic scientists who do nothing all day but figure out how to associate activity with the people who committed that activity.
And once a federal agency has identified your VPN traffic, every single thing you've done through that VPN provider is all wrapped up in one neat bundle for them to peruse.
Think of SSH as the secure networking Swiss pocket knife, but one that is free for everybody to use, learn and script with. Now think how someone could make money out of it. They can't. So they start creating an alternative that is so complex and hard to understand that no person alone can manage it, and even the best solutions are unreliable, expensive and corporate. This is something you can sell and argue well that you need a shitload of engineers to maintain. This is VPN.
What should you use if you're smart enough to come to HN for reading? SSH of course.
Do you mean you can use SSH for anonymous browsing? I genuinely don't know how that works out, doesn't that just transfer the risk to the server you SSH into, so you end up having to trust the server? Do you have some links for reference?
SSH has a SOCKS-compliant proxy built in. That said, you are right, you are basically shifting responsibility to the SSH server you are connecting to so you have to trust it the same way you would a VPN provider. As such, it's essentially the exact same and so GP was clearly misguided.
You can provide the ssh server yourself. Which is not so hard. And security is something different than avoiding tracking. Avoiding tracking is very simply done by not using a centralized proxy which is maintained by someone else (like in VPN). When you are really under attack it's very different and in that case you couldn't trust VPN either. Even the VPN client would be a danger.
Though this can provide an extra level of defense against MITM, if you trust your personal connection to the internet less than the server's connection to the internet.
All SSH does is move your traffic to a different computer.
When it leaves that computer it's no longer encrypted.
It's not hard to look at unencrypted traffic leaving the computer you've SSH'd into and associate the traffic with the computer you've SSH'd in through.
Presumably so; when I've tried the SOCKS support built in to Firefox, I've noticed that sites that I have blackholed via my hosts file begin working again.
While it’s not the right tool for the job, it is possible to connect two networks together using SSH as the secure transport. Many (most?) good network folks will recoil in horror though about tunneling TCP inside TCP.
Re full network: How? Without additional software, e.g. ppp+socat+ssh along with TUN/TAP or similar, or running a non-standard SSH client/server and having various non-standard utilities on both ends, which IMHO obviates OP's claim of SSH 'simplicity'/'ubiquity'.
I've seen it done before where it was fully transparent to both networks. This required the tunnel to be set up on the default gateway for both networks. Again, as mentioned before and you agreed to, this is not a solution I would ever want to see in production for a company I was at.
> which imho obviates OP's claim of SSH 'simplicity'/'ubiquity'
Which I agree, it isn't simple, but I was replying to someone saying it wasn't possible, not that it is easy to do.
I wish that we had arrived at a different term for third-party VPN proxy services. I use VPN connectivity to my home network whenever I am on the road so that my traffic is encrypted over-the-air (Wifi) regardless of its protocol or destination. When I read, "Do you need a VPN?" I think "I love having a personal VPN to my home network that I use from everywhere. You might love it too!" I am evangelical about creating and using a personal virtual private network—that is, a "VPN" in the more traditional sense of the term.
And then I realize the question is actually about third-party VPN proxy services, which seem to be a substantially different use-case.
It's just a shame that the term "VPN" has become so ambiguous.
Would you mind sharing your tips for setting this up? I've been considering doing something similar for a little while now but am unsure how to get started.
1. Add a VPN host to your home network, either as another role on your router/firewall or as role on a host inside your network. For example, if you're running pfSense as your firewall, you can add an IPSec/L2TP or OpenVPN role to the pfSense host. Many hardware router/firewall devices have VPN host capabilities. You can start simple by defining users at the VPN host. Later you can use your home network's LDAP directory for users, but I personally didn't bother doing that.
2. Set up your laptop(s) and phone(s) to connect to that VPN. Disable "split tunneling" on the devices. If split tunneling is enabled, only traffic that is intended for your private network would be sent to the VPN. Disabling it requires that all traffic—even traffic destined for the public Internet—be routed through the VPN host.
3. Connect to the VPN whenever you are outside of your home.
4. You can optionally assign a static private IP to each device so that when you're connected, all devices use known IP addresses that you can name using a local DNS server. This would allow you to, for example, reach your laptop by the name "laptop.yourdomain.org" (or whatever). I give all of my devices hostnames so that I don't need to remember their IP addresses.
5. The result is you have a personal "virtual private network" that facilitates private LAN-like communication between all of your devices. For example, I use this to access my personal file server from anywhere.
6. You can get even more sophisticated by setting up site-to-site VPN connectivity between your home network and a machine or network you run at a data-center. This allows you to, for example, reach not just your home file server but also manage your personal public-facing Internet services running at your data-center hosted machine or VM—from any of your devices.
> 4. You can optionally assign a static private IP to each device so that when you're connected, all devices use known IP addresses that you can name using a local DNS server.
This is where I’ve always got hung up. I’ve for a long time wanted a static URI for a machine at home (e.g. SSH, IRC bouncer, music files, etc.)
I assumed I’d have to use some kind of local host tunneling solution (like pagekite.io), which are either expensive or difficult to trust/rely-on, or register as a business to get a static IP.
I was speaking of assigning private static IPs to everything on your virtual private network, and then using a private DNS server. This allows you to reach your devices/hosts by name rather than their IP.
However, the entire scenario relies on you having at least one static IP address for your firewall/VPN endpoint. You need to be able to reach that from anywhere on the public Internet.
I think the easiest way is to get a router capable of running DD-WRT or similar that has an OpenVPN server built in to it, flash your router, generate some keys, and hook in with all the OpenVPN clients on Windows, Linux, Android, iPhone, and macOS. It's really not that bad. I use it all the time when I'm out of my house. I can browse knowing that no one between me and my home can know anything about what I'm doing. Of course, my ISP at home can see everything all the time.
I can even access my home automation system. Shoot, I have one installed at my mom's house and can monitor her furnace when she's on travel in the winter. Everyone would enjoy a personal VPN.
One low-maintenance way of doing this would be to set up an SSH server at home (and configure your home NAT/router to forward traffic to that machine).
Once you have SSH access to home there are a number of ways to tunnel your traffic (on desktop platforms, not sure about mobile). Sshuttle works pretty nicely. You can also optionally just tunnel traffic for certain apps or browser profiles by using ssh -D (SOCKS5 proxy).
Most of the time what people think they need a VPN for, a VPN won't actually help them much. They have a narrow use-case in privacy contexts, in which case you're better off using Tor.
The title of this should be "Don't expect VPN to magically protect your privacy," not "Don't use VPN services."
Here are some reasons I've used, and continue to use, VPN:
* When I am on a network that uses an idiotic blacklist to block certain types of content. The network might even be run by my employer and I might be accessing content that is necessary for my work, but there might be no way to appeal the idiotic blacklist.
* When I am on a network that INJECTS content into HTTP responses (a certain paid airline WIFI used to do this).
* When I am on a network that might allow other users on the network to snoop on / mess with my traffic.
* When I want to access services that I have paid to access but are only available to IP addresses in a specific geographic region, and I happen to be in another geographic region.
I used to be employed at a place that was so restrictive I couldn't even access asp.net (the website). I think it was something to do with it being in the cloud and looking like it was being hosted in the Middle East. Most people probably don't know what it's like to work in a company with the extremely power-hungry network admin who wants someone coming to them for everything.
That github note doesn't really disagree with the article, which points out that you need to trust your VPN provider.
My general position is this: I don't trust my phone provider. At all. Just a week or so ago there was an HN post demonstrating how an ad provider can get your full name, cellphone plan details etc. just by calling an API from a page rendered on your phone. But I also don't really have a choice - AT&T or Verizon or T-Mobile, they're all different flavors of the same crap.
Do I trust my VPN provider unequivocally? No. But I trust them a hell of a lot more than my phone provider, and they can't sell my personal info against my browsing history because they don't have it.
A VPN isn't the answer to everything, but nor is it useless.
It's a bit like how "stranger danger" isn't a thing kids get taught about anymore, because random strangers aren't risky if you go up to them, only if they come up to you. (Or, in more statistical terms: bad actors are a small proportion of the pool, but they have an incentive to self-select into interacting with you that good actors do not. If you just draw randomly from the pool, you won't get a bad actor. If you let the pool show the initiative, you'll get mostly bad actors.)
Your VPN provider is just some random company. You went up to them. They're randomly selected (insofar as your choices are random) from the space of all VPN providers, and most providers aren't malicious.
Your ISP is, at least in the US, almost always a monopoly. They're self-selected: they went up to you.
A VPN provider can tell you they're not logging your traffic because they think they aren't but really they are because there's a box somewhere that your traffic passes through that has logging enabled (for example -- and don't hyperfocus on the example, I know how you programmer types like to pick up the example and play ping pong with it for six hours).
So incompetence is a reason to not trust a provider as well.
Partially, at least, they don't need to earn my trust as much. They don't have my name, address, date of birth and social security number/credit data, like my phone company does.
The only positive point of trust a VPN provider has is that no-one has exposed them selling browsing data. Definitely not great, but also better than my phone company by default.
* My VPN provider explicitly states that they do not collect user information or store logs of user activity. Unlike my ISP that has a No Privacy Policy.
* My VPN provider has not done anything to lose that trust.
So which is worse, your VPN provider telling you that they don't store logs of user activity and then very well doing it (as has been proven in multiple cases), or your cell provider telling you they're going to fuck you, then fucking you?
> Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?
Which is basically also saying you can't trust a commercial VPN provider. I suppose it does differ in that it says it's still an option, though.
I trust most VPN services more than I trust my ISP. If what you are trying to do is avoid your ISP collecting your surfing data for advertisers, throttling Netflix traffic, or adding a super-cookie to headers, then a VPN might make sense.
My ISP choices are limited to two companies that are both terrible. A VPN is a nice way of limiting what they can do to you.
You don't get any additional privacy, the only way to really _guarantee_ that you get additional privacy is to use a solution that provides privacy by design rather than by policy.
> I'm not looking for a guarantee. Probably getting additional privacy is good enough for me.
I think we can both agree that wasting your money on wishful thinking ("maybe provider doesn't log") instead of using free open-source privacy-by-design solutions is a bad idea.
The privacy-by-design solutions have their problems as well (ex: speed). It would be better to use them over VPN IF AND ONLY IF their features would be strictly equal.
As they are not, one simply calculates the expected value of both, taking into account the probability of the VPN actually logging the traffic (which should be low for VPNs with good reputation).
For some use cases, even a VPN that logs traffic would be a good idea. For instance in many countries if you download a torrent they will log your IP and try to identify you. IF you have a VPN, they won't even bother asking the provider the IP because it is just not worth it for something like that. If you were exchanging child porn on the other hand they will ask for it and take time to find you.
Not everybody needs the same guarantee of privacy or has the same risk if the privacy was to fail.
Your statement is the same as saying one should never invest in shares because the return is not known in advance, so you should just buy government bonds which are safe.
You're thinking of these as Single Points of Failure, but they're not in parallel; they're in series.
Consider the attacker: a service you've visited that has your "outermost visible" IP, and wants to know who you are. From their perspective, it doesn't matter if your ISP is willing to give information freely, because they don't know who your ISP is until they've already gotten the information from your VPN provider. Each layer prevents the layer below it from being attacked, until it is removed.
Yes, a state actor could just ask "every ISP at once" to look at their logs of OpenVPN-protocol traffic and identify the packets that match the ones that arrived at the service. But state actors aren't the usual attacker profile, and require entirely different strategies (e.g. getting human "proxies" to use Internet cafes for you.)
Ignoring traffic analysis, you shouldn't have to trust your own ISP while using a VPN. Ignoring traffic analysis makes sense unless you're a high profile criminal, and it affects all low latency tools, including Tor.
They run massive PR campaigns with carefully structured press releases designed to convince the kind of people they want to detain that TOR is private and safe for any kind of activity.
Because of this people tend to get swole when you suggest that TOR is not any good for protecting your privacy because lots and lots of people have been arrested, tried and convicted after trying to use it to hide illicit activities.
The US government has made millions of dollars of investment into TOR:
AFAICT, in all current cases it isn't Tor itself that's been broken by the authorities. It's the client end that has been compromised; and in a way that isn't specific to Tor. Had these users been using a VPN without Tor, they could have been compromised in largely similar ways.
Please, find me a counter-example - because I haven't seen one.
Admittedly, one thing that has happened is that the authorities are able to target compromises in the Tor Browser specifically, rather than in a wider range of clients that non-Tor VPN users might use. But they're probably more vulnerable than the Tor Browser is anyway.
It's important to consider here that the average person using TOR is not a network administrator.
And that they'll follow the instructions that come with the TOR browser and assume that it's safe.
So when I say that TOR isn't safe, I mean that it isn't safe as it's presented.
Saying that TOR isn't safe if you know what you're doing is like selling someone a car with no seatbelts and then telling them well if you knew what you were doing you'd install seat belts yourself and then the car would be safe.
> So when I say that TOR isn't safe, I mean that it isn't safe as it's presented.
Sure. But it is no more dangerous to use Tor on its own than it is to use a VPN privacy service on its own. So your claim that the US Government is enticing people into using Tor to entrap them is nothing more than an unsubstantiated conspiracy theory. It would be easier for governments if criminals didn't use Tor.
Chrome is arguably more 'secure' than the ESR Firefox that the Tor Browser is running on. If you are realistically concerned about this type of targeted attack, you should probably be browsing with Chrome isolated inside of Qubes/Whonix.
My ISP is AT&T. I don't think there's much the VPN provider or their ISP could do to make things worse for me. The worst case scenario is that they are as bad as AT&T and there's a non-zero chance they are better.
The worst case scenario is not just that they're as bad as AT&T. The worst case scenario is that they're as bad as AT&T and still provide a false sense of security.
Even if you're diligent, other users with your (ISP, VPN) provider pairing might not be, and they could be harmed as a result.
The comments security nerds make here on HN aren't one-on-one individualized consulting (n.b. that's paid work in my field), they're general advice for the public to refer to.
is true for every network in the USA. You can be sure they are all being snooped on by 1. the ISP collecting traffic data for profit and 2. the gov. because they get it all anyways.
That isn't great privacy wise as it's still privacy by policy. The best way to torrent is to use i2p which - unlike Tor - encourages that activity. (Short tutorial: the default Java i2p bundle already comes with I2PSnark, a torrent client. To download a torrent, search through known i2p trackers such as the Postman Tracker: http://tracker2.postman.i2p )
The content owner could still request your information from the VPN provider and the VPN provider might provide it (even if they say they won't). I think the main benefit is that there are so many individuals torrenting copyrighted material that aren't using VPNs that it means you aren't the "low hanging fruit" so you're considered not worth the effort by the content owners.
Yes, but there is a big difference between "this provider might be lying about not storing traffic, and they also might give the data to someone" and "this ISP is 100% storing traffic and routinely gives that data to others."
For now, I am running my own VPN on Linode. The only real benefit of this is now my traffic is mixed with non-similar traffic. The hope is that this makes it less valuable to monitor the contents of my traffic. Of course, this is just security through obscurity, and nothing more than a half measure.
The internet is not designed for privacy, and privacy does not benefit the majority of commercial stakeholders of the internet. This is probably why most privacy solutions feel like shoving a square peg through a round hole. My personal feeling is that we should combat commercial bulk surveillance through legislative means.
Your last paragraph ignores the existence of many privacy by design solutions such as Tor or i2p. Yeah, they can't protect against a global passive adversary - as any other low latency anonymity system in existence, but that's totally different from saying that there's no way to have privacy on the Internet.
Tor is a solution for specific use cases. It does not address privacy on the internet in a general way. For example, if I use Tor to browse Facebook, I am logged into Facebook and still just as trackable as I would be if I wasn't using Tor.
> Tor is a solution for specific use cases. It does not address privacy on the internet in a general way. For example, if I use Tor to browse Facebook, I am logged into Facebook and still just as trackable as I would be if I wasn't using Tor.
No, at least now facebook may not know your exact location (especially if you use their onion service: https://www.facebookcorewwwi.onion/ ) and they can't track your activity outside of facebook. Of course, it doesn't solve - nor can any other anonymity system - the fact that you transmitted personally identifiable information with facebook.
A confusing, content-less, arbitrary recommendation against Linode with no clear justification or reasoning given anywhere in the tweet stack is obligatory? I'm confused. Are there any actual reasons not to use them?
I'm fairly new to the whole world of increased internet privacy, so I'm curious about the benefits of using a VPN or Tor. I'm not a political activist or engaging in illegal activity, I just want my personal data being passed around as little as possible (preferably by spending little to no money to do so). Is using Tor worth the effort? What are the benefits? Or do I simply use Chrome and resign myself to my fate like nearly everybody else?
Because of its 3-hop design, a non-global passive adversary (GPA) would need to control both your entry node and the exit node to de-anonymize one of your Tor circuits. In addition, Tor circuits generally last for 10 min only. Also, using the Tor Browser you get stream isolation, meaning that you get different Tor circuits for different websites.
You can also setup your own non-exit node and connect to it to ensure that no single point in your Tor circuit controls both the entry node and the exit node.
> a non global passive adversary (GPA) would need to control both your entry node and the exit node to de-anonymize one of your Tor circuits
That's not a benefit, that's a feature. A benefit involves a use-case. What does a person gain from not having their traffic de-anonymized? The described user is someone who doesn't have any particular activities they need to keep secret or risk jailtime. So, for them, what's an example of something that could happen differently in their real life if they used Tor vs. if they didn't?
(This wasn't a rhetorical question; there are such use-cases. I'm just commenting to prod you into zooming out a bit from "privacy is its own end" to thinking more about what regular people care about and how privacy helps them get it.)
Chrome sends a whole lot of data to Google (and possibly to their data-sharing partners) such as, at the least, what sites you visit and how long you are on each. When combined with Analytics, cookies, profiling and whatever G services you use, and the fact that Chrome is a program (not a site) connecting that all, you have pretty much lost any legitimate hope to privacy before you begin.
Using HTTPS Everywhere is a no-brainer, as at least the middle steps won't see the data. IMO, using a commercial VPN is just not that difficult and the speed is close to native, so it's a lot easier than TOR.
Basically it comes down to this: What you don't want people to know, you don't tell them. So if you don't want personal data floating around everywhere, don't tell them personal data.
Or just be a nice happy good citizen in the normal world. What you do in other worlds should then not be mixed with the normal world.
As I mentioned in another comment about using VPN for torrents:
> That isn't great privacy wise as it's still privacy by policy. The best way to torrent is to use i2p which - unlike Tor - encourages that activity. (Short tuto: the default Java i2p bundle already comes with I2PSnark, a torrent client. To download a torrent, search through known i2p trackers such as the Postman Tracker: http://tracker2.postman.i2p )
You need to look up what stremio (https://www.strem.io/) is and understand the value proposal for the casual non tech-savvy end user. This is the face of torrenting now. Not magnet links. People don't know what a URL is anymore, don't expect them to understand a classic torrent client or I2P.
Since we're talking about it: what's the value proposition in creating an illegal service for non tech savvy end users?
I'm trying to figure out why they made this. They can't really run ads without ending up like the founder of TPB.
Regardless, it doesn't seem unreasonable to expect people to know what a magnet link is. When all you need to do is download transmission and click on a magnet link, people are fine with that.
You mentioned stremio and I respectfully pointed out that it's not going to work over i2p for reasons mentioned above. I don't even see why you're mentioning it when we're talking about privacy.
> My whole point is that people use VPN for torrenting so Tor would not help and i2P neither.
My point was that I2P can help them since it's (a) torrent friendly, (b) has a bundled Torrent client (I2PSnark), (c) there are many eepsite torrent trackers such as: http://tracker2.postman.i2p
Either of these options, depending on your preferences (protip: use Algo, unless you're in a place that blocks IPSEC VPNs...It's cheap enough to have both available). This at least covers the basics of what they're talking about being snooped in the post. Then you don't have to worry about trusting the VPN provider (but you do have to worry about trusting your cloud provider).
If your threat model is different, you might want to be in a pool of users, but you can use the same service and solve this problem socially...
> I don't know why anyone advocates using a VPN provider when it's so trivial to set up your own VPN now.
..links to github repos...
You are blessed with technical skills and experience so this is trivial to you (and many people on HN), but there are tons of people out there for whom this is not a trivial task.
> I don't know why anyone advocates using a VPN provider when it's so trivial to set up your own VPN now.
That won't give you any privacy as anyone who wants to de-anonymize its traffic can correlate the fact that you connect to it with your IP (asking the VPS provider for logs) and that you bought it (asking the VPS provider for your banking info).
But that's not really the threat model described when people are talking about their ISP snooping on what they do. A private VPN solves exactly that problem.
Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service). Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).
> But that's not really the threat model described when people are talking about their ISP snooping on what they do. A private VPN solves exactly that problem.
It only solves it against a particular ISP.
> Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service).
I completely agree, that's why I always maintain that only privacy by design solutions should be relied on (Tor and i2p for example).
> Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).
But they know the IP, so that's still identifiable information.
> You can combine Tor and a VPN though, though you'll want to rotate through VPNs to avoid timing attacks.
I don't think that adds any privacy, setting up your own non-exit relay and connecting to it may significantly increase your privacy depending on your threat model (since then you can be sure that no single point in your Tor circuits controls both the entry node and exit node, and hence can't correlate your traffic. You're still vulnerable to a global passive adversary (GPA) of course).
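As an added illustration of the argument in this comment and in the earlier one on the 3-hop design (example code written for this thread, not from any commenter or from the Tor project), here is a deliberately simplified model. It assumes each circuit picks its entry and exit independently, weighted only by the adversary's share of entry and exit capacity, and ignores Tor's persistent guard relays; "own entry relay" is modelled as an adversary share of zero at the entry.

```python
"""Simplified model of the Tor circuit-compromise argument (added example).

Labelled assumptions:
- Each circuit chooses entry and exit independently; the adversary's chance
  of owning a given entry is f_entry and of owning a given exit is f_exit.
  Real Tor pins a long-lived guard as entry, which this model ignores.
- A circuit lives 10 minutes (as the comment states), so a day of continuous
  use is about 144 circuits. With Tor Browser's stream isolation each distinct
  site visited per circuit lifetime gets its own circuit, so more sites means
  more circuits exposed.
- A non-GPA adversary learns nothing from a circuit unless it owns BOTH ends.
"""
import random

CIRCUIT_LIFETIME_MIN = 10


def circuits_per_day(sites_per_slot: int = 1, hours: float = 24.0) -> int:
    """Circuits built over `hours` of use; `sites_per_slot` models stream
    isolation (distinct sites per circuit lifetime each get a circuit)."""
    slots = int(hours * 60 / CIRCUIT_LIFETIME_MIN)
    return slots * sites_per_slot


def p_circuit_compromised(f_entry: float, f_exit: float) -> float:
    """Probability that one circuit has adversary-controlled entry AND exit."""
    return f_entry * f_exit


def p_any_compromised(f_entry: float, f_exit: float, n_circuits: int) -> float:
    """Probability that at least one of n independent circuits is end-to-end
    compromised: 1 - (1 - p)^n."""
    p = p_circuit_compromised(f_entry, f_exit)
    return 1.0 - (1.0 - p) ** n_circuits


def own_entry_relay(f_exit: float, n_circuits: int) -> float:
    """The comment's mitigation: your own non-exit relay is always the entry,
    so a non-GPA adversary's entry share is zero for every circuit."""
    return p_any_compromised(0.0, f_exit, n_circuits)


def simulate(f_entry: float, f_exit: float, n_circuits: int, seed: int = 0) -> int:
    """Monte Carlo check of the closed form: count circuits whose entry and
    exit both fell under adversary control."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_circuits):
        entry_bad = rng.random() < f_entry
        exit_bad = rng.random() < f_exit
        if entry_bad and exit_bad:
            hits += 1
    return hits


if __name__ == "__main__":
    # Constructed scenario: adversary holds 5% of entry and 5% of exit capacity.
    n = circuits_per_day()
    print(f"{n} circuits/day; P(any compromised) = "
          f"{p_any_compromised(0.05, 0.05, n):.3f}")
    print(f"with stream isolation over 5 sites: "
          f"{p_any_compromised(0.05, 0.05, circuits_per_day(5)):.3f}")
    print(f"with own entry relay: {own_entry_relay(0.05, n):.3f}")
    print(f"simulated hits over 100000 circuits: {simulate(0.05, 0.05, 100000)}")
```

The closed form shows why the per-circuit figure (0.25% at 5%/5%) is misleading on its own: over a day of 10-minute circuits it compounds to roughly a 30% chance that some circuit was fully observed, which is the exposure the own-entry-relay suggestion removes against a non-global adversary.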
For anyone who uses OSX and DigitalOcean, easily deploy your own personal VPN server with DNS adblocking running on DigitalOcean: https://github.com/dan-v/dosxvpn.
There are a small handful of sites that treat me like a spammer and make me go through extra hoops to sign in, but I have not found what you said to be the case.
A lot of folks are doing their automated testing with AWS systems and blocking those IPs would likely cause a lot of people some headaches.
The DNS blackhole that Algo by default puts ad providers in causes me more problems than that, in all honesty, because occasionally I have to log into services like HubSpot that are blocked.
There sorely needs to be a corollary to net-neutrality, where websites cannot discriminate users based on the choice of their ISP/vpn/tor/vps/cloud-provider. I find it absurd that websites are even allowed to display a banner with phrasing like, "We detect that you are using a vpn. Disable it to view this site." Netflix, the champion of net neutrality, is the biggest offender in this area.
I sort of agree, but I believe Netflix is legally obligated to do this due to licenses/copyright laws that they have. So they probably have to put in some legally defined amount of effort into combating people "cheating" or working around the regional licenses. Their hands are tied.
They optionally sign contracts which contain geo-fencing clauses. There’s no law that says content must be geo fenced, and that suspicion of proxy use, for any purpose must result in denial of service.
There's no law, but then there's no content, which Netflix needs to serve their users. Netflix is a business, not an entity set up to fight Internet freedom.
Sure. And if they said "no" to rights holders, rights holders would pull the licenses.
Whether the move increases Netflix or not - doesn't matter really. As long as they license someone else's content, they have to play by someone else's rules. If this play also increases Netflix's margins, so be it - all I care about is having access to movies.
You have an awful lot of certainty about the positions of both parties in these contract negotiations. It seems more likely to me that Netflix would simply have to pay more. I’m sure Netflix could pay less in exchange for the IP and email addresses of people watching in real-time, too, but that doesn’t mean it’s either inevitable or desirable.
I imagine that Netflix as a distribution platform may wield more power than you imagine.
I guess we'll agree to disagree. I'm pretty sure we can safely say that neither of us was privy to the contract negotiations between Netflix and studios. :)
Netflix unfortunately is tied to draconian region-specific content distribution agreements with some of the biggest content producing/owning companies in the world.
Don’t think they can ignore the VPNs without significant legal issues and potentially losing much of their content.
What's even more annoying is Netflix treating things like tunnelbroker.net as VPNs. I'm really tired of my ISP's lack of proper IPv6 connectivity, I was using tunnelbroker for a while but got tired of fighting to get Netflix working correctly.
Netflix had to crack down on VPN usage recently as people use them to bypass geographic content restrictions. Any suggestions on alternative options they could pursue? (Aside from somehow getting global broadcasting rights on their whole library)
They didn't have to do anything. Netflix is a paid service. You are paying for a service, which you are entitled to get. What geo-drm-moon-phase recipe they cook up is their problem. As a consumer who pays, you should see either a) content from your billing address, or b) content from the IP address. Or any superset of the two; but NOT a banner asking you to disable your vpn.
Netflix would LOVE to provide their whole catalogue to their whole subscriber base. They'd be crazy not to. The more content they can offer, the better their service, the more subscribers they'll get.
They block VPNs and other tools because their contracts with content providers say so.
It even says it right in their terms of use:
> 4.3. You may view the Netflix content primarily within the country in which you have established your account and only in geographic locations where we offer our service and have licensed such content.
Netflix is in the tough position of needing to know where you are -now-. VPNs mess with that.
Don't get me wrong, requiring someone to disable a VPN to use the service is bollocks. But some services don't have much of an option. From what I understand Netflix is aggressively trying to obtain world-wide rights for their whole library, but until the old dog content producers get on board they'll have a rough time.
Would they not be able to tie the location to the account? If, say, they register as a US user, an IP change from the US to France caused by VPN would leave little issue.
You're right, technically, but incorrect legally, because if you don't VPN and instead hop a plane to France, they just streamed US content to France. No-go.
They could be implementing blocking at the title level instead of on the whole site - so with a VPN I can't watch geofenced content but I can watch House of Cards, for instance.
Nitpick: Bitcoin, being a system where the history of all transactions is publicly available, is hardly an "anonymous" system. It is an additional level of separation from other forms of payment tagged with your credentials, and you can achieve anonymity if using it carefully, but it can't be treated as an anonymous option by default.
It took me years to find a VPN that accepted Monero. But I've been paying for Bitcoin priced VPNs using Monero through a service like Shapeshift or Changelly or XMR.to
I've been paying pretty much all bitcoin invoices that way for several years.
Blockchain sleuths would never be able to tell if a bitcoin transaction was just an exchange shuffling coins or if someone like me was actually on a different and opaque blockchain.
>> Blockchain sleuths would never be able to tell if a bitcoin transaction was just an exchange shuffling coins or if someone like me was actually on a different and opaque blockchain.
That depends on the nature of the investigation. Say they bust an illegal website and now have their subscriber records. If your bitcoin transactions match those of a subscriber to the website, they have more than enough info to come after you. With the website transaction records in one hand, and the public blockchain in the other, it would be trivial for an investigator to get a reasonable idea of who you are and where you live. Unless you spin up new accounts for each and every transaction, and mine your own coins, the public blockchain means they can identify patterns and make connections.
(I won't quibble on the technical definitions of reasonable suspicion. Suffice to say any such match will be enough to get a warrant and turn your life inside out.)
Yeah, so when you pay with cryptocurrency there is no real information about you. Now this is just the first part, and if we stopped there, you would be correct. But many sites use the address data necessary for credit card transactions and append that to your user profile, but sites that accept cryptocurrency do not because it is not necessary to complete payment or distinguish users.
So secondly, the bitcoin transaction would have been executed by someone else, from a mixer. The mixer was instructed by my transaction to it from an opaque blockchain, as explained earlier. Your rebuttal implies you have never seen the differentiating features of Monero. It is a public blockchain, but transactions are not linked.
The transactions are not overtly linked but some simple detective work can make connections. Seeing the same number of bitcoins exiting one account and, within reasonable time, appearing in another is suggestive. See that happen many times, such as some sort of subscription to a service, and you can put 2 and 2 together.
Say they shut down an illegal website that subscribers paid $25 for every month. If they see that your account paid out $25/month, but stopped doing so when the website shut, then that's strong enough evidence for a warrant regardless of the exact path of transactions. That can be done via the blockchain far more easily than trying to gain access to bank records.
> Seeing the same number of bitcoins exiting one account and, within reasonable time, appearing in another is suggestive.
Will you just try using Monero before you say another word?
First, your assumption relies on having a nexus currency of Bitcoin to begin with, when Monero could easily be the base currency someone maintains a balance in. Monero has USD markets and has many default countermeasures towards linkability.
Second, your assumption relies on just not seeming to know how Monero works.
Third, I want to clarify that I'd be open to rebuttals if they actually acknowledged technology that's been around since 2014, but you are making rebuttals about rudimentary bitcoin mixers from 2012 when that's not even what we are talking about.
I'm not sure what you mean. Monero is completely anonymous, and sending through XMR.to can't be traced back to anything. Law enforcement officials just know that that user account got a payment, the Bitcoin blockchain has nothing more for them.
Great link from the EFF describing Tor and HTTPS [0]. Click on the grey 'tor' and 'https' links to see what information is collected where and what can be viewed.
Surprised this article does not mention Tor? Or has Tor been abandoned as a tool for privacy?
There are reasons why a VPN is great but not for privacy. A VPN currently allowing me to work remotely would be one of them.
CiPHPerCoder provided a great link [0] in this discussion [1] that details a short list of a few reasons why VPNs are likely not what "regular people" who are concerned for privacy should be using.
That all being said, tools like Tor have become much easier to use with setups like Tails [2], which may have its own security issues, but I'll agree that regular users may not be capable of using Qubes with Whonix... yet.
I think advocating for a VPN is actually harmful to the "regular user" not only in the fact it will not accomplish what they want, it will deepen their ignorance of how the internet works because they will think "it's encrypted" "so I am secure."
I do have some concerns that tor is a tool that needs to be improved upon greatly to truly accomplish its goals but I am not aware of any projects that are doing so. Re metadata, fingerprinting, developers inserting backdoors etc.
> I do have some concerns that tor is a tool that needs to be improved upon greatly to truly accomplish its goals but I am not aware of any projects that are doing so. Re metadata, fingerprinting, developers inserting backdoors etc.
I always try to tell people about Tor's limitations, which are considerable. (I wrote the content for the EFF graphic that was linked above, and one goal was to show people things that aren't hidden by Tor — for example you can see an NSA agent in the graphic performing some kind of correlation attack between source and destination by monitoring the network at multiple points. Of course, the source of data for this doesn't have to be fiber optic taps, so other entities that can get source and destination data can correlate them too.)
Tor is doing work on all of the things that you mention: metadata, fingerprinting, and developers inserting backdoors. One could wish for more work and that it had happened longer ago, but all of those are active areas of concern and research for the Tor project.
>I wrote the content for the EFF graphic that was linked above
Thank you! I constantly share that link with people, I (and many others) appreciate your work!
I regret not going into software development. I wish those were projects I could contribute to; alas, my closest work towards development is tinkering with Linux .conf files etc. to get home projects to work, which is not development at all.
> I think tor is simply too slow and complicated to advertise as a tool to "regular people"
I know many people who use Tor daily for regular browsing - myself included. Yes, it's slower than not using Tor but that's expected from the 3-hop design.
I'm on Verizon so I don't get to choose if I need one. I have to use one on my phone at least.
They are still useful for lumping your traffic in with others for copyright infringement. Torrent clients offer the files for sharing while downloading.
They are still useful for some simple geo evasion as well.
They aren't a solution for every security issue at all. Tor is generally better to run from open wifi from a Tails USB rather than from a VPN.
Also, many VPNs actually log things they can provide to the FBI even though they lie and say they don't. They can get an NSL and end up having to, without being able to tell you that they did. Sometimes an NSL canary is used, but not always.
I'm not sure what you mean by "I don't get to choose if I need one". Both Android and iOS natively support VPNs, and most corporate phones are set up to connect to the corporate network securely via VPN - on many US carriers.
I think chisleu meant that they consider Verizon to be so untrustworthy that not getting a VPN is really not a viable choice to make. So chisleu doesn't get to choose whether to use a VPN or not.
I've set up my own VPN using Streisand [https://github.com/StreisandEffect/streisand] & Google Compute Engine (Micro Instance). When you create an account on Google's Cloud, you get $300 (or used to at least). This instance type is big enough to handle the few devices I connect to it, fairly speedily too.
Without a doubt! I'm not too concerned because I'm using it within the USA to access my email, HN, and various other common websites while on public wifi.
I'm surprised no one has mentioned Streisand, an open-source project that takes most (not all) of the effort out of setting up low-cost individual VPNs for yourself and your friends and family on a number of popular cloud services:
It takes a little bit of technical know-how (or bravery) to get started, but the setup process is dead-simple and you end up with a completely personal VPN with dozens of options that can work around a number of different situations. Best of all, it's entirely under your control. You can tear it down and start from scratch, or move to a new location or cloud provider easily. The docs are clear and easy to understand, and it's constantly being improved. It's a pretty remarkable project.
My issue with Streisand is that it spins up a dozen different services, of which I would like 1-2. Indeed, I then stumbled across Algo [1], which cited this as one of the motivating reasons for existing. It does 50% of what I'm after in setting up an IPSec VPN and does it all whilst generating my mobileconfigs.
Now all I need to do is manually set up a shadowsocks server and I'll be sorted. But I'd rather tackle that manually than also have the extra stuff Streisand bundles in.
When running the streisand script it will now prompt you if you want to customize the install, allowing you to selectively choose which VPN daemons you want to run.
Oh thank you, that's wonderful news! I'll definitely look into that if I have any frustrations with configuring SS myself. Even if I use Streisand for the SS side and Algo for the IPSec side, that would be a reasonable solution.
Insanely easy to get running: plugged it in to my home router, and now I do all my remote browsing from my home network. I HIGHLY recommend it. I know it doesn't help with privacy, since you're using your home network, but I'm currently more concerned with WiFi hacks, pineapples, and the like.
It's a nice user-friendly app, works well on all my stuff. Using it on Linux took a bit of manual setup, but their instructions worked. I'm a customer, and I would recommend it. I outsourced my trust in them to DDG. Hopefully they didn't steer me wrong there.
Downside is that it basically only works per device. It doesn't run on any routers that I know, to get full coverage over your network traffic.
I wish a trustworthy organization with a history of privacy advocacy, like EFF or Mozilla, would create a subscription VPN service. I'd sign up immediately and their reputation would command a significant price premium.
I don't look to it as a foolproof solution, but I do see it as a way to make things a little bit harder for someone that's trying to track me.
The arguments here often sound similar to "experts" that complain about 2 factor auth: Sure, it's not perfect and there are better solutions in some cases, but it's still better than nothing for a lot of people.
I typically don't trust VPN providers, so I set up my own on AWS with this CloudFormation script. [0] It is almost effortless, takes 10 minutes and I can spin it up or spin it down without paying for a subscription, only AWS metered costs.
EDIT: another poster mentioned Algo [1]. This method requires a high degree of savvy and entails a higher level of difficulty, but looks much more configurable.
How often do you find that your AWS IP is blocked, or that you need to bypass a captcha? I would think that AWS would be a major source of scrapers and other traffic that a site might not want and might choose to block. I know that Cloudflare offers to block "suspicious" traffic, which would seem likely to include traffic coming from an AWS server rather than an ISP.
Which, the first or the second option? The first one entails a one-time 10 minute setup and you can leave the AWS instance running if you don't mind incurring a small ongoing EC2 fee.
Another issue to look for in selecting a VPN is leaks, where network packets travel through the 'hostile' interface and not the VPN. Leaks can happen many ways, if I understand correctly (I did some reading on it recently but not my own research):
* Many VPNs use "split-tunneling": To save bandwidth, they route https traffic through the hostile network interface
* Some don't route other protocols via the VPN, for example, IPv6 and even DNS are sometimes excluded.
* If the VPN connection drops
* When the VPN connection is out of sync with the device's network connection (e.g., after the computer boots and before the VPN starts, or after the VPN is disconnected and before the computer shuts down).
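An added leak check, not code from the thread or from any VPN project, covering the first two leak classes above from static state: it parses constructed `ip route`, `ip -6 route` and `/etc/resolv.conf` text and flags split-tunnel routes, an IPv6 default route that bypasses the tunnel, and resolvers outside it. The interface names, the VPN endpoint 203.0.113.5 and the pushed resolver 10.8.0.1 are assumptions; the dropped-connection and boot/shutdown gaps are a firewall kill-switch matter that this check does not cover.

```python
import re

# Constructed sample command output (not captured from any real host): tunnel
# tun0, untrusted Wi-Fi wlan0, hypothetical VPN server 203.0.113.5, resolver 10.8.0.1.
SAMPLE_ROUTE4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
198.51.100.0/24 via 192.168.1.1 dev wlan0
203.0.113.5 via 192.168.1.1 dev wlan0
"""
SAMPLE_ROUTE6 = """\
default via fe80::1 dev wlan0 proto ra metric 600
fe80::/64 dev wlan0 proto kernel metric 600
"""
SAMPLE_RESOLV = "nameserver 192.168.1.1\nnameserver 10.8.0.1\n"

def parse_routes(text: str):
    """Yield (prefix, device, has_gateway) for every `ip route` line."""
    for line in text.splitlines():
        parts = line.split()
        if parts:
            m = re.search(r"\bdev\s+(\S+)", line)
            yield parts[0], (m.group(1) if m else ""), " via " in line

def _tunnel_covers_all(routes, tun: str, halves) -> bool:
    """True if a default route, or both 'half' routes, leave via the tunnel."""
    devs = {prefix: dev for prefix, dev, _ in routes}
    return devs.get("default") == tun or all(devs.get(h) == tun for h in halves)

def check_leaks(route4: str, route6: str, resolv: str, tun: str = "tun0",
                vpn_endpoint: str = "203.0.113.5",
                vpn_dns=("10.8.0.1",)) -> list[str]:
    """Return leak findings for the four categories; an empty list means clean."""
    findings = []
    r4, r6 = list(parse_routes(route4)), list(parse_routes(route6))
    # 1. IPv4 must leave via the tunnel: a plain default route on tun0, or the
    #    0.0.0.0/1 + 128.0.0.0/1 pair that is more specific than the LAN default.
    if not _tunnel_covers_all(r4, tun, ("0.0.0.0/1", "128.0.0.0/1")):
        findings.append("ipv4-default-bypasses-tunnel")
    # 2. Split tunneling: any gateway route that leaves through a non-tunnel
    #    interface, other than the LAN default and the VPN server itself.
    for prefix, dev, via in r4:
        if via and dev != tun and prefix not in ("default", vpn_endpoint):
            findings.append("split-tunnel:" + prefix)
    # 3. IPv6: a default route on the hostile interface carries every
    #    AAAA-resolved site around the VPN unless the tunnel also claims ::/0.
    if (any(p == "default" and d != tun for p, d, _ in r6)
            and not _tunnel_covers_all(r6, tun, ("::/1", "8000::/1"))):
        findings.append("ipv6-default-bypasses-tunnel")
    # 4. DNS: resolvers not pushed by the VPN (typically the Wi-Fi router) see
    #    every query in cleartext even when the browsing itself is tunneled.
    for ns in re.findall(r"^nameserver\s+(\S+)", resolv, flags=re.M):
        if ns not in vpn_dns:
            findings.append("dns-outside-tunnel:" + ns)
    return findings
```

Run `check_leaks` on the real output of `ip -4 route`, `ip -6 route` and the contents of `/etc/resolv.conf` to audit a live connection; the sample above yields one finding of each kind except the IPv4 default.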
This is a plug for my stuff, but a relevant plug nonetheless:
If you think you need a VPN, you probably need a good VPN protocol to go with it. Rather than using outdated legacy cruft like OpenVPN or IPsec, you might like WireGuard:
It's still in the early days, but the protocol is formally verified, the overall design has received academic review, the Linux implementation is maturing quite rapidly, and we'll soon have Mac and Windows clients available. Part of the WireGuard Protocol uses the Noise Protocol Framework from Trevor Perrin, of Signal Protocol fame.
I used Wireguard to connect multi datacenter nodes in a Kubernetes cluster recently and I recommend it. It works very well and is very simple compared to other VPN technologies. Thanks for your work. :)
I recently set up on ZorroVPN after going through that list. It's a little on the pricier side (BlackVPN is another one I was considering with similar pricing), but the performance has been pretty good so far. They don't have their own client so you don't have to worry much about them installing junk on your machine. You can use one of the open source clients out there.
I always wonder about ProtonVPN (the ProtonMail people).
It's Swiss based so I assume there would be a decent amount of round trip latency, but for sheer privacy it seems like a solid company that goes the extra mile by locating itself for legal purposes.
I am debating whether I should go with them or not, as well. They do seem solid, but I have not heard any people mentioning them.
I have a paid account with Netflix/Hulu/HBO and I'd like to watch it when I'm travelling or when I'm working remotely from third world countries. That would be my sole use case. Can they stream without huge latency?
Regarding speed, I've been using ProtonVPN for around 4 months and it's much faster than other VPN providers I've used (TorGuard and PIA).
It doesn't work with Netflix as Netflix blocks most VPNs.
ProtonVPN is my first and only VPN - occasionally there are connection issues. Speed is not superb as far as I can tell but sufficient for most use cases. I tend to stick with them. No idea if they are better or worse. I chose them b/c with regards to privacy they seem trustworthy.
All the "you don't get privacy from a VPN" talk misses the variable of who you want privacy from. If you don't care about e2e privacy, but want a simple way, without using Tor, to keep websites from knowing your real IP, then VPNs are great.
Does anyone have a preference on what server the VPN connects to? For example, I'm using AirVPN, and you can select specific countries that you would like to allow the VPN to use. From there it just goes out and connects to the "recommended" server.
If I don't make any preference, it will connect me to a server in Canada. It's very fast, but a bit annoying because now I get all the Canadian search results in Google.
Is there any downside to using a VPN server in the same state or country that you are in?
BTW, I have been using AirVPN for a few days and really like it. Super minimal UI (which I like) and gets the job done. Also, I like that they accept Bitcoin as payment if you so choose.
I started using BlackVPN about a month ago because the highly personalized ads all around the web got extremely unnerving. Having accounts with FB/AMZN type services means they'll never go away completely, but it's better than nothing.
I'm curious if anyone has any commentary on other providers worth looking into. BVPN is based in Hong Kong which has a strong history of pro-privacy AFAIK, and they claim to not even have the technical ability to keep logs of relevant info. Either way, I think I'd rather have some random Hong Kong company have my semi-anonymized info rather than my ISP.
I recommend NordVPN. I have been using it for a while now with great success. It's easy, fast, and private. They don't log and their HQ is in Panama, so it's much harder to get info out of them.
(a) There's not much you can do with VPN that you can't do with SSH (actually I can't think of anything). And SSH is much more configurable.
(b) To avoid tracking of your browsing it is not a smart idea to pipe all your browsing through the servers of one VPN provider. A smart way would be to split up browsing streams, not to combine them.
I'm very sceptical about Mozilla writing such an ad page and trying to sell it as a reasonable technical blog post.
Every end user that can't use ssh can't use VPN either. It's only a lucky coincidence if it works for a few for a limited period of time. It's just that many VPN clients come with a very limited set of configuration and debugging output, which makes the average grandma more confident because she doesn't know all the shit that happens underneath.
Everybody who is able to repair a bike though is also able to use SSH.
When I travel to Asia (Manila), I notice not so much that there is a GFW type firewall preventing the connections, but rather that a lot of web sites are just firewalling all of APNIC's netblocks. So many web sites, in fact, that the quickest solution for me is to set up a Squid proxy on an IP in the US, and generally everything works flawlessly after that.
I didn't read the article but I want to say that the solution is not VPNs. We can end up being like North Korea where VPNs are forbidden. The solution is to have educated voters who do not vote for showmen like Erdoğan or Trump. https://youtu.be/fLJBzhcSWTk
Has anyone else had success with SoftEther? [0] I've used it for a VPS-based VPN but would like to know if it is GFW capable. Have been impressed with the code of that project.
I urge people to fight this politically as well. We know from China that most technologies can be blocked or legislated against. If you want a future with more freedom and privacy, fight this politically.
If you work for a company, organization, agency or nation state which drives people to use VPNs, please think for a minute about what you do and what you could do for users in the future.
Are we going back into time where we can draw parallels between internet access through an online portal like AOL and now when we are accessing our internet through a VPN?
Does anyone know a good OpenVPN client for Android? I have used both OpenVPN Connect and OpenVPN for Android but both get disconnected at random times, leaving me exposed.
I use OpenVPN Client. It works really well and supports autoconnect (including at boot) so that you don't need to worry about disconnects. The pro version even supports TAP without root. You can find the free version here: https://play.google.com/store/apps/details?id=it.colucciweb....
Is it worth it to create your own VPN with OpenVPN? I mean, if I do that, would it be better than a good VPN service? Considering security, features, etc.?
You know what should be easier? Being able to just run a docker image on a VPS like DO and instantly have a DIY VPN server that you can spin up on demand.
Be careful, Mozilla. When you blog about VPNs as Mozilla, you write from a position of authority. VPNs are a notorious minefield of shady providers and false promises. You do not want to recommend CyberGhost to your followers, then find out in six months when they show up in a court order that, oops, CyberGhost actually logs a ton of stuff that can be subpoenaed.
> Are VPNs truly private?
Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?
Look, if you see such an article from an authority, the authority is well aware of what they do to their name. They've built this authority with hard labor over years. So the chance is far over >67% that they are trying to cash out.
I'm in China at the moment using ExpressVPN (been using it for a year by now) and since about two weeks only three server locations work well (Hong Kong, Tokyo, Los Angeles). Some others work off and on. Before that most locations worked and some of them, Taiwan for example, used to be very fast. It's still usable for streaming and surfing but I'm afraid the end is near. I think sometime in the future one will have to go with Shadowsocks and/or similar protocols/solutions, but until then ExpressVPN is quite convenient (mobile client, router with ExpressVPN client).
I wish people would stop throwing this question at every headline that happens to have a question mark at the end of it. The headline here isn't clickbait, it's an attempt to answer a question that is pertinent to many.