I've come to the sad realization that if you want anything approaching no logs, you're going to have to use something slow like Tor, or you're going to have to do the illegal thing and make a botnet.
VPNs are only useful for avoiding ISP / local network surveillance like Comcast, your workplace, your school, airports, etc., and to avoid DMCA scare letters. Making your own with a VPS is worse, since VPSs log on some level and directly forward the DMCA scare letters to you.
Provider#1 only knows all traffic goes to provider#2. Provider#2 knows everywhere your traffic goes. They don’t know your IP, but you need to log in, so they know who you are anyways.
I think you need 3 levels. First level gets you to the second level. 2nd gets access to web-based email and bitcoin or single-use credit card payment to get the third level, which accesses data.
Obviously you use an assumed identity.
With only two layers you'd need to access emails, say, for account confirmation direct from your own system; with 3 you put a VPN in that gap.
Do VPNs re-pack and modify the timing on packages they pass on to clients? It seems like they'd need to if they're to avoid coordination attacks.
I'm recalling how a research paper showed an extraordinarily high number of pages visited (80%) over HTTPS could be identified using page size alone. If a TLA is watching all traffic into and out of a VPN's server, can they pair upstream traffic to downstream clients at all?