* It's not actually a virtual private network, at least by the traditional definition. They route HTTP(S) and DNS traffic only; other protocols (presumably) get routed in the clear.
* IPv6 isn't supported at all.
* I might be missing it, but I can't find any cryptographic design documents or a threat model anywhere. A quick repo search doesn't even bring up any cryptographic primitives, which makes me wonder about malicious peers.
It's good to have more competition in this space, so I'd like to be wrong (or eventually wrong, feature-wise) about all of the above. But if I'm right, this is roughly the same as using a SOCKS proxy (and maybe a bit worse, if any other peer can futz with your traffic).
Some other sketchy bits, from a very quick perusal:
* Shelling out[1] to some tool that may be responsible for all of the heavy networking bits[2]
* Falling back on a non-monotonic clock but calling it monotonic[3]
* Another sketchy shellout[4] that calls a bunch of scripts with trivial interpolation/injection bugs[5]. It's not clear if the arguments passed to those scripts are remotely controllable, but it's sketchy.
That’s good to know. That being said: it’s not clear what role it’s playing (to me, it may be extremely obvious to anybody who knows what ZeroTier actually is), and it’s not clear why it’s being shelled out to rather than consumed via some Python API.
What about Zerotier 2.0 btw?
Was supposed to surface before summer, but seems to have stalled.
Might actually be relevant as more people are working from home now.
2.0 is still in the works, but took far longer than we hoped. We have back-ported some of its features to the 1.x branch and have a 1.6.0 beta (tagged 1.5.0) out now. 1.6.0 should be late this month. We are pushing for 2.0 by EOY.
2.0 is a major re-architecting for performance and versatility with a rewrite of the CLI and service layer (not core protocol). If we had 100% of our time to dedicate only to engineering we could have shipped it by now, but biz and other things got in the way.
These days any anonymizing proxy is marketed as "VPN". Probably because there's been enough marketing dollars spent on making the average joe equate "private internet" (whatever that means) with VPN, they'd be losing out on a lot of traffic if they market themselves accurately, and the difference is entirely lost on 99% of the potential market anyway.
I have a project I want to do that would involve a lot of YouTube scraping. But they'll throttle you if they detect it. This led me down the rabbit hole into the world of residential proxy services. Some of them[0] advertise up to 40 million IPs. I can't imagine many of the owners of those IPs know what they're being used for.
It would be cool if there was a reputable open source project that would let people share/buy residential proxy usage, but at the end of the day there's no way to guarantee people aren't doing horrible things with your IP.
This is why these days I roll my own extensions except for a few extremely popular ones developed in the open. Forget small QoL extensions, if I need it I write my own. Malware businesses routinely reach out to any remotely popular extension for acquisitions or “joint ventures”, it’s just too risky to install anything that’s not trust: ultimate, or known to be vetted by tons of people.
Btw, Firefox seems to have made it impossible to run extensions uncrippled from source without uploading to their server for signing. Utter madness.
Auto-update of extensions and apps should be set to off by default. There would be less reason for extensions to be bought by other developers for their installed user base.
Secondly, how come there is no regulation about selling chrome extensions and apps?
If you turn auto-updates off, you're just reinventing early 2000s desktop security and attackers everywhere will thank you. Updates need to be automatic but there needs to be stricter rules about notifications to users about changes in ownership or functionality. A huge fraction of this would go away if corporate liability didn't allow hiding all of this in terms of service.
This is said way too often, but in this case I think it's justified - I really don't understand how this is legal. Doesn't using a non-consenting person's computer and network resources for your own purposes meet the definition of "hacking" in most jurisdictions?
It probably isn't legal. But who is going to pay for the fight to stop it? Mom & pop who have had their home connection used? A class action that no one but the lawyers really win anything from? The fact that most of the projects involved are in jurisdictions that make the legal process more complicated and more expensive, or jurisdictions that simply don't care as long as it is affecting other countries and not them (coughChinacoughRussiacoughcough*)?
What the market will bare doesn't just apply to product pricing.
And someone clicking through a EULA might be an argument for them having invited the use of their resources by a very similar argument to that many used to justify using other people's WiFi back when that was gloriously insecure most of the time ("but the AP broadcast its existence, effectively inviting me to join, and happily gave me an IP address to work with, how could I not believe I was welcome to use it?").
I am an administrator on a forum that was attacked heavily by these "residential proxy services"; most of the time the users have agreed to a hidden EULA somewhere like at installation time of the extension buried deep within.
But almost everyone "a reasonable person" would not recognise or understand the technical words used in the disclaimer, nor even read all the way down where it's buried several links in.
I've never heard such service exists and uses browser extension user's network. It looks horrible. Possibly random browser extension user may arrested by unknown reason.
I periodically see ads on Kijiji (Craigslist for Canada) offering you 50 bucks for your internet connection. If that is the going rate, 50 million I enormously expensive.
The boxes have the ability to try to DHCP-release-renew your IP to get a new one after being banned for spam/fraud/DDoS/etc.
However, this is not how these residential proxies are sold- mass market ones with millions of IPs are generally botnet/hacked/malware/extension malicious author sellout/etc./ There are not actually millions of botnet user, they just try to make themselves look big. Like they say AT&T has a /8? So they get 1 botnet hacked PC on AT&T broadband and say "wow we have a /8 worth of proxies!!"). Criminals not known for their truthfulness.
The ones that ask you $20-50/m and to plug something into your network is generally used for fraud, account hijackings and maintenance (getting a stable IP for stuff like a credit card checkout or paypal account to use for more than a few days for fraud, long term social media abuse, similar) instead of mass market ban evasion.
These are split into either unknowing people with their computers abused like Hola, malware running proxies being sold, or otherwise. Some mobile games and chrome extensions expose proxies also as a monetisation method.
Don't support them.
I've been contacted by several of those "SDK companies" that basically turn phones and browsers into botnet drones for $0.01 an install.
There are no reputable ones; they are (>99,99%+ probably) all based off of unwanted adware or malware/botnet exploit installation. There are some fake ones that also commit wire fraud, fraudulent letters of authorisation and do BGP hijacking, which is arguably significantly worse.
Do you need residential IPs for this? As far as I've experienced, YouTube doesn't block dedicated server providers, as such you may be able to use a commercial VPN provider, some of them have 1000s of IPs and offer easy or automated ways to switch frequently.
SEO companies are big customers of products like this. Scraping Google at scale requires a huge budget for proxies and IP blocks, and I believe they apply ML to detect people abusing their service.
I actually don't think I would need to make a ridiculous amount of requests. The project is a pinning service where people submit a video URL so they can do things like manage lists of the videos they watch (think goodreads for web videos). I need to scrape the video description and tags for each submitted URL. It would be nice to just do it from the user's browser, but the same origin policy won't allow that. A browser extension is the next obvious route, but that has its own issues. I was thinking to first attempt the request via CloudFlare workers, then fall back to a residential proxy service. No idea how usable workers would end up being for this sort of scraping.
Yeah it would probably be the easiest way to get started. Their ToS[0] just seems so convoluted it's hard to know if you're following it or not, so I don't want to tie myself to it with no recourse.
Yes, I was going to mention this. I worked for a small company that had a YouTube product that retrieved video descriptions, duration, thumbnail, etc, using the API.
We started with 100k daily API calls and that got later increased to 1 million after requesting it.
I am at 10m+, keep in mind it isn't 1:1 with requests. Things like GET read only video metadata is one request, but if you are uploading a video, it might count as more out of your quota.
You are expected to be well behaved though. You can also lose your quota or API access for severe abuse, like using API to mass upload spam.
Yeah, and then you recycle the IP back into the pool for the next guy to work with. An operation I know of was getting 6+ million SERPs a day, budget for proxies was hundreds of thousands a year.
IPv6 is just not widely used, so when you do use it, you stick out like a sore thumb. Think like a bayesian: for Google, it's easy to just block whole /32s of IPv6 space.
For people who are even considering this as a nice service: setup a tor exit node and let it run for a week or so (takes time before it will actually route traffic through your new node) and experience the no more Netflix, captchas left and right and possible issues with your ISP & local law enforcement.
If you for a minute think this / your IP address will not be misused to scrape, grief, DDoS, up & download "questionable content", you are very wrong.
They tried to promote the launch of this service on a bunch of linux-related subreddits 6 months ago, and I wasn't much of a fan of the concept or the way they advertised it, in skipping over the p2p nature of the system.
Their answer to the question of 'what happens when a bad actor has their illegal activity routed through my connection' seemed illogical. They claimed that as more people signed up, the proportion of bad actors would decrease [0], which makes no sense to me.
Also, I'm not entirely sure what methods they have taken to stop a bad actor from collecting packets from other users that are routed through the bad actors exit node.
The worst thing IMO is the way it's being presented and marketed. The impression the website gives is that its just like all other VPNs but free, which is very misleading.
The main page copy seems misleading bordering on malicious:
> No bandwidth caps. No throttling. Stream all day, and download away.
Yes, no caps on the tunneled connection. But it will happily use up your home connection data caps with both your own and other people's traffic.
Then once you run an exit for long enough, your home network will get tor-like treatment from many CAPTCHAs and you'll be blocked from anything on cloudflare.
> FreePN never logs your IP or tracks your activity. (...) FreePN shields your data from prying eyes, giving you peace of mind.
FreePN doesn't log. But anyone running FreePN is welcome to do just that.
It's a perfect tool for that monitoring too. Tor browser at least has lots of extra protections. This one does not, so settig up a tunnel-to-tunnel routing node means you can listen to a lot of interesting things. (Without the liability of being a true exit node)
> Then once you run an exit for long enough, your home network will get tor-like treatment from many CAPTCHAs and you'll be blocked from anything on cloudflare.
That'll take a matter of minutes. It doesn't take much to get on googles shitlist as soon as you do any sort of bot activity against their services. I manage to get on it by just searching humanly!
Our posts a few months back were largely exploratory posts - seeing if there was actually demand for the product (or at least enough to pursue the project!).
Since FreePN is such a technical product, we've been iterating a lot on our messaging. We are still in very early stages, but we do have some mechanisms planned to mitigate the effect of bad actors on the network:
- we plan to build in something similar to HTTPS Everywhere to the product, to automatically upgrade connections (and we only route traffic on ports 80 / 443 (optionally 53)).
- we also plan to build in the ability to allow peers to block certain categories of traffic from going over their connection (using blocklists similar to those used by Fortiguard -- so you could block all torrenting sites, as an example).
> They claimed that as more people signed up, the proportion of bad actors would decrease
I can see the reasoning here: bad actors will be the first to jump on such a service. They actively search for new services that they might be able to use to pipe their traffic through. Awareness amongst the wider population will grow more slowly, as they aren't for the most part actively looking for it, so as that awareness spreads the ratio of good-to-bad will likely improve.
Though the absolute number of bad actors I expect is enough for me to dismiss ever knowingly installing something like this on any device I own (or allowing it on any network I have some responsibility for), no matter what the good/bad ratio is like.
Indeed, there is no plausible deniability in someone viewing child porn using your connection, in the same way you are responsible for securing your wifi connection.
This is no different than that shady p2p VPN product that was shipped as a browser extension.
If its P2P it means it uses other peoples' nodes as your exit node, sort of like Tor but without the onions.
That's risky. What happens to me if someone does something illegal via my connection? How could I prove it wasn't me? Maybe I could win in court by citing my use of something like this, but I really don't want to be dragged into court in the first place even if I end up walking out.
Routing traffic for specific domains with known legal content is questionable practice, but at least it’s safe from the specific concern here (until someone finds an exploit, maybe a bad domain parser or something).
Routing arbitrary traffic is plain risky, it is entirely conceivable to be arrested for it, or at least be searched, whether you can explain it away later or not. “Other providers are doing it too” hardly makes it any less risky.
This seems like a decent tool to use in an oppressed, non-free country.
Except Tor (or Whonix or Tails), WireGuard, or ZeroTier are a better option.
All of these allow better management (and therefore control) of routes.
There is a very good reason Usenet does not require uploading, and P2P protocols like BitTorrent are used with a VPN. It provides a reasonable enough protection against a civil actor such as RIAA and MPAA while a determined actor (with more control over the used networks can dig up the data trail. Ie. police in case of serious crimes such as CP.
On a somewhat related note what was the name of the end of 90s pseudonymous network where you had to buy a 'nym' and could renew it for money?
This actually uses ZeroTier under the hood. It uses ZT as the transport, encryption, and network virtualization layer and then does P2P exit node stuff on top of that.
ZT would be useful for this from an oppressed country because it is used by a ton of businesses. You would just look like you were accessing a corporate ZeroTier DVPN from home, which is pretty common these days.
That's better in some ways than Tor. The problem with Tor is if you use it naked then it can be obvious that you're using Tor. Even in countries like the USA I've always been concerned that using Tor might put you in some kind of database. In a very non-free country I'd be really worried about using Tor naked, meaning without running it over something more mundane looking like ZT or Wireguard.
"Should", yes. (Details obviously depend on jurisdiction) For that, they get a warrant to search your home and for your computers to be confiscated to do the forensic analysis on them. You might get them back after a few years if nothing can be proven. They also might tie you into it for knowingly supporting it by installing such a VPN, some places make you responsible for everything happening through your connection by default. See the "fun" people operating TOR exit nodes have for what can happen.
True, but there is a big difference in operating an exit node and using a VPN. Millions have VPNs installed. These is only a small amount of exit notes, and millions use VPN.
I'd argue that the chance of being accused because someone used your connection in p2p VPN is less than when someone will use your wifi to do something illegal.
The more relevant question is, what does this software offer that would make it worth taking on this risk?
For whatever values of 'this risk' you evaluate running this code to carry.
Arguing semantics with a prosecutor might be your idea of a good time, but that seems to me like the sort of thing I could do without. In any case, they may call this a VPN, but it isn't a VPN in the sense that term is normally used, and it certainly isn't even vaguely similar to that VPN connection you make to the office.
Why can't anyone who join be incorporated as a utilities provider, and shed the responsibility of monitoring the traffic (and the legality of it) to the initiator of said traffic?
I mean, ISPs do this don't they? Telephone networks do this don't they?
ISPs generally are able to pinpoint the originator of the traffic, ie. for a given connection 3-/5-tuple provide information on the originating customer, their physical address, contract data, etc.
This is the tradeoff when registering an ISP in the jurisdictions I'm familiar with: you are immune to legal action concerning the data that is carried over your network (ie. you won't get raided for a customer sending death threats), but in return you must cooperate with the authorities and provide data on your offending customers. You must do whatever is necessary to be able to provide this data upon a subpoena: from assigning static IP addresses / CGNAT port ranges to customers, to logging every NAT translation from your roaming mobile network.
More seriously, I do think it's an interesting start, I think it creates a platform that you can use to test out some interesting ideas. Good luck with it.
It looks like this will help protect your privacy when configured properly, however, it may be more difficult to accomplish one of the key values VPN users seek: navigating around censorship walls. Does anyone know if it's possible to specify the location of your exit node in the network?
This is all very unexpected actually! (No one from FreeVPN made the post here!) We've been doing some early market testing in a few Linux communities on Reddit, but full disclosure, the product is currently in an early-alpha stage (it’s only available on Ubuntu and Gentoo Linux currently, and very much under construction). We have big ambitions for the project, but it is still very early days.
Love hearing the feedback from everyone here — some very valid criticisms from a lot of folks — and on a lot of points that have been brought up here, we actually have plans to address. A few bullet points on where we are as an organization / project:
— the marketing copy isn’t set in stone — I’ve been working on the site a bunch recently & it’s very much in flux (we’ve been posting in a few Linux communities to see what the response looks like)
— when we posted a few months ago about the project, in all honesty, it was a demand test to see if this would be something worth pursuing — but we’ve been trying to take the feedback from those posts to heart in our development process
— we market ourselves as a VPN, but to be clear we _are_ a dVPN (distributed VPN). The peer-to-peer VPN wording on our site is mostly for the sake of simplicity. I’d point most folks to our project README on GitHub for more in-depth technical details.
— right now FreePN is structured as a 1-to-1 peer connection, but we eventually plan to build in multi-tenant peer support as well as optional multi-hop routing (similar to Tor) and selective whitelisting of domains so that as a peer you can elect to categorically block certain types of sites — say torrenting. These blocklists would draw from open-source category site-lists like Fortiguard.
— we do currently only route web traffic (+ DNS) — so only traffic on ports 80 and 443 is being routed (optionally port 53)
— we don’t currently support IPv6 (though we have plans to add support in the future)
— we don’t log traffic (you can see in the repo), and while peers logging traffic is a potential concern, that’s only true if you’re using non-HTTPS connections (we have plans to bake in something similar to HTTPS Everywhere, automatically upgrading connections).
As far as our vision for the product — our goal for FreePN is to eventually become a ‘privacy all-in-one’. We started FreePN because we care deeply about internet privacy — but trying to protect yourself online practically is a very technical and time-consuming endeavor (basically — it’s really hard to protect your privacy online, and we’re trying to make it easy). In terms of features, we’re working on building in ad-blocking as our next major milestone.
I’ll do my best to respond to everyone’s questions and concerns here this evening / in the morning & tomorrow as I’m able!
"Every user is exit node" concept in addition to legal question raises more practical questions. What are you going to do if majority for your users (and when you call something "free" the chance increases) will be from countries like China, Russia, Iran and other where government controls and blocks a lot of the websites and services? And I'm talking not about surveillance but about actual block of the IP subnets like Russia did to AWS, DO and GC when they tried to block Telegram.
Also on the website you declare
> No bandwidth caps. No throttling. Stream all day, and download away. Unlike other VPNs, FreePN will never bottleneck your connection.
Sorry but this is simple lie. If we will take Turkmenistan (their internet censorship is better than China's one if you wonder why I take this unknown country) max bandwidth you can get as average citizen is about 2mbps. And there will be users (exit nodes) from TM for sure so for external users there will be bottleneck.
While the distinction between these two concepts is purely semantic to tech folks, the choice by this company to exploit that purely semantic difference by tacitly implying a falsehood in marketing to non-tech-tolks is significant.
- Right now we're still undecided / exploring different ways of monetizing the product! (something similar to Adblock-Plus though is our leading idea).
- We're working on a way to disallow users from acting as exits for certain kinds of traffic - so you'll be able to categorically block certain kinds of sites through the UI in the near future.
- Even with DoH on by default in the browser, we can still override / specify a DNS server.
Let me know if you still have questions / any of the above is unclear!
> We're working on a way to disallow users from acting as exits for certain kinds of traffic - so you'll be able to categorically block certain kinds of sites through the UI in the near future
To block something you should know that it exists. Do you have full and actual list of CP resources? I doubt. So what is the point of ability to block something if you even don't know that it exists before it is too late. The only way to deal with it are whitelists but who will use "VPN" if only certain websites will be accessible?
> We're working on a way to disallow users from acting as exits for certain kinds of traffic - so you'll be able to categorically block certain kinds of sites through the UI in the near future.
How does this stop someone posting ISIS propaganda to Twitter? Or uploading CP to Google Drive?
> Even with DoH on by default in the browser, we can still override / specify a DNS server.
Can you? Browsers don’t respect the system’s DNS settings even with plain old DNS over UDP so I don’t think that’s the case. I might be missing something though!
Posted a bit about how we plan to approach this above, so just re-pasting:
> - we plan to build in something similar to HTTPS Everywhere to the product, to automatically upgrade connections (and we only route traffic on ports 80 / 443 (optionally 53)). - we also plan to build in the ability to allow peers to block certain categories of traffic from going over their connection (using blocklists similar to those used by Fortiguard -- so you could block all torrenting sites, as an example).
You do realize you can get people in trouble for proxying traffic even to legit websites? Like, get someone a visit from the cops because someone else used their connection committed wire fraud on an auction site.
We're still exploring different methods of monetization, but leaning towards an Adblock-Plus style model at the moment (but would want to keep any ads we served entirely local / we'd never send any data off device & would want to be as transparent about everything as possible). Personally, I think it keeps our interests best aligned with those of our users & helps keep the focus on preserving user privacy!
So, if I understand correctly, this means that in the long-term you are going to nerf your (future) adblock feature and actually go a similar route the the Brave browser is going with their ad system?
The privacy community did not react positively _at all_ to this. This also has gotten them quite a lot of negative media coverage.
Also, how are you funded short-term? Like, right now?
We are still evaluating the best way to go about this, but yes, we've been looking at the way Brave approaches it as well (though of course, we'd like to do it in such a way that everyone's incentives align / we don't compromise user privacy in any way whatsoever).
Short term, I'm self-funding the company (day job + previous exit of an entirely unrelated company).
Self-funding! This is great, did not expect something like this coming from VC-land SF.
We at https://safing.io/ are also self-funded, but also receive a lot of public funding.
Interestingly our visions are very similar, but our technical views seem to differ a lot.
I think monetizing a privacy product without having the user pay is extremely hard. There will need to be an extremely high amount of transparency everywhere.
Thanks! Yeah it's definitely been a challenge, but I think it's worth the effort to try to make sure we're keeping incentives properly aligned and really get things right before we try to scale up!
> I think monetizing a privacy product without having the user pay is extremely hard. There will need to be an extremely high amount of transparency everywhere.
I would agree with this wholeheartedly -- we're still very early stages, but trying to keep things as open as possible in terms of our tech & intentions with everything.
> but also receive a lot of public funding.
Curious what sources you receive public funding from?
Anyone else getting "NetworkError when attempting to fetch resource. Please refresh and try again." when trying to sign up for email notifications for MacOS?
So, wait... Let me get this straight-- This is a p2p VPN, so, it basically routes other people's potentially illegal activities through your own IP address, so you can do the same over other people's IP addresses? And they don't even mention that fact on the front page? Talk about disingenuous...
Like, goddamn, VPNs aren't THAT expensive. Not compared to, IDK, a lawyer, or missing a day of work because you're in a jail cell, trying to explain to some cop that you installed a program on your computer that let other people you don't know do random stuff on the internet over your internet connection without your own knowledge or involvement, and you aren't complicit in any way...
Exactly. There is no "hiding in the masses", there is no "plausible deniability" going on here. If someone downloads CP or terrorist manuals using your connection, try explaining that to the dumb cops that you were using a p2p distributed VPN and that it "honestly wasn't me officer".
Oh thanks, that makes sense. I was trying to figure out what the upside was for this, but I forgot about the 1-on-1 potential with the feds. It's pretty hard to get in touch with them otherwise.
It's actually not that difficult. Our business had a massive illegal purchase attempted by a shady character. Googled FBI location closest to me. Actually got a human to answer and discussed how we should proceed. Surprised me much.
The reasoning behind a p2p model is largely so that we don't have the massive overhead of traditional VPN companies & are able to offer the service entirely for free. Not having the overhead allows us to explore different potential methods of monetization that might not be feasible otherwise.
Its not just that though. There are lots of privacy attacks on this kind of system that you have to be careful to avoid.
How easy is it in this system to force a specific user to use you as their exit node during a targeted attack? Given the state of their website, i am going to guess pretty easy.
You are trying to cater to a privacy-minded audience yet you provide literally no information on how the whole thing works. I don't think you fully understand how crucial a very detailed technical spec is for the adoption of a tool like this.
The first question with any P2P project is if I have any control over other people's traffic that passes through my system. No mention of this anywhere, leave alone a detailed discussion. I saw your replies here on this subject and they are ultimately... inane if you pardon the bluntness. I realize that you mean well, but you are exceptionally naive in terms of how quickly a system like this will be abused to a very severe degree.
But this isn't a VPN, it's just a glorified p2p "residential proxy" service (only forwards HTTP/S traffic and optionally DNS). And when you run this you become an exit node for other people. Scary stuff.
Some observations:
* It's not actually a virtual private network, at least by the traditional definition. They route HTTP(S) and DNS traffic only; other protocols (presumably) get routed in the clear.
* IPv6 isn't supported at all.
* I might be missing it, but I can't find any cryptographic design documents or a threat model anywhere. A quick repo search doesn't even bring up any cryptographic primitives, which makes me wonder about malicious peers.
It's good to have more competition in this space, so I'd like to be wrong (or eventually wrong, feature-wise) about all of the above. But if I'm right, this is roughly the same as using a SOCKS proxy (and maybe a bit worse, if any other peer can futz with your traffic).