
I have had the opposite experience to OP. I have the macOS app installed on several Macs (laptops and desktops). They have all worked so well to the point that I even forget Wireguard is running. On top of that I upgrade macOS almost as soon as Apple releases a new version.

It is true that for updating WG you need to first disable the on-demand setting (probably only on Big Sur). But to me that is such a trivial hiccup considering it is free and generally bug free! On the rare occasions that I have had a non-trivial issue looking at the log file has provided clues.

My VPN cost is only about $5/month as I run my own instance of WG server in the cloud. Worth every penny! It is possible it could be lower if I used one of those $3.50/month AWS Lightsail instances but I never tried.

Go WG!




Any tips on how to run your own server safely? I get all paranoid because I’m terrible with security.



Just as a thing to keep in mind, if you're using Algo (or any other vpn software) with a commercial cloud provider, you'll hit more captchas and blocks than usual. For example, going to walmart.com will give a captcha page before being allowed on their website. Some websites will return HTTP 403, and some will just timeout.


https://github.com/fazalmajid/edgewalker/

(I'm biased, of course, being the author).


I use a Debian OpenVZ based VPS for this and uninstall or disable any services except the one I want (surprisingly this isn't the default :(, check what is listening with "ss -l46n"). The advantage of OpenVZ is that kernel patching is the job of the provider, so if you only have one service listening remotely then you should be ok as long as that service is ok.

I use SSH so far since WireGuard isn't supported yet. I also configure SSH to only allow the type of connection I want to use: public key authentication only, ports 80 and 443, plus (on both local and remote sides):

  Ciphers=chacha20-poly1305@openssh.com
  KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org
  HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
  MACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
Install unattended-upgrades and edit /etc/apt/apt.conf.d/50unattended-upgrades as desired. For SSH proxy, locally set "ALL_PROXY=socks5://127.0.0.1:2000" (with DynamicForward localhost:2000 locally). Or change socks5 to socks5h if you want DNS to be handled on the remote system, however this will prevent uMatrix and other blockers from getting DNS info needed to avoid considering some 3rd party content as 1st party so it is better to set up encrypted DNS locally (I use stubby but with just the provider I want). Many applications check ALL_PROXY these days but not all and I think Firefox needs explicit settings to use the proxy.

I use ramnode.com's $15/year OpenVZ and it works great like this for getting an encrypted connection past your local ISP and/or wifi (I think they ask for everyone's ID when you start). There are issues with some websites due to the IP address, but it is not nearly as many as using an anonymous VPN from what I've heard.
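The "check what is listening" step in the comment above, as an added example (not the commenter's own script): it reads the output of `ss -l46n`, skips loopback-only sockets, and prints any socket bound to a network-reachable address whose port is not on an allowlist. The allowlist "22 80 443" and the `ss` sample output below are constructed for the demo; on a real host the `audit_host` wrapper pipes the live command in instead.

```sh
#!/bin/sh
# Added example for this thread (not the commenter's own script): audit the
# sockets reported by `ss -l46n` against an allowlist of ports, so that only
# the service you intend to expose (here: SSH on 22, 80 and 443) is reachable.

# Constructed sample of `ss -l46n` output (not captured from a real host).
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    [::]:443           [::]:*
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0      [::1]:323          [::]:*'

# unexpected_listeners "PORT PORT ..."  < ss_output
# Prints "netid local_address:port" for every socket that is bound to a
# non-loopback address and whose port is not in the space-separated allowlist.
# Loopback-only sockets (127.x, [::1]) are skipped: they are not reachable
# from the network, which is what the comment is concerned with.
unexpected_listeners() {
  awk -v allowed=" $1 " '
    NR > 1 {
      addr = $5
      n = split(addr, parts, ":"); port = parts[n]   # last ":"-field is the port
      if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next  # loopback only, ignore
      if (index(allowed, " " port " ") == 0) print $1, addr
    }'
}

# Wrapper for a live host, e.g.: audit_host "22 80 443"
audit_host() {
  ss -l46n | unexpected_listeners "$1"
}

# Stand-alone demo on the constructed sample: flags rpcbind-style udp/111,
# ignores the loopback-only SMTP and NTP sockets.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_listeners "22 80 443"
```

Anything the script prints is a service to uninstall, disable, or bind to localhost before relying on "only one service listening remotely" as the security boundary.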


https://github.com/boosh/dawg

One command, and allows you to shut the server down when you don't need it. I might add support for lightsail too.


Wireguard Bounce Server setup: <https://news.ycombinator.com/item?id=25447805>


Just replied to another comment. Hope that helps.


By practicing. Run it anyway and get good at it.


“By practicing” is not a good way to get good at security, unless you want to make potentially devastating mistakes along the way.


How else can you get good at security? I guess you could read, but at some point you'll have to practice. And I never said you need to practice with sensitive information.


It depends on what you put at stake, obviously.


or you can use mullvad.net (supports wireguard protocol)

no activity logs

does not ask for personal information

anonymous payments via cash or cryptocurrencies

no subscription

hides your device's activity.


“No activity logs” is impossible to verify, and “hides your device’s activity” is basically untrue unless you do some gymnastics with the definitions of words.


Absolutely true. I still vouch for Mullvad though, it’s the one VPN provider I feel I can trust to reasonable extents.



How do you verify this?


Same here. Using the Mac app every other day and works well.


what made you choose trusting a cloud provider with your ingress/egress rather than a VPN provider?


a. I don't trust any VPN provider's claims. Plus I wanted more control including the ability to turn logs on/off if needed. As an experiment I started with an AWS Lightsail instance. It worked so well that now I don't feel I need anything with more resources (up to about 10 clients). That doesn't mean I trust AWS entirely but for now I will live with it. I like using a CLI and AWS's browser based CLI is pretty good (but be wary of copy-paste snafus).

b. The other reason I went with a cloud provider like AWS is that their static IP seems to be whitelisted fairly well, especially with their own service - Amazon Prime. So I have had no problem watching videos while traveling. Also in the past macOS and iOS updates were problematic via VPN. But that seems to have gone away. Maybe because they bypass VPN? I don't know for sure.

c. Many of my friends have been asking for help. I figured if I went with one of the big 3 cloud providers it would be easy for me to basically create an instance image preloaded with all the scripts and WG etc. that they can then run from their own accounts.

d. The big 3 cloud providers uptimes are far better than many of the VPN providers.


Why are you using a VPN? I think the main reason (now that Netflix et al block all VPN IPs) is generally that you gain privacy from your traffic being mixed in with hundreds/thousands of other people's originating from a single IP. With running your own VPN server, your IP is trivially traceable back to you as an individual. So now what do you get - encrypting vs. your ISP and/or country hopping (with no streaming except Amazon)?


Not OP, but as the name suggests, a VPN is a virtual private network: you can use it to create a private subnet from where you can securely access your other computers/resources, even from a remote location.

For instance, at work we are mostly remote, and use a VPN (OpenVPN here) to access the local network at the office with our on-premise build servers, and it also allows developers to work together sometimes (one running a debugging server on their dev laptop, another debugging the client from their own laptop as if they were sharing a local network, when actually they are hundreds of miles apart).


Thanks, but I don't need the wikipedia summary of a VPN.

It didn't sound at all like the OP was using his VPN to dial into work. He was dialing into a purpose-built VM which wasn't stated to do anything else - just tunneling his traffic for some unknown reason.


Op mentioned they use it while traveling. I use a VPN for, what are likely, similar reasons: I don’t trust the hotel networks or I want to access US region locked services while abroad.


Thanks for posting this - I was feeling stupid because I couldn't understand the same thing.


This is good if you're experienced with this sort of stuff, but I like to save time with the "set it and forget it" approach.

Relatives of mine got set up with a VPN in under 5 minutes just by:

1. download (vpn client)

2. pay (for a month or two)

3. switch it on and forget it.

In terms of on-boarding new users to use secure and recommended tools, I find this a massive achievement.


Trusting a VPN provider is an entirely different thing than trusting AWS et al though.

VPN providers are far more likely than AWS to do the kind of shady things that might matter to your relatives, like selling their personal data.


> VPN providers are far more likely than AWS to do the kind of shady things that might matter to your relatives, like selling their personal data.

How do you know that AWS isn't spying on your systems? Are they transparent? Do AWS release detailed transparency reports on their servers? You are identified when you pay for AWS no?

I'd rather trust a specialist privacy VPN provider like Mullvad, than me rolling my own VPN on a provider that isn't even transparent and that is hard to use for consumers other than myself.

my 2c.


Even if you trust the VPN provider, you also have to trust the VPS (or colo, though that has a more limited ability to spy) provider used by the VPN.


Saying "Trusting a vpn provider ..." is like saying "Trusting a person ..."

It's meaningless. VPN providers come in the same full spectrum of integrity as people or companies.


But how do you verify?


How do you verify that AWS isn’t introspecting everything on your instance and stealing your data?

At some point you can’t, you can only make a best judgement based on what they’re telling you and what you’ve found elsewhere.



There's an internet provider (usually unknown / changing) behind every VPN provider. Whichever VPN provider you use, you may be implicitly trusting any of the good provider at any point in time.


There's a huge difference between being mixed into a shared pool of IPs where the internet pipe doesn't know who is who, and having your own server with a unique static IP that shows up both as your VPN server and the source of the outgoing connections.


> It is true that for updating WG you need to first disable the on-demand setting (probably only on Big Sur).

Which means shutting down the VPN, and exposing your hardware serial (the MAS app transmits this to Apple, along with your Apple ID) and true IP (which is equivalent to your city-level location) to Apple.

Not a great state of affairs.


If one does not want the serial transmitted to Apple, a better solution is probably to switch to another OS.

I honestly see no problem with Apple knowing the IP address. It’s the same with Windows 10, since it will check for Windows updates frequently.

If you see these things as a problem it’s probably best to use Qubes OS instead.


Transmitting your hardware serial to Apple along with your direct IP gives Apple, and anyone with access to Apple's databases/logs, a record of your travel history, because IPs are city-level geolocation.

Macs and iPhones also maintain a persistent connection to the Apple push notification service with a TLS client certificate obtained via registering with the hardware serial.

Just because you personally are okay with Apple and, by extension, the US military having your travel history doesn't mean that there's no problem with it.



