I feel pretty double about VPN as a solution for masking my online activities. My reasons for using a VPN break down into these (related) categories:
1. Security. I don't trust this network at all, such as unsecured wifi in coffeeshop.
2. Access. This network has draconian restrictions I need to get around, such as corporate proxy servers or country firewalls.
3. Privacy. It's none of this network's business what I'm doing.
4. Legal. I don't want to get in trouble here. Especially when traveling where I don't know the laws, but increasingly in my own country. Hell, the courts in NL haven't figured out if TPB is legal, how should I know?
VPN can solve many of these problems most of the time... but always using a VPN means that I have a single point of failure for all four of these.
If my VPN provider is compromised, shady, or coerced to turn over my data, I'm sunk. In that way using various internet connections at home/work/coffeeshop/mobile may be better.
Valid point but there's nothing stopping you setting up your own VPN (either on a small VM from someone like Linode or, if you're paranoid enough, a cheap 1U server bought off ebay and placed in a colo facility).
For the single point of failure issue (which is also valid)... just setup two or more VPNs :) And, in an emergency, you can always fall back to the underlying connection.
Setting up your own VPN does not solve the traceability problem, unless you happen to find a colo facility that does business in face-to-face cash transactions only.
If you use Linode to set up a VPN, Linode knows your personal and Linode IP, knows when you access their network, and knows your name and billing info. If compelled by warrant they will turn that over to law enforcement.
Way better than an SSH tunnel (check the readme) and you don't need to have a VPN server on the remote server, just ssh access. Supports both Linux/OSX, been using it for nearly one year without issues.
Just a correction: you need ssh and python, since it launches a daemon on the server (it uses a clever way of doing that, by packing and pushing all the necessary code over the SSH connection to the Python interpreter).
I notice both you and drtse4 like the tool but only mention what it's advertised to do, and not anything specific about your experience using it over 'ssh -D'. How has using it changed how you would have used 'ssh -D' ?
I suppose the most practical purpose for sshuttle is for shell accounts on a box you don't own, if you need to do random transport-level stuff to remote hosts through an intermediary and you want to use a client on your local host. So basically NMap if your shell doesn't support it and you can't copy-and-run 3rd-party binaries. I'd be interested to see how well sshuttle performs under an intense NMap scan.
It's a matter of convenience for me, substituting both (partially) OpenVPN and 'ssh -D'. I use 7 browsers (incl. 4 Firefox profiles) and a number of terminal tools that I often want to be seen coming from a specific server IP address from my /24 block - saves time configuring all of them individually to use SOCKS proxy or setting up OpenVPN on individual servers.
Agreed, the thing I like the most is that it transparently forwards the traffic by configuring iptables, no more SOCKS proxy configuration to update every time and no DNS issues.
It also has a -x option that lets you exclude local subnets from the forwarding, e.g. -x 192.168.0.0/24.
What are the commands you use? I personally think 'ssh -D 8081 host1', 'ssh -D 8082 host2', 'ssh -D 8083 host3' and configuring each browser for each port might be simpler, but maybe it's the learning curve of a new command throwing me off.
It's like a VPN, since it can forward every port on an entire network, not just ports you specify. Conveniently, it lets you use the "real" IP addresses of each host rather than faking port numbers on localhost.
On the other hand, the way it works is more like ssh port forwarding than a VPN. Normally, a VPN forwards your data one packet at a time, and doesn't care about individual connections; ie. it's "stateless" with respect to the traffic. sshuttle is the opposite of stateless; it tracks every single connection.
You could compare sshuttle to something like the old Slirp program, which was a userspace TCP/IP implementation that did something similar. But it operated on a packet-by-packet basis on the client side, reassembling the packets on the server side. That worked okay back in the "real live serial port" days, because serial ports had predictable latency and buffering.
But you can't safely just forward TCP packets over a TCP session (like ssh), because TCP's performance depends fundamentally on packet loss; it must experience packet loss in order to know when to slow down! At the same time, the outer TCP session (ssh, in this case) is a reliable transport, which means that what you forward through the tunnel never experiences packet loss. The ssh session itself experiences packet loss, of course, but TCP fixes it up and ssh (and thus you) never know the difference. But neither does your inner TCP session, and extremely screwy performance ensues.
sshuttle assembles the TCP stream locally, multiplexes it statefully over an ssh session, and disassembles it back into packets at the other end. So it never ends up doing TCP-over-TCP. It's just data-over-TCP, which is safe.
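As an added illustration of the "data-over-TCP" design described above (this is example code written for this page, not sshuttle's own code or wire format), here is a minimal stateful stream multiplexer. The client side takes already-reassembled bytes from each local connection and frames them onto one ordered byte stream; the server side re-splits that stream per connection, even when the transport hands it arbitrarily sized chunks. The frame header layout, the channel numbering and the sample traffic are all assumptions made for the example.

```python
import struct

# Assumed frame layout: 4-byte channel id, 1-byte type, 2-byte payload length (big-endian).
HEADER = struct.Struct(">IBH")
OPEN, DATA, CLOSE = 1, 2, 3


def frame(channel, kind, payload=b""):
    """Encode one frame; the 2-byte length field caps a payload at 65535 bytes."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for one frame")
    return HEADER.pack(channel, kind, len(payload)) + payload


class Mux:
    """Client side: per-connection stream data in, one ordered byte stream out.
    No TCP segments are forwarded, only the bytes the local stack already reassembled."""

    def __init__(self):
        self.out = bytearray()
        self.next_channel = 1
        self.open_channels = {}

    def open(self, dst_host, dst_port):
        ch = self.next_channel
        self.next_channel += 1
        self.open_channels[ch] = (dst_host, dst_port)
        self.out += frame(ch, OPEN, f"{dst_host}:{dst_port}".encode())
        return ch

    def send(self, channel, data):
        if channel not in self.open_channels:
            raise KeyError(f"channel {channel} is not open")
        for i in range(0, len(data), 0xFFFF):      # split writes that exceed one frame
            self.out += frame(channel, DATA, data[i:i + 0xFFFF])

    def close(self, channel):
        del self.open_channels[channel]
        self.out += frame(channel, CLOSE)

    def take(self):
        """Hand the accumulated bytes to the reliable transport (ssh, in sshuttle's case)."""
        buf = bytes(self.out)
        self.out.clear()
        return buf


class Demux:
    """Server side: reassemble frames from arbitrarily chunked reads and track per-channel state."""

    def __init__(self):
        self.pending = bytearray()
        self.channels = {}   # channel -> {"target": str, "data": bytearray, "closed": bool}

    def feed(self, chunk):
        self.pending += chunk
        while len(self.pending) >= HEADER.size:
            ch, kind, length = HEADER.unpack_from(self.pending)
            end = HEADER.size + length
            if len(self.pending) < end:
                return                               # partial frame: wait for more bytes
            payload = bytes(self.pending[HEADER.size:end])
            del self.pending[:end]
            self._dispatch(ch, kind, payload)

    def _dispatch(self, ch, kind, payload):
        if kind == OPEN:
            if ch in self.channels:
                raise ValueError(f"duplicate OPEN for channel {ch}")
            self.channels[ch] = {"target": payload.decode(), "data": bytearray(), "closed": False}
            return
        state = self.channels.get(ch)
        if state is None or state["closed"]:
            raise ValueError(f"frame for unknown or closed channel {ch}")
        if kind == DATA:
            state["data"] += payload
        elif kind == CLOSE:
            state["closed"] = True
        else:
            raise ValueError(f"unknown frame type {kind}")


def demo():
    """Two connections interleaved over one transport, delivered to the server in 7-byte chunks."""
    mux = Mux()
    a = mux.open("10.0.0.5", 80)                      # constructed targets
    b = mux.open("10.0.0.6", 443)
    mux.send(a, b"GET / HTTP/1.0\r\n")
    mux.send(b, b"\x16\x03\x01")                      # constructed: first bytes of a TLS record
    mux.send(a, b"\r\n")
    mux.close(a)
    demux = Demux()
    wire = mux.take()
    for i in range(0, len(wire), 7):                  # deliberately awkward chunking
        demux.feed(wire[i:i + 7])
    return demux.channels
```

The point of the chunked delivery in `demo()` is the edge case a real tunnel hits constantly: the transport has no idea where frames begin, so the receiver has to buffer partial headers and payloads. Because congestion control runs only on the outer ssh session, the inner streams never see the retransmission-on-top-of-retransmission behaviour that TCP-over-TCP produces.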
I would say probably not. SSL based vpn is pretty common, and that's always done over TCP. Cisco does support DTLS, and ipsec happens below TCP, so it just depends on your provider.
An SSL based VPN can be done within a UDP wrapper. The outer layer can't be encrypted or the connection wouldn't work. It's the payload that carries your (TCP/UDP) traffic out at the other end of your VPN.
It uses iptables (on Linux) to route all traffic (or selected traffic) through the client-side component, and then forward it all to the server-side component.
"ssh -D" is closer to a proxy server:
-D [bind_address:]port
Specifies a local "dynamic" application-level port forwarding.
This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine. Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
as a SOCKS server. Only root can forward privileged ports.
Dynamic port forwardings can also be specified in the configuration
file.
On the other hand, sshuttle is closer to a VPN connection. If you're confused about the difference between a proxy and a VPN, then I suggest you hit up Wikipedia and do some reading.
The --dns option routes all DNS requests over the VPN connection. This means that you can't connect to a work VPN and (e.g.) browse porn on your lunch break. A cool option would be to route specific DNS requests over the connection (e.g. just requests for an internal DNS domain).
It certainly doesn't make you safe, but if the threat is a fishing expedition trying to get a few hundred or thousand Torrenters, the fact that they'd need a court order from a different country/jurisdiction might be enough to get them to leave you alone.
And a seedbox would work just as well for this purpose, and will result in much higher upload/download speeds and, in the case of private trackers, save you the costs of owning/running a PC on 24/7 to seed back your downloads.
I had some dodgy stuff going on over at an Amazon free tier, including: socks proxy, ping tunnel, Metasploit, semi hidden tor end-node, ctorrent, and a few other things. I also linked a 25$ visa card from a convenience store, so very limited traceability.
It's all very well saying a VPN services keep your communications secure, encrypted and away from the prying eyes of your ISP - but why would you trust a VPN provider more than an ISP?
These consumer-oriented VPN services marketing to bittorrent users seem kind of sketchy to me.
I trust a VPN provider more than an ISP. The reason is pretty simple, I trust a random company more than a 30-200 year old telecommunication company which has strong ties to government and content delivery networks.
How many VPN companies have deals with content networks? How many ISPs have a content network deal?
How many VPNs have a past of cooperating with government surveillance? How many ISPs have cooperated with police and government secret police?
How many VPNs have lobbyists in government? How many ISPs have lobbyists in government?
An ISP has all the reasons to snoop at the traffic of their users, and they commonly do. Their core product is advertised as a service that provides Internet connectivity. Their core product is thus not affected by much if they get caught snooping on their users. A VPN has few reasons to snoop (QoS is the major exception), and their core product is to provide privacy. If they are caught snooping, their core service of providing privacy suffers.
Thus, yes. I trust a VPN provider more than an ISP.
I think another reason to trust a VPN provider is that it's their reason to exist. If people find out that they're not really protecting their customers' privacy, they'll lose all their customers.
ISPs, on the other hand, provide a different service and privacy is merely an additional consideration. It's not their main reason to exist.
Not even that. Look into CALEA - a law which, summarized briefly, requires that ISP gear have backdoors for law enforcement packet capture.
There's a reason you don't see anonymous ISP's around in the USA; the laws as written explicitly prevent them from existing in any meaningful capacity.
> If people find out that they're not really protecting their customers' privacy, they'll lose all their customers.
Yeah, but given the lack of history, openness, and reputation a lot of the VPN providers have, it seems to me that a provider could just "pick up and move": start a new company with a new name and new IPs and what not, and just do it all over again.
Not to mention that there is also a pretty big incentive to sell out your users. Probably a high percentage of shady business that the entertainment industry normally can't get a hold of legally.
"but why would you trust a VPN provider more than an ISP?"
You probably shouldn't. There are most likely laws against your ISP listening in on your traffic, but not against your VPN. If the government wants to listen in it doesn't matter; your VPN service is forced to cooperate anyway, so you haven't gained anything.
If I'd use a VPN I'd make sure to use one that is in another country, probably making it a bit harder to connect the VPN and ISP to you that way - but hardly bulletproof.
The VPN account is directly tied to you by your payment details. Also most VPN services that claim to "not keep any logs whatsoever" are just a 3 page website with not much information. Maybe that's safer since they are low profile, or maybe it isn't? I honestly have no idea and I wish I did.
It feels like you're just trusting some random person to not mess with you.
- you can buy them in your name, and then after a few transfers/transactions it would take the collaboration of an army of disparate users worldwide to determine where the coins came from
- #bitcoin-otc in freenode
Although I do agree that's not easy to grasp for outsiders. It takes some time to get familiar with the best options. There's no way in hell they can connect your id with your coins (or a subset of it you keep for stuff like this) if you are moderately careful. Even satoshi-dice does the trick.
> you can buy them to your name, and then after a few transfers/transactions it would take the collaboration of an army of disparate users worldwide to determine where did the coins come from
Sounds exactly like money laundering to me, even if there isn't malicious intent. I'm genuinely surprised the government hasn't done much to try killing off bitcoin, even with it being (relatively speaking) a tiny fringe movement.
I thought anonymity was a big point of bitcoin, I'm a little stunned. So you're saying if I buy bitcoins off Mt. Gox or somewhere else, each coin contains some data linking back to me?
The way you track down someone using Bitcoin is complicated. Let me explain the way the Bitcoin network works.
Conventional banking assigns each new identity that enters through the door an account, to access that account you prove your identity. All transactions are kept confidential and in-house.
Bitcoin works by giving everyone an account and forgoing any identification. If you own the private key to the account you are the account holder. Next, all transactions are publicized. Since no one has ID information tied to their Bitcoin wallet, it doesn't matter if transactions are publicized.
Now here is how you get found out. If you use a service such as Mt. Gox which requires you to tie your identification to your Mt. Gox account, any bitcoins you send from Mt. Gox can be traced. So, when you corrupt bitcoins by using a site that has id on you, you lose your anonymity.
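As an added example of the tracing described in the comment above (example code for this page, not anything from the commenters or from a real chain-analysis tool), the ledger below is a constructed toy transaction graph. Addresses, transaction ids and the exchange name are made up; amounts are omitted because the question is linkability, not value. Starting from one address an exchange has tied to an identity, a forward walk over outputs marks every address the coins reach, and a second helper applies the common-input heuristic (inputs spent together are usually controlled by the same party).

```python
from collections import deque

# Constructed toy ledger: each tx spends from its input addresses and pays its outputs.
LEDGER = [
    {"txid": "t1", "inputs": ["exchange_hot_wallet"], "outputs": ["addr_A"]},          # KYC'd withdrawal
    {"txid": "t2", "inputs": ["addr_A"], "outputs": ["addr_B", "addr_A_change"]},      # "a few transfers"
    {"txid": "t3", "inputs": ["addr_B", "addr_X"], "outputs": ["vpn_merchant"]},       # paying the VPN
    {"txid": "t4", "inputs": ["addr_Y"], "outputs": ["addr_Z"]},                       # unrelated activity
]


def build_successors(ledger):
    """Map each input address to the set of addresses that directly received its coins."""
    succ = {}
    for tx in ledger:
        for src in tx["inputs"]:
            succ.setdefault(src, set()).update(tx["outputs"])
    return succ


def taint_forward(ledger, known):
    """Breadth-first walk from identified addresses.
    Returns {address: hops from the nearest identified address} for every reachable address."""
    succ = build_successors(ledger)
    hops = {a: 0 for a in known}
    queue = deque((a, 0) for a in known)
    while queue:
        addr, depth = queue.popleft()
        for nxt in succ.get(addr, ()):
            if nxt not in hops:               # first visit is the shortest path
                hops[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return hops


def co_spent_with(ledger, address):
    """Common-input heuristic: addresses spent in the same transaction as `address`."""
    linked = set()
    for tx in ledger:
        if address in tx["inputs"]:
            linked.update(tx["inputs"])
    linked.discard(address)
    return linked


def trace(ledger, known_addresses, target):
    """Is `target` reachable from a KYC'd address, and in how many hops?"""
    hops = taint_forward(ledger, known_addresses)
    return hops.get(target)
```

Running `trace(LEDGER, {"exchange_hot_wallet"}, "vpn_merchant")` gives 3: the intermediate hops add nothing, because every transaction is public and the walk simply follows them. What does break the chain in this toy model is coins that never touched an identified address (`addr_Y` to `addr_Z` stays unlinked), which is why the earlier comment's "army of disparate users" matters only if their coins are actually mixed in.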
Yes that or cash in the mail might be reasonable options for paying.
I guess my problem is more that you are trusting an overall unknown entity with your real ip, which is only one step away from your real info for someone who is able to compel that information from the VPN provider in the first place.
In e.g. Sweden, VPNs are not covered by the EU Data Retention Directive. ISPs are. I.e. they're not required by law to log more than what they need to bill you accurately. And of course you can pay for a VPN with bitcoin or prepaid credit cards.
Of course, your VPN can still _choose_ to log your IP address (e.g. if they're acting as a honeypot), so at some point you have to trust someone (perhaps by looking at whether there have been news reports of that VPN handing over data to other entities, ie. don't use HideMyAss).
How would that help? Tracker leads back to IP of your VM instance. Although your VM instance doesn't keep VPN logs, the VM provider would happily cough up your Name/Address/PaymentHistory in response to a court order. They wouldn't need to know your home IP address.
[..] all of your internet communication is encrypted and secured from eavesdropping.
The most important thing you need to know about a VPN: It secures your computer's internet connection to guarantee that all of the data you're sending and receiving is encrypted and secured from prying eyes.
Eh.. No?
It secures the data from you to the VPN provider. After that, it's just as open and unencrypted as it would otherwise be.
Sure, it probably helps protect your data from the local network & your ISP, and gives you extra anonymity. But after leaving the provider, the traffic would be in the clear, and if you use the same connection to log-in to your facebook, the anonymity will go out the window.
^ This. VPN is not a magic bullet. It stops your ISP from snooping and adds another hoop to jump through when tracing you. If the sites you visit (nodes you hit) are monitored you are still at risk.
'VPN' is becoming synonymous with 'anonymous online' but it is far from the truth. for eg. if you use the same web browser in non-VPN sessions as with VPN sessions the cookies being sent are the same and each website just linked your real session with your anon session.
It really needs to be VPN, plus separate browser, plus separate browser fingerprint, plus proper failover.
But that is much harder to sell/explain to users than something you just pay $6 a month for and forget about
The What Makes for a Good VPN section lacks one major and important aspect. Ping times (latency).
If you play games online, you want a VPN that is either close to you, or close to the game servers, or whose traffic is highly prioritized. If you are lucky, you might increase your latency going through a VPN compared to going without. It sounds illogical, but routing is not equal for all, and traffic might be boosted if your VPN's network has higher priority than your ISP.
Going from Europe to the US, I found that different ASes had latency differing by up to 200-300 ms, and this does not take into account the stability of it. One net had an average of 80 ms which only varied by 50 ms over time (the Swedish national university ISP). The Swedish ISPs that offer services to the public almost all use another backbone network than the university ISP, and that has an average of 250 ms to the US, with latency going up and down between 150-800 ms.
It's sad to see the reasoning for using VPN's being so deeply mixed with
bittorrent and similar things "worth hiding" according to some. There
are actually many good reasons to use various forms of secure tunneling.
Many ISP's serve requested pages from massive caches. Although provider
caching can improve performance in some cases as well as reduce
bandwidth costs for the ISP, it can often result in stale information
being passed to the client (you!).
Another common speed/cost improvement for ISP's is serving degraded
images from their cache -- by recompressing images (jpg) at a higher
compression ratio, the file size is reduced at the expense of degrading
the image quality. This is extremely common on mobile networks, but it
is becoming more common with land-based providers. In most cases, you'll
never notice, since you'll just assume it's a crappy image from the
original server. On the other hand, if you do any work with images, then
you could be stuffed by the modified images being delivered to you.
Having a consistent endpoint provided by a VPN provider can also be a
real advantage. For example, if you're doing checking, testing or
troubleshooting, against a system on the `net, then knowing what traffic
is yours in the logs can be really helpful. With dynamic IP addressing,
your endpoint (public IP) always changes. When you're using a VPN and
helping out a friend with something as trivial as reporting bugs, you
can tell them that the funky traffic from xxx.example.com is just you
running some tests. Even if the site owner isn't your best friend or
anyone you really know, it's great when reporting bugs to say, "Hey pg,
my traffic is always coming from la.tunnelr.com" so it's easier for them
to find it in their logs.
If you need to do your own pen testing across the `net and your ISP does
deep packet inspection (DPI) and egress filtering, then once again,
you're stuffed without a VPN or unfiltered remote host. Of course, you
need to be on good terms with your VPN provider and let them know in
advance that you'll be sending some dodgy traffic over their network,
but that's not a big deal most of the time.
If you participated in the recent Stripe.com Capture The Flag contest
without using a VPN or staged connection (ssh), then you really didn't
put very much thought into what could happen if some malicious person
rooted the game server and attacked the game participants. Sure, the
Stripe folks are fantastic, and they keep an eye on things, but no
person has sub-microsecond response times. ;)
Also, some ISP's have bandwidth caps and automated thresholds for
reducing connection performance, but they usually have a stipulation in
their contract excluding VPN bandwidth from the cap/limit accounting.
The reason is simple; business customers would use another ISP if the
caps/limits interfered with doing work, and most (sane) businesses
provide a company VPN to their employees for remote work.
I use http://www.tunnelr.com almost all of the time simply because it
makes my mobile (EVDO VerizonWireless) connection a lot more consistent
and reliable on UNIX (OpenBSD). A lot of mobile ISP's don't support UNIX
at all, and they expect you to run inane and unaudited software
("VZAccess" which is actually just rebranded stuff from SmithMicro).
Having a SSH connection present prevents some of the (intentional)
oddities of mobile connections (e.g. "pausing" the link/connection).
There are plenty of good reasons to use a VPN that don't involve
bittorrent or similar. The best reason of all is if your ISP does
not provide all of the exact details of their filtering and caching
methods --of course, none do.
> Another common speed/cost improvement for ISP's is serving degraded images from their cache -- by recompressing images (jpg) at a higher compression ratio, the file size is reduced at the expense of degrading the image quality. This is extremely common on mobile networks, but it is becoming more common with land-based providers. In most cases, you'll never notice, since you'll just assume it's a crappy image from the original server. On the other hand, if you do any work with images, then you could be stuffed by the modified images being delivered to you.
T-Mobile in the UK does this. They also re-write the HTML. This line is added after the first <html> - <script src="http://1.2.3.8/bmi-int-js/bmi.js language="javascript">
And they add an alt message to tell you how to update the images to the original images. Which is annoying if the alt originally contained useful information. (The original alt comes back if you update the images.)
I'm in the UK. Having images served from 1.2.3.x is suboptimal.
Dan, are you being cautious and making up those IP addresses, or
those actual IP addresses?
I ask since 1.0.0.0/8 is APNIC and 1.2.3.0/24 is the APNIC
"Debogon" project. For notes, a "bogon" is a supposedly
unroutable address, or more accurately, an address that you
shouldn't see in use.
I'm not making them up! It's what I see on the Chrome "status bar" (or whatever it's called now) and in the html.
1.2.3.8, 1.2.3.13, etc. I'm in a coffee shop at the moment, but when I get back I'll try and get a list of the IPs that are used. (The last digit is always quite small though.)
I wasn't entirely clear in my description of a "bogon" since the
definition is a bit hazy. Some define it as unallocated address, and
others define it as an address you shouldn't see in use. For example, if
you get a packet supposedly from 192.168.1.1 (in private address space)
on your public interface (i.e. has a public IP address), then some
consider it a bogon.
Address space that hasn't been allocated by any of the RIR's (Regional
Internet Registries like APNIC, RIPE, ...) are sometimes used without
permission, and usually for nefarious purposes. These are also
considered bogons since you should never see those addresses in use.
When you see a bogon, something is definitely wrong. It could be your
service provider is misusing address space that hasn't been allocated to
it, or it could be something far worse (malware, compromised network
routers, ...).
The "Debogon Projects" and "Bogon Monitoring" are run by the various
RIR's to find those who are squatting on misused address space, and also
to get firewall sysadmins to no longer block the unused ranges. Usually,
following the allocation lists of the RIR's is sufficient, but some folks
don't update their firewall rules as often as they should.
I did a bit of searching and it seems a few different mobile carriers
are doing this with the 1.2.3.0/24 range, but the important thing is
they should not be doing it at all. It would break the Internet if
everyone just used whatever address they felt like using.
Well if they are doing a mixed private/public net then it wouldn't be like the addresses are routable outside of their network. I've seen a number of clients which were essentially 'natted' behind the ISPs infrastructure. At its core the ISP gets all packets landing at their router and if they want to advertise an 'inside' route to 1.2.3.4 (or 10.0.0.1) that is something they could do successfully.
Yep, you're right; a net with mixed public/private addresses can
certainly work well when done correctly. Unfortunately, it can also
seem to work for some period of time when done incorrectly. The
trouble is, most people don't grasp the ramifications of doing it wrong.
I'm sure you understand the ramifications at least as well as I do, and
probably a whole lot better, but for the sake of everyone else in the
room...
When a network/ISP misuses unallocated address space by routing
the traffic to something internal, this prevents the inside of the
network/ISP from reaching those addresses normally. Unallocated address
space can be allocated by the RIR's at any time, so misuse of
unallocated address space results in parts of the Internet unreachable.
If some huge networks/ISP's (Comcast, Verizon, Sprint, ...) decided to
misuse the address block allocated to you for some internal purpose,
you'd be rightfully upset since it would prevent all users of those
ISP's from reaching your service/servers. Now let's assume you're a new
company and just got a new allocation of addresses from the RIR only to
find out the users of major ISP's can't reach your service because the
ISP's have already misused your address block for something internal
on their networks. Yep, you'd be livid, and livid with good reason.
If you put a lot of work into your misuse of unallocated address space,
all that effort could turn out to be wasted a few hours later when the
block you misused gets allocated. To reach the newly allocated block,
you'd need to redo all that work over again, correctly.
Yeah, I'd prefer they weren't doing content aware stuff (if they cared it would probably be optional, so I'm not surprised that they are doing it poorly).
I was mostly trying to confirm that it was the carriers and not malware or whatever.
This is T-Mobile mangling stuff. They do some other things which are annoying, but not Internet breaking. It's a sub-optimal Internet experience, but pretty handy for what I want to do.
> If you participated in the recent Stripe.com Capture The Flag contest without using a VPN or staged connection (ssh), then you really didn't put very much thought into what could happen if some malicious person rooted the game server and attacked the game participants.
What damage could an attacker cause? (And how would a VPN help?)
I may be wrong but it was my understanding that a VPN will slow down your internet connection. Is this not true anymore? For those that use a VPN do you keep it connected on your own secured wifi connection the entire day while working with no added lag?
I remember using hotspotshield and torproject.org in the past but they always made things so slow it wasn't worth using. Maybe those were just the free/cheap services.
It all depends on the service being used. Tor is especially slow because your traffic is routed through many points online. Hotspotshield is slow because of the bandwidth limits for the free service. If you pay for a legitimate VPN service, you will get what you pay for, a fast connection.
I bet that works. Based on advice in an older HN thread about VPSes, I looked on lowendbox.com and found a Chicago VPS provider for $20/year for a 128M/5G VPS with 200GB/mo. of bandwidth. It seems to run OpenVPN just fine for when I've wanted to use it; I'm just using it when I'm on untrusted wifi, or to route around a network block.
I installed TunnelBlick on my mac to be the VPN client; it was a nice interface to setup for the client side, and handles things like DNS flushing automatically.
I'm also going to setup ssh servers on 80 and 443 for times when access to ports is restricted by the wifi provider.
The local community college blocks all sorts of websites with nannyware on the gateway. I tried changing DNS to Google's: no change. I tried a few other things as well, no change. Looked for open proxies: "PROXY search prohibited".
What they didn't stop was looking for VPSes. I found one for 20$ a year as well. Loaded up immediately upon payment into a ubuntu 12.04 (rh, slackware, ubuntu, or debian: I don't care). I got a socks proxy running on its localhost, and then ssh tunnelled to the proxy. And there I went.
I do exactly this. Great for traveling to China and other countries where you might be outright blocked or worried about people snooping. Of course it doubles over on coffee shops and any other shared network you don't trust the provider or neighbors.
I run SSD Nodes (http://www.ssdnodes.com), which you can use to set up an OpenVPN/PPTP/SSH-Tunnel server for secure, private access. I've seen users in other countries using our cloud servers for VPN purposes because they got better, lower latency routes to most other providers (due to the optimized transit/peering connections at SoftLayer Infomart in Dallas, TX). [/plug]
One of the companies on our platform actually built an entire business around selling proxies for people in other countries to have better latency to gaming servers in the US. At one point they had all their proxy/VPN endpoints on our platform. Unfortunately they aren't in business any more.
I always use a VPN when on an un-trusted network, even if it's secured (someone could always be listening on the wired portion of the network).
Personally, I find "Cloak" (https://www.getcloak.com/) to be a fantastic app that works on my Mac and iOS devices. It's super-simple to get setup and running, and very cheap, too.
Anyone else missed the "why" part and only read about "what" and "how"? I read most of the article, but the only thing it says on the matter is that it encrypts your internet connection. This might be true, but what use is that? Why would I want to do that? That question is not answered. Or whynot use Tor instead?
Shameless plug: I've just spent the last few days figuring out how to correctly configure OpenVPN and pptpd on my Ubuntu servers + Android & OS X clients (it's a real pain in the ass). I'd be happy to install and configure those on your own server(s) for 5 BTC per install (I'm kind of short on money right now :().
True but it's much easier to set up on server side as well as client side. I mainly use VPN to get around firewall of China so security isn't really an issue for me.
Wouldn't getting around China's firewall mean that security is more, not less, important? I know that if I was in a country where the government could imprison me for what I read or write, I'd make double-certain my security is up to par.
I did L2TP/IPsec for mine since they are supported by default on iphone and android devices. Getting OpenVPN working on the iPhone requires jailbreaking, and android requires your phone to be rooted.
Plus, windows and OSX have native L2TP/IPsec support.
As a side note: If you have an android device running ICS (I assume JB works as well but I don't have any currently to test), you can run OpenVPN for Android
This presents a nice frontend to OpenVPN and doesn't need root.
Key points from the description are "Uses the new VPNService API that requires neither Jailbreak nor root on your Telephone." & "Only tun mode support (Sorry no tap, with Android 4.0 only tun can be supported)."
I use OpenVPN Server (with my WRT54GL router) and my Android Device(a Nexus One with CyanogenMod Nightly) connects correctly.
The initial configuration was very hard for me (especially the certs) but I'm satisfied.
I have tried PPTP Server (simpler than OpenVPN) but I avoid it because of vulnerabilities.
I'm starting to consider this pretty seriously due to a flurry of incoming snooping laws in the UK. I normally do a bit of SSH tunneling out to a VPS if I need a proxy; is SSH my best option/most secure option? What do others recommend?
1. Don't do anything the state considers naughty. I suggest you kill yourself now if you consider this viable.
2. Steal someone else's WiFi and deal with the moral consequences. You can do this by finding a "VendorA7E4B4" lookalike SSID (default configuration) and using the password calculator here: http://www.nickkusters.com/Services/SpeedTouch/Lookup - I only know of this as I had to lock my router down due to unauthorised access.
3. Use a VPN and risk being logged or falling foul of RIPA.
Best/most secure option for tunnelling traffic through to your VPS? SSH is definitely secure enough for that, provided you have a strong password or even better key-based authentication.
To make something like that more user friendly though you could just install VPN software like OpenVPN on your VPS. This also ensures things like DNS queries are sent over the VPN so they can't be intercepted on their way to the server.
Of course this assumes you trust your VPS provider, at least more than your ISP.
as long as you're sure you tunnel all the traffic through, so nothing "leaks" out to your local network. If you just do port-forwarding, you'll miss DNS, for example.
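The DNS leak mentioned in the last two comments, and the SOCKS behaviour of `ssh -D` from the man page excerpt earlier in the thread, come down to one byte in the SOCKS5 CONNECT request. As an added example (code written for this page, not from OpenSSH or any commenter), the snippet below walks both sides of a SOCKS5 handshake in memory. A client that sends the hostname with address type 0x03 lets the proxy end (sshd, for `ssh -D`) do the lookup; a client that resolves the name itself sends only a literal address, and the lookup has already gone to the local resolver outside the tunnel. The `LOCAL_DNS_STUB` table, the 192.0.2.10 address and the function names are assumptions for the example; `resolve_locally=True` stands in for a real `getaddrinfo()` call.

```python
import ipaddress
import struct

VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00

# Constructed stand-in for the client's local resolver (real code would call getaddrinfo()).
LOCAL_DNS_STUB = {"example.com": "192.0.2.10"}


def build_greeting():
    """Client -> server: version 5, one offered method, no authentication."""
    return bytes([VER, 1, NO_AUTH])


def parse_method_select(data):
    """Client parses the server's two-byte method choice; 0xFF means nothing was acceptable."""
    if len(data) != 2 or data[0] != VER or data[1] == 0xFF:
        raise ValueError("server rejected the offered auth methods")
    return data[1]


def build_connect(host, port, resolve_locally=False):
    """Client -> server CONNECT.  A hostname goes out as ATYP 0x03 so the proxy end
    resolves it.  resolve_locally=True models a client that looks the name up itself
    first (the leak) and therefore only ever sends a literal address."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None and resolve_locally:
        ip = ipaddress.ip_address(LOCAL_DNS_STUB[host])   # the query left the machine here
    if ip is None:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack(">H", port)


def parse_connect(data):
    """Server side: decode a CONNECT request into (host, port, atyp)."""
    if len(data) < 4 or data[0] != VER or data[1] != CMD_CONNECT or data[2] != 0:
        raise ValueError("malformed CONNECT")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return host, struct.unpack(">H", rest)[0], atyp


def build_reply(rep=REP_SUCCEEDED, bind_host="0.0.0.0", bind_port=0):
    """Server -> client: result code plus the bound address (often all zeros)."""
    ip = ipaddress.ip_address(bind_host)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([VER, rep, 0x00, atyp]) + ip.packed + struct.pack(">H", bind_port)


def parse_reply(data):
    if len(data) < 4 or data[0] != VER:
        raise ValueError("malformed reply")
    if data[1] != REP_SUCCEEDED:
        raise ValueError(f"CONNECT failed, REP={data[1]:#x}")
    return True


def exchange(host, port, resolve_locally=False):
    """Run both sides of the handshake in memory and report who resolved the name."""
    greeting = build_greeting()
    method = parse_method_select(bytes([VER, greeting[2]]))   # server picks our only method
    request = build_connect(host, port, resolve_locally)
    seen_host, seen_port, atyp = parse_connect(request)
    parse_reply(build_reply())
    return {
        "method": method,
        "server_saw": (seen_host, seen_port),
        "dns_resolved_by": "server" if atyp == ATYP_DOMAIN else "client",
    }
```

For the browsers and terminal tools mentioned in the thread, the practical setting is whichever option makes the client send ATYP 0x03: in Firefox that is the `network.proxy.socks_remote_dns` preference, and in curl it is a `socks5h://` proxy URL rather than `socks5://`. Tools that are not SOCKS-aware cannot be fixed this way, which is why the comments above reach for OpenVPN or sshuttle's `--dns` when everything, including the resolver, has to go through the tunnel.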
So on that note, are there any VPN providers that HN would recommend? Something preferably not based in the USA or any countries exceedingly friendly with the USA (so the UK, Sweden, etc are out)
Well, Mullvad is based in Sweden, which the asker didn't seem to like[1]. However, they do have exit nodes in the Netherlands too, if you prefer, and allow payment with bitcoin.
[1] Although I can't think of any suitable alternative countries – I mean, most countries are either fairly friendly with the US, or fairly corrupt, or both (or even fairly corrupt and fairly unfriendly with the US and currently surrounded by big US military bases on all sides). Perhaps the Principality of Sealand?
A VPN will help keep you semi-private for surfing the web. However, when it comes to something like Torrents, someone with a decent amount of knowledge and paycheck would probably not be stopped from finding out who you are.
For using bit torrent or other file sharing in a private, anonymous session, I would use I2P. In fact, they welcome it.
I'm not sure why a lot people put VPN's up on a pedestal. VPN's are useful for other things but I wouldn't rely on them for 100% or even 90% privacy against a foe that _really_ wants to know who you are.
VPN providers simply give you the VPN endpoint to use with e.g. OpenVPN configuration. They don't give you login information for a server (unlike VPS).
You could maybe run a server behind the VPN, but many don't give you a dedicated IP but use NAT. It could be that you're allowed to open ports and redirect them to you, but whether this is possible differs per provider. It's not usually part of the normal package.
Is http://www.tunnelr.com/ the same as any of these external VPN's? I'm not clear on the differences between OpenVPN type stuff and OpenSSH. Is this going to mask my identity online?
VPN is much more complete, and generally easy to use. 'ssh -L' sets up a single mapping. 'ssh -D' sets up a proxy on a port, and client software must be configured to use that proxy.
With a VPN, you simply connect, and you can access any services on any ports. Additionally, I think UDP is supported, which is a bit tricky with ssh tunneling.