
Do you need a VPN? - thesumofall
https://blog.mozilla.org/internetcitizen/2017/08/29/do-you-need-a-vpn
======
terrywang
Grew up in China (moved to Australia in early 2008) where the GFW is in place
and getting overwhelmingly powerful. I've been through multiple stages to
cross the `great wall`: SSH dynamic forwarding, PPTP, OpenVPN and now IPsec
(strongSwan). The GFW has evolved so much (capable of massive scale MITM
attacks, DNS spoofing, traffic sniffing etc.; you'll be amazed how capable the
GFW is - of course courtesy of the team behind it) that it makes it increasingly
difficult for people to access the real Internet.

I've ditched PPTP (not safe any more) and shifted to IPsec (IKEv2 + RSA with
X509, IKEv1 + PSK + XAUTH) as it is being used by a lot of MNCs - can't
killall. The GFW has developed techniques to detect OpenVPN well and it is
easily blocked, so I don't use it at all. Over the past few years many home
brewed protocols have emerged - e.g. shadowsocks and variants and many others
(I've never used any of them).

The best thing to do with a VPN is to understand the basics of the VPN
solution of choice, try to install and configure it from scratch on a VPS and
use that as your main protection (encapsulation) while using public Wi-Fi or
an untrusted network. There have been many good discussions on how to do this
on HN.

NOTE: I am maintaining around 10 strongSwan powered IPsec VPNs and 2 OpenVPN to
help family members and close friends access the real Internet (have to
keep a low profile though). Funny though, my networking skills evolved with
the GFW.

~~~
stevenjohns
I will be traveling to China in a couple of days and was ignorantly hoping my
OpenVPN-based VPN would work.

Do you recommend that I set up strongSwan?

~~~
jbg_
Another option is roaming on a foreign SIM card - this usually bypasses the
GFW quite effectively; roaming is effectively a VPN back to the home provider,
and there seems to be some whitelist for these roaming tunnels. The providers
probably provide surveillance access to the Chinese govt, but you will not
have trouble accessing Google and other blocked sites, and any VPN you like
should work fine through a roaming SIM.

Whether you can find one with reasonable data rates in China is probably the
main question.

Two that I have used with great success are Kyivstar from Ukraine and China
Unicom HK (note it must be HK, not mainland China). Others may be listed at
[0].

[0] [http://prepaid-data-sim-card.wikia.com/](http://prepaid-data-sim-card.wikia.com/)

~~~
L_Rahman
I can confirm that the foreign SIM card override works from my experience a
couple of years ago.

My T-Mobile had free international roaming baked in at 2G speeds. Unlike the
US however, most foreign carriers in developed Asian nations (China/Korea)
don't support 2G fallback, so I had free 3G everywhere.

It was pretty much like using the American internet.

------
Sylos
When evaluating a VPN service for trustworthiness, I always look at what their
webpage loads in terms of tracking scripts.

Basically, if you offer me the service to protect my IP address and don't even
have the decency to let me inform myself about your offering without handing
over my IP address to Google et al., then I'm not using your service.

Unfortunately, VPN providers collectively don't seem to be aware of this
presentation layer, so it's nigh impossible to find one which doesn't violate
privacy here.

So far, I've found exactly two: azirevpn.com and airvpn.org

They load in Piwik, which I'm okay with.

These two providers also check a lot of other boxes for me, but yeah, it's
still just two providers after hours of research, so if anyone knows any other
VPN providers with privacy-respecting webpages, please do tell.

~~~
DavideNL
> I always look at what their webpage loads in terms of tracking scripts.

Note that this is also one of the criteria in the VPN comparison chart:
[https://docs.google.com/spreadsheets/d/1L72gHJ5bTq0Djljz0P-N...](https://docs.google.com/spreadsheets/d/1L72gHJ5bTq0Djljz0P-NCAaURrXwsR1MsLpVmAt3bwg/export?format=xlsx)

by [https://thatoneprivacysite.net/](https://thatoneprivacysite.net/)

~~~
Sylos
Which itself is hosted on Google Docs. Does not compute, does it?

I mean, sorry if I sound rude and thanks for trying to help, but yeah, I'm not
clicking on that link.

------
wakkaflokka
I always ask this on the VPN threads here, and don't feel like I get a solid
answer (I'm not particularly well-versed on the topic so I'm genuinely curious
and would love to be corrected).

If I go to Bob's website on my computer without any VPN, and Bob wants to find
me, all he would need to do is get my IP, call my ISP with a warrant, and then
get my information.

If I go to Bob's website while logged in with a VPN, and Bob wants to find me,
he first sees that he's getting tons of hits from this IP because thousands of
users are sharing this same VPN. So then he uses some kind of fingerprint to
figure out my unique user sessions. Then he calls the VPN company, and asks
them to associate the IP and specific browser sessions with me. In that case
a) the VPN really does store logs even though they advertise they don't, so
they're able to associate me with my activity, or b) they really don't store
logs and have no idea which one of its thousands of users logged into his
website with that IP.

It seems in the latter case, even with a malicious VPN, it's one additional
(maybe trivial step) to associate me. But it's still better than just using
your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their
ISP?

So what is the downside to using a VPN if you're aware that they aren't
foolproof vs not using a VPN at all?

If you roll your own VPN on AWS or the like, don't you lose the benefit of
sharing the VPN with thousands of users? Wouldn't it be easier for Bob to call
AWS with a warrant and get your account info than mess with some offshore VPN
provider?

~~~
gvb
_So what is the downside to using a VPN if you're aware that they aren't
foolproof vs not using a VPN at all?_

The downside in a nutshell: "Researchers recently tested 300 free VPN apps on
Google Play and found that nearly 40 percent installed malware or malvertising
on users’ machines."

"Bob" very likely doesn't know you even exist and doesn't care. The downside
of VPNs is that many VPN hosting companies are even less trustworthy than
"Bob" and _do_ care who you are. An unscrupulous VPN provider can MitM your
connections, harvest anything you give the VPN's app privilege to see
(probably a _lot_ ), etc.

Step one of security is to understand the threat you want to defend against
and make sure your defense against that is (a) adequate, (b) appropriate, and
(c) not compromising you in other ways.

~~~
mirimir
Well, never use free VPNs!

Also, don't choose a VPN based on some online review. Most of those are
basically paid advertising. Either "pay if you want a good review" or "pay
more for higher rank", or stuff by independent affiliates, who get paid for
referrals.

Better, choose VPNs that have been recommended by consensus in relevant
communities. Torrent users. Wilders. Me ;) And by the way, I do consult for
IVPN, but my opinions are otherwise unbiased.

~~~
btown
What is your opinion on PrivateInternetAccess?

~~~
godelski
They've been recommended by a lot because they recently backed up their claims
of no logging (FBI asked them for data, and they couldn't provide it). You'll
see that they are ranked pretty high on this list, where there are some
breakdowns. They are pretty cheap and popular too. Popular helps by making
associations more difficult. That is seeing a VPN server accessed page X and
that you were accessing the VPN server at said time. A college student was
connected to a bomb threat by this method, being he was the only one on campus
to be using TOR at the time the bomb threat was made (from TOR). You'll be
fine with any VPN that is relatively popular and doesn't do any tracking.

~~~
Odin78
A relevant detail to that story is that he admitted his guilt under
questioning. Had he continued to deny any involvement, they would not have
been able to prove that he was sending the bomb threat, as it could have been
from someone who wasn't on campus.

~~~
godelski
Very true. But there have been several instances of cases like this. And this
thing doesn't matter if your VPN logs or not[+]. But what I was trying to
point out is that these types of access collisions are important to
understand. And why I don't think people should roll their own VPN.

[+] I'm not trying to advocate crime here or advising how to avoid it. Just
trying to bring to light a vulnerability.

~~~
confounded
> _And why I don't think people should roll their own VPN._

People who are interested in not being identified probably shouldn't. But
there are good security reasons to potentially do so.

------
bhauer
I wish that we had arrived at a different term for third-party VPN proxy
services. I use VPN connectivity to my home network whenever I am on the road
so that my traffic is encrypted over-the-air (Wifi) regardless of its protocol
or destination. When I read, "Do you need a VPN?" I think "I love having a
personal VPN to my home network that I use from everywhere. You might love it
too!" I am evangelical about creating and using a personal virtual private
network—that is, a "VPN" in the more traditional sense of the term.

And then I realize the question is actually about third-party VPN proxy
services, which seem to be a substantially different use-case.

It's just a shame that the term "VPN" has become so ambiguous.

~~~
heylook
Would you mind sharing your tips for setting this up? I've been considering
doing something similar for a little while now but am unsure how to get
started.

~~~
bhauer
Not to trivialize it, but the basic steps are:

1. Add a VPN host to your home network, either as another role on your
router/firewall or as a role on a host inside your network. For example, if
you're running pfSense as your firewall, you can add an IPSec/L2TP or OpenVPN
role to the pfSense host. Many hardware router/firewall devices have VPN host
capabilities. You can start simple by defining users at the VPN host. Later
you can use your home network's LDAP directory for users, but I personally
didn't bother doing that.

2. Set up your laptop(s) and phone(s) to connect to that VPN. Disable "split
tunneling" on the devices. If split tunneling is enabled, only traffic that is
intended for your private network would be sent to the VPN. Disabling it
requires that all traffic—even traffic destined for the public Internet—be
routed through the VPN host.

3. Connect to the VPN whenever you are outside of your home.

4. You can optionally assign a static private IP to each device so that when
you're connected, all devices use known IP addresses that you can name using a
local DNS server. This would allow you to, for example, reach your laptop by
the name "laptop.yourdomain.org" (or whatever). I give all of my devices
hostnames so that I don't need to remember their IP addresses.

5. The result is you have a personal "virtual private network" that
facilitates private LAN-like communication between all of your devices. For
example, I use this to access my personal file server from anywhere.

6. You can get even more sophisticated by setting up site-to-site VPN
connectivity between your home network and a machine or network you run at a
data-center. This allows you to, for example, reach not just your home file
server but also manage your personal public-facing Internet services running
at your data-center hosted machine or VM—from any of your devices.

~~~
confounded
> _4. You can optionally assign a static private IP to each device so that
> when you're connected, all devices use known IP addresses that you can name
> using a local DNS server._

This is where I’ve always got hung up. I’ve for a long time wanted a static
URI for a machine at home (e.g. SSH, IRC bouncer, music files, etc.)

I assumed I’d have to use some kind of local host tunneling solution (like
pagekite.io), which are either expensive or difficult to trust/rely-on, or
register as a business to get a static IP.

Any tips?

~~~
bhauer
I was speaking of assigning _private_ static IPs to everything on your virtual
private network, and then using a private DNS server. This allows you to reach
your devices/hosts by name rather than their IP.

However, the entire scenario relies on you having at least one static IP
address for your firewall/VPN endpoint. You need to be able to reach that from
anywhere on the public Internet.

------
CiPHPerCoder
Every time this sort of question comes up, I reflexively link people to this
page:
[https://gist.github.com/joepie91/5a9909939e6ce7d09e29](https://gist.github.com/joepie91/5a9909939e6ce7d09e29)

Most of the time what people think they need a VPN for, a VPN won't actually
help them much. They have a narrow use-case in privacy contexts, in which case
you're better off using Tor.

~~~
jakehm
I think the most popular use case is torrenting which a VPN will help.

~~~
dfrey
The content owner could still request your information from the VPN provider
and the VPN provider might provide it (even if they say they won't). I think
the main benefit is that there are so many individuals torrenting copyrighted
material that aren't using VPNs that it means you aren't the "low hanging
fruit" so you're considered not worth the effort by the content owners.

~~~
tensor
Yes, but there is a big difference between "this provider might be lying about
not storing traffic, and they also might give the data to someone" and "this
ISP is 100% storing traffic and routinely gives that data to others."

~~~
jerheinze
Why base your privacy on wishful thinking ("provider is probably not lying")
instead of using privacy by design solutions? (e.g. i2p for torrenting)

~~~
Spivak
Because privacy by policy is good enough for almost everyone.

~~~
jerheinze
> Because privacy by policy is good enough for almost everyone.

Source? And why would it be good enough when it has been shown time and time
again that it's ineffective (example: DNT header)?

------
busterarm
I don't know why anyone advocates using a VPN provider when it's so trivial to
set up your own VPN now.

[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)
[https://github.com/Angristan/OpenVPN-install](https://github.com/Angristan/OpenVPN-install)

Either of these options, depending on your preferences (protip: use Algo,
unless you're in a place that blocks IPSEC VPNs...It's cheap enough to have
both available). This at least covers the basics of what they're talking about
being snooped in the post. Then you don't have to worry about trusting the VPN
provider (but you do have to worry about trusting your cloud provider).

If your threat model is different, you might want to be in a pool of users,
but you can use the same service and solve this problem socially...

~~~
jordanlev
> _I don't know why anyone advocates using a VPN provider when it's so
> trivial to set up your own VPN now._

..links to github repos...

You are blessed with technical skills and experience so this is trivial to you
(and many people on HN), but there are tons of people out there for whom this
is _not_ a trivial task.

~~~
soared
Agreed - 99% of people don't know how to understand what's in a github repo.

------
bubblethink
There sorely needs to be a corollary to net-neutrality, where websites cannot
discriminate users based on the choice of their ISP/vpn/tor/vps/cloud-
provider. I find it absurd that websites are even allowed to display a banner
with phrasing like, "We detect that you are using a vpn. Disable it to view
this site." Netflix, the champion of net neutrality, is the biggest offender
in this area.

~~~
stanmancan
Netflix had to crack down on VPN usage recently as people use them to bypass
geographic content restrictions. Any suggestions on alternative options they
could pursue? (Aside from somehow getting global broadcasting rights on their
whole library)

~~~
bubblethink
They didn't have to do anything. Netflix is a paid service. You are paying for
a service, which you are entitled to get. What geo-drm-moon-phase recipe they
cook up is their problem. As a consumer who pays, you should see either a)
content from your billing address, or b) content from the IP address. Or any
superset of the two; but NOT a banner asking you to disable your vpn.

~~~
stanmancan
Netflix would LOVE to provide their whole catalogue to their whole subscriber
base. They'd be crazy not to. The more content they can offer, the better
their service, the more subscribers they'll get.

They block VPN's and other tools because their contracts with content
providers say so.

It even says it right in their terms of use:

    4.3. You may view the Netflix content primarily within the country in which you have established your account and only in geographic locations where we offer our service and have licensed such content.

Netflix is in the tough position of needing to know where you are -now-. VPN's
mess with that.

Don't get me wrong, requiring someone to disable a VPN to use the service is
bollocks. But some services don't have much of an option. From what I
understand Netflix is aggressively trying to obtain world-wide rights for
their whole library, but until the old dog content producers get on board
they'll have a rough time.

------
iroq
Nitpick: Bitcoin, being a system where the history of all transactions is
publicly available, is hardly an "anonymous" system. It is an additional level
of separation from other forms of payment tagged with your credentials, and
you can achieve anonymity if using it carefully, but it can't be treated as an
anonymous option by default.

~~~
ringaroundthetx
It took me years to find a VPN that accepted Monero. But I've been paying for
Bitcoin priced VPNs using Monero through a service like Shapeshift or
Changelly or XMR.to

I've been paying pretty much all bitcoin invoices that way for several years.

Blockchain sleuths would never be able to tell if a bitcoin transaction was
just an exchange shuffling coins or if someone like me was actually on a
different and opaque blockchain.

~~~
sandworm101
> Blockchain sleuths would never be able to tell if a bitcoin transaction was
> just an exchange shuffling coins or if someone like me was actually on a
> different and opaque blockchain.

That depends on the nature of the investigation. Say they bust an illegal
website and now have their subscriber records. If your bitcoin transactions
match those of a subscriber to the website, they have more than enough info to
come after you. With the website transaction records in one hand, and the
public blockchain in the other, it would be trivial for an investigator to get
a reasonable idea of who you are and where you live. Unless you spin up new
accounts for each and every transaction, and mine your own coins, the public
blockchain means they can identify patterns and make connections.

(I won't quibble on the technical definitions of reasonable suspicion. Suffice
to say any such match will be enough to get a warrant and turn your life
inside out.)

~~~
ringaroundthetx
yeah, so when you pay with cryptocurrency there is no real information about
you, now this is just the first part, and if we stopped there, you would be
correct. But many sites use the address data necessary for credit card
transactions and append that to your user profile, but sites that accept
cryptocurrency do not because it is not necessary to complete payment or
distinguish users.

so secondly the bitcoin transaction would have been executed by someone else,
from a mixer. The mixer was instructed by my transaction to it from an opaque
blockchain, as explained earlier. Your rebuttal implies you have never seen
the differentiating features of Monero. It is a public blockchain, but
transactions are not linked.

~~~
sandworm101
The transactions are not overtly linked but some simple detective work can
make connections. Seeing the same number of bitcoins exiting one account and,
within reasonable time, appearing in another is suggestive. See that happen
many times, such as some sort of subscription to a service, and you can put 2
and 2 together.

Say they shut down an illegal website that subscribers paid 25$ for every
month. If they see that your account paid out 25$/month, but stopped doing so
when the website shut, then that's strong enough evidence for a warrant
regardless of the exact path of transactions. That can be done via the
blockchain far more easily than trying to gain access to bank records.

~~~
ringaroundthetx
> Seeing the same number of bitcoins exiting one account and, within
> reasonable time, appearing in another is suggestive.

Will you just try using Monero before you say another word?

First, your assumption relies on having a nexus currency of Bitcoin to begin
with, when Monero could easily be the base currency someone maintains a
balance in. Monero has USD markets and has many default countermeasures
towards linkability.

Second, your assumption relies on just not seeming to know how Monero works.

Third, I want to clarify that I'd be open to rebuttals if they actually
acknowledged technology that's been around since 2014, but you are making
rebuttals about rudimentary bitcoin mixers from 2012 when that's not even what
we are talking about.

------
ajr0
Great link from the EFF describing tor and https [0] click on the grey 'tor'
and 'https' links to see what information is collected where and what can be
viewed.

surprised this article does not mention tor? or has tor been abandoned as a
tool for privacy?

[0] [https://www.eff.org/pages/tor-and-https](https://www.eff.org/pages/tor-and-https)

~~~
shawabawa3
I think tor is simply too slow and complicated to advertise as a tool to
"regular people"

Encouraging people to use a VPN is much more likely to be effective

~~~
ajr0
There are reasons why a VPN is great, but not for privacy. A VPN currently
allowing me to work remotely would be one of them.

CiPHPerCoder provided a great link[0] in this discussion [1] that details a
short list of a few reasons why VPN's are likely not what "regular people" who
are concerned for privacy should be using.

that all being said, tools like tor have become much easier to use with setups
like tails [2] which may have its own security issues but I'll agree that
regular users may not be capable of using Qubes with Whonix.....yet

I think advocating for a VPN is actually harmful to the "regular user" not
only in the fact it will not accomplish what they want, it will deepen their
ignorance of how the internet works because they will think "it's encrypted"
"so I am secure."

I do have some concerns that tor is a tool that needs to be improved upon
greatly to truly accomplish its goals but I am not aware of any projects that
are doing so. Re metadata, fingerprinting, developers inserting backdoors etc.

[0]
[https://gist.github.com/joepie91/5a9909939e6ce7d09e29](https://gist.github.com/joepie91/5a9909939e6ce7d09e29)
[1]
[https://news.ycombinator.com/item?id=15585974](https://news.ycombinator.com/item?id=15585974)
[2] [https://tails.boum.org/](https://tails.boum.org/)

[edit:added concerns about tor]

~~~
schoen
> I do have some concerns that tor is a tool that needs to be improved upon
> greatly to truly accomplish its goals but I am not aware of any projects
> that are doing so. Re metadata, fingerprinting, developers inserting
> backdoors etc.

I always try to tell people about Tor's limitations, which are considerable.
(I wrote the content for the EFF graphic that was linked above, and one goal
was to show people things that aren't hidden by Tor — for example you can see
an NSA agent in the graphic performing some kind of correlation attack between
source and destination by monitoring the network at multiple points. Of
course, the source of data for this doesn't have to be fiber optic taps, so
other entities that can get source and destination data can correlate them
too.)

Tor is doing work on all of the things that you mention: metadata,
fingerprinting, and developers inserting backdoors. One could wish for more
work and that it had happened longer ago, but all of those are active areas of
concern and research for the Tor project.

~~~
ajr0
>I wrote the content for the EFF graphic that was linked above

Thank you! I constantly share that link with people, I (and many others)
appreciate your work!

I regret not going into software development, I wish those are projects I
could contribute to, alas my closest work towards development is tinkering
with linux etc .conf files to get home projects to work, which is not
development at all.

~~~
schoen
Since I spend a lot of time these days helping people on

[https://community.letsencrypt.org/](https://community.letsencrypt.org/)

I can testify that the ability to help people tinker with Linux configuration
files is something that continues to be in great demand. :-)

~~~
ajr0
Thanks! I'll begin lurking

------
chisleu
I'm on Verizon so I don't get to choose if I need one. I have to use one on my
phone at least.

They are still useful for lumping your traffic in with others for copyright
infringement. Torrent clients offer the files for sharing while downloading.

They are still useful for some simple geo evasion as well.

They aren't a solution for every security issue at all. Tor is generally
better to run from open wifi from a tails USB rather than from a VPN.

Also, many VPNs actually log things they can provide to the FBI even though
they lie and say they don't. They can get an NSL and end up having to without
being able to tell you that they did. Sometimes an NSL canary is used, but not
always.

~~~
mi_lk
> I'm on Verizon so I don't get to choose if I need one.

Can you expand on that? I’m also on Verizon and feel like having a panic
attack.

~~~
chisleu
They throttle youtube and netflix now, which broke youtube with my VR
headgear. :(

Also, the permacookie nonsense, and they are certainly data mining the crap
out of everything you do.

------
WellDressed
I've set up my own VPN using Streisand
[[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)]
& Google Compute Engine (Micro Instance). When you create an account on
Google's Cloud, you get $300 (or used to at least). This instance type is big
enough to handle the few devices I connect to it, fairly speedily too.

~~~
komali2
Is it not feasible that a warrant to Google instantly reveals your identity?

~~~
WellDressed
Without a doubt! I'm not too concerned because I'm using it within the USA to
access my email, HN, and various other common websites while on public wifi.

------
skywhopper
I'm surprised no one has mentioned Streisand, an open-source project that
takes most (not all) of the effort out of setting up low-cost individual VPNs
for yourself and your friends and family on a number of popular cloud
services:

[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

It takes a little bit of technical know-how (or bravery) to get started, but
the setup process is dead-simple and you end up with a completely personal VPN
with dozens of options that can work around a number of different situations.
Best of all, it's entirely under your control. You can tear it down and start
from scratch, or move to a new location or cloud provider easily. The docs are
clear and easy to understand, and it's constantly being improved. It's a
pretty remarkable project.

~~~
NamTaf
My issue with Streisand is that it spins up a dozen different services, of
which I would like 1-2. Indeed, I then stumbled across Algo [1], which cited
this as one of the motivating reasons for existing. It does 50% of what I'm
after in setting up an IPSec VPN and does it all whilst generating my
mobileconfigs.

Now all I need to do is manually set up a shadowsocks server and I'll be
sorted. But I'd rather tackle that manually than also have the extra stuff
streisand bundles in.

[1]: [https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/)

~~~
subliminalpanda
When running the streisand script it will now prompt you if you want to
customize the install, allowing you to selectively choose which VPN daemons
you want to run.

~~~
NamTaf
Oh thank you, that's wonderful news! I'll definitely look in to that if I have
any frustrations with configuring SS myself. Even if I use Streisand for the
SS side and Algo for the IPSec side, that would be a reasonable solution.

------
pkulak
I spent 40 bucks or so on a Raspberry Pi, then installed these:

[http://www.pivpn.io/](http://www.pivpn.io/) [https://pi-hole.net/](https://pi-hole.net/)

Insanely easy to get running: plugged it in to my home router, and now I do
all my remote browsing from my home network. I HIGHLY recommend it. I know it
doesn't help with privacy, since you're using your home network, but I'm
currently more concerned with WiFi hacks, pineapples, and the like.

------
siddhant
Duckduckgo recently included "How to Choose a Good VPN" in their privacy
newsletter - [https://spreadprivacy.com/how-to-choose-a-vpn/](https://spreadprivacy.com/how-to-choose-a-vpn/)

~~~
moonka
Looks like DDG recommends TunnelBear[1]. Anyone have an experience with them?
I'm always a bit skittish on free VPNs.

[1] [https://www.tunnelbear.com/b/privacy-partners/](https://www.tunnelbear.com/b/privacy-partners/)

~~~
SmirkingRevenge
It's a nice user-friendly app, works well on all my stuff. Using it on linux
took a bit of manual setup, but their instructions worked. I'm a customer, and
I would recommend it. I outsourced my trust in them to DDG. Hopefully they
didn't steer me wrong there.

Downside is that it basically only works per device. It doesn't run on any
routers that I know, to get full coverage over your network traffic.

------
abtinf
I wish a trustworthy organization with a history of privacy advocacy, like EFF
or Mozilla, would create a subscription VPN service. I'd sign up immediately
and their reputation would command a significant price premium.

------
hguhghuff
I'd hand cash to Mozilla if THEY provided a VPN service.

Or if Amazon provides one I'd use that for sure.

~~~
canttestthis
Definitely Mozilla but why Amazon? They operate with vastly different value
systems.

------
jimejim
I don't look to it as a foolproof solution, but I do see it as a way to make
things a little bit harder for someone that's trying to track me.

The arguments here often sound similar to "experts" that complain about 2
factor auth: Sure, it's not perfect and there are better solutions in some
cases, but it's still better than nothing for a lot of people.

------
wenc
I typically don't trust VPN providers, so I set up my own on AWS with this
CloudFormation script. [0] It is almost effortless, takes 10 minutes and I can
spin it up or spin it down without paying for a subscription, only AWS metered
costs.

EDIT: another poster mentioned Algo [1]. This method requires a high degree of
savvy and entails a higher level of difficulty, but looks much more
configurable.

[0] [https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-private-secure-free-vpn-on-the-amazon-aws-cloud-in-10-minutes](https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-private-secure-free-vpn-on-the-amazon-aws-cloud-in-10-minutes)

[1] [https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
LeifCarrotson
How often do you find that your AWS IP is blocked, or that you need to bypass
a captcha? I would think that AWS would be a major source of scrapers and
other traffic that a site might not want and might choose to block. I know
that Cloudflare offers to block "suspicious" traffic, which would seem likely
to include traffic coming from an AWS server rather than an ISP.

~~~
wenc
Surprisingly not often at all for the sites of interest to me. YMMV of course.

------
forapurpose
Another issue to look for in selecting a VPN is leaks, where network packets
travel through the 'hostile' interface and not the VPN. Leaks can happen many
ways, if I understand correctly (I did some reading on it recently but not my
own research):

* Many VPNs use "split-tunneling": To save bandwidth, they route https traffic through the hostile network interface

* Some don't route other protocols via the VPN, for example, IPv6 and even DNS are sometimes excluded.

* If the VPN connection drops

* When the VPN connection is out of sync with the device's network connection (e.g., after the computer boots and before the VPN starts, or after the VPN is disconnected and before the computer shuts down).
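One way to check a Linux host for the last three conditions in that list, as an added example that is not from the thread: the `Snapshot` and `find_leaks` helpers are hypothetical, the `ip route`-style lines and resolver addresses are constructed, and per-protocol split tunneling is not visible in a routing table, so it is not covered here.

```python
from dataclasses import dataclass

@dataclass
class Snapshot:
    """Constructed view of one host's network state (hypothetical helper)."""
    vpn_iface: str          # tunnel interface, e.g. "tun0" or "wg0"
    vpn_up: bool            # False while the tunnel is down or not yet started
    routes4: list           # lines in the style of `ip route` output
    routes6: list           # lines in the style of `ip -6 route` output
    dns_servers: list       # nameservers the resolver is configured to use
    vpn_dns: set            # resolvers that are only reachable through the tunnel

def default_iface(routes):
    """Interface of the lowest-metric default route, or None if there is none."""
    best = None
    for line in routes:
        parts = line.split()
        if not parts or parts[0] != "default" or "dev" not in parts:
            continue
        dev = parts[parts.index("dev") + 1]
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        if best is None or metric < best[0]:
            best = (metric, dev)
    return best[1] if best else None

def find_leaks(s):
    """Return the leak conditions present in a Snapshot (empty list = clean)."""
    if not s.vpn_up:
        # Dropped, not yet started, or already stopped: without a kill switch
        # every packet leaves over the physical interface.
        return ["tunnel-down"]
    leaks = []
    if default_iface(s.routes4) != s.vpn_iface:
        leaks.append("ipv4-default-bypasses-vpn")
    v6 = default_iface(s.routes6)
    if v6 is not None and v6 != s.vpn_iface:
        # IPv6 has its own routing table; a VPN that only claims IPv4 leaks it.
        leaks.append("ipv6-bypasses-vpn")
    for ns in s.dns_servers:
        if ns not in s.vpn_dns:
            # Queries to the ISP or hotspot resolver reveal every hostname visited.
            leaks.append("dns-bypasses-vpn:" + ns)
    return leaks
# Constructed sample states, not captured from any real host.
LEAKY = Snapshot("tun0", True,
    ["default via 10.8.0.1 dev tun0 metric 50", "default via 192.168.1.1 dev wlan0 metric 600"],
    ["default via fe80::1 dev wlan0 metric 1024"], ["10.8.0.1", "192.168.1.1"], {"10.8.0.1"})
CLEAN = Snapshot("tun0", True, ["default via 10.8.0.1 dev tun0 metric 50"],
    ["default dev tun0 metric 50"], ["10.8.0.1"], {"10.8.0.1"})
DOWN = Snapshot("tun0", False, ["default via 192.168.1.1 dev wlan0 metric 600"], [], ["192.168.1.1"], {"10.8.0.1"})
```

`find_leaks(LEAKY)` reports the IPv6 and DNS leaks while the IPv4 default route is fine; on a real host you would fill a `Snapshot` from the live routing tables and `/etc/resolv.conf`.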

------
zx2c4
This is a plug for my stuff, but a relevant plug nonetheless:

If you think you need a VPN, you probably need a good VPN protocol to go with
it. Rather than using outdated legacy cruft like OpenVPN or IPsec, you might
like WireGuard:

[https://www.wireguard.com/](https://www.wireguard.com/)

It's still in the early days, but the protocol is formally verified, the
overall design has received academic review, the Linux implementation is
maturing quite rapidly, and we'll soon have Mac and Windows clients available.
Part of the WireGuard Protocol uses the Noise Protocol Framework from Trevor
Perrin, of Signal Protocol fame.

~~~
mads
I used Wireguard to connect multi datacenter nodes in a Kubernetes cluster
recently and I recommend it. It works very well and is very simple compared to
other VPN technologies. Thanks for your work. :)

~~~
zx2c4
Nice to hear! I'm mailing out stickers --
[https://lists.zx2c4.com/pipermail/wireguard/2017-May/001338....](https://lists.zx2c4.com/pipermail/wireguard/2017-May/001338.html)
-- if you'd like to slap some on your server hardware...

~~~
mads
Thanks. Sent you an email.

------
f_allwein
Useful resource on selecting a VPN provider:
[https://thatoneprivacysite.net/vpn-section/](https://thatoneprivacysite.net/vpn-section/)

~~~
jimejim
I recently set up on ZorroVPN after going through that list. It's a little on
the pricier side (BlackVPN is another one I was considering with similar
pricing), but the performance has been pretty good so far. They don't have
their own client so you don't have to worry much about them installing junk on
your machine. You can use one of the open source clients out there.

------
brightball
I always wonder about ProtonVPN (the ProtonMail people).

It's Swiss based so I assume there would be a decent amount of round trip
latency, but for sheer privacy it seems like a solid company that goes the
extra mile by locating itself for legal purposes.

[https://protonvpn.com/](https://protonvpn.com/)

~~~
bkovacev
I am debating whether I should go with them or not, as well. They do seem
solid, but I have not heard any people mentioning them.

I have a paid account with Netflix/Hulu/HBO and I'd like to watch it when I'm
travelling or when I'm working remotely from third world countries. That would
be my sole use case. Can they stream without huge latency?

~~~
jsalinas
Regarding speed, I've been using ProtonVPN for around 4 months and it's much
faster than other VPN providers I've used (TorGuard and PIA). It doesn't work
with Netflix as Netflix blocks most VPNs.

------
fortythirteen
All the "you don't get privacy from a VPN" talk misses the variable of _who
you want privacy from_. If you don't care about e2e privacy, but want a simple
way, without using Tor, to keep websites from knowing your real IP, then VPNs
are great.

------
jasonrhaas
Does anyone have a preference on what server the VPN connects to? For example,
I'm using AirVPN, and you can select specific countries that you would like to
allow the VPN to use. From there it just goes out and connects to the
"recommended" server.

If I don't make any preference, it will connect me to a server in Canada. It's
very fast, but a bit annoying because now I get all the Canadian search
results in Google.

Is there any downside to using a VPN server in the same state or country that
you are in?

BTW, I have been using AirVPN for a few days and really like it. Super minimal
UI (which I like) and gets the job done. Also, I like that they accept Bitcoin
as payment if you so choose.

------
wjn0
I started using BlackVPN about a month ago because the highly personalized ads
all around the web got extremely unnerving. Having accounts with FB/AMZN type
services means they'll never go away completely, but it's better than nothing.

I'm curious if anyone has any commentary on other providers worth looking
into. BVPN is based in Hong Kong which has a strong history of pro-privacy
AFAIK, and they claim to not even have the technical ability to keep logs of
relevant info. Either way, I think I'd rather have some random Hong Kong
company have my semi-anonymized info rather than my ISP.

------
mwilliaams
I recommend NordVPN. I have been using it for a while now with great success.
It's easy, fast, and private. They don't log and their HQ is in Panama, so
it's much harder to get info out of them.

------
erikb
This is a sales page, not an objective discussion.

(a) There's not much you can do with VPN that you can't do with SSH (actually
I can't think of anything). And SSH is much more configurable.

(b) To avoid tracking of your browsing it is not a smart idea to pipe all your
browsing through the servers of one VPN provider. A smart way would be to
split up browsing streams, not to combine them.

I'm very sceptical about Mozilla writing such an ad page and trying to sell it
as a reasonable technical blog post.

~~~
forapurpose
> There's not much you can do with VPN that you can't do with SSH

For most end-users, there is nothing they can reasonably do with ssh.

~~~
erikb
Every end user that can't use ssh can't use VPN either. It's only a lucky
coincidence if it works for a few for a limited period of time. It's just that
many VPN clients come with a very limited set of configuration and debugging
output which makes the average grandma more confident because she doesn't know
all the shit that happens underneath.

Everybody who is able to repair a bike though is also able to use SSH.

------
jumpkickhit
I guess the future is a ten-pack of cheap netbooks, a linux live CD, and free
public wi-fi.

Access the internet, then smash the entire thing and throw it away and repeat.

~~~
zeep
Randomizing your MAC Address and using a live CD would not be enough for most
cases?

~~~
jumpkickhit
I wouldn't think so with fingerprinting, Intel ME and individual processor IDs
and such.

I was just giving an extreme example for true anonymity now, something we just
sort of had on the internet in the 90's.

------
jijji
When I travel to Asia (Manila), I notice not so much that there is a GFW type
firewall preventing the connections, but rather that a lot of web sites are
just firewalling all of APNIC netblocks. So many web sites, in fact, that the
quickest solution for me is to set up a Squid proxy on an IP in the US and
generally everything works flawlessly after that.

------
darkhorn
I didn't read the article but I want to say that the solution is not VPNs. We
can end up being like North Korea where VPNs are forbidden. The solution is to
have educated voters who do not vote for showmen like Erdoğan or Trump.
[https://youtu.be/fLJBzhcSWTk](https://youtu.be/fLJBzhcSWTk)

------
waytogo
Learned recently: Opera includes a VPN for free.

~~~
deltaprotocol
Edit: Opera includes a "gratis" VPN, but definitely not for free. Just read
the Privacy Terms. And they keep logs.

------
kolanos
Has anyone else had success with SoftEther? [0] I've used it for a VPS-based
VPN but would like to know if it is GFW capable. Have been impressed with the
code of that project.

[0]: [https://www.softether.org](https://www.softether.org)

------
the_common_man
For those looking to self-host,
[https://cloudron.io/store/io.cloudron.openvpn.html](https://cloudron.io/store/io.cloudron.openvpn.html)
works great. I have used algo in the past and that works well too.

------
weej
Some citations and good feedback on exact details with potential caveats in
using various providers.

[https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa](https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa)

~~~
weej
Also there's a very good VPN comparison matrix from "That One Privacy Site"
[https://thatoneprivacysite.net/vpn-comparison-chart/](https://thatoneprivacysite.net/vpn-comparison-chart/)

------
jen_h
Yes. It's not a panacea, but why not if you can DIY in less than five minutes
for $5/month?
[https://github.com/jenh/sevenminutevpn](https://github.com/jenh/sevenminutevpn)

------
ryanmarsh
Yes you need a VPN, no you shouldn’t trust anyone with it. Run your own. It’s
easy and less expensive.

[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

------
minicoolva
If you are in China, please read this article.
[https://eikochow.gitbooks.io/vpn/content/](https://eikochow.gitbooks.io/vpn/content/)

------
strictfp
I urge people to fight this politically as well. We know from China that most
technologies can be blocked or legislated against. If you want a future with
more freedom and privacy, fight this politically.

------
navyguy
If you’re after ultimate privacy and security, look for a service that accepts
payment from anonymous services like Bitcoin.

Bitcoin can be tracked, use Zcash? Can't believe Mozilla got this wrong.

------
chinathrow
If you work for a company, organization, agency or nation state which drives
people to use VPNs, please think for a minute about what you do and what you
could do for users in the future.

Thank you.

------
sudo-i
Are we going back into time where we can draw parallels between internet
access through an online portal like AOL and now when we are accessing our
internet through a VPN?

~~~
mxuribe
Actually I think the lay users access the "internet" via Facebook (aka the
"modern equivalent of AOL")...while non-lay users use VPNs. ;-)

------
sanbor
Does anyone know a good OpenVPN client for Android? I have used both OpenVPN
Connect and OpenVPN for Android but both get disconnected at random times,
leaving me exposed.

~~~
IPTN
I use OpenVPN Client. It works really well and supports autoconnect (including
at boot) so that you don't need to worry about disconnects. The pro version
even supports TAP without root. You can find the free version here:
[https://play.google.com/store/apps/details?id=it.colucciweb....](https://play.google.com/store/apps/details?id=it.colucciweb.free.openvpn)

------
paulobraga
Is it worth it to create your own VPN with OpenVPN? I mean, if I do that,
would it be better than a good VPN service? Considering security, features,
etc...?

------
nchuhoai
You know what should be easier? Being able to just run a docker image on a VPS
like DO and instantly have a DIY VPN server that you can spin up on demand.

------
abandonliberty
How about WPA2/KRACK?

While the standard VPN pro/cons apply, if you have unpatched or unpatchable
hardware it seems like a fairly compelling reason right now.

------
raarts
Ad Networks use multiple mechanisms to identify you: cookies, browser
fingerprinting. Hiding behind a VPN will not make you invisible.

------
jD91mZM2
[https://privateinternetaccess.com/](https://privateinternetaccess.com/)

------
AdmiralAsshat
Be careful, Mozilla. When you blog about VPNs _as Mozilla_, you write from a
position of authority. VPNs are a notorious minefield of shady providers
and false promises. You do not want to recommend CyberGhost to your followers,
then find out in six months when they show up in a court order that, oops,
CyberGhost actually logs a ton of stuff that can be subpoenaed.

Exercise caution. Do your research.

~~~
wutwutwutwut
> There are many, many VPN providers, and Mozilla can’t recommend any specific
> service.

Was it somehow unclear? Pretty clear to me at least.

~~~
shmageggy
But then they go on to mention several providers by name, with links.

------
TomMckenny
What happens when ISPs decide you need a "business" subscription plan to use a
VPN?

------
forapurpose
Is there any way in which a VPN is superior to Tor, except possibly speed?

~~~
quickthrower2
You might suspect that your Tor nodes are being run by FBI, but trust your VPN
more.

------
richdougherty
It would be great if Mozilla ran a VPN service. :)

------
1187503962
Yes, I need it. My email: 1187503962@qq.com

------
ggg9990
Thank god this isn't one of those websites that just says NO in 144pt font.

------
victor106
Does anyone know of a way to scrape the web anonymously?

------
1187503962
Yes, I need it

------
han336
I'm in China at the moment using ExpressVPN (been using it for a year by now)
and since about two weeks only three server locations work well (Hong Kong,
Tokyo, Los Angeles). Some others work off and on. Before that most locations
worked and some of them, Taiwan for example, used to be very fast. It's still
usable for streaming and surfing but I'm afraid the end is near. I think
sometime in the future one will have to go with Shadowsocks and/or similar
protocols/solutions but until then ExpressVPN is quite convenient (mobile
client, router with ExpressVPN client).

------
mnw21cam
Is this another candidate for Betteridge's law [0]?

[0]
[https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headline...](https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headlines)

~~~
detritus
No.

I wish people would stop throwing this question at every headline that happens
to have a question mark at the end of it. The headline here isn't clickbait,
it's an attempt to answer a question that is pertinent to many.