
How to set up a VPN in 10 minutes for free - quincyla
https://medium.freecodecamp.com/how-to-set-up-a-vpn-in-5-minutes-for-free-and-why-you-urgently-need-one-d5cdba361907#.dmfa744uf
======
anw
The title is "How to set up a VPN in 10 minutes for free" although it doesn't
tell you how to "set up" a VPN, just how to configure your browser to use one,
or to buy a service or device (router) to connect to a VPN.

If you actually are looking to set up your own VPN, I recommend this guide on
Digital Ocean[1]. If privacy is your main concern for using a VPN, and you are
technically inclined, then it would make sense to be in control of the server
acting as your VPN.

[1] [https://www.digitalocean.com/community/tutorials/how-to-set-...](https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04)

~~~
drunkcatsdgaf
I actually advise against digital ocean if your privacy is your main concern,
as they mention in their terms[0] they will pretty much hand over anything
requested.

[0][https://www.digitalocean.com/legal/terms/](https://www.digitalocean.com/legal/terms/)

plus, remember when they took out 38,000 websites because the Yes Men made a
parody site?[1]

[1][https://www.techdirt.com/articles/20160629/23462634866/nra-t...](https://www.techdirt.com/articles/20160629/23462634866/nra-trademark-complaint-over-yes-men-parody-takes-down-38000-websites.shtml)

regardless, DO is known for shooting first and asking questions later, does
this seem like the type of provider you want to use for a VPN?

~~~
pbhjpbhj
>they will pretty much hand over anything requested //

It sounds from
[https://www.digitalocean.com/legal/enforcement/](https://www.digitalocean.com/legal/enforcement/)
like they don't really have much to hand over though. If you bring up an
instance, use it for a VPN, delete the instance. They claim to not have
connecting IP addresses, nor the contents of deleted instances (which can be
encrypted), nor indeed much beyond your payment & contact details.

But then they could just be claiming that.

Aside, their terms include this gem - after the para noting that "content"
covers all "data" and "information":

>You represent that all User Content provided by you is accurate, complete,
>up-to-date, and in compliance with all applicable laws, rules and regulations.

So, if you give them any data or information you have to give them all the
information, and it has to be accurate and up to date! Cue data dump of all
facts in the known universe!! Hang on, that fact was only up to date when you
sent it, now it's out of date ... can ... not ... comply ... must ... send ...
more ... data ...

~~~
drunkcatsdgaf
I've actually heard a horror story with DO where someone's deleted instance was
recovered[0]

the link is dead though :/

[0][https://news.ycombinator.com/item?id=7498861](https://news.ycombinator.com/item?id=7498861)

EDIT: Webarchive has it:
[https://web.archive.org/web/20140331054458/https://gist.gith...](https://web.archive.org/web/20140331054458/https://gist.github.com/agh/d0e2b115de77b1bcb902)

------
dguido
This is incredibly bad advice. Opera has the worst security track record of
every other major browser, and clicking that ad blocker button routes all your
traffic through a single endpoint at a Chinese-owned company. Hello
surveillance! Even the routers... haven't there been enough remotely
exploitable flaws in those archaic router vendors to recommend against using
them at this point? You might get a VPN in name but you'll get none of the
security that comes with them that way.

You should set up your own personal VPN server if you can. We wrote Algo VPN, a
set of Ansible scripts that automates the process as much as possible. It
contains the most secure defaults available, works with common cloud
providers, and does not require client software on most devices.

[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
bubblethink
>Does not install Tor, OpenVPN, or other risky servers

Can you explain how ipsec differs from openvpn? All the major vpn providers
seem to use openvpn right now.

~~~
dguido
Yes! We cover that in the FAQ in detail:

[https://github.com/trailofbits/algo/blob/master/docs/FAQ.md#...](https://github.com/trailofbits/algo/blob/master/docs/FAQ.md#5-why-arent-you-using-openvpn)

------
progval
> This is where the EFF’s HTTPS Everywhere extension comes in handy. It will
> make sure traffic to non-HTTPS websites is also encrypted.

Is it just me, or is this paragraph completely wrong? HTTPS Everywhere's job
is to use HTTPS when available but not explicitly used.

~~~
claytonjy
It's wrong, and wrong beyond a simple mistake in phrasing. The author has no
idea how HTTPS operates or what this extension does, despite plugging Let's
Encrypt in the preceding paragraph.

~~~
claytonjy
the author must be watching; already changed the content to more closely match
what HTTPS Everywhere actually does

------
kafkaesq
"How to cut-and-paste your way into a VPN setup for free without having any
idea WTF you're doing, let alone how to adapt these instructions when the
underlying technologies inevitably roll over in the next 24-48 months" would
have been a more descriptive title.

------
koolba
> Hijack your searches and share them with third parties

What does it mean to "hijack" a search? If the ISP is modifying your data in
flight then that'd qualify though I don't think this bill gives them that
power.

Also, most (all?) searches go over SSL which would not be susceptible to MITM
fiddling.

At most it gives them access to log the number of bytes sent per customer to
each destination and the DNS lookups you've performed. I'd be concerned if
they are selling that information but there's no need to make up fake lingo to
sell this. It's crap enough as it stands.

~~~
quincyla
The EFF explains how this was done here:

Back in 2011, several ISPs were caught red-handed working with a company
called Paxfire to hijack their customers’ search queries to Bing, Yahoo!, and
Google. Here’s how it worked.

When you entered a search term in your browser’s search box or URL bar, your
ISP directed that query to Paxfire instead of to an actual search engine.
Paxfire then checked what you were searching for to see if it matched a list
of companies that had paid them for more traffic. If your query matched one of
these brands (e.g. you had typed in “apple”, “dell”, or “wsj”, to name a few)
then Paxfire would send you directly to that company’s website instead of
sending you to a search engine and showing you all the search results (which
is what you’d normally expect). The company would then presumably give Paxfire
some money, and Paxfire would presumably give your ISP some money.

In other words, ISPs were hijacking their customers’ search queries and
redirecting them to a place customers hadn’t asked for, all while pocketing a
little cash on the side. Oh, and the ISPs in question hadn’t bothered to tell
their customers they’d be sending their search traffic to a third party that
might record some of it.

Source: [https://www.eff.org/deeplinks/2017/03/five-creepy-things-you...](https://www.eff.org/deeplinks/2017/03/five-creepy-things-your-isp-could-do-if-congress-repeals-fccs-privacy-protections)

~~~
koolba
Okay that sounds completely illegal and the exact definition of digital
hijacking. Any type of modification of the packets themselves outside of
dropping them for network control is a clear violation in my book.

I don't see that working for connections over SSL. I wonder how the companies
that operate these questionable "services" deal with the rapid rise of SSL the
past few years.

~~~
yebyen
I think this type of attack being described was (is) actually done by
hijacking requests that should have returned DNS NXDOMAIN. You tried to visit
a URL that did not exist, but your DNS server failed to make that clear in the
standard way to your browser, and now your traffic is sent somewhere else,
instead of sending you to the familiar (or ugly, they might argue) NXDOMAIN
browser error page.

So there aren't really any packets being modified, since you already get your
DNS from your ISP. They're just returning bad information to requests that
your browser naturally had directed at them.

~~~
koolba
The NXDOMAIN hijack isn't as bad as this. It involves replacing the response
from the resource you requested with the ISPs preferred response.

It can happen either through DNS hijacking (nslookup for google.com goes to
isp-fake-google.com) or they can just sniff all the traffic and MITM HTTP
traffic for "GET /q=?" with a "Host: google.com". In either case they send you
to whatever they'd like rather than the original request (and of course sell
the data that User X searched for Y).
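
A way to check a resolver for the NXDOMAIN rewriting yebyen describes, as an added example that is not part of any comment in this thread: resolve random names that should not exist and see whether answers come back. The function names and the simulated resolver are assumptions made for illustration; a captive portal can also answer every name, so a positive result on an unfamiliar network needs a second look.

```python
import secrets
import socket
from collections import Counter


def system_resolve(name):
    """Ask the OS resolver; an empty list means the name did not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_names(count=5, tlds=("com", "net", "org")):
    """Random names that should not exist. The trailing dot makes each one
    fully qualified, so local search domains are not appended."""
    return [f"{secrets.token_hex(10)}.{tlds[i % len(tlds)]}." for i in range(count)]


def check_nxdomain_rewriting(resolve=system_resolve, names=None):
    """Resolve names that should not exist and report any that got an answer."""
    names = list(names) if names else probe_names()
    answered = {}
    for name in names:
        addrs = resolve(name)
        if addrs:
            answered[name] = addrs
    seen = Counter(ip for addrs in answered.values() for ip in set(addrs))
    return {
        "probed": len(names),
        "answered": len(answered),
        # An honest resolver answers none; half or more answering is a strong signal.
        "rewriting_suspected": len(answered) * 2 >= len(names),
        # Addresses returned for more than one probe: the likely landing servers.
        "landing_ips": sorted(ip for ip, n in seen.items() if n > 1),
    }


def constructed_rewriting_resolver(name):
    """Constructed stand-in for a rewriting resolver (TEST-NET-1 address)."""
    return ["192.0.2.10"]


if __name__ == "__main__":
    print("simulated:", check_nxdomain_rewriting(constructed_rewriting_resolver))
    print("this machine:", check_nxdomain_rewriting())
```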

------
newsat13
Isn't Opera owned by Chinese (nothing against them just that they are the same
level as US)? The traffic is only as secure as where the VPN terminates and
there is no mention of what servers Opera uses.

~~~
hellofunk
That is mentioned in the article.

------
stanmancan
Don't mean to hijack the thread; but speaking of Tor...If some entity ran
enough nodes wouldn't they be able to get a pretty good idea of the traffic
sources and destinations?

~~~
koolba
The "O" in TOR stands for "Onion". The name comes from having many layers with
traffic routing between them. Each node only knows enough to go to the next
node. You'd have to control the entire chain to track a packet from source
(TOR client on end user's machine) to target (i.e. TOR-exit).

It's definitely possible but with an increased number of hops it becomes
harder and harder.

~~~
chatmasta
It's Tor* not TOR.

[https://www.torproject.org/docs/faq.html.en#WhyCalledTor](https://www.torproject.org/docs/faq.html.en#WhyCalledTor)

------
ljoshua
I've used
[https://www.tinfoilsecurity.com/vpn/new](https://www.tinfoilsecurity.com/vpn/new)
several times to quickly set up a new VPN on a DigitalOcean droplet. Takes ~5
minutes.

Lately I had it set one up for me and have just let it run constantly since
then. I effectively have my own personal VPN for $5 a month.

------
cmurf
So 50 Republican senators, and not a single Democratic senator, voted for CRA,
but also won't permit the FTC to regulate ISPs when it comes to preserving
user privacy. Is this coincidence or is it a "market opportunity" for ISPs to
bring back privacy as a product? Disallow VPN at the standard pricing level;
and only permit it if you upgrade?

------
tbirrell
I don't know much about VPNs, so please forgive my ignorance. But doesn't
using a VPN basically throttle you to whatever internet speed the VPN server
has? I pay for 100mb at home, I don't really want to artificially throttle
that down to 10mb or pay some exorbitant price for giving the endpoint 100mb.

------
tc313
> If you want to take things next level, you can try Tor, which is extremely
> private, and extremely hard to de-anonymize

I don't think Tor would eliminate the need for a VPN; wouldn't your ISP still
be able to see the requested URL?

Edit: I was thinking of DNS leaks, but that's really not an issue if you use
Tor Browser.

~~~
level
The entire HTTP request, including the destination, is bundled into the TOR
packet, AFAIK. Only the exit node on the tor network can know where the
destination is. But even then, when using HTTPS, the exit node only knows the
host of the HTTP request, not the entire URL.

------
cmurf
A friend recently set up OpenVPN to run in his router (I'm going to guess it
was MIPS based), and his download bandwidth went from ~100Mbps to about
10Mbps; so a 10x drop. Why? Is a MIPS CPU in a consumer off the shelf router
($200) itself just too underpowered for this task?

------
technojunkie
Opera doesn't provide a true VPN in its browser, it's just a proxy.

Learn more about VPNs and all privacy related things here:
[https://www.reddit.com/r/privacytoolsIO/](https://www.reddit.com/r/privacytoolsIO/)

------
webdigi3
Here is a link to set up a VPN server on AWS.

[https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-pr...](https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-private-secure-free-vpn-on-the-amazon-aws-cloud-in-10-minutes/)

------
matunixe
There is no privacy without open source software. This article with the
recommendations to buy Netgear stuff or commercial VPN services is just a
farce.

The author doesn't know shit, writing this type of false article will lead to
another privacy disaster.

~~~
geofft
Whether the server is free / open source software is irrelevant to the matter
of privacy with a VPN. It's running on someone else's computer, so you have no
way of proving what is running, or more importantly, what _isn't_ running -
the service provider can run OpenVPN and also tcpdump, both of which are free
software. You need to trust the provider not to monitor your traffic, and
perhaps not to be easily compelled to monitor your traffic on someone else's
behalf.

(The same is true of Tor exit nodes, incidentally, and it's very easy for an
intelligence agency to run Tor and tcpdump.)

If you actually want a VPN, one of your best options is to use a commercial
service that has a reputation to uphold. Some fly-by-night "non-profit" is
probably a front for a miscreant running tcpdump. (And there is no conflict
with a commercial service running open source code, as I'm sure you know!)

------
reiichiroh
I could have sworn the link changed from its original submission.

~~~
claytonjy
I don't know about the link, but the content has clearly changed to address
concerns brought up in this HN thread.

------
hellofunk
Any commercial vpn recommendations from this crowd?

~~~
webdigi3
Set up your own in 10 mins. Here is a link to set up a VPN server on AWS. Free
tiers also apply for new accounts in 1st year.

[https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-pr...](https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-private-secure-free-vpn-on-the-amazon-aws-cloud-in-10-minutes/)

------
reiichiroh
how is this "free" when you have to pay for the cloud instance?

