
VPS VPN – GhostiFi - GordonS
https://ghostifi.net
======
Parsnip1
I'm a little unclear why I would trust that there is no logging. With root
access to the VPS, I'd be able to determine that the OpenVPN service on the
VPS is not logging the connection between my device and the VPS, but I
obviously don't have any access to the infrastructure beyond the VPS. My ISP
might not be able to see my traffic, but the ISP of the VPS would, and I'd be
just as identifiable if there are logs matching my dedicated IP to my account.

~~~
freedomben
Yep. I have heard stories of people that set up a Streisand VPN on a DigitalOcean
droplet, and then got sent DMCA letters for torrenting. DigitalOcean
turned over their identity and banned their account.

If you're just doing it for privacy, then cool. If you're doing it to mask
potentially illegal activity, don't. Use PIA or something like that.

~~~
CameronBanga
I think it depends on threat model. If you’re looking to do anything illegal,
probably no VPN is a good idea.

But if you care about privacy in general, a VPN is always a clear win. No VPN
will ever be perfect. But for a VPN, this is pretty good with regards to
security.

~~~
rajaganesh87
How is it a clear win if no VPN is perfect?

------
Siemens
No VPS IPs are clean. They are all data center IPs.

How can you claim no-logging if you are running on someone else's servers?

~~~
taesu
came to say this exactly. bye now.

------
t0astbread
Isn't one of the main selling points of VPN that you can't be tracked by IP
address when multiple people are using the same VPN server as you? GhostiFi
can't provide that as far as I can tell.

~~~
t0astbread
(That is not to say it's bad, it's just a different threat model.)

------
isomorphic
Related:
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

Discussion:
[https://news.ycombinator.com/item?id=17815352](https://news.ycombinator.com/item?id=17815352)

------
czardoz
It would be kinda cool to build something like this on top of
[https://github.com/Nyr/openvpn-install](https://github.com/Nyr/openvpn-install).
It's a single script that generates the .ovpn client side files.

~~~
LeoPanthera
For what it's worth, that project is abandoned, but development continues in
this fork:

[https://github.com/angristan/openvpn-install](https://github.com/angristan/openvpn-install)

~~~
Nyr
The project is NOT abandoned at all, please do not spread misinformation.

The fork is maintained by someone who lacks a basic understanding of
networking, system administration and security. I'd suggest against using it.

------
dsl
Not in the wayback machine or Google cache. Site is down in less than an hour
after submission.

~~~
reillychase
it's back online now, just my little server on DigitalOcean running this

------
hkt
HN hug of death?

~~~
seppin
yep - [https://medium.com/ghostifi/ghostifi-the-server-create-funct...](https://medium.com/ghostifi/ghostifi-the-server-create-function-a8bd1ea4e50a)

------
ohiovr
I wireguard to my lan. At least I kind of understand what lives on my lan as
compared to public wifi.

------
nyolfen
so it’s... a vps

~~~
reillychase
It's not just a VPS with OpenVPN installed, the main reason why I built it was
to be able to click a button and migrate the server to a new location/IP
address on demand. Since then I also added "Invisibility Mode" which tunnels
VPN over HTTPS bypassing restrictive firewalls, and next I am working on
adding pi-hole support to it :)

~~~
nickpsecurity
"which tunnels VPN over HTTPS bypassing restrictive firewalls,"

That's one of the reasons I recommend HTTPS-based approaches over things like
Tor for anonymity. Makes things look like all the bland, harmless traffic out
there. Smart move. :)

~~~
wp381640
Tor supports pluggable transports, one of the most popular of which is meek -
which makes your traffic look like Google or Azure CDN traffic over HTTPS[0]

Also, Tor circuits are just TLS[1]

[0]
[https://trac.torproject.org/projects/tor/wiki/doc/meek](https://trac.torproject.org/projects/tor/wiki/doc/meek)

[1] [https://wiki.wireshark.org/Tor](https://wiki.wireshark.org/Tor)

~~~
nickpsecurity
Thanks for telling me about meek. I'll warn this might not block visibility at
least for domestic TLAs. If they record metadata, they can just work
backwards from exit nodes or known relays to whoever is connecting to them.
That would map out most likely users of Tor. Then, they can apply whatever
passive or active attacks they have. Most probably aren't running OpenBSD,
HardenedBSD, QubesOS, etc. ;)

Still good for the many, many, other threats out there.

