
Ask HN: Would you be interested in a transparent and open source VPN service? - flxfxp
I had this idea last night of creating a transparent and completely open source VPN service. It would have all the source code available to review online for the backend, VPN box configuration, audit log of reboots, signed binaries, reproducible builds, etc. It would run as transparently as possible. It also opens up the platform to be steered by customer needs via issue tracking, PRs, etc.

How interested would you be in such a service? Would you be willing to pay a slight premium over blackbox VPN services?
======
JohnFen
I have been looking at commercial VPNs for a while, and the problem with them
all is that it's impossible to know which ones (if any) are trustworthy.

If you started such a service that could provide ongoing, real assurances as
to trustworthiness, I would pay a premium for that. I'm not sure what that
would look like, but your list is an excellent start.

I would say, though, that being open source -- while awesome -- doesn't really
help in this regard, since you can't realistically prove that the code you're
running on your servers is the same code that you're publishing. Signed
binaries and reproducible builds don't help with this too much, I think.

But that's no different than any other service that someone else is running,
so that's not a serious problem.

------
jklein11
I think you are on to something with the customers steering the platform.

I want to use a VPN if I am joining a network that I don't necessarily
trust (guest wifi, coffee shop, etc.). I want to use a VPN so my ISP can't sell
my browsing history to advertisers. I don't really care if the VPN
provider logs my traffic to make sure no one is abusing the service. I don't
even care that much if someone subpoenas my traffic as long as I find out
about it.

I wonder if a coop model would be a good fit? It would weed out all of the
people who want to use it to hide their torrent traffic, etc. It would be very
difficult to acquire the VPN just for the data, as each of the users are the
owners. Everyone would have a right to know about subpoenas because they are
part owners in the organization.

~~~
nesky
Do you have any examples of how a coop model would work for a service-based
business like a VPN? My feeling is that VPN services like these will churn and
burn in the long run.

As these services acquire extensive customer bases that on the face of it are
trying to mask their activity (not saying this is bad) they're going to be
bought out.

------
__d
No.

Why would I trust some random third-party with this? Especially given that
presumably customers of such a service might have some reason to secure their
traffic, the value of subverting it is relatively high.

I can run a VPN on a $5/month virtual machine, dedicated to my personal use,
without needing to trust the operator of the VPN service OR raising the value
of subversion by concentrating private traffic.

------
elamje
I had a similar thought, but stumbled when thinking about how you could
actually assure users you didn’t log stuff. Once you answer that question, you
might have a product. Right now, there is simply no way to prove to a user
that the server is only running one process, and it’s only using the open
source build (maybe hashing the build, not sure).

------
beatgammit
So, basically host OpenVPN or WireGuard? What advantage do you offer over
doing it myself, e.g. with a VPS @ $5/month? _That_ is the type of customer
that cares about open source and whatnot in a VPN, so you need to provide some
benefit beyond what you get by doing it yourself.

------
fulafel
Are you talking about a shared overlay network with its own services and
working end-to-end connectivity between nodes, or just piping internet traffic
egress/ingress to some other ISP rather than my native one?

I think the former one would be cool.

------
Trias11
I think it's impossible to convince users 100% that you aren't back-dooring
logging under duress.

~~~
o-__-o
Terms of service canary

