
The impossible task of creating a “best VPNs” list - arm
http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/
======
extr
So who is this article aimed at? If you intend to torrent, you're not going to
roll your own on a VPS that is going to forward DMCA notices right back to
you. DO and AWS are not cool with operating as high-transfer seedboxes and
will be fairly expensive. If you're trying to remain hidden from a nation-
state level actor you're obviously not going to use a VPS, but you also have
bigger problems than HideMyAss accidentally leaking your ipv6 address. If
you're like most people and don't want to pay $$$ a month for a VPS but want
to torrent a bit, you just want a straight up regular VPN recommendation which
they never provide. "Choosing a VPN is hard", yeah no shit, that's why I was
hoping you would provide some value by doing the work for me.

I was in the market recently and ended up going with iVPN for $100/year. Their
"18 questions to ask your vpn provider" [1] page is basically a more practical
version of this article. Not that I am going to use it, but they also have
guides showing you how to create nested and branched chains of tor/pfsense vm
clients across countries, if you really did want to hide traffic from a nation
state. If putting your trust into a VPN is the issue it's much easier to trust
someone that links directly to security forums and openvpn documentation.

[1] https://www.ivpn.net/privacy-guides/18-questions-to-ask-your-vpn-service-provider

~~~
ryanlol
>you're not going to roll your own on a VPS that is going to forward DMCA
notices right back to you

Why not?

>DO and AWS are not cool with operating as high-transfer seedboxes and will be
fairly expensive

DO and AWS are certainly the last providers you'd want to use for anything
high-transfer. Why would you even consider them over, say, OVH?

------
bitL
So what's the best way to browse anonymously these days? Is it running a
hypervised OS (some hardened GNU Linux/BSD Unix variant?) with a randomly
changed LAN MAC upon every boot, connected to a VPN operating outside US with
OpenVPN & 4k PK (e.g. in Romania), browsing using TorBrowser with NoScript and
WebGL turned off? Or even two VPNs at the same time, one in the base OS, the
other in the hypervised one?

~~~
exstudent2
You can browse with Tor but most sites (including this one and Twitter) won't
let you sign up/post with Tor. Very dubious practice by the site operators
IMO.

~~~
walrus01
Not dubious, tor is used by all sorts of abusive spam bots and people who just
want to shitpost for the lulz.

~~~
exstudent2
User based voting solves both those problems without having to nuke the
ability to post anonymously.

~~~
MaulingMonkey
How do you differentiate between legitimate new users with no record, and a
returning shitposter's 10000th spam account with no record?

How do you differentiate between legitimate new users with a bunch of existing
users vouching for them, and a returning shitposter's 10000th spam account
with a bunch of existing stealth-mode accounts vouching for them?

I think you're using an extremely weak definition of "solve".

~~~
exstudent2
Although Reddit is not perfect, it doesn't seem to be a big problem there. Tor
works and you can start posting as soon as you sign up.

~~~
walrus01
reddit rate-limits new posters to something like 1 post every 15 minutes until
they've accumulated some positive karma.

~~~
exstudent2
Yes, but they allow new posters to be anonymous by simply not blocking usage
through Tor.

------
h4waii
One big advantage of using a popular VPN is shared endpoints. Your traffic is
mixed in with hundreds of thousands (if not millions) of other users.

Using your own VPS means you are easier targeted, tracked (on layer 3) and
located -- since your VPS likely has a dedicated IP and you probably have a
non-anonymized account with the provider. You're still relying on your VPS
provider to not monitor outbound connections as you are on the VPN provider.

~~~
3pt14159
Maybe if you're a black hat firing up a brand new computer from a cafe while
you left your phone at home. For the rest of us that just want to, say, watch
the US Presidential debates from another country going through our own VPS is
far better than relying on some possibly skeezy third party VPN. Personally I
use HideMyAss when I'm travelling to countries I don't trust or when I'm on
wifi networks that I fear may be monitored, but I'd rather spin up a Digital
Ocean box if setting up my own VPN were as easy.

~~~
Cyph0n
> but I'd rather spin up a Digital Ocean box if setting up my own VPN were as
> easy.

I thought the same thing, until I found openvpn-installer [1]. You just need
to run 1 command - the entire OpenVPN setup process takes 5 minutes. I used it
on both Debian and CentOS and it works flawlessly.

At the end, you just grab the config file using rsync or SFTP, and load it
into your OpenVPN client. Now I have a dedicated droplet for VPN use. Once a
month I destroy it and create a new one, because I'm slightly paranoid :P

[1]: https://github.com/Nyr/openvpn-install

~~~
Nyr
openvpn-install creator here :)

Thanks for the mention!

~~~
Cyph0n
Man, I can't even imagine how much time your script has saved us! Thanks for
the awesome work!

------
hackuser
> Tor makes people more susceptible due to its reliance on an outdated version
> of Firefox.

Tor uses a current version of Firefox and automatically updates it.

------
mazsa
Cf. [https://thatoneprivacysite.net/](https://thatoneprivacysite.net/)

~~~
LeoPanthera
I cannot rate this site highly enough. The guy running it is doing a tireless
service to weed out scam reviews and fake service descriptions.

He also has a subreddit:

[https://www.reddit.com/r/vpnreviews/](https://www.reddit.com/r/vpnreviews/)

------
7ewis
The article recommends 'Streisand' [1]. According to their GitHub page their
VPN is resistant to DPI.

>Distinct services and multiple daemons provide an enormous amount of
flexibility. If one connection method gets blocked there are numerous options
available, most of which are resistant to Deep Packet Inspection.

I don't know too much about networking, but didn't realise it was possible?
How can they do that? What protocol/service can bypass this? The network
security team at work challenged me to see if I could bypass their WSA, so
would like to give it a try.

[1]: [https://github.com/jlund/streisand](https://github.com/jlund/streisand)

------
sandworm101
Something I consider but most articles do not: jurisdiction. I want and use a
VPN in Sweden for a reason. I wouldn't go anywhere near any VPN with even a
tiny US footprint. Similarly, I wouldn't use a VPN in my home country.
Location location location.

~~~
2bitencryption
US has no mandatory data retention laws, part of the reason I pick PIA
specifically over VPNs outside the US.

~~~
sandworm101
No written laws specific to that point. But just look at the NSLs Yahoo
released a couple days ago. They can do whatever they want whenever they want.
While such things may be possible in Sweden, if they do happen they are
extremely rare. The US is the surveillance state.

~~~
ryanlol
You do know that Sweden wiretaps _all_ traffic that crosses their borders, right?

They're doing more aggressive surveillance than the NSA.

------
homero
Isn't the best simply running your own for $5 on DO?

~~~
falcolas
Not all wifi points allow VPN traffic. At various coffee shops, I've had both
OpenVPN and Cisco Any Connect traffic outright blocked.

Getting around such blocks (such as with a SSL tunnel) is possible, but
requires more than just a default install.

Also, setting up anything other than OpenVPN is a real pain in the arse. Even
OpenVPN required a fair bit of Googling to make it fully functional.

~~~
h4waii
I've found the most success with getting past captive portals on non-free
"Free WiFi" is simply OpenVPN over dns/53. It works a lot of the time and
sometimes conveniently bypasses throttling/QoS.

------
wzdd
I didn't find this article very convincing.

1. "You must trust the VPN." This is true, but you must trust something (your
cafe, your ISP, your computer). In fact the entire article really hinges on
this point -- the VPN provider could, if it were malicious (or compelled to by
a government) log every aspect of your traffic, or even insert malware.
However, so could your home ISP or your coffee shop.

In particular I found this statement very bizarre: "VPN services require that
you trust them, which is a property that anonymity systems do not have." This
is true in a vacuum. In the real world, unless you're running your own
hardware with software you have written yourself from scratch (on a system
which you monitor continuously), you are trusting a huge amount of stuff even
with the best anonymity system. The point is knowing what you are trusting,
rather than trusting it implicitly.

Essentially the point of the article seems to be to point out that VPN
providers may be (there are a lot of hedge words) untrustworthy. The only
actual example given of an untrustworthy VPN provider is a free one which re-
sold its users' bandwidth (point 8).

Real-world examples are important, because reputation is important -- at some
point it is very likely that you will end up trusting someone, even if you are
being very careful.

2. "Some VPNs don't permit peer-to-peer sharing and/or log such sharing". You
must rely on reputation, which is not a great option. However, no alternatives
are presented for someone who wants to torrent copyrighted or illegal works
(TOR is heavily FUDded in the article). You certainly wouldn't roll your own
VPN for this -- see below.

3. "VPNs don't protect very much against ad tracking". This is true, but I
mean VPNs don't make your teeth much whiter either.

4. "A dodgy VPN could log all your data". This is the same as point 1.

5. Preshared keys. OpenVPN with server certificate checking would seem to
address this.

6. "Your VPN provider might log your data". This is the same as point 1.

7. "Leakage". It's useful to inform people about this. However, once
informed, it is quite simple to use one of many online services to verify that
no information is leaked.

8. "Snake oil" and in particular a free VPN which sold its users' bandwidth.
Fairly obviously, be aware that if you are using a free product the company
will attempt to monetise you in some way.

The suggestion to set up your own VPN seems to be presented as a way to
improve privacy. This is very strange particularly since no threat model is
presented, and the common one (mass surveillance) gets much worse with a
personal VPN.

Firstly, shared hosting providers such as DigitalOcean, AWS, OVH and so on are
presented. There is no particular reason to suspect that these are more or
less trustworthy than any given VPN provider. In particular, shared hosting in
the US will certainly be subject to the monitoring whims of the US government.

Secondly, using such a DIY solution will associate all your traffic, and only
your traffic, with a single outgoing IP address, easily traceable to you
(since you're paying for it). Compare this with any shared-endpoint VPN, where
your traffic is combined with that coming from many other users, and the owner
of the IP address is a VPN company. In the former situation nobody would even
need to inform the hosting company -- they could just monitor its traffic
(though as discussed in point 1 they certainly _could_ contact the hosting
company if necessary). In the latter situation, the VPN company would need to
be involved. At this point a certain amount of process is required. If your
threat model is mass surveillance rather than targeted monitoring, then the
shared VPN provider certainly seems like an improvement over a roll-your-own
solution. "The best place to hide an incriminating letter is in a letter
rack!" -- Edgar Allan Poe.

Thirdly, with a DIY solution you are implicitly claiming that you are better
at hardening a system and staying on top of security patches than is the VPN
provider you were considering going with. This isn't necessarily true.

If you are just concerned about opportunistic data collection from your coffee
shop, then a personal VPN would help. But it's quite limited, and
significantly simpler solutions like HTTPS Everywhere would get you 90-100% of
the way there.

If you are specifically concerned about an entity with the resources of a
government monitoring specifically you, none of the options presented will be
any use.

------
kobayashi
ffs... Just read this

[https://thatoneprivacysite.net](https://thatoneprivacysite.net)

------
ck2
Reminder that Opera has a free built-in VPN

not private but free and always available

~~~
alwillis
It’s a proxy—not a VPN:
https://gist.github.com/spaze/558b7c4cd81afa7c857381254ae7bd10

~~~
Dylan16807
What's the practical difference? And don't say it's because it only affects
Opera traffic: you can configure a system-wide proxy, and you can VPN a single
program.

~~~
rahimnathwani
What happens to outbound UDP packets when the 'VPN' is active? Can they be
inspected or modified by your ISP?

~~~
Dylan16807
I don't think Opera would be sending UDP packets. If it did, they would be
encrypted through the tunnel.

~~~
rahimnathwani
This is incorrect, at least it was in April this year:

The head engineer of Opera for computers Krystian Kolondra: “Currently WebRTC
and plugins are still not routed that way”[0]

The _technical_ difference between a VPN and a proxy is typically that the
proxy works at the application layer (layer 7) of the network stack, whereas a
VPN creates a new network interface and operates at the network layer (layer
3).

The _practical_ implications (which you asked about) are:

i) With a proxy, there's no new system network interface, so no way for other
apps to use it

ii) A proxy is application-specific (in this case HTTP and HTTPS) so other
protocols (even those that Opera supports, like WebRTC) can't go through it.

[0] https://www.helpnetsecurity.com/2016/04/22/opera-browser-vpn-proxy/
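The layer-7 vs layer-3 point above, as an added example that is not part of the thread: a local simulation in which an application honors an HTTP proxy setting for its HTTP request, while a UDP datagram (the WebRTC/STUN case) never touches the proxy and leaves from the client's own socket. The "proxy" and the UDP "destination" are constructed listeners on 127.0.0.1, and `example.invalid` is a placeholder hostname that is never resolved.

```python
import socket
import threading
import urllib.request


def start_fake_proxy():
    """Constructed stand-in for an HTTP proxy: accept one TCP connection,
    record its request line, and answer 200 with an empty body."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            request = conn.recv(4096)
            seen.append(request.split(b"\r\n", 1)[0].decode())
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen


def proxy_vs_udp():
    """Send one HTTP request through the proxy setting, then one UDP datagram."""
    proxy_port, proxy_saw = start_fake_proxy()
    # The HTTP client honors the proxy: the request line (with the absolute URL)
    # is what the proxy sees and would forward to the real destination.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": f"http://127.0.0.1:{proxy_port}"}))
    with opener.open("http://example.invalid/", timeout=5) as resp:
        status = resp.status
    # A UDP flow has no notion of an HTTP proxy: it goes straight to its peer,
    # and the peer sees the client's own socket, not the proxy's.
    dest = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    dest.bind(("127.0.0.1", 0))
    dest.settimeout(5)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(b"stun-binding-request", dest.getsockname())  # constructed payload
    payload, (_src_ip, src_port) = dest.recvfrom(1024)
    direct = src_port == client.getsockname()[1]
    client.close()
    dest.close()
    return {"status": status, "proxy_saw": list(proxy_saw),
            "udp_payload": payload, "udp_direct": direct}


if __name__ == "__main__":
    print(proxy_vs_udp())
```

A real VPN would instead insert a tun/tap interface below both flows, so the datagram would also be carried inside the tunnel.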

