
Ask HN: Do all VPNs suck? - mrsmee89
It seems like every VPN relies on me relying on them to tell the truth, which to me defeats the purpose. Am I missing something?

Any security researchers have any recommendations if I am?
======
motohagiography
VPN providers trade a local threat actor who is probably ignoring you for a
foreign one who is probably watching and analyzing everything. Best advice on
this thread was doing a VPN back to your home router.

Typically, you'd use one for default internet browsing on public wifi, with
the expectation that your endpoint ends up on the list of a foreign
intelligence agency who ostensibly doesn't care about you or what you are
interested in.

The other best advice used to be, "don't be a terrorist," but these days, it's
more, "don't be a political actor," given whatever you type will be found and
used as leverage if you achieve any prominence. I'd posit that security tech
is sufficient for business, but not for politics.

See:
[https://en.wikipedia.org/wiki/Kompromat](https://en.wikipedia.org/wiki/Kompromat)

~~~
Skunkleton
Well, your ISP is probably selling your browser history, so there is that.

------
jchw
My personal go-to is Mullvad, but yes, it still relies on trust.

It should be possible and even probably usable to chain multiple WireGuard
connections together, and therefore no VPN provider would have both your
identity and knowledge of your traffic, provided you pay with properly clean
cryptocurrency. But if you are paranoid that all VPN providers are bugged,
you’ll need even more defenses, such as never using your own internet
connection and, on the more nefarious side, using compromised servers as
relays.

That said, a VPN plus DNS over HTTPS plus HTTPS everywhere should be good
enough for dealing with threats when your adversary isn’t a nation-state.

~~~
LeoPanthera
I can second Mullvad.

The only person I trust in the VPN ecosystem is the guy who runs this site:
[https://thatoneprivacysite.net](https://thatoneprivacysite.net)

He writes reviews, and doesn't have anything to sell. It's through that site
that I found out about Mullvad.

~~~
jhabdas
Mullvad is what I use. I started using it after I saw the Manjaro folks
discussing it, and it's all I use for VPN when I'm not using Bitmask. I pay in
Bitcoin Cash.

Those interested in getting started with WireGuard on Manjaro Linux see
detailed instructions here:
[https://habd.as/post/encrypted-internet-wireguard-manjaro-linux/](https://habd.as/post/encrypted-internet-wireguard-manjaro-linux/)

~~~
josu
Why Bitcoin Cash and not Bitcoin?

~~~
LeoPanthera
Not OP, but I use Cash instead of Bitcoin because transactions are cheaper and
faster.

------
wolrah
I think it's worth keeping in mind that there are multiple different reasons
that people use VPNs, and that different solutions are appropriate for those
purposes.

Some want security: they want to be sure that the local network
operator/ISP/government isn't monitoring their traffic. Those people should
run their own VPN at a trusted location.

Some want to evade geoblocking or use P2P services without fear of copyright
letters. This is what commercial VPN providers are for IMO.

Some want anonymity. Normal VPN services can't really provide this, but Tor
and the like can.

---

Personally my focus is on the security side of things. I have a VPN endpoint
at home for personal use and a similar setup for my company. If I'm going
somewhere particularly untrusted I'll set up a temporary VPS with a trusted
provider just for use while I'm there and trash it afterward.

------
lettergram
You can run your own VPN with a little know how and determination. I have two
servers which cost $20 / month ($10 each), each running OpenVPN, and I share
the keys to my laptop and desktop. Haven’t done mobile, but I could probably
figure that out.

The real trick is that VPNs need a lot of bandwidth and compute. Get a bare
metal server with unlimited bandwidth.

I switch between the servers to limit how much data each provider can collect.
Not perfect, but I also have ProtonVPN and use Tor periodically. This means I
have at least 4 ways my traffic goes out. It's just about the best I can do.

~~~
ohaideredevs
Can you recommend some sort of introduction/book to VPNs? I get the idea, I
have read the wikipedia page, but my understanding boils down to "one server
encrypts and sends small packets, the other decrypts". The packets still go
through the public internet / your ISP, but they are encrypted?

~~~
wtmt
You can consider a VPN service as sitting between you and any server or site
you access. The traffic still has to go through your ISP and the public
Internet (for this scenario). The VPN service does encrypt the traffic from
your device to the VPN server (and back). This allows you to hide your
browsing history from your ISP and anyone snooping on your ISP. They’d just
see encrypted packets going to the VPN servers.

But the traffic from the VPN server to the site/server you want to reach may
or may not be encrypted, depending on whether it would or would not be
encrypted if you were to access it directly.

As far as the end site/server is concerned, it gets requests from the VPN
server, and so it cannot (easily) know that the request is really coming from
your device’s IP address. This is how circumventing geographic restrictions
works. If you want to access, say Netflix US, you’d use a VPN server with a US
IP address, while you may be in some other country altogether. There are
content providers who detect VPN usage and try to block them.

P.S.: There’s a lot of simplification in the above descriptions.

Edit: This page [1] has a good explanation on VPNs.

[1]: [https://thebestvpn.com/what-is-vpn-beginners-guide/](https://thebestvpn.com/what-is-vpn-beginners-guide/)

------
icedchai
I only use VPNs for downloading torrents, basically just to avoid nasty
letters from the cable company.

------
Dylovell
I know Private Internet Access has proven in court that they don't keep logs,
but still, trust.

~~~
rococode
Some sources:

[https://torrentfreak.com/private-internet-access-no-logging-claims-proven-true-again-in-court-180606/](https://torrentfreak.com/private-internet-access-no-logging-claims-proven-true-again-in-court-180606/)

[https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/](https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/)

Of course, there's still need for some level of trust, but I think when it
comes to VPNs, having public court records of the VPN provider saying they are
unable to provide data in response to a subpoena is probably as good as it
gets.

~~~
luag
Any other VPNs you know of that have been proven in court as well? Thanks.

------
scrps
Another vote for hosting your own. I used to roll my own VPN server but
switched to Algo since it is easy to roll out and supports most major VPS
providers.

[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
TimTheTinker
I was doing this for about 2 years on DigitalOcean. But early this year they
stopped accepting prepaid credit cards as a means of payment (I had been
buying prepaid Visas from Wal-Mart with cash).

Since then I haven't been using a VPN... perhaps I'll try again on Linode or
something. Does anyone know of a good VPS provider (or trustworthy/non-
honeypot VPN provider) that accepts anonymous payments?

~~~
thaeli
Mullvad is a VPN, but it has good performance, takes crypto for payment, and
hasn't shown itself to be untrustworthy yet.

~~~
stordoff
Also actual cash ("5 EUR (or an equivalent amount in any other currency)" for
a month), which may be easier to make anonymous than crypto.

~~~
TimTheTinker
Envelopes would be postmarked with the post code from which they were mailed.
That probably wouldn't give Mullvad any information they don't already have,
since they can see your IP address.

But an intercepting 3rd party could pair your account ID with your
geographic region; it would be even worse if you accidentally drop a hair
inside the envelope.

~~~
stordoff
Sure, it's not a silver bullet, but I suspect the risk model is better
understood (post it away from me if geographic region matters, be careful of
fingerprints and hair). It also has to be preemptively intercepted, rather
than crypto which is recorded forever (if I pay upfront for a year, a bad
actor has one shot to intercept, whereas with crypto they can _always_ analyse
the transaction history to see if I've slipped up and they can correlate
transactions anywhere).

I don't think either gives you an absolute guarantee[1], but cash doesn't have
as many subtle pitfalls.

[1] At the end of the day, you have to assume Mullvad isn't compromised
_anyway_, so even if they did, it may not help (as you can probably be
identified from your traffic)

------
bubblethink
VPNs are the perfect vehicle for selling something warm and fuzzy to the
masses with minimal deliverables. I place them right up there with military
grade encryption.

~~~
m463
Now that you mention it, "military grade x" sounds like something solid and
unobtainable by civilians.

But looking deeper, "military grade x" where x is not a weapon prohibited to
civilians usually isn't that interesting.

At a nearby surplus store you can buy MREs and military clothing side by side
with normal work clothes and camping gear. After a short time you realize
civilians can get tastier MREs, boots and clothing that fit and work better...
and they are lower priced.

~~~
blackflame7000
I was a software dev for the military and typically the encryptions used are
generally the same ones available to the public (AES, RSA, TLS). The
difference is that the keys are longer than standard, i.e. AES-256/512,
RSA-4096, TLS 1.3. Additionally, military grade security means multiple layers
of protection. So let's say a wifi link is protected via AES-256; there might
also be channel hopping technology involved to make jamming and eavesdropping
difficult. Military grade is basically overkill for most situations unless
your life literally depends on it.

~~~
tomjen3
Doesn't wifi use frequency hopping too? Or is that bluetooth?

~~~
blackflame7000
That's done to avoid interference and happens as minimally as possible, which
makes for easier signal processing. Military communications actively switch
frequencies many times per second in unison according to highly secure crypto
variables. This makes jamming and eavesdropping very difficult because it's
hard to tell active channels from brief background static. Bluetooth, on the
other hand, has about 80 channels about 1 MHz apart and it tries to bond as
many as possible for parallel transfers. This is why when you are far away
from a Bluetooth device the transfer speeds degrade rapidly.

------
diminoten
Host your own. The only way to be sure.

That said, what exactly is your threat model? Protecting yourself against
literally every possible threat is a pointless effort...

~~~
mrsmee89
Sounds expensive and complicated.

What's a valid "threat model"?

~~~
jchw
Hosting WireGuard on a VPS is neither expensive nor complicated. However, you
then must trust a VPS provider, and the other tenants. If you use a dedi host
you still have to trust the machine and network not to be tampered with or
bugged. If you use a colo you still have to trust the network and the staff.

If you start your own data center, lay your own fiber, and peer with ISPs and
hosts, well, everyone knows who you are again.

There's no escaping trust issues 100%. The idea of a threat model is all about
the trade-offs: what things you will decide to trust, or how you will defend
yourself in depth.

~~~
reilly3000
Once I started really paying attention to security I thought I was being quite
paranoid; you're right, there are threats that exist at every level, and
tradeoffs to be made. Once I started learning about things like this I
realized that tradeoffs are a must:

[https://thehackernews.com/2018/04/hacking-airgap-computers.html](https://thehackernews.com/2018/04/hacking-airgap-computers.html)

------
swixmix
I consider my threats to be my wifi connection and my ISP. I have a VPS, which
I trust as my "starting point", that caps only bandwidth so there are no
overages. I use OpenSSH as a SOCKS5 proxy because I already use ssh, and DNS
goes over the proxy. I think ssh may limit the number of open connections
because I sometimes need to close tabs to continue surfing.

My setup looks like this:

    # -f: background after auth, -C: compress, -N: run no remote command,
    # -D 1080: open a SOCKS listener on local port 1080 tunnelled to proxy-server
    ssh -fCND 1080 proxy-server
    # proxy address to enter in the browser's SOCKS5 settings
    socks5://127.0.0.1:1080
    # for command-line tools that read a SOCKS_SERVER environment variable
    export SOCKS_SERVER=127.0.0.1:1080

When I'm connected to a device that doesn't give me a routable address, I'll
use a ssh jump.

    # -J: hop through jump-server first, then open the same SOCKS listener
    ssh -fCND 1080 -J jump-server proxy-server

This isn't a VPN but it's equivalent for my usage. I'm waiting for WireGuard
to mature in Chromebook / Android. I want to try it out.
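As an added illustration, not code from swixmix's post or from OpenSSH: a minimal SOCKS5 CONNECT exchange (RFC 1928) run against an in-process mock proxy that stands in for the `ssh -D` listener. It shows the one detail that decides whether "DNS goes over the proxy" actually holds. A client that sends the destination as a domain name (address type 0x03, which is what `curl --socks5-hostname` and Firefox's "Proxy DNS when using SOCKS v5" do) lets the proxy host resolve it inside the tunnel; a client that resolves first and sends an IPv4 address (what `curl --socks5` does) leaks the DNS query to the local network and ISP before a single byte enters the tunnel. The host name, the fake resolver and the mock proxy are all constructed for the example.

```python
"""SOCKS5 CONNECT exchange showing where DNS resolution happens.

Added example: the mock proxy below stands in for the listener that
`ssh -D` opens; it is not OpenSSH code."""
import socket
import struct
import threading

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03


def build_connect_request(host, port, resolver=None):
    """Build a SOCKS5 CONNECT request (RFC 1928 section 4).

    resolver=None: the domain name travels inside the tunnel and the proxy
    host resolves it (leak-free, like `curl --socks5-hostname`).
    resolver=socket.gethostbyname: the client resolves first, so the DNS query
    leaves via the local network and only the IPv4 address reaches the proxy
    (like `curl --socks5`).
    """
    if resolver is None:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(resolver(host))
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Proxy-side view of the request: (destination, port, 'domain' | 'ipv4')."""
    ver, cmd, _rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        dest, rest, kind = socket.inet_ntoa(data[4:8]), data[8:], "ipv4"
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        dest, rest, kind = data[5:5 + n].decode("idna"), data[5 + n:], "domain"
    else:
        raise ValueError("address type not handled in this example")
    (port,) = struct.unpack("!H", rest[:2])
    return dest, port, kind


def run_mock_proxy(seen):
    """Constructed stand-in for the ssh -D listener: answers the no-auth
    greeting, records the destination the client asked for in `seen`,
    replies 'succeeded' and closes. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(3)  # VER, NMETHODS, METHODS: client offers no-auth
            conn.sendall(bytes([SOCKS_VERSION, 0x00]))
            seen.append(parse_connect_request(conn.recv(262)))  # max request size
            # VER, REP=succeeded, RSV, ATYP=IPv4, BND.ADDR 0.0.0.0, BND.PORT 0
            conn.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + bytes(6))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def socks5_connect(proxy_port, host, port, resolver=None):
    """Client side: greeting, CONNECT, reply. Returns the proxy's reply code."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))  # offer 'no authentication'
        if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
            raise ConnectionError("proxy refused the no-auth method")
        s.sendall(build_connect_request(host, port, resolver))
        reply = s.recv(10)
        return reply[1]  # 0x00 means succeeded


def what_the_proxy_sees(host, port, resolver=None):
    """Run one exchange against the mock proxy; return what it recorded."""
    seen = []
    proxy_port = run_mock_proxy(seen)
    if socks5_connect(proxy_port, host, port, resolver) != 0x00:
        raise ConnectionError("CONNECT failed")
    return seen[0]


if __name__ == "__main__":
    # example.test is a constructed name; the resolver is a fake that logs.
    print("domain name sent ->", what_the_proxy_sees("example.test", 443))

    def leaky_resolver(name):
        print("local DNS lookup for", name, "(this is the leak)")
        return "192.0.2.10"

    print("IPv4 sent        ->", what_the_proxy_sees("example.test", 443, leaky_resolver))
```

The check a practitioner wants is the second path: when the application resolves locally, the mock proxy only ever sees `192.0.2.10`, and the lookup for `example.test` has already gone out over the untrusted network. With a real `ssh -D` tunnel, confirm the browser or tool is configured for remote DNS rather than assuming it from the presence of the proxy.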

------
despera
Yes, they do suck. Even if they totally, truly respect your privacy and spill
blood maintaining their systems, it's simply not possible to know whether
that's true or false, and thus using a VPN service is NOT a sound method to
increase your security.

Now, there are a few cases where it could be useful, like evading those pesky
private CYBER detectives that companies hire to track torrents. Also, it could
be used to bypass region restrictions. That's just that; I would never trust a
single byte of private info to go through a VPN.

There are a few services that do not try to evade the (big) question of trust
and tell you that you could use Tor through their VPN, but at that point we
have already taken a first class seat at the "security theater".

------
cmod
With WireGuard [0], setting up your own VPN [1] somewhere like DigitalOcean is
an afternoon project, and is often cheaper than most VPN subscriptions.

[0] [https://www.wireguard.com/](https://www.wireguard.com/)

[1] [https://www.digitalocean.com/community/tutorials/how-to-create-a-point-to-point-vpn-with-wireguard-on-ubuntu-16-04](https://www.digitalocean.com/community/tutorials/how-to-create-a-point-to-point-vpn-with-wireguard-on-ubuntu-16-04)

------
atmosx
Using your own VPN vs using a VPN provider is not a 1:1 comparison. VPN
providers give you access to multiple servers running in different countries.
You cannot set up 250 servers all over the world just to emulate a VPN's
offering. There are shared and private IP addresses etc.

If all you want to do is hide your traffic from a state level actor, then Tor
is a much better solution.

------
neilv
For _casual_ privacy purposes, such as hiding Web traffic from your ISP or
cafe WiFi APs, you can use Tor.

------
vasili111
Here is a good list of VPN services:
[https://www.privacytools.io/providers/vpn/](https://www.privacytools.io/providers/vpn/)

------
Dotnaught
I'm surprised no one has suggested Outline:
[https://www.getoutline.org/en/home](https://www.getoutline.org/en/home)

------
Whatarethese
I would honestly just host my own.

~~~
closeparen
You presumably have to tell the truth about your identity to your cloud/VPS
provider or, if using your own hardware, the ISP.

------
vikingcaffiene
You'd be hard pressed to find a better recommendation than Troy Hunt. [0]

TL;DR: Freedome VPN is really good and located in a country with strong privacy
laws.

[0] [https://www.troyhunt.com/the-importance-of-trust-and-integrity-in-a-vpn-provider-and-how-mysafevpn-blew-it/](https://www.troyhunt.com/the-importance-of-trust-and-integrity-in-a-vpn-provider-and-how-mysafevpn-blew-it/)

~~~
LeoPanthera
It _really_ depends what you want. Freedome (openly) logs your connecting IP
address and they block some P2P ports. In addition they incentivize social
media spam and make the traditional false claim of being 100% effective.

I have yet to find a "perfect" provider but this site helps learn about a lot
of them at once:
[https://thatoneprivacysite.net](https://thatoneprivacysite.net)

------
techslave
tor doesn’t depend on it. although it’s quite difficult to safely use tor.
anonymity is easy (enough) to expose. some of the same flaws apply to vpn as
well.

------
the_resistence
It's a war: the VPN companies against the tyrannical evildoers. Be thankful
folks are trying to keep free speech, democracy, a spotlight on heinous,
corrupt, morally absent regimes, and the truth alive.

