
Opera VPN behind the curtains is just a proxy - tdurden
https://gist.github.com/spaze/558b7c4cd81afa7c857381254ae7bd10
======
deelowe
K. To be honest, this was pretty obvious to me. Did people really think it was
a full VPN?

~~~
lvs
I agree.

There's no good reason why a web browser would make its own network layer
connection to support non-HTTP sessions. Session layer proxies have forever
been how this is done.

~~~
pbreit
Baking OpenVPN into the browser doesn't seem like a horrible idea.

~~~
brokemanchild
There's no way it can stay free can it? It seems like a crazily expensive
feature for them to bake in..

~~~
Vexs
I mean they can insert a client that allows people to use their server of
choice.

~~~
newjersey
I can install the browser without root privileges. This is an absolute must
have for me. Installing a browser for a user should not require root.

How would you get a non-privileged executable to take control of full network?

~~~
4ad
It doesn't.

While that's the most common way to run a VPN, it's not the only way. You use
TUN/TAP devices because you want arbitrary programs to use them. In this case,
you only want Opera to use the VPN connection. You don't need a TUN device for
that.

~~~
newjersey
So it is possible to set up a proper vpn connection without root privileges. I
didn't know this was possible.

This sounds perfect to me. A custom corporate wrapper for a web browser that
lives in its own silo. Workers who are working from home for the day can use
that app for work while keeping everything else like Spotify or YouTube or
Netflix from going on a long roundabout trip through the VPN. Sounds perfect
if you ask me.

------
SomeCallMeTim
So the problem is that, e.g., DNS isn't also queried over a VPN, so the sites
you're looking at will still be 100% visible to anyone watching your network
stream?

Or is the problem just that they're using the wrong terminology?

~~~
betaby
Yes, it's an https proxy. And DNS queries are not leaked. Again since it's a
HTTPS proxy your traffic is hard to inspect/intercept/MITM. Earlier discussion
[https://news.ycombinator.com/item?id=11540389](https://news.ycombinator.com/item?id=11540389)

~~~
tyingq
It does leak via WebRTC unless you install a 3rd party plugin and configure it
a specific way.

~~~
betaby
I don't know how to reliably test WebRTC thus can't comment on that particular
case. For http/https DNS queries are not leaked.

~~~
tyingq
There's a pretty good demo, with links to source code, here:
[https://diafygi.github.io/webrtc-ips/](https://diafygi.github.io/webrtc-ips/)
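An added example, not part of the thread or of the linked demo: a check for the WebRTC leak discussed above. It parses ICE candidate strings (as a page would collect them from `RTCPeerConnection` `icecandidate` events) and reports every address that is not the proxy's exit IP. The function names, sample candidates and IP addresses are constructed for illustration.

```javascript
// Constructed sample ICE candidate lines (RFC 8839 syntax, documentation-range IPs).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
  "candidate:2 1 udp 1686052607 198.51.100.7 51234 typ srflx raddr 192.168.1.23 rport 51234",
  "candidate:3 1 udp 2122260223 a1b2c3d4-0000-4000-8000-123456789abc.local 51235 typ host",
  "a=candidate:4 1 tcp 1518280447 192.168.1.23 9 typ host tcptype active",
];

// Split one candidate line into the fields that matter for a leak check.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)(.*)$/.exec(line.trim());
  if (!m) return null; // not a candidate line
  const raddr = /\sraddr (\S+)/.exec(m[5]);
  return { transport: m[1], address: m[2], port: Number(m[3]), type: m[4],
           relatedAddress: raddr ? raddr[1] : null };
}

// RFC 1918 / link-local IPv4 and unique-local / link-local IPv6.
function isPrivate(addr) {
  return /^(10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.)/.test(addr) ||
         /^(f[cd][0-9a-f]{2}:|fe[89ab][0-9a-f]:)/i.test(addr);
}

// Return every address the candidates expose that is not the proxy's exit IP.
// proxyExitIp: the address a web server sees over HTTP(S) through the proxy.
function findLeaks(candidateLines, proxyExitIp) {
  const leaks = new Map(); // address -> kind, de-duplicated
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.relatedAddress]) {
      if (!addr || addr === proxyExitIp) continue;
      if (addr.endsWith(".local")) continue;             // mDNS-obfuscated host candidate
      if (addr === "0.0.0.0" || addr === "::") continue; // redacted related address
      leaks.set(addr, isPrivate(addr) ? "lan-address" : "public-address");
    }
  }
  return [...leaks].map(([address, kind]) => ({ address, kind }));
}

console.log(findLeaks(SAMPLE_CANDIDATES, "203.0.113.50"));
```

A `public-address` result means a server-reflexive candidate carried an IP other than the proxy's, which is the case where the browser-only proxy is bypassed by WebRTC's UDP traffic.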

------
quotemstr
_All_ VPNs are proxies. It's just a matter of at what layer of the stack you
do the proxying. This post is a non-story.

~~~
lvs
Yes, it's sort of a persnickety issue, but the point is that it's not
"proxying" at the network layer, so it's not accurate to market it as a
virtual private network.

------
feduzi
This has a small benefit of protecting information routed to Opera's proxy (on
your LAN, ISP or whatever there is till the Opera's proxy), even when trying
to reach HTTP-only website. Though it is still not secure as HTTP-only website
will have data delivered to it in non-encrypted form.

"Browser VPN" is another misleading made-up term.

------
berdario
I think they added a bit of polish/magic compared to what you'd get in a plain
https proxy that you could set up yourself, since when visiting an HTTPS page
it'll show the certificate information from the site that you're visiting, and
not the one from the actual machine you're connecting to (the proxy).

Similarly (unlike poorly set up proxies like Lenovo's Superfish) it also
prevents connection to sites with invalid certificates.

(I wrote the same comment in the gist)

~~~
mistaken
I'm pretty sure that they just don't inspect the HTTPS traffic. Otherwise I'd
be worried that they have patched Opera to accept their fake certificate and
replace the cert information with details from the original.

------
chris_wot
I'm currently trying to set up an OpenVPN based VPN server on OS X. That's
because several iPad apps I use seem to bypass my regular DNS servers and go
to Google's DNS servers and OpenDNS, which I don't want them to do.

I could stick a gateway on my network, but frankly I just don't want to spend
any more money and OS X should do fine for what I want.

There is surprisingly little documentation on how to set up OpenVPN on OS X.
However, in my travails through OS X I've had to learn a whole bunch of tools
I've never used before, the main ones are how to create launcher files, how to
set up OpenVPN and how to use pf - in the way OS X wants me to.

I'm thinking of uploading the setup onto GitHub - would anyone be interested?

~~~
Razengan
Sure, that might be helpful to some.

------
NetStrikeForce
Isn't this very similar to what they used to do with Opera Mini?

The purpose was of course different. Opera Mini added value by optimising the
pages for your device (tiny screens, underpowered CPUs, insufficient RAM,
small batteries), while the added value of the current proposal is actually
defeated when it's offered only for free (meaning they get something out of it
- not just marketing for a paid offering).

"Opera Mini requests web pages through Opera Software's servers, which
process and compress them before sending them to the mobile phone, speeding up
transfer by two to three times and dramatically reducing the amount of data
transferred, chargeable on many mobile phone data plans. The pre-processing
increases compatibility with web pages not designed for mobile phones.
However, interactive sites which depend upon the device processing JavaScript
do not work properly."
[https://en.wikipedia.org/wiki/Opera_Mini](https://en.wikipedia.org/wiki/Opera_Mini)

------
Mpamios
I am wondering.. how about logging? I don't see anything about logging.. VPN
is useless if the VPN service provider hands out all logs to anyone who asks
for it.. anonymity goes bye-bye

------
spaze
Based on my research (I'm the author of the linked content), I've built a
simple Python Script which will do all the API calls and fetch the credentials
and list available proxies:
[https://github.com/spaze/oprah-proxy](https://github.com/spaze/oprah-proxy)

------
metastart
Better to use Epic Privacy Browser with a built-in ENCRYPTED proxy that's fast
over SPDY (not a simple unencrypted http proxy).

------
arca_vorago
Yet my post on the story about that said basically "do not want until open
sourced" got downvoted into oblivion with no response...

~~~
cpach
Some people want all their applications open source. Which is fine, do that if
that’s what you want. But it’s quite tedious if we need to have that
discussion for every thread related to a proprietary application/service.

