
Ask HN: What is it like to run a VPN as a business? - hazz99
Hello,

I'm going to set up my own VPN on some cloud hosting provider, and I'm toying with the idea of turning it into a small business.

Is there anything I need to know beforehand? Is it really that easy, or are there legal issues I need to handle?

Cheers

EDIT:

I should note that I _know_ this is an extremely saturated market - I'm not aiming to build a hyper successful business, but moreso to manage a small public VPN as an ideological side-project. Anything above breaking even I'd consider a bonus.
======
todd3834
The fact that it is easy to set up a VPN does make this more competitive but
that doesn’t mean you can’t build a business. Think about who your customers
will be. Is there an underserved niche that you can reach? It might take a HN
reader 10 minutes to set up a VPN but my mom wouldn’t be able to figure it out
if you gave her 10 months.

My battle plan for assessing whether or not I would pursue this would be the
following:

1\. Who is my target market?

2\. How big is that market?

3\. How will you reach that market?

4\. How can you test whether or not you can reach that market before getting
fully invested?

5\. Test out several ways to reach your market. Try changing the niche and
marketing plan until you can find some positive signals.

6\. Analyze the data and make an educated guess whether this is worth your
time or if you would enjoy doing something else more.

As far as legal issues, I don’t have any good advice but talk to a lawyer.
Look at some terms of use of existing VPNs. Find out where you are liable and
try to mitigate your risks the best you can.

If you ever want to brainstorm some ideas hit me up at my email on my profile.

~~~
mtmail
Adding an example of a niche: Those who wish to crawl
Google/Bing/Amazon/Youtube results for SEO analysis around the world. You'd
write a wrapper or other positive list of domains allowed through the proxy.

~~~
rsync
One very interesting niche that I recently learned about was providing a VPN
with a "residential" IP block that could be used to geo-shift netflix viewing:

[https://www.lowendtalk.com/discussion/138668/vps-for-us-netf...](https://www.lowendtalk.com/discussion/138668/vps-for-us-netflix/p1)

Apparently there are a lot of people who would like to watch "US Netflix" but
cannot do so from their location.

~~~
robben1234
It's the main usage of VPN (as well as region locked mmos) for those who are
not doing it for security.

~~~
bigger_cheese
The Consumer advocacy group here in Australia, CHOICE, specifically recommends
using a VPN service to avoid geoblocking
([https://www.choice.com.au/electronics-and-technology/interne...](https://www.choice.com.au/electronics-and-technology/internet/internet-privacy-and-safety/articles/bypass-geo-blocking)).
So there is definitely a market for this type of service.

------
alliecat
By and large, people are interested in VPNs because they're vulnerable, in
some way or another. By becoming a VPN provider, you become a "pinch point"
for the connections of a number of vulnerable people.

That way, a hypothetical bad actor only needs to compromise one entity (you)
in order to gain access to those people who rely on you.

Aggregating vulnerability makes you a target, and puts your customers at risk
- Especially when you're relying on third-party virtualisation providers for
your infrastructure.

~~~
CodeWriter23
I would add, the potential to become a legal target. That is, receiving,
fending off and complying with subpoenas and court orders.

~~~
alliecat
Aye. I care slightly less about this from my perceived threat model (if you go
into the business then you know what's coming to you, whereas your end users
are a lot less likely to understand the risks) but it's still worth thinking
about.

------
preinheimer
We offer VPN as a side thing to help our customers who are testing their
websites from around the world. At the behest of some friends I added VPN as
its own plan.

A choice you need to make really early on when you're offering a VPN is how
much data you want to log. Eventually someone will do something on your
service that pisses someone else off. That could be torrenting, spam,
defrauding the elderly, etc. Ideally you, but more than likely your provider
will receive an angry letter. Whether or not you've logged will choose what
you can do next. If you're not logging, and unable to stop complaints from
coming in your provider might turn you off completely, so you'll want to pick
a provider known to pass letters on without caring.

I blogged about our choice (we log) here:
[https://wonderproxy.com/blog/our-vpn-what-we-log-and-why/](https://wonderproxy.com/blog/our-vpn-what-we-log-and-why/)

------
bhouston
The successful companies appear to be run at least partially anonymously and
based in tax havens. I figure that is because there is legal responsibility
that they are trying to dodge.

People use vpn for illegal stuff, and the least worst is Netflix then p2p. P2p
if you are a facilitator could land you in jail.

~~~
dzhiurgis
This. Had a lengthy discussion with a friend who has a friend where one works.

My theory was - why not set up a virtual VPN provider that all such companies
could buy. After all it’s simple and the real grunt of work is marketing and legal.

Legally, these companies are set up somewhere in Caymans et al.

Being such a shady business by definition, I have extremely hard time trusting
such services. It’s like the most obvious honeypot / trojan horse ever.

------
Johnny555
I'd be most worried about the legal liability, what happens if someone starts
using your service to download or sell pirated movies or child porn? What's
your legal exposure?

~~~
hazz99
Yeah this is my issue. I'm not too worried about it being a successful
business (more like a small side project), but I don't have the resources to
fight any legal claims.

~~~
emmanuel_1234
\- Do not run it in the US.

\- Do not sell the service in the country you run it.

\- Really, do not run it in the US.

~~~
hazz99
What are good, non-US cloud providers? I only know of AWS/DO/Azure/Google -
what are the go-to providers outside the states?

~~~
gyaru
Hetzner or OVH in Europe.

------
codexon
The most difficult part about VPN as a business is dealing with the people
that use the VPN for illegal activity.

The authorities will come after you first. Most large providers are located in
some small country like Panama so they can't be sued or jailed.

------
chadash
From a technical perspective, you're probably not breaking new ground here.
The main things you'll need are ease-of-use and good marketing. There are
existing companies that do this and make it fairly easy to get up and running,
so you'll need to do the same. Perhaps start with a niche (e.g. easy setup on
Ubuntu) and build from there. Still, your biggest hurdle is going to be that
no one has heard of you, so make sure that you have a well designed landing
page and think about who you'll market the product to.

~~~
dzhiurgis
One service I’d be willing to pay is intercontinental booster.

Living in NZ means you’ve got quite underprovisioned international pipe.
100mbps fibre realistically means 3mbps...

If a VPN could route you via their dedicated pipe...

~~~
neurostimulant
You probably just need to find a vpn provider that provides vpn server located
in NZ (should be plenty if you google it). By connecting to their NZ vpn
server, you'll effectively use their international connection when accessing
international sites instead of your isp's international pipe.

------
naegelin
I ran a venture backed VPN company for many years (Spotflux). These days there
are tons of huge players in the market, some of which have hundreds of
millions of dollars in funding. Your challenges will be as many have stated
the following:

1) Convincing providers to let you have VPN traffic on their networks.

2) Dealing with tons of DMCA complaints

3) Dealing with GDPR compliance in the EU

4) Maintaining compatibility for dozens of different user configurations and
having apps in the mobile app stores

5) Dealing with credit card and payment fraud.

6) Dealing with law enforcement once you reach a certain scale (no,
incorporating in whatever random island will not help you)

7) Maintaining constant uptime of your servers. When a user faces even a
minute of downtime, their internet connection is now effectively broken and
you are to blame.

8) Dealing with lots and lots of customer support issues and an endless mix of
customer configurations which will have you ripping out your hair trying to
resolve.

9) Constantly make sure your systems are secured from the latest exploits so
you can guarantee privacy and safety of your users.

10) Maintaining a brand and a niche with mature marketing channels that keeps
new users coming and paying for your service.

At the end of the day, it's a very difficult company to run and it's even harder
to maintain profitability with so much competition.

------
geofft
One possible option is to sell VPN service to friends/family/acquaintances,
for a price that is (clearly to them) cheaper than comparable commercial VPNs,
in exchange for a promise to not do anything that would get you in legal
trouble. You can trust the promise more than you could trust standard terms-
of-service because you know them, and hopefully the lower price means they see
it as you offering them something as a convenience from your side project
instead of a "real" business and the problems of doing business with friends
don't apply as much.

~~~
gscott
Just tell customers everything is logged and the logs are deleted on a rolling
basis every year.

~~~
nickpsecurity
And the logs are stored encrypted offline. They move over a one-way link from
main server somewhere else in case of a compromise. They're never shared
except with law enforcement with a warrant per privacy policy and EULA.

Inspires more confidence if they're kept temporarily _but heavily protected_.

------
trulyrandom
I've also toyed with the idea of doing something like this, and would like to
know more about this as well. Like you said, the technical side seems easy. I
imagine handling legal issues is going to be the bulk of the work. How are you
going to handle abuse reports? How are you going to handle requests from
authorities asking to turn over user data? And most importantly: how much
information about your users are you going to collect to make handling the
legal issues easier?

~~~
CraneWorm
> how much information about your users are you going to collect

Not collecting any data would be the obvious choice.

~~~
Klathmon
Which isn't legal in many parts of the world, especially if you take any kind
of payment for your services.

~~~
chefkoch
If you don't collect data you can't give it to the authorities.

~~~
eli
But you can still be asked for it, and you can still be required to appear in
court over it

------
Topgamer7
You're going into a heavily saturated market. Not to mention anyone
technically savvy can set up their own VPN in 10 minutes on a cheap DO host or
other provider.

~~~
joshmn
I'd consider myself tech savvy and I happily pay for a VPN (PIA). I don't want
to manage a node, and at $40/year it's about equal to what I'd pay otherwise.

~~~
9712263
I guess it takes an average HN reader 1 hour to set up a VPN. If the purpose is
to have a secured gateway for using public wifi, it serves the purpose. However,
if you want to gain anonymity, it does not work since the node has a unique IP
and only you are using this IP. You still need different users to use this VPN
to gain anonymity.

Therefore, we could only choose one of the following: security or anonymity,
but not both, unless you become your own VPN provider and serve some
customers for anonymity.

An alternative is Tor, but a compromised exit node still leaks HTTP site.

So, if someone could solve this problem, it would be a big selling point. I am
not sure if it is possible to share an IP between different VPN nodes without
an untrusted gateway in front.

~~~
drdaeman
In my country, VPNs sometimes get blocked. Along with half of the AWS and
other random stuff.

So I've set up _my_ VPN and _also_ pay for another third-party VPN service,
having best (or worst) of both worlds.

My gateway host is private, and I've decided that if it gets detected, I'll
add an obfs4 layer on top of it. (Luckily, that hadn't happened - and I'm
moving to another country in about a week. But that's a different story.)

All my first VPN does, is merely routing the traffic to an upstream VPN
provider. This way I get a private entry point but also enjoy some degree of
anonymity as my "final" IP addresses are shared with lots of other users.
(Well, I share my gateway VPN with a few close friends. Maybe that's
borderline cheating on the upstream VPN, but I don't see a way to pay them for
my network-sharing guests anyway.)

Oh, and I don't need to reconnect to switch regions. I just made myself a tiny
web service that changes the routing table used by my TAP connection, so
whenever something doesn't work from one region I just need to click on a flag
icon.

~~~
octosphere
> In my country, VPNs sometimes get blocked.

This is why I love* Tunnelbear's[0] GhostBear feature and it uses
obfsproxy[1]. Very few VPN providers provide censorship circumvention like
that

[0] [https://www.tunnelbear.com/](https://www.tunnelbear.com/)

[1]
[https://community.openvpn.net/openvpn/wiki/TrafficObfuscatio...](https://community.openvpn.net/openvpn/wiki/TrafficObfuscation)

[*] No affiliation with Tunnelbear, just thought I would point out this
feature

------
teknologist
A great niche to get into would be Internet censorship avoidance in countries
where Internet freedom isn't a thing. As an expat living in China, I can tell
you that there are only a few companies that do this successfully (among them
Astrill and ExpressVPN).

Operating this kind of VPN comes with its own set of unique technical
challenges, such as avoiding DNS poisoning and offering the best protocols to
use. Spinning up a homebrew solution on DO just doesn't cut it as an end user,
so we rely on companies like these to provide targeted solutions.

A VPN provider that can focus on avoiding common blocking techniques would be
very valuable to a lot of people.

------
ecesena
Be focused on a specific audience, because talking to consumers about security
is very hard. First, I'd start with your friends.

The first question they're going to ask is how can I trust you're not spying on
what I do. If you can convince your friends, then you can convince anybody.

Next is how do I use it / how does it work, that brings to make it as simple
as possible. Minimal setup, no configuration, it just works.

Finally it's why should I use it. This can be "easy" because you can just look
around the competition, see their messaging, find out which one you like
better and copy it. Focus on benefits vs technical features and details. When
consumers see something they don't understand, they leave.

I've never built a vpn, but I made a password manager (question 3 is
relatively easy/understood), and now I'm making a security key (all these
questions are proving to be pretty hard). Shameless plug, we're live on
Kickstarter:
[https://solokeys.com/kickstarter](https://solokeys.com/kickstarter)

------
FireBeyond
Your best bet, from an ideological perspective, is NOT a cloud hosting
provider or a dedicated host, but buy rack space, and put your own servers in.

Control access to the machine/s.

This is more expensive, and not foolproof. But other hosting providers have so
much access to track or log things, even if you don't want them to.

------
joshmn
Anecdote: You can do this really cheap on the billing side and use WHMCS for
billing/member management. Better than rolling your own, and it's pretty
extensible.

------
SiqingYu
VPN has a vast potential market in China, which has blocked most providers.
I've used ExpressVPN for two years, and its connection is not always stable.
I've also used the Lantern proxy with a premium account for a year. Somehow it
didn't work most of the time. Maybe you can use more advanced technology and
networking infrastructure to provide better service to such areas.

------
vertex-four
Surely from an ideological perspective, running a Tor relay node or two would
provide about the same amount of fuzzies at much less risk?

------
lalice
most of the job will be technical support and finding the right server
providers. marketing will be the limiting factor. it's pretty quiet legally,
usually it doesn't go further than DMCA cease & desists, but you need to mind
countries and what logs each requires you to store. see packetimpact.net maybe
i can help you

~~~
spurgu
How does this work in practice though? I had a DigitalOcean droplet setup with
OpenVPN and they contacted me pretty quickly (within a week) with a bunch of
DMCA notices (due to torrenting). I can imagine that this would be quite a
frequent occurrence as a VPN operator and not necessarily something I would
like to be dealing with.

------
cube00
The problem is that just like you're able to quickly run up a VPN on a cloud
provider, I can do the same. There are plenty of drop in containers for this
now and the barrier for entry is low. I think you're just opening yourself up
for a world of legal pain and costs given what most people will use VPN
services for.

~~~
qrbLPHiKpiux
You're saying that if you use a VPN you are up to something nefarious?

~~~
icebraining
No, that's not what cube00 said. The HN guidelines ask you to assume good
faith and eschew flamebait, please do so.

------
extremum134
Apart from the above suggestions, try to provide WireGuard support, and if
possible a Shadowsocks proxy as well.

------
ddesposito
I've had a similar idea. I am thinking of creating a service that would
install OpenVPN for you on your own server, and send you an email with all the
configuration details. Would that be useful, worthwhile doing?

------
simple_man
You get consistent revenue from the NSA.

------
jonny_eh
Try it and report back, I'm curious

------
Ax021
how.. make fast money?

------
wild_preference
One of my "favorite" evil business models is Hola VPN
([https://hola.org](https://hola.org)), a free browser VPN extension. Hola VPN
users unknowingly become exit nodes for residential IP address proxies for
sale at [https://luminati.io](https://luminati.io).

~~~
farresito
Thank you for mentioning it. Just removed it. Do you know of any good, non-
expensive (VPN?) alternatives? I was using it to access Netflix in other
languages for language learning purposes.

~~~
Kaveren
ProtonVPN has a free plan, I recommend it quite strongly. Netflix works on the
server I use, though I'm not sure if it works for all servers. P2P traffic is
not allowed on free servers.

Support is okay, not the fastest. Downtime is rare but not unheard of, they've
been targeted with big DDoS attacks. Server options expanding but not in tons
of countries. Most trustworthy and reputable service because it has a CEO you
can actually put a name and a face to, and the history of Protonmail.

~~~
computerfriend
This is ironic given the connection between ProtonVPN and Hola/Luminati.

~~~
Kaveren
What are you referring to? The situation I found bits and pieces about didn't
seem to amount to much of anything. ProtonVPN was able to explain what happened
to what I thought was a satisfactory degree [1].

I definitely don't trust NordVPN in particular, they advertise their "military
grade encryption", and I have no clue who runs it.

[1]
[https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...](https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn_and_tesonet/e21tfqw/)

What other VPN would you trust? Mullvad, absolutely no clue who runs it.
Private Internet Access had claims about logs proven in federal court at some
point in the past, but I really still don't trust it.

Running your own VPN is one of the best options but you almost completely lose
the relatively reasonable degree of anonymity that VPN providers serve to you.
Depends on your objectives.

~~~
krn
> ProtonVPN was able to explain what happened to what I thought was a
> satisfactory degree

ProtonVPN's explanation was extremely hard to believe[1].

> Mullvad, absolutely no clue who runs it.

It's clearly stated on Mullvad's homepage[2]:

> The legal entity operating Mullvad is Amagicom AB. [...] Amagicom is 100%
> owned by founders Fredrik Strömberg and Daniel Berntsson who are actively
> involved in the company. The rest of the team includes Robin Lövgren, Simon
> Andersson, Linus, Richard Mitra, Sanny Mitra, David Marby, Odd, Andrej
> Mihajlov, Janito Ferreira Filho, Elad Yarom and Jan Jonsson.

[1]
[https://news.ycombinator.com/item?id=17775554](https://news.ycombinator.com/item?id=17775554)

[2] [https://mullvad.net/en/](https://mullvad.net/en/)

~~~
Kaveren
I thought the Reddit reply was thorough, though I can't speak to the claim by
krn.

At the end of the day, I can't name many (if any) VPN providers that operate
their own data center, which is extremely important since they all (including
ProtonVPN) lease from the same companies. ProtonVPN does provide Secure Core
though (routing traffic through certain countries to attempt to mitigate exit
node threats), too.

I wasn't aware about Mullvad, thank you for pointing that out. I still have
little clue who those people are, while Andy Yen has given a TED talk, so he
has some public presence. I'm personally more inclined to trust them.

~~~
protonmail
Actually, ProtonVPN does own the physical hardware and network for our secure
core servers, which we fully operate and run ourselves. This is rather
expensive to do, but it's the only way to be sure things are behaving as they
should.

