
Show HN: A small bootstrapped independent VPN company in the Netherlands - 01CGAT
https://www.wifimask.com/about
======
zhte415
First, it looks good that you declare who you are. Many VPN providers seem to
want to hide their real identities which is a big red flag.

I couldn't see from the website what your VPN is based on in terms of
protocol? Or home brewed? OpenVPN?

Have you had 3rd party audits?

Have you considered alternative payment forms? Such as Bitcoin or other?

From your Terms of Service 'What we do not allow on or from our network...'
how do you track these? Do you provide a transparency report summarising
legal, copyright etc requests made, action taken?

Also from ToS 'What we need our customers to do: - Use responsible disclosure
in the event any security vulnerabilities occur in our website, software or
infrastructure.' Do you have a public disclosure policy notifying of
vulnerabilities?

Choosing a VPN involves placing a lot of trust in a 3rd party. Hence
questions.

~~~
01CGAT
Thank you for your questions and feedback!

WifiMask uses OpenVPN for the macOS app and IKEv2/IPSec for iOS. We haven't
had 3rd party audits yet, this is definitely on our wish list, because we
understand it's all about trust. Alternative payments like bitcoin are on the
list as well, we aim for total anonymity for our users, payments are part of
that. To be honest we can't track any illegal activity, because we have a
strict no log policy, all we can do now is say it is not allowed. We have
nothing to hand over to enforcement either, they have to find different ways
of getting the information they want. We should investigate and think about
transparency reports and a public disclosure policy too, thanks!

~~~
KayMW
Then... May I ask why only Apple devices are officially supported right now?

~~~
nvrspyx
I have no affiliation with the service, but I assume that:

1. They're small

2. They're new

3\. Their team has more experience developing for Apple devices, thus it was
quicker to release for those devices first before tackling Windows, Android,
and/or Linux.

What they could do in the meantime is create a web-based tool to generate
configurations for OpenVPN and/or Wireguard, like Mullvad does.

------
yellowarchangel
Isn't the Netherlands in the Nine Eyes?

EDIT: "We will never share your personal information with any third party,
except when we need to respond to a legal request from Dutch authorities" -
[https://www.wifimask.com/terms](https://www.wifimask.com/terms)

As a VPN service that means it is not thoughtful about privacy.

~~~
jacquesm
As a counterpoint: any VPN service that claims that they will ignore the
authorities legal requests is lying. No matter what, as soon as it is a
business, has a registered address and a nominal director it can be put under
pressure.

~~~
01CGAT
I think this is true. We want to be as honest and open as possible, that
includes being honest about the laws we have to comply with. On the other hand,
we have a strict no log policy, we have nothing to hand over to authorities
except for the registered email address, a hashed password and the last 4
numbers of a credit card. Authorities will need to find different ways to get
the information they want.

~~~
jacquesm
A 'no log policy' is a hard one, it _may_ be true but you can't really prove a
negative. So it is as good as your word and your reputation, which in this
case may be very good but it may not be enough to reduce skepticism.

FWIW I do tech DD for a living and I've seen several places that had 'no log'
policies on the outside and yet they would occasionally - or even structurally
- log data in order to comply with the law.

The 'WBT' (Retention duty for Telecommunications data) has been disbanded, which
should work to your advantage, but the GDPR makes explicit room for the
accommodation of legal and regulatory requirements and this in turn may
transcend your 'no log' policy. Please make sure you have appropriate legal
advice on the subject, it is complex and getting it wrong can really bite you.

Best of luck with your company!

~~~
01CGAT
Your comment makes me think of a "Warrant canary" which we could set up to
inform our customers that we have been served with a government subpoena:
[https://en.wikipedia.org/wiki/Warrant_canary](https://en.wikipedia.org/wiki/Warrant_canary)

Thanks!

------
jandeboevrie
I've worked with the founder (Joost H., Remy says Hi). Can vouch for him,
all-round good tech guy. He was a Windows server admin at a big cloud provider
(CloudVPS), I was one of the Linux guys. He knows his way around Windows,
Hyper-V and clustering. Even some Linux. Quit his job to work full time on the
startup with his brother.

Big plus one here. I'd trust wifimask if I wasn't capable of hosting my own
servers and needed a VPN.

~~~
01CGAT
Hi Remy! Thanks for your support! :-)

~~~
01CGAT
Oh, and if anyone wants to know, WifiMask doesn't run on Windows, it's all
Linux. ;-)

~~~
bradknowles
What can you tell us about the rest of your stack?

What language(s) do you use?

What libraries do you use?

What static and dynamic security analysis tools do you use?

What style guides and code best practices do you use?

Where do you host your code?

Where are your backups?

Where are your POPs located?

Have you had any pen tests run?

~~~
01CGAT
These are very interesting questions and invite writing about them in more
detail, which makes me think of writing blog articles about it. Stay tuned! ;-)

------
gigatexal
I don't care about your stack or disclosing who you are just please don't lie
to us about logging. Either you log everything or you log nothing or you
encrypt everything and throw away the key or something. Dissidents and
journalists everywhere will thank you.

~~~
01CGAT
What can I say, part of the OpenVPN config:

    status /dev/null
    log /dev/null
    verb 0

Part of the IPSec config:

    charondebug="asn -1, cfg -1, chd -1, dmn -1, enc -1, esp -1, ike -1, imc -1, imv -1, job -1, knl -1, lib -1, mgr -1, net -1, pts -1, tls -1, tnc -1"

(-1 means absolutely silent)

There are no client connect/disconnect scripts active.

Authorization, Accounting and Authentication log queries in FreeRadius are
disabled.

All name server logging is disabled.

iOS subscription receipt validation logging is disabled.

Communication between servers (for example vpnserver -> dbserver) is
encrypted with OpenVPN.
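
As an added example (not WifiMask's configuration or code), a small Python audit that parses an OpenVPN server config and flags every directive that would still record per-connection data: log and status files, hook scripts, the IP-pool persistence file and a non-zero verbosity. The two sample configs are constructed; the "quiet" one mirrors the three directives quoted above.

```python
"""Audit an OpenVPN server config for directives that still record connections.

Added example, not WifiMask's config; both sample configs below are constructed.
"""
from typing import Dict, List

QUIET_CONF = """
port 1194
proto udp
dev tun
status /dev/null
log /dev/null
verb 0
<ca>
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
"""

NOISY_CONF = """
port 1194
dev tun
; status file rewritten every 60 seconds
status /var/log/openvpn/status.log 60
log-append /var/log/openvpn/openvpn.log
verb 4
client-connect /etc/openvpn/on-connect.sh
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
"""

# Directives whose argument is a file that receives per-client data.
FILE_SINKS = {"log", "log-append", "status", "ifconfig-pool-persist"}
# Hook scripts that run with the client's CN and address in their environment.
HOOK_SCRIPTS = {"client-connect", "client-disconnect", "learn-address"}


def parse_directives(text: str) -> List[List[str]]:
    """Split a config into [directive, arg, ...] lists, skipping comments and <tag> blocks."""
    parsed, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:
            in_block = not line.startswith("</")
            continue
        if line.startswith("<"):
            in_block = True
            continue
        parsed.append(line.split())
    return parsed


def audit_logging(text: str) -> List[str]:
    """Return one finding per way the config can still record connections."""
    findings: List[str] = []
    seen: Dict[str, List[str]] = {}
    for directive, *args in parse_directives(text):
        seen[directive] = args
        if directive in FILE_SINKS and (not args or args[0] != "/dev/null"):
            findings.append(f"{directive} writes to {args[0] if args else '(default)'}")
        elif directive in HOOK_SCRIPTS:
            findings.append(f"{directive} runs '{' '.join(args)}' per client")
    verb = seen.get("verb", ["1"])[0]          # OpenVPN's default verbosity is 1
    if int(verb) > 0:
        findings.append(f"verb {verb} still emits connection messages")
    if "log" not in seen and "log-append" not in seen:
        # Without a log file, a daemonised OpenVPN sends its output to syslog.
        findings.append("no log/log-append: output goes to stdout or syslog")
    return findings
```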

------
ignoramous
Nice. Wifimask looks promising, esp with ad-blocking built-in. A few
questions:

Where do you purchase your servers from?

How trustworthy are the underlying VPS providers across different countries
that you've got presence in?

It was recently pointed out that PIA was $30 million in debt... Looks like VPN
is a brutal business, but your pricing is (low?) at $4 for unlimited devices
_and_ you're bootstrapped. How do you manage to pull it off?

What are the upcoming features that you plan? Consequently, what are the most
requested features?

Thanks.

~~~
01CGAT
All servers are purchased from Digital Ocean only at the moment. I think it is
very important to buy servers from a trustworthy party especially in the VPN
business, even if that means we pay a little bit extra.

VPN is a brutal business. But because we are bootstrapped and thus have no
screaming investors/banks behind our backs and we are a small team, costs are
low and there's no one who can pull the plug but ourselves. I don't know how
many people are working for PIA, but in my opinion you don't need tens or
hundreds of people to build and run a VPN company. I'm not very surprised
they are supposedly in that much debt.

The most requested feature is an Android app. ;-) And unblocking Netflix
of course, but they seem to get even better at blocking VPNs than the Great
Firewall of China. What would your feature request be? :-)

~~~
krn
> All servers are purchased from Digital Ocean only at the moment.

Are there any legal or technical reasons to prefer DigitalOcean over OVH and
Hetzner? They seem to be both, much more cost-efficient, and much more
privacy-oriented.

> What would your feature request be?

WireGuard.

~~~
01CGAT
I have tested both OVH and Hetzner, Digital Ocean's speed is much faster and
more stable worldwide.

I'm definitely keeping an eye on WireGuard, it is very promising.

------
Coxa
As I see it, many mainstream users use such a service to avoid geo blocking.
Which is a feature you call teleporting. How do you plan to resolve the
problem of Netflix/Amazon Prime blacklisting your VPN servers' IPs? Obviously
this is part of your product as you list it as a feature. Hence, people might
argue that your product is faulty and ask you to return their money.

~~~
01CGAT
We have now sort of "hidden" the information that Netflix is not unblockable
under the FAQ part of this page:
[https://wifimask.com/contact](https://wifimask.com/contact) Maybe we should
say we cannot unblock Netflix on the frontpage, because I also realize that's
why a lot of people are looking for a VPN who does. Nevertheless, besides
Netflix, there is still a lot of content to be unblocked. And of course, if
unblocking Netflix was the main reason to get WifiMask and it doesn't work,
you'll get your money back.

------
NiekvdMaas
Why focus on Apple devices only? It seems like a strange business decision to
limit a general service to a minority of the market only.

~~~
brightball
I'd assume the answer is "bootstrapped" so they're extremely focused on one
thing.

~~~
Skunkleton
Looks like it's based on OpenVPN. They provide OpenVPN configs to use on
other platforms.

Edit: a word

~~~
penagwin
It does appear to be openvpn based, but if they were focused on launching
their product and only had apple products on hand then that's likely why it's
mac/ios only.

I'd expect that they'll have other platforms soon.

~~~
01CGAT
All true. You have to start somewhere, and the first focus was on Apple
devices, apps for other platforms will soon follow. Meanwhile examples of
OpenVPN config files are available too, so you can use the WifiMask service on
any OpenVPN capable device:
[https://www.wifimask.com/contact#androidwindows](https://www.wifimask.com/contact#androidwindows)

------
dylz
Some feedback/q's:

- Your last two bullet points for 'what we do not allow' are missing newlines
([https://www.wifimask.com/terms](https://www.wifimask.com/terms))

- You load a number of JS files from third party CDNs including Cloudflare
and Google without subresource integrity

- What does this offer me? It seems a lot more restrictive than other
companies at lower price points, inability to use it on own libre devices,
requiring proprietary software? How is this significantly different than
renting a VM or two?

- Based on your cipher list in features, this is an openvpn wrapper?

- "WifiMask will also use your Personal Data to provide you with news,
special offers and general information about other goods, services and events
which we offer that are similar to those that you have already purchased or
enquired about." - This sounds like there is no opt out, no "if you choose
to", just that special offers are mandatory to receive

~~~
01CGAT
Many thanks for your feedback! Much appreciated. The missing newlines and
subresource integrity are now fixed. The Privacy Policy is now updated with
information on how to opt-out.

WifiMask uses OpenVPN for the macOS app and IKEv2/IPSec for iOS. Examples of
OpenVPN config files can be found at
[https://www.wifimask.com/contact#androidwindows](https://www.wifimask.com/contact#androidwindows)
which allows you to use the WifiMask service on every OpenVPN capable device.
Meanwhile an Android and Windows app are in development, so stay tuned. ;-)

~~~
dylz
No 2FA other than mandatory phone number? This is a really, really bad thing.
(+ forcing proprietary app?)

Can't find list of hostnames to use with OVPN, seemingly

~~~
01CGAT
The optional 2FA used is Authy, you activate Authy with your phone number only
once, after that you use Authy to login to your account. So 2FA is not done
through SMS text messages for example, where hijacking could be a problem.

Good one with the list of hostnames, I will prepare one, for now you can take
a look at this JSON file:

[https://vpnserver.wifimask.net/vpnservers.json](https://vpnserver.wifimask.net/vpnservers.json)

~~~
commoner
Authy is absolutely not acceptable for privacy applications like VPNs. Authy
stores user information on third-party servers, when there are plenty of 2FA
apps that work locally on the user's device.

The fact that Authy refused to delete user accounts (before they were acquired
by Twilio), even when they promised to do so in their terms of service, is
also very concerning:

[https://news.ycombinator.com/item?id=9103606](https://news.ycombinator.com/item?id=9103606)

[https://web.archive.org/web/20141011062757/authy.com/terms](https://web.archive.org/web/20141011062757/authy.com/terms)

------
01CGAT
Everybody here gets a 25% discount for 12 months with the coupon code HACKERNEWS
;-)

~~~
deca6cda37d0
Coupon code doesn’t work

~~~
01CGAT
I will check this and get back at you soon.

~~~
01CGAT
It's fixed now, you can use the coupon code now if you have a subscription.

------
itcrowd
As a minor nitpick, I dislike the term "Holland" when referring to the
Netherlands. Additionally, you're based in Den Bosch, which is not even _in_
Holland.

(you say "made in Holland" in your logo)

~~~
jacquesm
You can blame the Dutch Tourism board for that, they unilaterally declared
'The Netherlands' to be too complicated for marketing purposes and decided on
Holland.

[https://www.nbtc.nl/](https://www.nbtc.nl/)

So, from on high: Den Bosch is now _also_ in Holland, as are Maastricht,
Enschede, Middelburg and Groningen, to the great chagrin of those living there.
It's been a major point of contention between the NBTC and almost all of the
rest of the country but 'Made in Holland' has displaced 'Made in The
Netherlands' for quite a while now.

~~~
Someone
_"they unilaterally declared 'The Netherlands' to be too complicated for
marketing purposes"_

That is history :-). [https://www.government.nl/latest/news/2019/11/08/new-international-logo-nl-with-stylised-orange-tulip](https://www.government.nl/latest/news/2019/11/08/new-international-logo-nl-with-stylised-orange-tulip) (3 weeks ago):

_"From now on the Netherlands and the Kingdom of the Netherlands can be
recognised internationally by a new logo. The logo is characterised by two
symbols: NL and a stylised orange tulip. The logo replaces the much used
'Holland tulip' of the Netherlands Board of Tourism & Conventions' (NBTC)"_

I think it will be ‘a while’ before ‘Holland’ is gone, if only because
’Nederland’ doesn’t work well in cheering on sports teams.

~~~
jacquesm
That's great news. I was in the midst of that when it was first announced and
the NBTC still shows the old logo. Excellent - and very timely - news. I never
did like the 'Holland' bit, it seemed like a dumbed down version, marketeers
taking over tradition.

------
AtomicOrbital
I just roll my own vpn using a vps box from ovh or hetzner using repo
[https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md](https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md)
... server setup is simple and client connections are solid ... and nobody
has the logs but me

~~~
01CGAT
May I suggest to turn off logging for your own server too? :-) Anyone with
physical access to the server can access the logs, maybe even when the disks
are encrypted, I can imagine someone with the right knowledge can extract the
key from RAM on a running server:

[https://blog.appsecco.com/breaking-full-disk-encryption-from-a-memory-dump-5a868c4fc81e](https://blog.appsecco.com/breaking-full-disk-encryption-from-a-memory-dump-5a868c4fc81e)

------
a012
Downloaded the app on MacOS but it isn't compatible with password manager,
unable to copy/paste to the input fields. So it's no go

~~~
01CGAT
I have seen this throughout macOS lately with other apps too, a rightclick
will show you the paste option btw. Meanwhile I will investigate this, thanks!

------
pcwrt
Since this is OpenVPN & IKEv2/IPsec, our router should be able to work with it
- making it available to devices other than Apple's.
[https://www.pcwrt.com/2019/02/how-to-set-up-a-vpn-client-connection-on-the-pcwrt-router/](https://www.pcwrt.com/2019/02/how-to-set-up-a-vpn-client-connection-on-the-pcwrt-router/)

------
wolco
I'm not sure I agree with pushing responsibilities on customers. If you miss
some security item or if you make my account a super admin on signup I
shouldn't have some responsibility to help you fix it.

    
    
      What we need our customers to do:
      - Use responsible disclosure in the event any security vulnerabilities occur in our website, software or infrastructure.

~~~
01CGAT
I will rephrase it, the intention is not to push responsibilities, we are
merely asking our customers to let us know if they ever find a vulnerability.
Thanks for the feedback!

------
e-moe
Talking about mobile only VPN: you can also check "Warp+"
([https://1.1.1.1/](https://1.1.1.1/)) from Cloudflare - unlimited traffic
starting from $1/month (depends on your region)

------
arty587
Hi, thanks for the post. I'm also trying to develop a VPN for personal use,
between me and my friends, do you have any tips on how to generate the
credentials for each user automatically?

~~~
01CGAT
Using a database for user authentication, you could write a script to fill the
database with some usernames and passwords. Or create a webfrontend for users
to register their own usernames and passwords.

~~~
arty587
Yes thanks, that's a good idea, I was also wondering how OpenVPN behaves with
different connections, if it can handle multiple users simultaneously or not

~~~
arty587
More specifically, if I have to manually generate keys for each user or if
there is a way to automatically generate them

~~~
01CGAT
OpenVPN has the duplicate-cn option available, two connections with the same
common name are then allowed.

~~~
arty587
I see, that may prove helpful but it doesn't really answer my question, can you
be more explicit about your answer?

~~~
01CGAT
You could generate a certificate for each user, but without the duplicate-cn
option a user is only allowed 1 connection to the same server. You can also
use username/password authentication instead of certificates, also in this
case you'll need to set the duplicate-cn option to allow multiple connections
from the same user to the same server, because in this case you use the option
username-as-common-name and the CN (common name) will then be the username.
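
As an added example (not WifiMask's or OpenVPN's code) that serves both the "write a script to fill the database with usernames and passwords" suggestion earlier in this thread and the username/password setup just described: a small Python credential store plus the verify script that OpenVPN's `auth-user-pass-verify ... via-file` would call. The database path, the script location and the other server-side directives listed in the docstring are assumptions.

```python
"""Per-user credentials for OpenVPN username/password auth, stored in SQLite.

Added example, not WifiMask's code. Assumes the server config uses the real
OpenVPN options script-security 2, username-as-common-name, duplicate-cn and
auth-user-pass-verify /etc/openvpn/check-user.py via-file (username on line 1
of the temp file OpenVPN hands the script, password on line 2).
"""
import hashlib
import hmac
import os
import secrets
import sqlite3
import sys
import tempfile

DB_PATH = "/var/lib/openvpn/users.db"   # assumed location of the user database
SCHEMA = "CREATE TABLE IF NOT EXISTS users(username TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)"

def derive(password: str, salt: bytes) -> bytes:
    """Slow salted hash, so a leaked database does not give away the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_users(conn: sqlite3.Connection, usernames) -> dict:
    """Store a fresh random password per user; the returned plaintexts are handed out once."""
    conn.execute(SCHEMA)
    issued = {}
    for name in usernames:
        password = secrets.token_urlsafe(16)
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, derive(password, salt)))
        issued[name] = password
    conn.commit()
    return issued

def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users still cost a hash."""
    row = conn.execute("SELECT salt, pwhash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        derive(password, bytes(16))
        return False
    return hmac.compare_digest(derive(password, row[0]), row[1])

def verify_via_file(conn: sqlite3.Connection, path: str) -> bool:
    """Entry point for 'auth-user-pass-verify ... via-file': two-line credential file."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    return len(lines) >= 2 and verify(conn, lines[0], lines[1])

def self_check() -> dict:
    """Exercise the whole flow in memory and return the outcome of each check."""
    conn = sqlite3.connect(":memory:")
    issued = create_users(conn, ["alice", "bob"])
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:   # mimics OpenVPN's temp file
        tmp.write(f"alice\n{issued['alice']}\n")
    try:
        via_file = verify_via_file(conn, tmp.name)
    finally:
        os.unlink(tmp.name)
    return {
        "good": verify(conn, "bob", issued["bob"]),
        "wrong_password": verify(conn, "bob", "not-the-password"),
        "unknown_user": verify(conn, "mallory", "anything"),
        "via_file": via_file,
    }

if __name__ == "__main__":
    # OpenVPN passes the temp file path as argv[1]; exit status 0 grants, 1 denies.
    sys.exit(0 if verify_via_file(sqlite3.connect(DB_PATH), sys.argv[1]) else 1)
```

With username-as-common-name the CN seen by the server is the username, so duplicate-cn is what lets one user connect from several devices at once.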

~~~
arty587
Thanks for the tips, I'll see what I can do. Good luck

------
smush
I own zero Apple products so am not the customer for this, but I do like being
able to support people, not a faceless corporation.

That said, I swapped to Mullvad VPN recently due to the Private Internet
Access controversy.

------
thinkling
Feedback: Installing a dedicated app is a blocker for me, and I imagine it is
for people more paranoid about security. I would prefer to use Tunnelblick + a
config file.

~~~
commoner
Dedicated VPN apps would be more acceptable if they were open source. A few
other VPN services (e.g. Mullvad) open source their apps for transparency, and
it would be great to see WifiMask do the same. Open source apps would be a
distinguishing feature in what many users see as a commodity service.

------
edf13
Already posted in 2016?

[https://news.ycombinator.com/item?id=11366537](https://news.ycombinator.com/item?id=11366537)

So not just launched as I’d expected

~~~
01CGAT
We preferably launch once in a while. ;-) This is not really a launch btw,
although it's getting a launch with upvotes on HN this time. But I just wanted
to show the current state of WifiMask, it took some time to work on it more
and there is still a lot of work to do, like Android and Windows apps.

------
sysbin
Suggestion for the macOS menubar icon. Make the icon change colour to red when
disconnected or the VPN is not in use. Maybe even a notification should be
displayed.

~~~
01CGAT
Nice one! I think an optional notification is the best option, it's hard to
notice even a red icon I believe.

------
ratsmack
A Virtual Private Network is only private when you, the user, control both
ends of the connection. It is not private otherwise.

------
Causality1
Considering just how aggressive BREIN is, I would not use any VPN service
headquartered in the Netherlands.

~~~
01CGAT
BREIN doesn't care if you use a VPN to protect your privacy and security when
you're not doing anything illegal. Especially not when you're connected to a
VPN server somewhere on the other side of the planet. ;-)

------
deca6cda37d0
In the macOS app I cannot copy paste my password into the textfield to login.

~~~
01CGAT
I have seen this throughout macOS lately with other apps too, a rightclick
will show you the paste option btw. Meanwhile I will investigate this, thanks!

------
tenant
Very reasonably priced, if I had a Mac I'd be trying it out. What I want is a
VPN that fools the BBC into thinking I'm in the UK. They're wise to my current
one, PIA.

~~~
01CGAT
Unfortunately BBC iPlayer also can't be unblocked with WifiMask anymore since a
few weeks ago. It looks like they bought some anti-VPN algorithms from Netflix.

------
torgian
I wonder how useful this is behind China's firewall

~~~
01CGAT
Customers are confirming it still works, but I cannot say if it will keep
working in the future.

------
ropiwqefjnpoa
Bummer, iOS and MacOS only.

~~~
01CGAT
Android and Windows will follow soon, meanwhile we have OpenVPN config files
for every OpenVPN capable device too ;-)

[https://wifimask.com/contact#androidwindows](https://wifimask.com/contact#androidwindows)

------
bitcoinmoney
Can you share more about financial side? And customer acquisition strategy
including costs?

~~~
01CGAT
Every euro we put in advertising we get back 2 times. ;-)

~~~
himlion
Can you scale that to 10x the spend?

~~~
01CGAT
I hope so! We just started, we will try anything possible to reach that
number. All tips are welcome! ;-)

------
steveharman
No Android option?

~~~
01CGAT
Unfortunately not yet, but we are working on it. Meanwhile we have example
OpenVPN config files available, which you can use for OpenVPN on Android too:
[https://www.wifimask.com/contact#androidwindows](https://www.wifimask.com/contact#androidwindows)

------
noja
Why a .com?

~~~
01CGAT
We have .net, .de, .nl, etc for you too. ;-)

------
kd3
I enjoyed the humor on the website. Good luck with the business.

~~~
01CGAT
Haha, thanks!

