

IPv6 Leakage and DNS Hijacking in Commercial VPN Clients [pdf] - arb99
http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

======
jedisct1
VPN services having their clients use a 3rd party server is completely
irresponsible. "We sell a privacy service. Oh, but that said, we send your DNS
queries to a company that logs and monetizes them".

Fortunately, there are VPN services that take what they pretend to do a bit
more seriously. And who know how to run their own DNS servers.

Some even provide DNSCrypt-enabled DNS servers (public, or for their
customers) in order to mitigate leaks (ovpn.to, ipredator.se, and I think
cryptostorm).

------
benedikt
I founded (and still run) a VPN provider, Lokun.is. Just as this paper
mentions, most of the providers make very bold claims. I've tried to avoid
that, but entering this space without promising (seemingly) nonsensical things
means that you won't gather much traction.

And I'm OK with that. I would rather build good tech and be honest with my
users than give them a false sense of security. As I mentioned in
another HN comment the other day[0], I have mostly been operating in a niche
market in Iceland, circumventing dual pricing for bandwidth on home
connections.

VPNs are good for some things, but they are not tools made to give you
absolute privacy as some claim. I've been running Tor exit nodes and tried to
be as clear as I can about what a VPN is and what it is not.

I have also tried to keep most of my code on GitHub[1] with AGPL as license,
and I'm not aware of any other provider that does this. Of course, it won't
help with the issues outlined in this paper and I probably should have
published server configs as well. But this project is nearing its end for me,
so it's probably too late for that. Although I'm not opposed to cleaning up
that repository and publishing on GitHub.

Since starting this project I have watched about a dozen VPN providers start
up, make ridiculous claims (this paper mentions some VPN providers claiming to
provide better privacy protections than Tor) and often disappear just as
quickly as they appeared. This market boomed after Snowden and a lot of the
providers will not shy away from outright lying to their customers. I'd like
to give them the benefit of the doubt because maybe they don't fully
understand themselves what a VPN is. But that's even worse.

This entire market is weird. A recent example that comes to mind is a certain
VPN provider that posted on reddit[2] claiming that even they themselves cannot see the
IP address of their clients. The reddit thread was deleted shortly after I
responded, but the claim remains on their blog.

Of course not all providers do this. I have on purpose not been naming the
providers I have been talking about. As always, be careful about who you trust
and what you trust them with.

I have shared this paper in the capacity of Lokun.

[0]: https://news.ycombinator.com/item?id=9791770

[1]: https://github.com/benediktkr/lokun-record

[2]: https://www.reddit.com/r/VPN/comments/3aecvi/how_we_keep_your_real_ip_address_hidden_even_from/csbvo1h

~~~
r3c4ff
Hey, it'd be great if the rest of your site (like the FAQ) had English
translations as well... Will definitely consider your service when my renewal
comes up. Currently using vpn.ac and curious if anyone has any feedback about
them since I note they were not in the paper.

