Hacker News
VPN Comparison Chart (docs.google.com)
510 points by prawn on Mar 16, 2016 | 194 comments

PIA changed their business model at the turn of the year to not support the circumvention of geo restrictions [1]. Given this was a core selling point prior to this point, I'd say it's pretty clear they have succumbed to the legal problems associated with it and can no longer be trusted. BBC iPlayer has now been broken for months.

[1] https://support.privateinternetaccess.com/Knowledgebase/Arti...

The wording in that article is pretty telling, but why do you imply they can no longer be trusted? A business that was profitable before became unprofitable due to legal pressure, so they exited it. It doesn't look like they've betrayed anybody's trust in the process.

They have betrayed my trust.

They actively marketed their product up until recently as being able to circumvent geo-restrictions, and actively helped users who had problems. That for me was the big sell.

Whilst I understand that it's a cat and mouse game now between content providers and VPN providers, they have built up a large customer base - based upon this premise.

How is it betrayal when I am certain they would prefer not to be your geo-circumvention VPN? Betrayal would be if they actively made the bait and switch when they certainly know their business model is falling all around them for legal reasons beyond their control.

Except they sold it as this. They did make the bait, I have been a customer for two years, and at least twice that I remember they have circumvented services that have blocked their IP ranges.

And now that they have customers, they switch and don't want to play this expensive game anymore.

Just to be clear here. It's bait-and-switch because they sold you a subscription product 2 years ago, and they are now changing the terms of the product (and presumably are not going to penalize you for discontinuing your subscription)?

Do you feel that they are obligated to never change the terms or discontinue certain policies once implemented for the lifetime of the company? What company would ever want to operate in such an environment where they had to make all decisions up-front and those decisions were set in stone until the end of time? Is the price also set in stone until the end of time?

Most PIA users pay yearly, so it's completely understandable to feel ripped off I think. However, this is really just a matter of a few big providers implementing stricter geofiltering, blocking datacenter IPs, etc. Nothing PIA could do about it though, it's a risk you take if you understand how these things work.

Many of these same providers have just blocked VPN IPs and you can still use a cheap VPS to circumvent though. Some nice docker openvpn containers around...

> it's a cat and mouse game now between content providers and VPN providers

It's not the content providers but the movie studios, music labels, rights holders and so forth. Netflix doesn't really care about users circumventing geo restrictions, otherwise it wouldn't be so easy.

Since January or so, Netflix has started to crack down on these services[0].

0 - http://www.cbc.ca/beta/news/business/netflix-crackdown-unblo...

True, but the point is that this is almost certainly due to contractual obligations with and/or pressure from studios and other rightsholders. Netflix has negative interest in limiting their catalog on a regional basis -- it's against their customers' interests and harmful to Netflix's business.

Although I agree with you, it's Netflix's problem, even if it's not their fault. They, and their customers, are the ones suffering.

They have to comply with the new laws -- it's not betrayal when they don't have a choice in the matter.

Not complying means they would face severe enough penalties to sink the business (notwithstanding the risk of jail-time.)

PIA no longer trusted?

FBI would like to get more information about it.


The post says they are unable to offer assistance. That just makes sense to me - if I am running a service like this, I certainly wouldn't want to be responsible for being at one end of a cat and mouse game with content providers, as it's a never ending battle.

That is a hard problem for VPN services, generally.

At least for IPv4, without constantly buying and selling IP addresses and/or also acting as a larger internet service entity (e.g., also as a local ISP), I'm not sure how they would prevent getting quickly blocked from region-specific services. Perhaps setting up your own VPN on VPS or using random VPNs at VPN Gate would work better?

That post says they won't support you, but if you use a VPN endpoint that's in another country, (and make sure to use WebRTC blockers and prevent DNS leaks), then I see no reason why you cannot still watch region locked content.

In addition to its excellent scorecard here, I can report that I've been extremely happy with IVPN. Very easy to deal with, even for detailed, technical support requests. I got an immediate response from an engineer which addressed my complaint in detail (poor port forwarding setup), and even gave me a timeline for when they were going to fix it. And they did fix it! The port forwarding is great, now.

Also, since this does matter a lot: I have a 100 Mbps connection, and I get between 50-80 Mbps through almost all of their servers, barring understandably slow countries like Hong Kong.

Oh, also, they have multihop, and you select your own entry and exit server from among their pool.

I have no relationship with them, just a satisfied customer, relieved to have found a reliable, consumer VPN after many attempts.

I'm on IVPN now as my primary mostly due to this chart and my only gripes are:

It's expensive compared to the others, at $100 a year. I've never seen it go cheaper than this in any sales of any kind.

Some sites like Google will mark you as a bot and force captchas for searches, probably due to its userbase and their shared IPs.

Comparatively fewer servers compared to popular VPNs like PIA and TorGuard. This leads to me getting the same IP address for each server I connect to. Not sure if this is a pro or a con.

Otherwise, speed has been good, connection has been stable (a few disconnects here and there but it seems to have smoothed out for now), and I hope the chart is accurate in terms of security and privacy on their part.

I've tested many others including AirVPN and NordVPN as well but haven't seen a definitive reason yet for the higher price tag on IVPN. Not that I'm not happy with IVPN, which I am, I'm just also an incredible cheapskate.

In terms of security and speed, the two 'premium' VPNs are IVPN and VikingVPN. Viking also offers fantastic customer support, but my only gripe is that they don't run their own DNS servers (they use Cisco's OpenDNS). They also don't offer any exit nodes in Canada, but the company head (Derek) says it's because Viking is worried about Canada's data retention laws.

Likewise, I'm not affiliated with IVPN nor VikingVPN in any way. I think both are great choices.

Viking seems much more limited—and is US-based, which creates its own problems.

IVPN does look interesting, so I’ll have to re-review them… I’m still on Freedome’s trial, and it’s been working stellar including comparable speeds. Exit nodes in certain countries are also an important factor in my consideration, admittedly.

Multihop. Not many offer that. Insorg does, and it's even more expensive. Also CryptoStorm, but they're new, and come off as rather crazed. Others?

From what I've tested, NordVPN has "Double VPN" servers: https://nordvpn.com/servers/

And AirVPN has Routing servers used for double-hops: https://airvpn.org/status/

Right. Thanks :)

Not that I'm promoting any of them, I have my specific gripes with each of them as well.

NordVPN for instance has a ton of servers yet doesn't label the regional locations for them in the OpenVPN filenames. They're just labeled US-1 to US-339 and I ended up having to add random configs and hope it's one near my area. Their server map isn't accurate either and doesn't show all of them.

AirVPN I'm concerned with their user logging, as they have this hub area for the community that reveals your username and when you're online, as well as how much data you use, and has rankings for users or servers that use the most data each day/month. There's a log-in-anonymously checkbox, but it's still a bit worrying to me.

I trust AirVPN. It's pretty typical for forum software to show when users are logged in. That has nothing to do with the VPN service. They do show VPN throughput for top users. That's a marketing thing, I think. And I'm pretty sure that users need to authorize having their names appear.

I also find NordVPN's labeling to be very confusing.

This is the biggest problem with NordVPN for me as well. Loading their configs in Linux is a bit of a pain.


I was checking various sites benchmarking VPNs and I remember them reporting IVPN speeds being around 3Mbps. Good to know that's not the case.

Couple of things that are missing. I use IPSec/L2TP. Does not seem to have columns tracking these. I did a bunch of sorting and filtering and the following seem to be the only providers that check all the marks for no logging and good business practices.

* AzireVPN


* SecureVPN.to

* Trust.Zone

How can you know whether providers are lying about not logging? How do you know whether their hosting and uplink providers are logging?

One thing you can objectively determine is how long they've been in business. Use https://archive.org/web/ for that. Then filter for bad news. HMA giving up users to LEA. Anonymizer being owned by the CIA. Any VPN service that's been in business for at least five years, and has no bad news, is probably OK.

You can learn something when different operators are involved in court cases and either provide, or are unable to provide certain information. Currently PrivateInternetAccess is risking contempt of court charges if they've lied about their logging policies, in their response to a federal subpoena.[0]


That's good news! PIA tends to get dumped on for being US-based and ultra-low-cost.

I can't.

I was just going off of what was presented on the spreadsheet. However based on my filtering, IVPN certainly seems worth checking out.

I'm not sure why Gibraltar (where IVPN is located) is considered to be outside the "fourteen eyes". It's a British Overseas Territory, and as such falls within the jurisdiction of the UK.

IVPN rebuts that argument at some length:

> What is the relationship between Gibraltar and UK?

> The main relationship between Gibraltar and UK stems from the fact that the British monarch is the head of state of both Gibraltar and UK. However, such a relationship is not enough to make Gibraltar a part of UK. For example, no one argues that Andorra is a part of France although the President of France is the head of Andorra (together with the Spanish/Roman Catholic Bishop of Urgell).


I find that to be a weak argument. The "main relationship" does not "stem" simply from a shared head of state. Nor does anybody claim that Gibraltar is "part of the UK", but rather that their status as a BOT means that they are subject to UK sovereignty and jurisdiction. It's quite true that Gibraltar is mostly self-governing, except in matters of defence and foreign affairs, which are managed centrally from London. However, that doesn't mean that ultimately they are not subject to UK jurisdiction. It's quite reasonable not to care, but it's still good to know.

> It's quite reasonable not to care, but it's still good to know.

I agree entirely.

They claim to be outside of UK jurisdiction for a number of bills, although I'm not qualified to judge the veracity of these claims - again from https://www.ivpn.net/blog/should-gibraltar-be-classified-as-...

> Gibraltarian VPN service providers are not obliged to comply with the comprehensive UK laws regulating the information society

> RIPA does not apply to Gibraltar.

> The GRA [Gibraltar Regulatory Authority] supervises the enforcement of the Data Protection Act 2004, a Gibraltarian law implementing the European data protection laws.

I also use IVPN, and I'm extremely happy with them. I used to use Viscosity to access them, but recently I've switched over to IVPN's own software. It makes choosing multi-hops easier, and comes with a option to block non-VPN traffic.

iVPN's Windows and OSX clients have the best leak protection that I've seen. I have not managed to make them leak.

Edit: I do freelance for them, by the way.

So you don't use Tunnelblick, eh? Not at all concerned about that? Is IVPN's client's source code publicly reviewable and/or audited?

Edit: Not being sarcastic/rhetorical. Actually asking.

I don't actually use OSX ;) Just for testing. See https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-lea... for what I did.

I get the open-source concern. I prefer using stock OpenVPN. But if you're going to do that, you need to manage your DNS servers, and firewall leaks. I'm not aware that iVPN provides source code. You could ask them.
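The "manage your DNS servers, and firewall leaks" part of running stock OpenVPN (and the DNS-leak point raised earlier in the thread alongside WebRTC blockers), as an added worked example that is not code from the page, from IVPN or from the OpenVPN project: a small Python script that reads the `remote` lines out of a client profile and renders an nftables "kill switch" ruleset. Only the tunnel endpoints may leave on the physical interface; everything else, DNS included, must go through the tun device or is dropped. The sample profile, the interface names `eth0`/`tun0` and the LAN prefix `192.168.1.0/24` are assumptions made for the example, and it deliberately requires `remote` entries to be IP literals, because resolving a hostname before the tunnel is up is itself a DNS leak to the ISP resolver.

```python
"""Added example: OpenVPN profile -> nftables kill-switch ruleset.

Not from the page, IVPN or OpenVPN. Interface names, LAN prefix and the
sample profile below are assumptions for the example.
"""
import ipaddress

# Constructed sample profile in OpenVPN's config syntax; not a real provider file.
SAMPLE_OVPN = """\
client
dev tun
proto udp            ; global default for remotes that omit a protocol
remote 198.51.100.10 1194
remote 198.51.100.11 443 tcp
remote-random
nobind
"""


def parse_remotes(ovpn_text):
    """Return [(ip, port, proto)] for every `remote` line.

    OpenVPN semantics: `remote host [port] [proto]`; a missing port is 1194 and
    a missing proto falls back to the global `proto` directive (udp if absent),
    regardless of the order in which the directives appear.
    """
    global_proto = "udp"
    raw_remotes = []
    for line in ovpn_text.splitlines():
        for marker in ("#", ";"):            # both start comments in profiles
            line = line.split(marker, 1)[0]
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "proto" and len(parts) > 1:
            global_proto = "tcp" if parts[1].startswith("tcp") else "udp"
        elif parts[0] == "remote" and len(parts) > 1:
            raw_remotes.append(parts[1:])

    remotes = []
    for fields in raw_remotes:
        host = fields[0]
        port = int(fields[1]) if len(fields) > 1 else 1194
        proto = fields[2] if len(fields) > 2 else global_proto
        proto = "tcp" if proto.startswith("tcp") else "udp"   # udp4, tcp-client, ...
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            # A hostname would have to be resolved before the tunnel exists,
            # i.e. through the ISP resolver: refuse it instead of leaking.
            raise ValueError(f"remote {host!r} is not an IP literal; resolve it first")
        remotes.append((str(ip), port, proto))
    return remotes


def killswitch_ruleset(remotes, wan_if="eth0", tun_if="tun0", lan_cidr="192.168.1.0/24"):
    """Render an nftables ruleset (load with `nft -f file`).

    Outbound policy is drop; accepted are loopback, anything via the tunnel,
    the tunnel endpoints themselves on the WAN link, DHCP renewals and the LAN.
    DNS on any non-tunnel interface is dropped *before* the LAN accept, so a
    resolver on the home router cannot answer a leaked query.
    """
    endpoint_rules = "\n".join(
        f'        oifname "{wan_if}" {"ip6" if ":" in ip else "ip"} daddr {ip} {proto} dport {port} accept'
        for ip, port, proto in remotes
    )
    return f"""\
table inet vpn_killswitch {{
    chain input {{
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
    }}
    chain output {{
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "{tun_if}" accept
{endpoint_rules}
        oifname "{wan_if}" udp sport 68 udp dport 67 accept
        oifname != "{tun_if}" udp dport 53 drop
        oifname != "{tun_if}" tcp dport 53 drop
        oifname "{wan_if}" ip daddr {lan_cidr} accept
    }}
}}
"""


if __name__ == "__main__":
    print(killswitch_ruleset(parse_remotes(SAMPLE_OVPN)))
```

Because the table is in the `inet` family, the drop policy covers IPv6 as well, which is the usual way a "no IPv6 support" VPN leaks. The ruleset only guarantees that a stray query is dropped rather than answered; the resolver in `resolv.conf` still has to be the one pushed by the provider (OpenVPN's `dhcp-option DNS`, applied via an `up` script or systemd-resolved), or name resolution simply stops working when the tunnel is up. If you rely on inbound port forwarding over the tunnel, add an `iifname "tun0" ... dport <port> accept` line to the input chain.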

You wrote that guide for IVPN? That's really great work. It gets a lot of burn on /r/VPN

Thanks :)

I'm working on a better testing setup ...

Another satisfied customer here. I've been using them without issue for just over a year and it has been excellent. As my other comment in this thread would suggest, I just wanted a simple solution with a low barrier to entry.

Have you tried gaming through the VPN perchance?

One interesting thing that I did learn today is that multiple games use p2p for in-game voice chat thereby leaking IP addresses.


Often I forget to disconnect from IVPN while playing low latency games like FPS. I mostly don't notice.

Looks like so much work was put into this list, but I still wonder why on Earth anyone would use a third-party service, especially one based in a weird jurisdiction, for anything other than torrent downloads?

Likely every service with questionable legal status (e.g. all that state there is no logging going on) does analyse all bandwidth for its own needs and is clearly going to steal everything they can. Even Tor exit nodes are more secure, since you at least know they can't be trusted by default.

What advantage is there over your own server, which is unlikely to be monitored by default and still dirt cheap?

First of all, there's no such thing as own server. The trust you are putting into the ISP your "own server" is connected to is exactly the same as the trust you are putting into a VPN provider.

Second, for a lot of people in this world it's a given that their ISP/government is monitoring their traffic. It's vastly better to be potentially spied on by someone abroad than to be certainly spied on by someone who has direct authority over you.

To answer your first question, the most popular use cases for VPN are:

1. Circumventing censorship

2. Circumventing regional content restrictions

3. Hiding your IP while torrenting (note that this is relevant only in the US)

4. Avoiding government surveillance (again, note that US is not the only country in the world, but likely the only one with any meaningful reach outside its borders)

5. Avoiding private surveillance (public wi-fi, etc.)

6. Hiding your IP while engaging in illegal online activities (#3 is a special case of this but it's a vastly larger group so I made it separate)

Note that "weird jurisdictions" can be a significant advantage for cases #3 and #6 (because they are harder to subpoena) as well as #3 (because they don't have retention laws).

> 3. Hiding your IP while torrenting (note that this is relevant only in the US)

It's not, actually. The same BS is happening in at least Finland too these days.

Legal companies get the rights to some media (in the Nordics or whatever) and monitor some torrents and take screenshots(!) of the IPs in the torrent swarm, and can then petition the market court for the subscriber details of the IP addresses in the swarm, then send a threatening letter asking for a 500€ settlement. Some idiots are even caving in and paying. I don't think anyone has actually been sued yet for establishing some precedent (though the Finnish legal system isn't based on precedents).

As an example:

I set up a VPN in the Netherlands, hosted on a VPS. I was connecting from another European country (where ISPs block torrent sites).

Within minutes of attempting to download a recent movie release, a cease and desist was emailed by ip-echelon.com.

That's the thing. With a VPN service, you don't have to read those ;)

Welp, it was only a matter of time... Thanks for the info!

> 3. Hiding your IP while torrenting (note that this is relevant only in the US)

The entire German nation would like a word with you, kind sir.

Further reading: https://www.reddit.com/r/germany/comments/2hxy4j/help_me_ger...

Between this and GEMA, using the internet in Germany is quite restricted.

>3. Hiding your IP while torrenting (note that this is relevant only in the US)

This is relevant in most of Europe and unlike in the U.S., a C/D letter can easily cost you somewhere between 300 and 1000€.

Why is there a cost associated with it?

They threaten to take it to court and that would cost much more. You'll also have to deal with a lot of bureaucratic crap along the way that has very short deadlines and can cause a lot of trouble if you don't meet them, so they kindly allow you to pay to make it all go away...

Because they can, and a lawyer will cost you more. Actually, I know a lawyer who paid upfront to avoid the threat of a lawsuit.

I can't speak for weird jurisdictions, but I use privateinternetaccess myself. I haven't tried it for torrents actually, I should give that a shot. I use it for

* getting around arbitrary region restrictions (that use case is rapidly disappearing)

* protecting myself against snoopers when on public WiFi. I'm very mobile, and often work from cafe/hotel/airport WiFi. They're mostly in the clear, but I VPN even over encrypted WiFi because of the below.

* I don't like ISPs selling my information. The service I use is fast enough that I can have it always on, without a noticeable speed loss... So I do. If my ISP wants to sell my browsing habits, they can buy them from me.

Now that you mention it, I'll totally try torrenting something. Curious to know how it performs!

PIA actually performs rather nice with bittorrent. It is slower than a bare connection from your ISP of course, but fast enough for most purposes.

I do agree that hiding bandwidth and source is a reasonable use case, but then you don't really need to know about service jurisdiction, logging policies, activism, etc. So I just seriously wonder why anyone who actually cares about real privacy and logging would use public services.

For people who care about real privacy, VPNs are useful to hide Tor use from ISPs. You use a nested chain of maybe three or four VPN services, and then hit Tor. Let's say that you were using targeted onion services while the CMU jerks were pwning Tor users. Instead of your ISP-assigned IP, the FBI would just know a VPN exit IP. And they'd need to successively subpoena three or four providers in order to get your ISP-assigned IP.

So you're the guy they are talking about on TV who has "bounced through 7 proxies" ;)

That's a Snowden reference, no?

But yes, seven hops is about the minimum for any prudently private person, as I see it.

But for true overkill, see https://www.ivpn.net/privacy-guides/onion-ssh-hosts-for-logi...

It's not that hard to hit 30 hops, alternating VPNs and Tor onion services.

Nah not Snowden, it was just a joke because in TV shows whenever there is some kind of computer crime the technical specialists in the show (black hats turned white, etc.) talk about how the criminal is untraceable because they were hidden behind 7 proxies or such. Not saying you are a criminal it just made me smile/chuckle when you mentioned routing Tor over VPN which is also going through another VPN which in turn is on Tor, etc.

Thanks. I found this: http://kxan.com/2014/03/10/congressman-upset-with-edward-sno... And wondered why that was needed, given his situation. But now I see this: http://www.dailydot.com/technology/snowden-sxsw-seven-proxie...

Wow, that's a comprehensive guide indeed. Thanks for sharing

I use a VPN to watch San Francisco Giants games on my paid MLB.tv subscription. Even though I am 3+ hours from both SF and LA, and even though I can't get games on cable/broadcast TV, I am in the Dodgers blackout region. Therefore, when my favorite team plays their biggest rival, I need the VPN to watch the game.

Living in a Reds/Cubs/White Sox blackout umbrella here. Which VPN service are you using if you don't mind me asking?

I've used both Private Internet Access and Hide My Ass with success.

> I still wonder why ... for anything other than torrents download?

"This video is not available in your region"

This government and ISP is modifying your HTTP traffic.

1. Non-unique IP, which, for good no-logging VPNs, means no way to map a connection to a person, even through the legal system.

2. Hiding your activities from your own ISP.

And I would guess that the vast majority of VPN customers are simply doing what you said VPNs are good for: hiding copyright-violating activities.

> Non-unique IP, which, for good no-logging VPNs, means no way to map a connection to a person, even through the legal system.

Not guaranteed. That depends on the network setup and on how much pressure the legal system has put on the ISP in question.

Possible cases:

1. Dynamic IPs allocated from a shared address pool, but no carrier-grade NAT, just 1:1 mappings. Most likely, ISP's AAA (authentication, authorization and accounting) systems keep track of those, so the account details are one warrant away. Especially if ISP has or historically had metered plans, using IP addresses is generally the most straightforward way to match flow reports (with traffic volume data) to customers.

2. User is behind a carrier-grade NAT, the ISP's local jurisdiction requires ISPs to disclose information about customers, and local law enforcement aren't happy with "uh... we don't know, there's a NAT, we can only tell it's one of those thousand accounts from that BRAS, sorry" replies, so the ISP has been fined or threatened with license revocation (if ISP services are licensed in their jurisdiction). In such a case they have probably at least set up two flow probes - before and after the NAT - so it's usually possible to correlate the streams. Or, more likely, implemented logging of NAT connection mappings (on GNU/Linux machines this is quite simple with conntrack and ulogd; no idea about Ciscos - not my area of expertise), so it's also quite possible to determine who it was.

Since one generally can't know what ISP's routers are capable of, having carrier-grade NAT should be only considered as a possible hindrance, but not as a guaranteed way to keep their account identity anonymous.
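The NAT-mapping logging described in case 2 above, as an added worked example that is not from the page and is not ulogd's or conntrack's own output format: a rightsholder's complaint usually arrives as "public IP X, at time T, talking to tracker Z", sometimes with a source port. This script shows what an operator who logs NAT mappings can answer from that, and how the candidate set grows as the complaint gets vaguer. The log lines, addresses and timestamps are constructed for the example; the line format is a simplified NEW/DESTROY event record of the kind one would normalise from a conntrack-based logger.

```python
"""Added example: correlate a complaint against a CGNAT mapping log.

Not from the page; the log format, addresses and times are constructed.
Times are UTC. A very common real-world failure is a complaint stamped in
local time without saying so, which silently shifts the candidate set.
"""
from datetime import datetime

# Constructed NAT event log: NEW when a mapping is created, DESTROY when it
# times out. Three subscribers share the public address 203.0.113.5.
NAT_LOG = """\
2016-03-16T20:15:01Z NEW tcp src=10.64.3.17:50123 pub=203.0.113.5:31000 dst=198.51.100.77:6881
2016-03-16T20:20:00Z NEW tcp src=10.64.9.2:41022 pub=203.0.113.5:31001 dst=198.51.100.77:6881
2016-03-16T20:21:00Z NEW tcp src=10.64.12.200:55010 pub=203.0.113.5:31002 dst=192.0.2.9:443
2016-03-16T20:22:00Z DESTROY tcp src=10.64.12.200:55010 pub=203.0.113.5:31002 dst=192.0.2.9:443
2016-03-16T20:30:00Z DESTROY tcp src=10.64.9.2:41022 pub=203.0.113.5:31001 dst=198.51.100.77:6881
2016-03-16T20:41:30Z DESTROY tcp src=10.64.3.17:50123 pub=203.0.113.5:31000 dst=198.51.100.77:6881
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _endpoint(token):
    """'src=10.64.3.17:50123' -> ('10.64.3.17', 50123)"""
    host, port = token.split("=", 1)[1].rsplit(":", 1)
    return host, int(port)


def parse_nat_log(text):
    """Return {mapping_key: (start, end)}; end is None while the mapping is open.

    The key is the full 5-tuple-ish (proto, internal, public, destination), so
    two subscribers who happen to reuse a public port over time stay distinct.
    """
    mappings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event, proto, src, pub, dst = line.split()
        key = (proto, _endpoint(src), _endpoint(pub), _endpoint(dst))
        start, end = mappings.get(key, (None, None))
        if event == "NEW":
            start = _ts(when)
        elif event == "DESTROY":
            end = _ts(when)
        mappings[key] = (start, end)
    return mappings


def subscribers_for(mappings, public_ip, when, public_port=None, dst_ip=None):
    """Internal addresses whose mapping was live at `when` and matches every
    field the complaint actually contains. Fewer fields -> bigger set: with
    only an IP and a time you get "everyone behind that address just then".
    """
    t = _ts(when)
    hits = set()
    for (_proto, (src, _sport), (pub, pport), (dst, _dport)), (start, end) in mappings.items():
        if pub != public_ip:
            continue
        if public_port is not None and pport != public_port:
            continue
        if dst_ip is not None and dst != dst_ip:
            continue
        if start is None or start > t or (end is not None and end < t):
            continue
        hits.add(src)
    return hits


if __name__ == "__main__":
    m = parse_nat_log(NAT_LOG)
    print("ip+port+time:", subscribers_for(m, "203.0.113.5", "2016-03-16T20:25:00Z", public_port=31000))
    print("ip+tracker+time:", subscribers_for(m, "203.0.113.5", "2016-03-16T20:25:00Z", dst_ip="198.51.100.77"))
    print("ip+time only:", subscribers_for(m, "203.0.113.5", "2016-03-16T20:21:30Z"))
```

With the source port the answer is one account; with just the tracker address it is everyone in that swarm behind the public IP; with only IP and time it is every subscriber with any open mapping, which is the "one of those thousand accounts" reply. The point for the thread is that the last case is only as good as the operator's unwillingness to log the port, and once mappings are logged, a CGNAT buys the subscriber nothing.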

For hiding your IP and bandwidth you don't really need to know even a third of the options included in that list. And for "good no-logging VPNs", do you actually believe a service like that can even exist for longer than a few years?

Do check out AirVPN, BolehVPN, Cryptohippie, Insorg, iVPN, Mullvad, etc via https://archive.org/ They've been around for more than a few years. Maybe eventually they'll be unable to lease usable servers. It's hard to say.

Mullvad in the recent past had trouble finding exit servers in the USA; I think it was reported on their blog.

Idiots who torrent from US endpoints tend to burn them down :(

Mullvad is one of the better companies on that list, and they've been around since at least 2010.

Another endorsement for Mullvad here.

A lot of expats and the upper middle class in China and similar countries use them. Most people don't have the expertise to set up their own

VPNs simply don't work in China. The GFW actively detects and disconnects SSH, VPN (OpenSSL, PPTP, socks.. etc)

The only reliable solution has been ShadowSocks; it's what locals and expats alike use. It simply works, and also has public servers.

I do not agree with you. I am running my own VPN server outside of Mainland China and thanks to obfuscation my VPN is working quite well and it's very reliable.

Have you tried iVPN with obfsproxy? Or AirVPN with stunnel? Or VyperVPN? Just curious.

Are you by chance aware of any simple tutorial for ShadowSocks? Last time I looked at the website it didn't seem straightforward to set up (particularly for non-techies).

Also, one needs an exit server, or not?

SoftEther VPN (Open Source) works over HTTPS and UDP, that might work for you. https://www.softether.org/

"steal everything they can"

Most people are talking about various valid use cases but it's this risk vector that I'm interested in. What exactly could a VPN steal from regular personal computing network traffic? Cookies and sessions? Web history and other meta-data? Does HTTPS / up-to-date encryption protocols stop any of this?

The advantage over your own servers is that it's harder to associate your traffic with your identity. The advantage of "weird jurisdiction" is that they won't cooperate with relevant LEA so readily.

Here's the link so that the top and left tabs stay while you scroll: https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAe...

I guess something about htmlview?sle=true breaks that.

When a Google Doc gets high traffic, they start serving up the HTML version, which doesn't support locked rows/columns.

But it always redirects to it ... :/

Another option is to run your own. I guess it's swings and roundabouts concerning privacy, traceability and so on. I have a script to automate setup of an IKEv2 server on Ubuntu, which seems nice for a balance of security and the availability of built-in clients. I was inspired to set this up by the awful proposed Investigatory Powers Bill going through in the UK.


Not really. A shared public IP for dozens of users makes them harder to track, and their network traffic is mixed. Your own VPN hides your traffic at one point and 100% exposes it at another.

A VPN, whether public or private, will not hide your traffic from the government.

Through statistical analysis and network protocol heuristics you can identify all sorts of things about bulk internet traffic - where it's coming from, where it's going to, the most likely content it's carrying, the application used, even a specific user's connection. This works over multiple network hops, encrypted, on a single tap of a large switch (though multiple taps spanning the network path work muuuuuch better).

There is one good use for a VPS, though - store-and-forward network traffic. You use a remote VPS to retrieve and store content, and at a later time, download the content in bulk (or upload, same difference). You can change both the size and the form of the content before the bulk transfer, making it much harder to identify. You can also use different network paths for connecting to issue the download/upload commands, and connecting to transfer it - Tor comes in handy here.

In that case, tunnel your VPN inside of a public VPN.

Trusting a remote VPN service not under your control defeats the purpose of communication channel encryption.

Calling it a "VPN service" makes it look appealing, without realizing that you are breaking the "P" in "VPN".

If you want the "P", the master keys and certificates, and the systems where they live (client/server) should be under your control. Dot.

Security is not binary. (I'm becoming boring, most of my comments start like this.)

The question is what are you trying to protect against? If you are trying to protect against the local network, any VPN does the job. If you are trying to protect against tracking, ONLY a public VPN does the job (having a static private IP is a disaster in this scenario). If you are trying to protect against any organization seeing your traffic, then your argument might make sense.

However, unless you can run that "private" server on metal you own on a network you own, there will still be a VPS provider and an ISP that can see your traffic as much as the VPN provider would. So you might want Tor at this point.

I have been able to use public proxy lists since the 90s.

If I want to mix my output IP with other users (futile while my browser is fingerprint-able), I don't even need any VPN, and much less a third party one.

I use VPN for what it is. Mostly to connect to my network (personal or professional) from the outside.

If I still want to mix my traffic, I can do it, without "VPublicN services", without VPrivateN daemons, and without NSA's Tor.

You are free to trust Tor and "Public VPrivateN services", and I'm free not to trust them.

Not sure if security is binary or not, but totally sure it's about trust.

>without NSA's Tor.

Please explain your thought.

The news is explaining it for me.

>> shared public IP for dozens of users make them harder to track and their network traffic is mixed

> In that case, tunnel your VPN inside of a public VPN.

That doesn't solve anything:

#1. Public VPN -> Private VPN -> Internet <- Here you no longer have a shared IP with other users, so no more mixed traffic. Websites will see the IP of your private server/vps.

#2. Private VPN -> Public VPN -> Internet <- Here your Public VPN provider can still see your web traffic

> That doesn't solve anything:

It solves the (lack of) trust on the Public virtual Private whatever provider.

> #1. Public VPN -> Private VPN -> Internet <- Here you no longer have a shared IP with other users, so no more mixed traffic. Websites will see the IP of your private server/vps.

For mix your IP with others (are the VPN users visiting the same sites?), I said there are open proxies since the beginnings of internet.

It's not the purpose of a VPN.

> #2. Private VPN -> Public VPN -> Internet <- Here your Public VPN provider can still see your web traffic

They will always, in ANY case and scenario that involves them.

But in this case, at least, now you're sure that your channel uses your encryption and policies.

With a third party channel, you're never sure if the guy near you in starbucks with a headphone, also has the signing key of your "private thing".

I understand the issue of making my traffic public to the service provider, but there are other issues I had to consider:

Using Tor - you make your traffic public to SOMEONE, activists, hackers, maybe governments. No one knows.

Running my own VPN - you still expose traffic somewhere and you can still be easily tracked and monitored. Here comes another problem: I can administer simple servers, I do it as a hobby... but I'm not a sysadmin, and I would make mistakes and expose everything; my start and endpoint traffic can be 100% correlated.

Not using VPN or Tor at all = exposing myself to local government/council, neighbours and GCHQ.

Once the traffic hits the Internet, nothing is trusted. Why worry so much about the VPN service? Everything important should be end-to-end encrypted, anyway. The VPN service is just for obfuscation.

That kind of depends on what you want to do with your VPN. A self-hosted VPN is perfectly valid when it comes to circumventing the ISP restrictions of just one country. Example: you want to evade the censorship of, let's say, Turkey, and use a French VPS hoster to host a self-configured VPN. I don't see anything wrong with it. You are not very likely to have problems with authorities in Turkey (they don't see what is going on on the wire) or France (they know you by name, but as long as you don't do anything illegal with your VPN...).

This is pretty useless. Put them all under the category of "centralized one-hop VPN." Each of these is a sitting duck for surveillance, law enforcement, hackers, and more! It doesn't even matter who runs it, each one is an attractive enough target for someone to learn how to subvert. And then what? You'll never find out all your data is being scooped up or potentially modified.

If you want to protect your network communications, run your own endpoint. Projects like Streisand and Tinfoil's OpenVPN setup scripts let you stand up and tear down VPN endpoints instantly (just remember to ditch Tor from Streisand, see why here: https://news.ycombinator.com/item?id=10735529).



I would be truly interested if someone developed Ansible scripts that setup an OpenIKED server (http://www.openiked.org/) on your choice of cloud providers, and spit out the configuration instructions for your mobile phone. iOS 9 and OS X 10.11 support IKEv2 out of the box now: https://www.ietf.org/mail-archive/web/ipsec/current/msg09931...

Well, but then there's no crowding. You're the only user. And VPS providers are just as vulnerable as VPN services.

You can setup an OpenVPN server on a VPS that's only reachable as a Tor onion service. You lease the VPS through Tor, as anonymously as possible. You pay with Bitcoin that's been mixed at least twice through Tor. See http://dbshmc5frbchaum2.onion/OpenVPN-Onion-VPS.html (using Tor, or a tor2web proxy).

Alternatively, or in addition, you can use nested chains of multiple VPN services. See https://www.ivpn.net/privacy-guides/advanced-privacy-and-ano...

I'd rather be one of a million EC2 nodes for a day than share a single egress point with hundreds of thousands of other people for a year.

I guess in a way they're somewhat of the same thing, right? How much traffic do you think EC2, DigitalOcean, etc push out each day? Probably harder to tap that entire pipe.

Why is that?

I'm guessing that Amazon knows who you are. And I'm sure that they keep logs, for accounting and debugging. So being "one of a million EC2 nodes" doesn't hide you, in any way. That EC2 node has an IP address. While you're using it, it's your IP address.

When you "share a single egress point with hundreds of thousands of other people", determining whether some activity at some time was yours takes substantive analysis of logs. And often, those logs will be long-gone by the time anyone wants to crunch them.

But it depends on your goals, really. If you want security from local threats for doing real-name stuff (business, banking, etc) then you're better off with a private VPN. If you want a little casual anonymity, for torrenting or social media or whatever, then a VPN service is better. And if you want stronger anonymity, use Tor through VPN(s).

> I'm guessing that Amazon knows who you are. And I'm sure that they keep logs, for accounting and debugging. So being "one of a million EC2 nodes" doesn't hide you, in any way. That EC2 node has an IP address. While you're using it, it's your IP address.

I'm not as concerned with law enforcement as I am with hackers and surveillance.

> And if you want stronger anonymity, use Tor through VPN(s).

Tor is basically a honey-trap for law enforcement and others. It's trivial to get your own exit node and sniff or modify traffic (proven in practice!), hidden services are a hack that don't adequately protect your privacy, and it's trivial to identify tor users from non-tor users. I like tor the technology, I don't like tor the network.

As with my guidance on VPNs, if you want to use tor right then setup your own network of routing nodes. Don't use the horribly insecure public one.

Private Tor => no crowding => useless

Saying that Tor is just a LEA honey-trap is just plain FUD.

Evil exit nodes are a risk. And websites are increasingly blocking Tor IPs. So run a VPN server as an onion service. You look like a simple VPS. And the VPN protects your traffic from evil exit nodes. And you're hitting that VPN server through seven-relay circuits.

> Saying that Tor is just a LEA honey-trap is just plain FUD.

Explain why the FBI has been able to unmask nearly every high profile hidden service operator they go after then? Each time it's a different strategy, and they have all been incredibly effective. Some relied on bugs in Tor, others on broken tools used to access it, others on poor UX that encourages operational security failures. Russian intelligence ran their own set of exit nodes for a period and replaced all executable downloads with malware! You are objectively less safe using the public Tor network.

I don't think the concept of "crowding" is a recognized security property of a system. At least, I've never seen it used before. The way that single-hop commercial VPN services "crowd" people together creates a massive liability. The way that Tor allows anyone on their public network creates a free-for-all where you're exposed to more surveillance and more malicious code (entry/exit node manipulation). Each of these offer straightforward targets for a slow, lumbering, resourced attacker to eventually completely compromise with users none the wiser.

Well, it is the FBI. And it gets help from the NSA, for sure. There are public understandings for each of the large takedowns. Maybe some of that was parallel construction. But the point is that the public Tor network is the best that we have for anonymity. Whatever its weaknesses, creating your private Tor network is no better than a private VPN. Or maybe a chain of them. But you can't have an anonymity system without lots of users. That's what I mean by crowding.

If the NSA can help deanonymize Tor hidden services, people shouldn't stand up Tor hidden services. The point of cryptography isn't simply to make it more difficult to attack something; it's to make it intractable.

My intuitions are generally with you, but Tor developers have claimed that low-latency anonymity against a pervasive network adversary may be impossible, and formally excluded it from their threat model back in 2004. In that case, the best that can be done may be to defend successfully against some weaker adversaries (although a better move in many ways is to switch to high-latency anonymity).

Maybe successfully defending against the weaker adversaries is useful to many people, although it raises a serious challenge of how to clearly disclose the risks and limitations, which I see as a very important challenge for Tor on both the browser and hidden service sides.

(Hidden services might have categorically worse problems so that there's almost no realistic threat model in which their current design is safe; maybe that's what you're getting at?)

Yes. I share Dan Guido's take on Tor. It's an interesting and important research project that is in no way appropriate for the problems to which most of its users apply it.

Like everything else in cryptography, users don't care if things are insecure: things must be secure, because users want them to be! Ignore the Tor users getting zorched by governments; they're all outliers!

> My intuitions are generally with you, but Tor developers have claimed that low-latency anonymity against a pervasive network adversary may be impossible, and formally excluded it from their threat model back in 2004.

This is a point that I wish more people were familiar with. Tor has been oversold as the privacy project to protect from everything. The Snowden docs leaked out and privacy activists ruffled around their pockets asking, "what do we have to rally behind?" They found Tor and stuck with it, despite it certainly not being built for that task.

> Explain why the FBI has been able to unmask nearly every high profile hidden service operator they go after then

Almost always failure to follow the grugq's advice about compartmentalization and opsec. CMU attack was an isolated incident.

They're all going to be "isolated incidents". That's the nature of a honey trap. It's not much of a trap if it springs just because you look at it funny.

If you're really paranoid, you VPS through the same node that's running a web crawler. It combines obfuscation of where and what you are looking at, along with plausible deniability for some web activity.

Like, this won't save you if you're engaging in evil shenanigans. It will make you much harder to surveil.

If anyone has any questions about the Tinfoil VPN creator, I'm here (cofounder and CTO) and happy to answer. :)

That's very cool!

I'm freaked by the idea of using third-party generated PKI, I must admit. But that's arguably no worse than trusting third-party VPN providers.

And then there's the absence of crowding. Unless users share their VPNs.

By all means, feel free to run the script yourself. It's open source.

We just provide a nifty UI so you don't have to :)


Maybe add ta.key?

Pull requests are welcome! :)

Your comment is pretty useless to the majority of people who want to simply protect their internet activity in the most easily accessible way.


You need to determine who your adversary is (at least the category of adversary they're in).

If your adversary is The NSA, you're probably fucked already - get off the internet.

If your adversary is your local drug or anti-terror law enforcement, they're probably getting "hints" from the NSA and likely parallel reconstructing evidence against you based on that.

If your adversary is closer to local cops, MPAA/RIAA, your boss, your parents, your ex-wife's lawyer, or your ISP - this list provides a great deal of useful information.

What if your adversary is the pervasive data collection entities in the business of selling eyeballs (aka ad networks and that related ecosystem)?

Good question - I guess the quick answer is "the most anonymous and secure VPN in the universe isn't going to help if you browse to pages with Facebook like buttons in the same browser where you've got an actively logged in Facebook session - or even non-logged-in session cookies". (Substitute Twitter/Google/Yahoo/whoever as appropriate)

Browser/cookie hygiene is orthogonal to VPN/network hygiene.

I'm not convinced signing up with one of the existing VPN services is any significantly easier than signing up with Digital Ocean or Rackspace, and using the Tinfoil creator service. Have you tried it?

It’s less work if you need to use multiple locations for geocircumvention, at least.

I’m happy to pay somebody 5/mo to handle that + patching etc. etc.

Nope. Sounds too complicated.

Not entirely certain how one signup form is more complicated than another, but I recommend trying it before judging it.

I'm sure it's simple for someone who is familiar with the technology, but what about everyone else? How would your average Joe know which DigitalOcean plan to sign up for, or which settings to apply?

We tell them, right on the page. We even give you a coupon so it's free. There are no settings to apply.

The steps are: 1) Make a DigitalOcean or Rackspace account. 2) Make an API key by clicking <link> and hitting the button. 3) Insert it in this box. 4) Hit go.

That's it. Then you download/install the client (like you would with any other VPN service) and you're done. You don't need to know anything about the droplet size, or anything else.

Quite literally, my mom has done this, and she sells clothing for a living and is not technically adept.

His argument is also flawed in that he says you need to roll your own because the VPN service providers can be compromised. Well, where are you going to run your server then? Any endpoint can be compromised by the business that owns it, whether it be your ISP, AWS, or whatever else you plan to use.

I'm planning on implementing IKEv2 support in Streisand soon. I wanted to get OpenConnect/AnyConnect implemented first. I had not heard of OpenIKED until your comment, and I got really excited, but it looks like the portable version for Linux has been deprecated? If that's the case, it is really unfortunate; I love OpenBSD and their security track record.

I will likely use Libreswan for both L2TP/IPsec and IKEv2, and give the user a choice between those options at installation. L2TP/IPsec support is still a little more ubiquitous, but IKEv2 will be set up by default. It's a much better protocol with significantly less legacy baggage.

Your comments on Tor are thought-provoking too. I can look into making that optional as well, either through a prompt or command-line flag.

Thanks for the feedback! Let me know if you have any other suggestions.

Thanks, that would be great! Yes, I would very much like to see options to strip down Streisand. I'm not worried about getting my packets filtered by the Great Firewall. I'd rather have the minimum number of agents necessary: IKEv2, SSH, and maybe stunnel. I consider every additional agent to add risk of compromise to the entire setup.

Sidenote: Ubuntu's security posture appears slightly better than Debian's, but I'm a little vague on the details. Historically, Ubuntu has had people like Kees Cook working on the security of their distro and relentlessly pursued AppArmor policies, adoption of exploit mitigations, and reducing the footprint of the default install. Any way you can make it more distro-agnostic so I could run the installers on Ubuntu instead would be appreciated!

Btw, I didn't notice that portable OpenIKED was deprecated :-(.

Yeah, I will probably make it possible to choose the list of services instead of singling out Tor specifically. I have heard from some users who only want to run Shadowsocks, for example. The diversity of services really helps keep things flowing in restrictive environments. Not everyone falls into that category though.

Good news! Your Ubuntu dreams are already a reality. The playbooks are currently designed for Ubuntu 14.04. I was using Debian 7 at launch (which might be what you saw previously) but I switched the base distribution late last year. Ubuntu 16.04 is the frontrunner for the next upgrade. The playbooks and roles are complicated enough that it's not terribly practical to target multiple distros, especially given the wide support that Ubuntu enjoys.

I'm wondering how much interest there is for an application that will put up a new AWS or Azure instance with the proper VPN access points. Which can then be torn down when you're done, so if you didn't have too much data pumping through your VPN you could set it up for $0.02 an hour.

I'm 90% done, just need motivation to spend another 90% to finish up the last 10%.

It's an interesting idea. But there's no exit crowding. And so everything is easily linked to the user.

What might be effective would be an app that created multiple instances, with multiple providers, and then shared them with other users. So you were all using multihop VPNs, with the hops changing frequently. The https://www.softether.org/ project allows users to share their VPN servers. You'd just take that to the next level.

That's what I'm asking for. Check the Tinfoil Security link.

Very cool. Full-time usage at $0.02/hr ~ $0.50/day ~ $15/mth. Reasonable usage, say 5%-10% of the time, $1.00/month. Totally reasonable.

Does anyone know of a hosted VPN service that provides a firewall too?

It seems like the only effective way to control outbound traffic from my Android phone. These solutions don't work effectively:

* Detect and block each outbound connection manually: There are endless holes to close and always new ones; that is playing whack-a-mole.

* Software firewall on phone: The firewall would need to operate on a low enough level to block everything. That is a challenge for all software firewalls, and from my sense of Android's outbound data 'features', that seems especially difficult.

* Hardware firewall of my own: Because my phone is mobile, it's not always connecting through the same hardware. I could create a VPN back to my personal firewall, but then either I must share all my data with my ISP or I must create a 2nd VPN connection from my firewall to a hosted VPN service, which seems like too much latency and complexity.

I can't be the only one who wants this ... ?

Yours seems like a valid use case, but the underlying issue appears to be not being able to trust and administer your own computing device. From what I can tell a local firewall is possible (with iptables), but you need to install a custom Android build and 'root' your phone.

> the underlying issue appears not being able to trust and administer your own computing device

I'm not sure it's wise to trust your phone these days. I can root and install a custom ROM, but that doesn't solve the problem. What ROM do you recommend? Most are forks of Android that change some features or remove bloatware; I don't know one that locks down the fundamental security of the OS.

> From what I can tell a local firewall is possible (with iptables)

How can you efficiently configure iptables?

1) Run each app in isolation

2) Sniff network traffic

3) Detect and identify every packet heading to an undesirable destination

4) Write a rule to block it

5) Retest until traffic is clean

6) Repeat every time any software is added or updated.

That's not practical. Also, some of the leakage is embedded so deeply in the OS that I don't know if iptables (or other software firewalls) are sufficient.
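Steps 2 to 4 of the list above can at least be made mechanical. The script below is an added illustration, not code from the thread or from any firewall project: it parses a snapshot of /proc/net/tcp (the same table `netstat` reads), attributes each established flow to its UID (on Android, one UID per app), reports flows outside a per-app allowlist, and emits default-deny iptables rules using the owner match, which is how per-app filtering is done on a rooted phone. The /proc/net/tcp sample, the UIDs 10083 and 10150, the documentation-range destination addresses and the ALLOWED policy are all constructed for the example; the hex decoding assumes a little-endian host, which is what the kernel's format reflects on ARM and x86.

```python
"""Audit outbound TCP flows per app and emit per-UID iptables rules.

Added example; not taken from the thread or any firewall project.
Assumptions: Linux /proc/net/tcp format on a little-endian host (each hex
address is the in-memory uint32, so the bytes appear reversed), and
Android's one-UID-per-app model, so a UID identifies an application.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "uid state local remote")  # local/remote are (ip, port)

TCP_ESTABLISHED = 0x01  # state codes as in include/net/tcp_states.h

# Constructed snapshot (documentation addresses). UID 10083 talks to
# 203.0.113.10:443 and 198.51.100.7:443, UID 10150 to 192.0.2.44:8080,
# and a root-owned resolver listens on 127.0.0.1:53.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B8DE 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000 10083        0 22401 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C0A2 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10083        0 22402 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:D11A 2C0200C0:1F90 01 00000000:00000000 00:00000000 00000000 10150        0 22403 1 0000000000000000 20 4 30 10 -1
"""

# Hypothetical policy: which destination networks each UID may reach.
ALLOWED = {
    10083: ["203.0.113.0/24"],
    10150: [],
}


def _hex_endpoint(field):
    """'0A7100CB:01BB' -> (IPv4Address('203.0.113.10'), 443)."""
    addr_hex, port_hex = field.split(":")
    addr = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(addr_hex), "little"))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the table (header line skipped) into Conn records."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        conns.append(Conn(uid=int(fields[7]), state=int(fields[3], 16),
                          local=_hex_endpoint(fields[1]),
                          remote=_hex_endpoint(fields[2])))
    return conns


def unexpected_destinations(conns, allowed):
    """Established flows whose remote address is outside the UID's allowlist."""
    bad = set()
    for c in conns:
        if c.state != TCP_ESTABLISHED:
            continue
        nets = [ipaddress.ip_network(n) for n in allowed.get(c.uid, [])]
        if not any(c.remote[0] in n for n in nets):
            bad.add((c.uid, str(c.remote[0]), c.remote[1]))
    return bad


def allowlist_rules(allowed):
    """Default-deny per UID: accept the allowed networks, reject everything else.

    The owner match (-m owner --uid-owner) is what makes per-app filtering
    possible on Android. Rules are returned as strings, not applied, since
    applying them needs root on the device.
    """
    rules = []
    for uid, nets in sorted(allowed.items()):
        for net in nets:
            rules.append(f"iptables -A OUTPUT -m owner --uid-owner {uid} -d {net} -j ACCEPT")
        rules.append(f"iptables -A OUTPUT -m owner --uid-owner {uid} -j REJECT")
    return rules


if __name__ == "__main__":
    conns = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for uid, ip, port in sorted(unexpected_destinations(conns, ALLOWED)):
        print(f"uid {uid} -> {ip}:{port} not in policy")
    print("\n".join(allowlist_rules(ALLOWED)))
```

The point of emitting allowlist rules rather than one REJECT per observed destination is that the per-UID REJECT at the end catches destinations you have not seen yet, so an app update that adds a new telemetry host is blocked by default instead of leaking until the next audit.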

That is, I fear, the sad state of mobile operating systems. On the desktop you can choose from a bunch of GNU/Linux distributions that are generally considered quite secure and are under a lot of scrutiny — when Ubuntu introduced a search feature that sent search strings from their dash directly to Amazon to helpfully present purchasable media, this was strongly condemned and ultimately disabled by default.

But on smartphones your choices are limited. There are a couple of alternatives, but losing access to either Google's or Apple's app-store appears to be an insurmountable obstacle for most smartphone owners. I am assuming (not judging though!) this is the case here too.

On a technical level though, all IP traffic passes through iptables, even on Android. You are right that manually blocking all that stuff is impractical. Doing the filtering outside of the phone won't solve that dilemma though.

Just a note: You've made multiple assumptions about me in multiple posts, and it's no surprise that all of them are false. Maybe it would be better to just omit the assumptions about others from your posts.

Hmm, Cloak is not there. I really like the people behind it, and they truly care about privacy and security. The iOS app is sorta wonky and turns on and off when it shouldn’t, though.

Love Cloak, great app (not encountered the wonkyness you speak of).

For me I love the OS X and iOS integration, plus feels somewhat less dodgy than alternatives!

You should reach out with a bug report: they're pretty responsive.

Note that iOS will disconnect the VPN when the phone goes to sleep, however in iOS9+ you can force all traffic over the VPN (unlike earlier versions).

The best feature of Cloak (to me) is that I have it auto-connect when on any network other than my home network. Airports, cafes, work; Cloak is default on.

I think that you are referring to a known bug that was introduced in iOS 9. They have a blog entry describing this.


I have always wondered when I see charts like this that add a column for bitcoin accepted. I would much rather pay with a prepaid gift card / visa which can be purchased with cash. If I even wanted to pay with bitcoin I have no idea how I could get a balance and remain anonymous.

There are plenty of privacy laundering services for Bitcoin. This is the first one that came up in Google: https://bitmixer.io/

They're called "mixers".

The best mixer is Bitcoin Fog: http://foggeddriztrcar2.onion/

no!! There have been many MANY reports of bitcoin fog selectively scamming and it would be wise to use another option. Bitblender, sigant, and helix should be much safer options.

This thread highlights exactly why using Bitcoin for this purpose is tricky for outsiders. Buying a gift card with cash is a process I can understand, but with Bitcoin the amount of knowledge needed to get started safely and anonymously is quite large, and there seems to be a lot of conflicting information going about.

That's all bullshit.

Edit: Consider the Sheep Market thief. They didn't steal his Bitcoin, even though the transaction was so large that it crashed their service.

Edit: It seems likely that victims of the Sheep Market theft are behind at least some of the lies about Bitcoin Fog.

Helix is also a solid and reliable mixer, with the downside that it requires TOR to access

PayPal doesn't like gift cards.

You can check our vpn service https://www.torrentguard.com/prices/ for hassle free browsing.

This would be a lot more useful if the header rows and name column were frozen. Once I scroll I lose all track of what each column means or what row I'm on.

From the FAQ:

Q: Why didn't you freeze the headers/turn on filters? A: The headers ARE frozen, but when the sheet is being viewed by a lot of people, Google sends out the static html version. You can delete everything from /htmlview? to the end of the url for the real version

You can also direct download the sheet using the links below, and do whatever you want to the sheet to make it more readable for you. (xlsx or ods formats)

.xlsx format https://www.google.com/url?q=https://docs.google.com/spreads...

.ods format https://www.google.com/url?q=https://docs.google.com/spreads...

I copied and pasted everything into a new google Sheets and froze the column/row myself

It also might not be possible to freeze columns/rows on the read only web view. You can actually see the thick line below the first row that indicates OP did in fact freeze them.

If anyone related to the list is here, here is my suggestion for improvement: add information about the year a given service started to operate. It may also be worth adding information on whether there is a real company behind the service, if the country of jurisdiction provides a way to check that it exists.

Many clearly wouldn't want to pay for longer periods if the service was created a few months ago and doesn't have a real company behind it.

Hello from China. Lantern https://getlantern.org/ is a fairly reliable free option made by a non-profit. It's slower than the paid options here, but works well enough for gmail, facebook, etc.

Also, the more people outside China who have it the better, so if you wouldn't mind installing that would be great

I'm not sure this is good advice. It seems to be peer-to-peer, so if someone does something illegal using my internet access, I get into trouble.

TOR runs on the same principle. I suppose the trouble you could get into depends on how well plausible deniability holds up in court.

I personally wouldn't risk it, being in the UK with our ever increasingly draconian rules. A sad state of affairs.

"Accessibility from China" might be a good column to add.

He covers that exact comment in his FAQs.

Q: Why don't you have some obvious fields like "Works with Netflix/Hulu", "Works in China", etc? A: Besides the impracticality of testing each of them, these services/governments could use the data I publish to crack down on those that still work.

I suppose. Perhaps if it were a webapp instead of a spreadsheet, people could use a voting system to test and fill in the columns (similar to the coupon code websites).

The latter point though I think isn't all that strong. From a government perspective, the entire list is a checklist of what to block, whether or not that column exists. Most of the VPN providers

I use AirVPN, fairly satisfied; the only thing that bothers me is that they affiliate with ipleak.net, which is a website that checks your connection for DNS leaks among other things. That's great by itself, but it's more of a honeypot at this point because the website heavily relies on Google scripts, so if you happen to have a Google normal/evercookie installed in your browser you are instantly identified no matter what VPN you use.

Thanks for the meticulous efforts, whoever worked on it.

However I especially didn't understand why some of the values under Privacy > Traffic / DNS Traffic say "NO" but are still in green. Or why some of the other values under the same Privacy column like "connection" say "Yes" but are in red.

Can anyone explain what those mean? Also does empty values there mean "no data available" or something else?

You are missing headings in Row 2 & 3.

I think you are talking about Column E (Privacy->Logging->Activity->"DNS Requests") ? Since it falls under "Logging", you want it to be Red for YES & Green for NO (you don't want your VPN provider to log DNS Requests, etc). You will notice that everything within the "Logging" columns (Col D-H) follow this color coding, whereas for Col J-M (which are still under "Privacy", but the subsection is "Activism") it's opposite.

>whoever worked on it

This chart was compiled by reddit user ThatOnePrivacyGuy.

Those say no and are green because they do not log traffic/DNS, which is good. Very simply, green means good and red means bad.

I think it's referring to the fact that certain details (traffic, DNS requests, timestamps, IP addresses) are logged. Ideally you want a service that does not log anything, that's why "Yes" is red.

Google Docs lets you lock rows so that they always show up. It'd be really helpful if that were done for the headers.

This is addressed in the FAQs. The headers are already frozen, but Google's serving it as static HTML.

marklawrutgers' link in another comment fixes this: https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAe...

Could you change the title to "Privacy VPN Service Comparison Chart"?

VPN in and of itself is meaningless. This could mean anything from corporate VPN products through to AWS site-to-site VPN services.

One thing I'm curious about is if there's any VPN services out there that will do virtual LAN functionality, a la Hamachi but with the same focus on privacy mentioned in the threads here.

We[1] do!

Our service is similar to Hamachi in that we offer you an L2 network. We also provide DHCP by default on the subnet. We don't offer Internet access, but if you add your own proxy (proxies? :)) or router to the Virtual LAN, you're all set.

We've started our service recently, so any feedback is more than welcome.

[1]: https://wormhole.network

"Try it for free" - but what's the actual pricing?


Thanks for your feedback! :)

This has been a common complaint and we're looking to change it.

Once you sign up, you get a page with pricing and the option to just move on with the free account. We will change it soon.

I'm working on a service [1] that will have virtual (L3) LAN with quite advanced routing rules.

[1]: https://multilink.link

We use NordVPN running on OpenWRT box. Very happy so far

You really should publish and share the published version of Google docs unless the user needs to edit the shared version.

What's the meaning of cell color? Some red cells say "yes" while some say "no"?

Desirability. Green=good, red=bad.

it's best to run your own on a cheap VPS, check this out https://github.com/kylemanna/docker-openvpn

How would you feel if a review site was using affiliate links only in reviews of VPN companies that they really liked, and were glad to promote?

There are plenty of such "review sites" on the internet already, and the main problem with them is trust. The average Joe simply doesn't need your website since he doesn't know how a VPN works at all and just uses some exe installer from a website. So he doesn't need all these geeky details to decide whether to use a service or not.

For more skilled internet users, any affiliate links and weirdly designed redirections trying to hide them are usually no-go BS.

I'm very surprised there is no mention at all of the safety of the VPN clients. Your biggest problem concerning privacy could be IPv6 leaking and DNS hijacking and leaking. You can have a trillion-bit VPN connection for IPv4 traffic, no logging, warrant canaries etc., but if your IPv6 traffic, which most browsers prefer, is not going through this tunnel you can say goodbye to your privacy. The same for DNS leaking: if you are still using your default DNS servers after setting up a VPN connection, everybody can see what websites you are visiting or redirect your requests. And to prevent DNS hijacking your VPN client should at least use your VPN gateway as a DNS server. I built WifiMask (https://www.wifimask.com), which is not in the list, and is not vulnerable to any of these.
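The three leaks named in the comment above (IPv4 not tunnelled, IPv6 bypassing the tunnel, resolvers reached outside it) can be checked from the routing table alone, before any packet leaves the host. The script below is an added example, not code from the thread or from WifiMask or any other client: it runs longest-prefix lookups over constructed samples of `ip -4 route`, `ip -6 route` and /etc/resolv.conf output. The sample models the common failure mode: OpenVPN's `redirect-gateway def1` installs two /1 routes via tun0 that shadow the IPv4 default, but a router advertisement still leaves an IPv6 default via wlan0, and DHCP left the home router as a second nameserver. The interface name tun0, the VPN server address 203.0.113.10 (whose /32 route legitimately bypasses the tunnel), and all addresses are assumptions for the example; ties between equal-length prefixes are broken by order, where the kernel would use the metric.

```python
"""Offline VPN leak check over routing-table and resolver snapshots.

Added example, not from any VPN client. Assumptions: tunnel interface tun0,
VPN server 203.0.113.10 reached directly (its host route must bypass the
tunnel), constructed `ip route` / resolv.conf samples, and first-match
tie-breaking where the kernel would consult the route metric.
"""
import ipaddress

VPN_IF = "tun0"
VPN_SERVER = "203.0.113.10"

# redirect-gateway def1 style: 0.0.0.0/1 and 128.0.0.0/1 shadow the default.
SAMPLE_IPV4_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""
# The router advertisement still installed an IPv6 default via wlan0.
SAMPLE_IPV6_ROUTES = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600
default via fe80::1 dev wlan0 proto ra metric 600
"""
# Tunnel resolver first, but the DHCP-supplied home router is still listed.
SAMPLE_RESOLV_CONF = """\
# generated by the VPN client, then appended to by dhclient
nameserver 10.8.0.1
nameserver 192.168.1.1
"""


def parse_routes(text, version):
    """Return [(network, device)] from `ip -4 route` / `ip -6 route` lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dst = fields[0]
        if dst == "default":
            dst = "0.0.0.0/0" if version == 4 else "::/0"
        net = ipaddress.ip_network(dst, strict=False)
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def parse_resolv_conf(text):
    """Nameserver addresses in order, comments ignored."""
    return [line.split()[1] for line in text.splitlines()
            if line.startswith("nameserver")]


def egress_interface(routes, addr):
    """Longest-prefix match: which device would carry a packet to addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None


def check_leaks(v4_routes, v6_routes, nameservers, vpn_if=VPN_IF, vpn_server=VPN_SERVER):
    """Return a list of human-readable findings; empty means no leak found."""
    findings = []
    probe4 = "192.0.2.1"  # any public IPv4 address not covered by a specific route
    dev = egress_interface(v4_routes, probe4)
    if dev != vpn_if:
        findings.append(f"IPv4 leak: {probe4} would leave via {dev}")
    probe6 = "2001:db8:ffff::1"  # no IPv6 route at all is acceptable, a non-tunnel one is not
    dev = egress_interface(v6_routes, probe6)
    if dev not in (None, vpn_if):
        findings.append(f"IPv6 leak: {probe6} would leave via {dev}")
    for ns in nameservers:
        routes = v4_routes if ipaddress.ip_address(ns).version == 4 else v6_routes
        dev = egress_interface(routes, ns)
        if dev != vpn_if:
            findings.append(f"DNS leak: nameserver {ns} is routed via {dev}")
    # The tunnel endpoint itself must not be routed into the tunnel.
    if egress_interface(v4_routes, vpn_server) == vpn_if:
        findings.append(f"routing loop: VPN server {vpn_server} is routed into {vpn_if}")
    return findings


if __name__ == "__main__":
    v4 = parse_routes(SAMPLE_IPV4_ROUTES, 4)
    v6 = parse_routes(SAMPLE_IPV6_ROUTES, 6)
    for finding in check_leaks(v4, v6, parse_resolv_conf(SAMPLE_RESOLV_CONF)):
        print(finding)
```

On the sample this reports the IPv6 default route and the second nameserver, and passes IPv4, which is exactly the situation the comment describes: the IPv4 tunnel looks fine while IPv6 and DNS walk around it. A client that wants to close both gaps has to either route `::/0` into the tunnel (or disable IPv6 on the physical interface) and rewrite the resolver list to the tunnel gateway, not just add to it.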
