They actively marketed their product up until recently as being able to circumvent geo-restrictions, and actively helped users who had problems. That for me was the big sell.
Whilst I understand that it's a cat and mouse game now between content providers and VPN providers, they have built up a large customer base - based upon this premise.
And now that they have customers, they switch and don't want to play this expensive game anymore.
Do you feel that they are obligated to never change the terms or discontinue certain policies once implemented for the lifetime of the company? What company would ever want to operate in such an environment where they had to make all decisions up-front and those decisions were set in stone until the end of time? Is the price also set in stone until the end of time?
Many of these same providers have just blocked VPN IPs and you can still use a cheap VPS to circumvent though. Some nice docker openvpn containers around...
It's not the content providers but the movie studios, music labels and rights holders and so forth. Netflix doesn't really care about users circumventing geo restrictions, otherwise it wouldn't be so easy
0 - http://www.cbc.ca/beta/news/business/netflix-crackdown-unblo...
Not complying means they would face severe enough penalties to sink the business (notwithstanding the risk of jail-time.)
FBI would like to get more information about it.
Also, since this does matter a lot: I have a 100 Mbps connection, and I get between 50-80 Mbps through almost all of their servers, barring understandably slow countries like Hong Kong.
Oh, also, they have multihop, and you select your own entry and exit server from among their pool.
I have no relationship with them, just a satisfied customer, relieved to have found a reliable, consumer VPN after many attempts.
It's expensive compared to the others, at $100 a year. I've never seen it go cheaper than this in any sales of any kind.
Some sites like Google will mark you as a bot and force captchas for searches, probably due to its userbase and their shared IPs.
Comparatively fewer servers than popular VPNs like PIA and TorGuard. This leads to me getting the same IP address for each server I connect to. Not sure if this is a pro or a con.
Otherwise, speed has been good, connection has been stable (a few disconnects here and there but it seems to have smoothed out for now), and I hope the chart is accurate in terms of security and privacy on their part.
I've tested many others including AirVPN and NordVPN as well but haven't seen a definitive reason yet for the higher price tag on IVPN. Not that I'm not happy with IVPN, which I am, I'm just also an incredible cheapskate.
Likewise, I'm not affiliated with IVPN nor VikingVPN in any way. I think both are great choices.
IVPN does look interesting, so I’ll have to re-review them… I’m still on Freedome’s trial, and it’s been working stellar including comparable speeds. Exit nodes in certain countries are also an important factor in my consideration, admittedly.
And AirVPN has Routing servers used for double-hops: https://airvpn.org/status/
NordVPN for instance has a ton of servers yet doesn't label the regional locations for them in the OpenVPN filenames. They're just labeled US-1 to US-339 and I ended up having to add random configs and hope it's one near my area. Their server map isn't accurate either and doesn't show all of them.
With AirVPN I'm concerned about their user logging, as they have this hub area for the community that reveals your username and when you're online, as well as how much data you use, and has rankings for users or servers that use the most data each day/month. There's a log-in-anonymously checkbox but it's still a bit worrying to me.
I also find NordVPN's labeling to be very confusing.
I was checking various sites benchmarking VPNs and I remember them reporting IVPN speeds being around 3Mbps. Good to know that's not the case.
Couple of things that are missing. I use IPSec/L2TP. Does not seem to have columns tracking these. I did a bunch of sorting and filtering and the following seem to be the only providers that check all the marks for no logging and good business practices.
One thing you can objectively determine is how long they've been in business. Use https://archive.org/web/ for that. Then filter for bad news. HMA giving up users to LEA. Anonymizer being owned by the CIA. Any VPN service that's been in business for at least five years, and has no bad news, is probably OK.
I was just going off of what was presented on the spreadsheet. However based on my filtering, IVPN certainly seems worth checking out.
> What is the relationship between Gibraltar and UK?
> The main relationship between Gibraltar and UK stems from the fact that the British monarch is the head of state of both Gibraltar and UK. However, such a relationship is not enough to make Gibraltar a part of UK. For example, no one argues that Andorra is a part of France although the President of France is the head of Andorra (together with the Spanish/Roman Catholic Bishop of Urgell).
I agree entirely.
They claim to be outside of UK jurisdiction for a number of bills, although I'm not qualified to judge the veracity of these claims - again from https://www.ivpn.net/blog/should-gibraltar-be-classified-as-...
> Gibraltarian VPN service providers are not obliged to comply with the comprehensive UK laws regulating the information society
> RIPA does not apply to Gibraltar.
> The GRA [Gibraltar Regulatory Authority] supervises the enforcement of the Data Protection Act 2004, a Gibraltarian law implementing the European data protection laws.
Edit: I do freelance for them, by the way.
Edit: Not being sarcastic/rhetorical. Actually asking.
I get the open-source concern. I prefer using stock OpenVPN. But if you're going to do that, you need to manage your DNS servers, and firewall leaks. I'm not aware that iVPN provides source code. You could ask them.
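On the "manage your DNS servers, and firewall leaks" point: this is an added example for the thread, not code from IVPN or any other provider, of the default-deny OUTPUT ruleset a stock OpenVPN user needs so that nothing (DNS included) leaves the physical interface once the tunnel drops. It assumes Linux with iptables, a tunnel interface called tun0, and a placeholder server address 203.0.113.10:1194/udp; `cleartext_accepts` is the audit a practitioner runs over the generated rules before trusting them.

```python
"""Leak-prevention ("kill switch") firewall for a stock OpenVPN client.

Added example; not code from any VPN provider. Assumes Linux + iptables,
tunnel interface tun0, and the placeholder endpoint 203.0.113.10:1194/udp
(203.0.113.0/24 is a documentation range, replace it with the real server).
"""
import ipaddress
import subprocess
from dataclasses import dataclass
from typing import List, Optional

Rule = List[str]


@dataclass(frozen=True)
class VpnEndpoint:
    server_ip: str                  # placeholder, replace with the real server
    port: int = 1194
    proto: str = "udp"
    tun_if: str = "tun0"
    lan_cidr: Optional[str] = None  # e.g. "192.168.1.0/24" to keep LAN access


def build_killswitch_rules(ep: VpnEndpoint) -> List[Rule]:
    """Ordered iptables commands for a default-deny OUTPUT chain.

    Only loopback, replies to established flows and the VPN handshake to the
    server itself may leave in cleartext. DNS is accepted only inside the
    tunnel, so a resolver pushed by cafe/ISP DHCP cannot see queries; all
    other traffic must also go via the tunnel or is dropped.
    """
    ipaddress.ip_address(ep.server_ip)          # ValueError on a bad address
    if ep.proto not in ("udp", "tcp"):
        raise ValueError("proto must be udp or tcp")
    rules: List[Rule] = [
        ["iptables", "-P", "OUTPUT", "DROP"],
        ["iptables", "-F", "OUTPUT"],
        ["iptables", "-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"],
        ["iptables", "-A", "OUTPUT", "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ["iptables", "-A", "OUTPUT", "-d", ep.server_ip, "-p", ep.proto,
         "--dport", str(ep.port), "-j", "ACCEPT"],
    ]
    if ep.lan_cidr:
        ipaddress.ip_network(ep.lan_cidr)       # ValueError on a bad prefix
        rules.append(["iptables", "-A", "OUTPUT", "-d", ep.lan_cidr, "-j", "ACCEPT"])
    for proto in ("udp", "tcp"):
        # DNS: allowed through the tunnel, explicitly dropped everywhere else
        rules.append(["iptables", "-A", "OUTPUT", "-o", ep.tun_if, "-p", proto,
                      "--dport", "53", "-j", "ACCEPT"])
        rules.append(["iptables", "-A", "OUTPUT", "-p", proto,
                      "--dport", "53", "-j", "DROP"])
    rules.append(["iptables", "-A", "OUTPUT", "-o", ep.tun_if, "-j", "ACCEPT"])
    rules.append(["iptables", "-A", "OUTPUT", "-j", "DROP"])
    return rules


def cleartext_accepts(rules: List[Rule], ep: VpnEndpoint) -> List[Rule]:
    """Audit: ACCEPT rules that could push traffic out of the physical interface
    other than loopback, established replies, the VPN handshake and the
    explicit LAN exception. For a correct ruleset this list is empty."""
    leaks: List[Rule] = []
    for r in rules:
        if r[-1] != "ACCEPT":
            continue
        if "-o" in r and r[r.index("-o") + 1] in ("lo", ep.tun_if):
            continue
        if "--ctstate" in r:
            continue
        if "-d" in r and r[r.index("-d") + 1] in (ep.server_ip, ep.lan_cidr):
            continue
        leaks.append(r)
    return leaks


def render(rules: List[Rule]) -> str:
    return "\n".join(" ".join(r) for r in rules)


def apply_rules(rules: List[Rule], dry_run: bool = True) -> None:
    """Print (dry run) or execute the commands; executing needs root."""
    for r in rules:
        if dry_run:
            print(" ".join(r))
        else:
            subprocess.run(r, check=True)


if __name__ == "__main__":
    ep = VpnEndpoint("203.0.113.10")
    rules = build_killswitch_rules(ep)
    assert not cleartext_accepts(rules, ep)
    apply_rules(rules)               # dry run; pass dry_run=False to enforce
```

Two caveats the ruleset does not cover: OpenVPN must also push its own resolver (or you set one reachable only via tun0), and IPv6 needs the same treatment with ip6tables or the physical interface will leak v6 traffic around the tunnel.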
I'm working on a better testing setup ...
Likely every service with questionable legal status (e.g. all that state there is no logging going on) does analyse all bandwidth for its own needs and is clearly going to steal everything they can. Even Tor exit nodes are more secure since you at least know they can't be trusted by default.
What advantage is there over your own servers, which are unlikely to be monitored by default and still dirt cheap?
Second, for a lot of people in this world it's a given that their ISP/government is monitoring their traffic. It's vastly better to be potentially spied on by someone abroad than to be certainly spied on by someone who has direct authority over you.
To answer your first question, the most popular use cases for VPN are:
1. Circumventing censorship
2. Circumventing regional content restrictions
3. Hiding your IP while torrenting (note that this is relevant only in the US)
4. Avoiding government surveillance (again, note that US is not the only country in the world, but likely the only one with any meaningful reach outside its borders)
5. Avoiding private surveillance (public wi-fi, etc.)
6. Hiding your IP while engaging in illegal online activities (#3 is a special case of this but it's a vastly larger group so I made it separate)
Note that "weird jurisdictions" can be a significant advantage for cases #3 and #6 (because they are harder to subpoena) as well as #3 (because they don't have retention laws).
It's not, actually. The same BS is happening in at least Finland too these days.
Legal companies get the rights to some media (in the Nordics or whatever) and monitor some torrents and take screenshots(!) of the IPs in the torrent swarm and can then petition the market court for the subscriber details of the IP addresses in the swarm, then send a threatening letter asking for a 500€ settlement. Some idiots are even caving in and paying. I don't think anyone has actually been sued yet for establishing some precedent (though the Finnish legal system isn't based on precedents).
I set up a VPN in the Netherlands, hosted on a VPS. I was connecting from another European country (where ISPs block torrent sites).
Within minutes of attempting to download a recent movie release, a Cease and Desist was emailed by ip-echelon.com.
The entire German nation would like a word with you, kind sir.
Between this and GEMA, using the internet in Germany is quite restricted.
This is relevant in most of Europe and unlike in the U.S., a C/D letter can easily cost you somewhere between 300 and 1000€.
* getting around arbitrary region restrictions (that use case is rapidly disappearing)
* protecting myself against snoopers when on public WiFi. I'm very mobile, and often work from cafe/hotel/airport WiFi. They're mostly in the clear, but I VPN even over encrypted WiFi because of the below.
* I don't like ISPs selling my information. The service i use is fast enough that I can have it always on, without a noticeable speed loss... So I do. If my ISP wants to sell my browsing habits, they can buy them from me.
Now that you mention it, I'll totally try torrenting something. Curious to know how it performs!
But yes, seven hops is about the minimum for any prudently private person, as I see it.
But for true overkill, see https://www.ivpn.net/privacy-guides/onion-ssh-hosts-for-logi...
It's not that hard to hit 30 hops, alternating VPNs and Tor onion services.
"This video is not available in your region"
2. Hiding your activities from your own ISP.
And I would guess that the vast majority of VPN customers are simply doing what you said VPNs are good for: hiding copyright-violating activities.
Not guaranteed. That depends on the network setup and on how much pressure legal system had on the ISP in question.
1. Dynamic IPs allocated from a shared address pool, but no carrier-grade NAT, just 1:1 mappings. Most likely, ISP's AAA (authentication, authorization and accounting) systems keep track of those, so the account details are one warrant away. Especially if ISP has or historically had metered plans, using IP addresses is generally the most straightforward way to match flow reports (with traffic volume data) to customers.
2. User is behind a carrier-grade NAT, ISP's local jurisdiction requires ISPs to disclose information about customers, and local law enforcement aren't happy with "uh... we don't know, there's a NAT, we only can tell it's someone of those thousand accounts from that BRAS, sorry" replies, so ISP had been fined or threatened with license revocation (if ISP services are licensed in their jurisdiction). In such case they had probably at least set up two flow probes - before and after the NAT, so it's usually possible to correlate the streams. Or, more likely, implemented logging of NAT connection mappings (on GNU/Linux machines this is quite simple with conntrack and ulogd, no idea about Ciscos - not my area of expertise), so it's also well possible to determine who it was.
Since one generally can't know what ISP's routers are capable of, having carrier-grade NAT should be only considered as a possible hindrance, but not as a guaranteed way to keep their account identity anonymous.
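To make the "correlate the streams" step above concrete, here is an added example (not code from the thread or from any ISP) of what an ISP with NAT mapping logs can answer when handed a public IP:port, destination and timestamp. The log lines are constructed for this post and their format is an assumption (conntrack/ulogd can be made to emit the same fields; no vendor format is reproduced); addresses come from documentation ranges. It shows why a complaint without a port, or with a coarse timestamp, gives the ISP several candidates rather than one.

```python
"""Attributing a CGN public IP:port back to a subscriber from NAT mapping logs.

Added example. SAMPLE_LOG and its line format are constructed for this post;
addresses are from RFC 5737 / RFC 6598 documentation ranges.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<event>NEW|DESTROY)\s+"
    r"proto=(?P<proto>\w+)\s+orig=(?P<orig_ip>[\d.]+):(?P<orig_port>\d+)\s+"
    r"reply=(?P<pub_ip>[\d.]+):(?P<pub_port>\d+)\s+"
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


@dataclass
class Mapping:
    proto: str
    internal: str               # subscriber-side (CGN) address
    pub_ip: str                 # address the Internet sees
    pub_port: int
    dst_ip: str
    dst_port: int
    start: datetime
    end: Optional[datetime]     # None if still open at the end of the log


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_mappings(lines: Iterable[str]) -> List[Mapping]:
    """Pair NEW/DESTROY events into intervals. Public ports get reused, so the
    same public 4-tuple belongs to different subscribers at different times."""
    open_maps: Dict[Tuple, Mapping] = {}
    finished: List[Mapping] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # unrelated log noise
        key = (m["proto"], m["pub_ip"], int(m["pub_port"]), m["dst_ip"], int(m["dst_port"]))
        if m["event"] == "NEW":
            open_maps[key] = Mapping(m["proto"], m["orig_ip"], m["pub_ip"], int(m["pub_port"]),
                                     m["dst_ip"], int(m["dst_port"]), parse_ts(m["ts"]), None)
        else:
            mp = open_maps.pop(key, None)
            if mp is not None:
                mp.end = parse_ts(m["ts"])
                finished.append(mp)
    finished.extend(open_maps.values())
    return finished


def attribute(mappings: List[Mapping], pub_ip: str, pub_port: int, dst_ip: str,
              dst_port: int, at: datetime, slack: timedelta = timedelta(0)) -> Set[str]:
    """Subscribers whose mapping matched the observed tuple at time `at`.
    `slack` widens the window for a complainant's coarse or skewed timestamp;
    with port reuse a wider window can return more than one candidate."""
    hits: Set[str] = set()
    for mp in mappings:
        if (mp.pub_ip, mp.pub_port, mp.dst_ip, mp.dst_port) != (pub_ip, pub_port, dst_ip, dst_port):
            continue
        if at < mp.start - slack:
            continue
        if mp.end is not None and at > mp.end + slack:
            continue
        hits.add(mp.internal)
    return hits


def attribute_ip_only(mappings: List[Mapping], pub_ip: str, at: datetime) -> Set[str]:
    """What the ISP can say when the complaint carries no port: everyone who
    shared that public address at that moment."""
    return {mp.internal for mp in mappings
            if mp.pub_ip == pub_ip and mp.start <= at and (mp.end is None or at <= mp.end)}


# Constructed sample log: public port 40001 is reused by two subscribers.
SAMPLE_LOG = """\
2016-02-15T21:00:05Z NEW proto=tcp orig=100.64.3.17:51234 reply=198.51.100.7:40001 dst=203.0.113.55:6881
2016-02-15T21:00:09Z NEW proto=tcp orig=100.64.9.2:43120 reply=198.51.100.7:40002 dst=203.0.113.90:443
2016-02-15T21:05:00Z DESTROY proto=tcp orig=100.64.3.17:51234 reply=198.51.100.7:40001 dst=203.0.113.55:6881
2016-02-15T21:10:00Z NEW proto=tcp orig=100.64.5.8:60100 reply=198.51.100.7:40001 dst=203.0.113.55:6881
some unrelated syslog line that the parser must ignore
2016-02-15T21:20:00Z DESTROY proto=tcp orig=100.64.5.8:60100 reply=198.51.100.7:40001 dst=203.0.113.55:6881
""".splitlines()


def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    maps = parse_mappings(SAMPLE_LOG)
    exact = attribute(maps, "198.51.100.7", 40001, "203.0.113.55", 6881,
                      parse_ts("2016-02-15T21:12:00Z"))
    coarse = attribute(maps, "198.51.100.7", 40001, "203.0.113.55", 6881,
                       parse_ts("2016-02-15T21:07:00Z"), slack=timedelta(minutes=5))
    no_port = attribute_ip_only(maps, "198.51.100.7", parse_ts("2016-02-15T21:02:00Z"))
    return exact, coarse, no_port


if __name__ == "__main__":
    for label, result in zip(("exact", "coarse timestamp", "no port"), demo()):
        print(f"{label}: {sorted(result)}")
```

The three queries are the three outcomes the comment above describes: a precise tuple and timestamp yields one account; a five-minute slack around a port that was reassigned yields two; and a complaint with only the public IP yields everyone behind that address at the time, which is the "it's someone of those accounts" reply.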
The only reliable solution has been ShadowSocks; it's what locals and expats alike use.
It simply works, and also has public servers.
Also, one needs an exit server, or not?
Most people are talking about various valid use cases but it's this risk vector that I'm interested in. What exactly could a VPN steal from regular personal computing network traffic? Cookies and sessions? Web history and other meta-data? Does HTTPS / up-to-date encryption protocols stop any of this?
I guess something about htmlview?sle=true breaks that.
Through statistical analysis and network protocol heuristics you can identify all sorts of things about bulk internet traffic - where it's coming from, where it's going to, the most likely content it's carrying, the application used, even a specific user's connection. This works over multiple network hops, encrypted, on a single tap of a large switch (though multiple taps spanning the network path work muuuuuch better).
There is one good use for a VPS, though - store-and-forward network traffic. You use a remote VPS to retrieve and store content, and at a later time, download the content in bulk (or upload, same difference). You can change both the size and the form of the content before the bulk transfer, making it much harder to identify. You can also use different network paths for connecting to issue the download/upload commands, and connecting to transfer it - Tor comes in handy here.
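Added example (not code from the thread) of the "statistical analysis and network protocol heuristics" point: a toy website-fingerprinting classifier that never looks at payload, only at packet sizes and directions, run over traces constructed for this post (one "site" shaped like a bulk download, one like a chatty web app). It also checks the store-and-forward idea above by padding every packet to a constant size: that shrinks the classifier's margin but does not remove it, because packet counts and the up/down ratio still leak, which is why changing the form of the transfer (batching, Tor for the control path) matters as well as the size.

```python
"""Website fingerprinting from packet sizes and directions only.

Added example. All traces are constructed for this post; nothing here
touches or decrypts payload. Demonstrates (a) that encrypted flows keep
a recognisable shape and (b) how far naive size padding helps.
"""
import math
from typing import Dict, List, Tuple

Packet = Tuple[str, int]           # ("up" | "down", size in bytes)
BUCKETS = (100, 600, 1400)         # size class boundaries; last class is >1400


def burst(direction: str, size: int, n: int) -> List[Packet]:
    return [(direction, size)] * n


def profile(trace: List[Packet]) -> List[float]:
    """Normalised 8-bin histogram: 4 size classes x 2 directions."""
    per_dir = len(BUCKETS) + 1
    bins = [0.0] * (2 * per_dir)
    for direction, size in trace:
        cls = sum(1 for b in BUCKETS if size > b)
        bins[(0 if direction == "up" else per_dir) + cls] += 1
    total = sum(bins) or 1.0
    return [b / total for b in bins]


def cosine(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def classify(trace: List[Packet], profiles: Dict[str, List[float]]) -> Tuple[str, float]:
    """Nearest profile by cosine similarity; returns (label, margin over runner-up).
    A small margin means the observer cannot tell the candidates apart."""
    p = profile(trace)
    scored = sorted(((cosine(p, q), name) for name, q in profiles.items()), reverse=True)
    runner_up = scored[1][0] if len(scored) > 1 else 0.0
    return scored[0][1], scored[0][0] - runner_up


def pad(trace: List[Packet], to: int = 1500) -> List[Packet]:
    """Pad every packet up to a constant size: hides sizes, not count or direction."""
    return [(d, max(s, to)) for d, s in trace]


# Constructed training traces (labelled "sites"), not real captures.
TRAINING: Dict[str, List[Packet]] = {
    "video_site": burst("up", 80, 2) + burst("down", 1200, 5) + burst("down", 1500, 50),
    "chat_app":   burst("up", 90, 30) + burst("down", 95, 30) + burst("down", 900, 4),
}


def demo() -> Tuple[str, float, str, float]:
    """Classify an unseen trace, then the same trace after padding."""
    profiles = {name: profile(t) for name, t in TRAINING.items()}
    unknown = burst("up", 70, 3) + burst("down", 1300, 3) + burst("down", 1500, 40)
    label, margin = classify(unknown, profiles)

    padded_profiles = {name: profile(pad(t)) for name, t in TRAINING.items()}
    plabel, pmargin = classify(pad(unknown), padded_profiles)
    return label, margin, plabel, pmargin


if __name__ == "__main__":
    label, margin, plabel, pmargin = demo()
    print(f"plain:  {label} (margin {margin:.2f})")
    print(f"padded: {plabel} (margin {pmargin:.2f})")
```

Real attacks add inter-packet timing and burst sequences on top of this, which is why the comment above notes it works across hops and over encryption; the toy classifier is the floor, not the ceiling.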
Trusting a remote VPN service not under your control defeats the purpose of communication channel encryption.
Calling it a "VPN service" makes it look appealing, without realizing that you are breaking the "P" in "VPN".
If you want the "P", the master keys and certificates, and the systems where they live (client/server) should be under your control. Dot.
The question is what are you trying to protect against? If you are trying to protect against the local network, any VPN does the job. If you are trying to protect against tracking, ONLY a public VPN does the job (having a static private IP is a disaster in this scenario). If you are trying to protect against any organization seeing your traffic, then your argument might make sense.
However, unless you can run that "private" server on metal you own on a network you own, there will still be a VPS provider and an ISP that can see your traffic as much as the VPN provider would. So you might want Tor at this point.
If I want to mix my output IP with other users (futile while my browser is fingerprint-able), I don't even need any VPN, and much less a third party one.
I use VPN for what it is. Mostly to connect to my network (personal or professional) from the outside.
If I still want to mix my traffic, I can do it, without "VPublicN services", without VPrivateN daemons, and without NSA's Tor.
You are free to trust Tor and "Public VPrivateN services", and I'm free not to trust them.
Not sure if security is binary or not, but totally sure it's about trust.
Please explain your thought.
> In that case, tunnel your VPN inside of a public VPN.
That doesn't solve anything:
#1. Public VPN -> Private VPN -> Internet
<- Here you no longer have a shared IP with other users, so no more mixed traffic. Websites will see the IP of your private server/vps.
#2. Private VPN -> Public VPN -> Internet
<- Here your Public VPN provider can still see your web traffic
It solves the (lack of) trust on the Public virtual Private whatever provider.
> #1. Public VPN -> Private VPN -> Internet <- Here you no longer have a shared IP with other users, so no more mixed traffic. Websites will see the IP of your private server/vps.
For mix your IP with others (are the VPN users visiting the same sites?), I said there are open proxies since the beginnings of internet.
It's not the purpose of an VPN.
> #2. Private VPN -> Public VPN -> Internet <- Here your Public VPN provider can still see your web traffic
They will always, in ANY case and scenario that involves them.
But in this case, at least, now you're sure that your channel uses your encryption and policies.
With a third party channel, you're never sure if the guy near you in starbucks with a headphone, also has the signing key of your "private thing".
Using Tor - you make your traffic public to SOMEONE, activists, hackers, maybe governments. No one knows.
Running own VPN - you still expose traffic somewhere and you can still be easily tracked and monitored. Here comes another problem - I can administrate simple servers, I do it as a hobby... but I'm not a sysadmin, and I would make mistakes and expose everything; my start and endpoint traffic can be 100% correlated.
Not using VPN or Tor at all = exposing myself to local government/council, neighbours and GCHQ.
If you want to protect your network communications, run your own endpoint. Projects like Streisand and Tinfoil's OpenVPN setup scripts let you stand up and tear down VPN endpoints instantly (just remember to ditch Tor from Streisand, see why here: https://news.ycombinator.com/item?id=10735529).
I would be truly interested if someone developed Ansible scripts that setup an OpenIKED server (http://www.openiked.org/) on your choice of cloud providers, and spit out the configuration instructions for your mobile phone. iOS 9 and OS X 10.11 support IKEv2 out of the box now: https://www.ietf.org/mail-archive/web/ipsec/current/msg09931...
You can setup an OpenVPN server on a VPS that's only reachable as a Tor onion service. You lease the VPS through Tor, as anonymously as possible. You pay with Bitcoin that's been mixed at least twice through Tor. See http://dbshmc5frbchaum2.onion/OpenVPN-Onion-VPS.html (using Tor, or a tor2web proxy).
Alternatively, or in addition, you can use nested chains of multiple VPN services. See https://www.ivpn.net/privacy-guides/advanced-privacy-and-ano...
I guess in a way they're somewhat of the same thing, right? How much traffic do you think EC2, DigitalOcean, etc push out each day? Probably harder to tap that entire pipe.
I'm guessing that Amazon knows who you are. And I'm sure that they keep logs, for accounting and debugging. So being "one of a million EC2 nodes" doesn't hide you, in any way. That EC2 node has an IP address. While you're using it, it's your IP address.
When you "share a single egress point with hundreds of thousands of other people", determining whether some activity at some time was yours takes substantive analysis of logs. And often, those logs will be long-gone by the time anyone wants to crunch them.
But it depends on your goals, really. If you want security from local threats for doing real-name stuff (business, banking, etc) then you're better off with a private VPN. If you want a little casual anonymity, for torrenting or social media or whatever, then a VPN service is better. And if you want stronger anonymity, use Tor through VPN(s).
I'm not as concerned with law enforcement as I am with hackers and surveillance.
> And if you want stronger anonymity, use Tor through VPN(s).
Tor is basically a honey-trap for law enforcement and others. It's trivial to get your own exit node and sniff or modify traffic (proven in practice!), hidden services are a hack that don't adequately protect your privacy, and it's trivial to identify tor users from non-tor users. I like tor the technology, I don't like tor the network.
As with my guidance on VPNs, if you want to use tor right then set up your own network of routing nodes. Don't use the horribly insecure public one.
Saying that Tor is just a LEA honey-trap is just plain FUD.
Evil exit nodes are a risk. And websites are increasingly blocking Tor IPs. So run a VPN server as an onion service. You look like a simple VPS. And the VPN protects your traffic from evil exit nodes. And you're hitting that VPN server through seven-relay circuits.
Explain why the FBI has been able to unmask nearly every high profile hidden service operator they go after then? Each time it's a different strategy, and they have all been incredibly effective. Some relied on bugs in Tor, others on broken tools used to access it, others on poor UX that encourages operational security failures. Russian intelligence ran their own set of exit nodes for a period and replaced all executable downloads with malware! You are objectively less safe using the public Tor network.
I don't think the concept of "crowding" is a recognized security property of a system. At least, I've never seen it used before. The way that single-hop commercial VPN services "crowd" people together creates a massive liability. The way that Tor allows anyone on their public network creates a free-for-all where you're exposed to more surveillance and more malicious code (entry/exit node manipulation). Each of these offer straightforward targets for a slow, lumbering, resourced attacker to eventually completely compromise with users none the wiser.
Maybe successfully defending against the weaker adversaries is useful to many people, although it raises a serious challenge of how to clearly disclose the risks and limitations, which I see as a very important challenge for Tor on both the browser and hidden service sides.
(Hidden services might have categorically worse problems so that there's almost no realistic threat model in which their current design is safe; maybe that's what you're getting at?)
Like everything else in cryptography, users don't care if things are insecure: things must be secure, because users want them to be! Ignore the Tor users getting zorched by governments; they're all outliers!
This is a point that I wish more people were familiar with. Tor has been oversold as the privacy project to protect from everything. The Snowden docs leaked out and privacy activists ruffled around their pockets asking, "what do we have to rally behind?" They found Tor and stuck with it, despite it certainly not being built for that task.
Almost always failure to follow the grugq's advice about compartmentalization and opsec. CMU attack was an isolated incident.
Like, this won't save you if you're engaging in evil shenanigans. It will make you much harder to surveil.
I'm freaked by the idea of using third-party generated PKI, I must admit. But that's arguably no worse than trusting third-party VPN providers.
And then there's the absence of crowding. Unless users share their VPNs.
We just provide a nifty UI so you don't have to :)
Maybe add ta.key?
You need to determine who your adversary is (at least the category of adversary they're in).
If your adversary is The NSA, you're probably fucked already - get off the internet.
If your adversary is your local drug or anti-terror law enforcement, they're probably getting "hints" from the NSA and likely parallel reconstructing evidence against you based on that.
If your adversary is closer to local cops, MPAA/RIAA, your boss, your parents, your ex-wife's lawyer, or your ISP - this list provides a great deal of useful information.
Browser/cookie hygiene is orthogonal to VPN/network hygiene.
I’m happy to pay somebody 5/mo to handle that + patching etc. etc.
The steps are:
1) Make a DigitalOcean or Rackspace account.
2) Make an API key by clicking <link> and hitting the button.
3) Insert it in this box.
4) Hit go.
That's it. Then you download/install the client (like you would with any other VPN service) and you're done. You don't need to know anything about the droplet size, or anything else.
Quite literally, my mom has done this, and she sells clothing for a living and is not technically adept.
I will likely use Libreswan for both L2TP/IPsec and IKEv2, and give the user a choice between those options at installation. L2TP/IPsec support is still a little more ubiquitous, but IKEv2 will be set up by default. It's a much better protocol with significantly less legacy baggage.
Your comments on Tor are thought-provoking too. I can look into making that optional as well, either through a prompt or command-line flag.
Thanks for the feedback! Let me know if you have any other suggestions.
Sidenote: Ubuntu's security posture appears slightly better than Debian's, but I'm a little vague on the details. Historically, Ubuntu has had people like Kees Cook working on security of their distro and relentlessly pursued AppArmor policies, adoption of exploit mitigations, and reducing the footprint of the default install. Any way you can make it more distro-agnostic so I could run the installers on Ubuntu instead would be appreciated!
Btw, I didn't notice that portable OpenIKED was deprecated :-(.
Good news! Your Ubuntu dreams are already a reality. The playbooks are currently designed for Ubuntu 14.04. I was using Debian 7 at launch (which might be what you saw previously) but I switched the base distribution late last year. Ubuntu 16.04 is the frontrunner for the next upgrade. The playbooks and roles are complicated enough that it's not terribly practical to target multiple distros, especially given the wide support that Ubuntu enjoys.
I'm 90% done, just need motivation to spend another 90% to finish up the last 10%.
What might be effective would be an app that created multiple instances, with multiple providers, and then shared them with other users. So you were all using multihop VPNs, with the hops changing frequently. The https://www.softether.org/ project allows users to share their VPN servers. You'd just take that to the next level.
It seems like the only effective way to control outbound traffic from my Android phone. These solutions don't work effectively:
* Detect and block each outbound connection manually: There are endless holes to close and always new ones; that is playing whack-a-mole.
* Software firewall on phone: The firewall would need to operate on a low enough level to block everything. That is a challenge for all software firewalls, and from my sense of Android's outbound data 'features', that seems especially difficult.
* Hardware firewall of my own: Because my phone is mobile, it's not always connecting through the same hardware. I could create a VPN back to my personal firewall, but then either I must share all my data with my ISP or I must create a 2nd VPN connection from my firewall to a hosted VPN service, which seems like too much latency and complexity.
I can't be the only one who wants this ... ?
I'm not sure it's wise to trust your phone these days. I can root and install a custom ROM, but that doesn't solve the problem. What ROM do you recommend? Most are forks of Android that change some features or remove bloatware; I don't know one that locks down the fundamental security of the OS.
> From what I can tell a local firewall is possible (with iptables)
How can you efficiently configure iptables?
1) Run each app in isolation
2) Sniff network traffic
3) Detect and identify every packet heading to an undesirable destination
4) Write a rule to block it
5) Retest until traffic is clean
6) Repeat every time any software is added or updated.
That's not practical. Also, some of the leakage is embedded so deeply in the OS that I don't know if iptables (or other software firewalls) are sufficient.
But on smartphones your choices are limited. There are a couple of alternatives, but losing access to either Google's or Apple's app-store appears to be an insurmountable obstacle for most smartphone owners. I am assuming (not judging though!) this is the case here too.
On a technical level though, all IP traffic passes through iptables, even on Android. You are right that manually blocking all that stuff is impractical. Doing the filtering outside of the phone won't solve that dilemma though.
For me I love the OS X and iOS integration, plus feels somewhat less dodgy than alternatives!
Note that iOS will disconnect the VPN when the phone goes to sleep, however in iOS9+ you can force all traffic over the VPN (unlike earlier versions).
The best feature of Cloak (to me) is that I have it auto-connect when on any network other than my home network. Airports, cafes, work; Cloak is default on.
They're called "mixers".
Edit: Consider the Sheep Market thief. They didn't steal his Bitcoin, even though the transaction was so large that it crashed their service.
Edit: It seems likely that victims of the Sheep Market theft are behind at least some of the lies about Bitcoin Fog.
Q: Why didn't you freeze the headers/turn on filters?
A: The headers ARE frozen, but when the sheet is being viewed by a lot of people, Google sends out the static html version. You can delete everything from /htmlview? to the end of the url for the real version
You can also direct download the sheet using the links below, and do whatever you want to the sheet to make it more readable for you. (xlsx or ods formats)
.xlsx format https://www.google.com/url?q=https://docs.google.com/spreads...
.ods format https://www.google.com/url?q=https://docs.google.com/spreads...
It also might not be possible to freeze columns/rows on the read only web view. You can actually see the thick line below the first row that indicates OP did in fact freeze them.
Many clearly wouldn't want to pay for longer periods if a service was created a few months ago and doesn't have a real company behind it.
Also, the more people outside China who have it the better, so if you wouldn't mind installing that would be great
I personally wouldn't risk it, being in the UK with our ever increasingly draconian rules. A sad state of affairs.
Q: Why don't you have some obvious fields like "Works with Netflix/Hulu", "Works in China", etc?
A: Besides the impracticality of testing each of them, these services/governments could use the data I publish to crack down on those that still work.
The latter point though I think isn't all that strong. From a government perspective, the entire list is a checklist of what to block, whether or not that column exists. Most of the VPN providers
However I especially didn't understand why some of the values under Privacy > Traffic / DNS Traffic say "NO" but are still in green. Or why some of the other values under the same Privacy column like "connection" say "Yes" but are in red.
Can anyone explain what those mean? Also does empty values there mean "no data available" or something else?
I think you are talking about Column E (Privacy->Logging->Activity->"DNS Requests") ? Since it falls under "Logging", you want it to be Red for YES & Green for NO (you don't want your VPN provider to log DNS Requests, etc). You will notice that everything within the "Logging" columns (Col D-H) follow this color coding, whereas for Col J-M (which are still under "Privacy", but the subsection is "Activism") it's opposite.
This chart was compiled by reddit user ThatOnePrivacyGuy.
Those say no and are green because they do not log traffic/DNS, which is good. Very simply, green means good and red means bad.
VPN in of itself is meaningless. This could mean anything from corporate VPN products, through to AWS site to site VPN services.
Our service is similar to Hamachi in that we offer you an L2 network. We also provide DHCP by default on the 100.64.0.0/24 subnet. We don't offer Internet access, but if you add your own proxy (proxies? :)) or router to the Virtual LAN, you're all set.
We've started our service recently, so any feedback is more than welcome.
Thanks for your feedback! :)
This has been a common complaint and we're looking to change it.
Once you sign up, you get a page with pricing and the option to just move on with the free account. We will change it soon.
For a more skilled internet user, any affiliate links and weirdly-designed redirections trying to hide them are usually no-go BS.