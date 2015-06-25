Hacker News
How to set up a VPN in 10 minutes for free (freecodecamp.com)
31 points by quincyla 1 hour ago | 24 comments





The title is "How to set up a VPN in 10 minutes for free" although it doesn't tell you how to "set up" a VPN, just how to configure your browser to use one, or to buy a service or device (router) to connect to a VPN.

If you actually are looking to set up your own VPN, I recommend this guide on Digital Ocean[1]. If privacy is your main concern for using a VPN, and you are technically inclined, then it would make sense to be in control of the server acting as your VPN.

[1] https://www.digitalocean.com/community/tutorials/how-to-set-...

reply


I actually advise against digital ocean if your privacy is your main concern, as they mention in their terms[0] they will pretty much hand over anything requested.

[0] https://www.digitalocean.com/legal/terms/

Plus, remember when they took out 38,000 websites because the Yes Man made a parody site?[1]

[1] https://www.techdirt.com/articles/20160629/23462634866/nra-t...

Regardless, DO is known for shooting first and asking questions later. Does this seem like the type of provider you want to use for a VPN?

reply


It's just a guide, and DO guides are one of the best floating around. You can use any provider; the pre-req is literally 'a' server running Ubuntu.

reply


> This is where the EFF’s HTTPS Everywhere extension comes in handy. It will make sure traffic to non-HTTPS websites is also encrypted.

Is it just me, or is this paragraph completely wrong? HTTPS Everywhere's job is to use HTTPS when available but not explicitly used.

reply


I've used https://www.tinfoilsecurity.com/vpn/new several times to quickly set up a new VPN on a DigitalOcean droplet. Takes ~5 minutes.

Lately I had it set one up for me and have just let it run constantly since then. I effectively have my own personal VPN for $5 a month.

reply


Don't mean to hijack the thread, but speaking of Tor... If some entity ran enough nodes, wouldn't they be able to get a pretty good idea of the traffic sources and destinations?

reply


You should never trust an exit node.

https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-to...

reply


The "O" in TOR stands for "Onion". The name comes from having many layers with traffic routing between them. Each node only knows enough to go to the next node. You'd have to control the entire chain to track a packet from source (TOR client on end user's machine) to target (i.e. TOR-exit).

It's definitely possible but with an increased number of hops it becomes harder and harder.

reply


You can correlate traffic without the middle node thanks to timing and packet sizes. You just need the entry and the exit nodes.

Hence why they introduced entry guards. To make things a little more difficult for an adversary that manages to bring up a lot of nodes.

reply


Isn't Opera owned by the Chinese (nothing against them, just that they are the same level as the US)? The traffic is only as secure as where the VPN terminates and there is no mention of what servers Opera uses.

reply


That is mentioned in the article.

reply


> If you want to take things next level, you can try Tor, which is extremely private, and extremely hard to de-anonymize

I don't think Tor would eliminate the need for a VPN; wouldn't your ISP still be able to see the requested URL?

Edit: I was thinking of DNS leaks, but that's really not an issue if you use Tor Browser.

reply


The entire HTTP request, including the destination, is bundled into the TOR packet, AFAIK. Only the exit node on the tor network can know where the destination is. But even then, when using HTTPS, the exit node only knows the host of the HTTP request, not the entire URL.

reply


No, the ISP could see that you're connected to TOR, but that's just an SSL connection and they can't see anything inside it.

reply


There is no privacy without open source software. This article, with the recommendations to buy Netgear stuff or commercial VPN services, is just a farce.

The author doesn't know shit; writing this type of false article will lead to another privacy disaster.

reply


Having source isn't necessary, nor is it sufficient to determine what the software on a device is doing.

It's often convenient, but just having some source doesn't actually ensure that is the code running on the device.

reply


Whether the server is free / open source software is irrelevant to the matter of privacy with a VPN. It's running on someone else's computer, so you have no way of proving what is running, or more importantly, what isn't running - the service provider can run OpenVPN and also tcpdump, both of which are free software. You need to trust the provider not to monitor your traffic, and perhaps not to be easily compelled to monitor your traffic on someone else's behalf.

(The same is true of Tor exit nodes, incidentally, and it's very easy for an intelligence agency to run Tor and tcpdump.)

If you actually want a VPN, one of your best options is to use a commercial service that has a reputation to uphold. Some fly-by-night "non-profit" is probably a front for a miscreant running tcpdump. (And there is no conflict with a commercial service running open source code, as I'm sure you know!)

reply


Any commercial VPN recommendations from this crowd?

reply


> Hijack your searches and share them with third parties

What does it mean to "hijack" a search? If the ISP is modifying your data in flight then that'd qualify though I don't think this bill gives them that power.

Also, most (all?) searches go over SSL which would not be susceptible to MITM fiddling.

At most it gives them access to log the number of bytes sent per customer to each destination and the DNS lookups you've performed. I'd be concerned if they are selling that information but there's no need to make up fake lingo to sell this. It's crap enough as it stands.

reply


The EFF explains how this was done here:

Back in 2011, several ISPs were caught red-handed working with a company called Paxfire to hijack their customers’ search queries to Bing, Yahoo!, and Google. Here’s how it worked.

When you entered a search term in your browser’s search box or URL bar, your ISP directed that query to Paxfire instead of to an actual search engine. Paxfire then checked what you were searching for to see if it matched a list of companies that had paid them for more traffic. If your query matched one of these brands (e.g. you had typed in “apple”, “dell”, or “wsj”, to name a few) then Paxfire would send you directly to that company’s website instead of sending you to a search engine and showing you all the search results (which is what you’d normally expect). The company would then presumably give Paxfire some money, and Paxfire would presumably give your ISP some money.

In other words, ISPs were hijacking their customers’ search queries and redirecting them to a place customers hadn’t asked for, all while pocketing a little cash on the side. Oh, and the ISPs in question hadn’t bothered to tell their customers they’d be sending their search traffic to a third party that might record some of it.

Source: https://www.eff.org/deeplinks/2017/03/five-creepy-things-you...

reply


Okay that sounds completely illegal and the exact definition of digital hijacking. Any type of modification of the packets themselves outside of dropping them for network control is a clear violation in my book.

I don't see that working for connections over SSL. I wonder how the companies that operate these questionable "services" deal with the rapid rise of SSL the past few years.

reply


I think this type of attack being described was (is) actually done by hijacking requests that should have returned DNS NXDOMAIN. You tried to visit a URL that did not exist, but your DNS server failed to make that clear in the standard way to your browser, and now your traffic is sent somewhere else, instead of sending you to the familiar (or ugly, they might argue) NXDOMAIN browser error page.

So there aren't really any packets being modified, since you already get your DNS from your ISP. They're just returning bad information to requests that your browser naturally had directed at them.

reply
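
The NXDOMAIN rewriting described in the comment above can be checked from the client side. The following is an added example, not part of the original thread: it looks up random names that should not exist and flags a resolver that answers them anyway. The function names, the stub resolvers and the address `192.0.2.10` are constructed for illustration.

```python
import secrets
import socket


def system_resolve(name):
    """Ask the OS-configured resolver; return sorted addresses, [] if none."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []  # an honest NXDOMAIN ends up here
    return sorted({info[4][0] for info in infos})


def probe_nxdomain_rewriting(resolve=system_resolve, probes=5, suffix="com"):
    """Look up random names that should not exist; report any that resolve.

    resolve: callable(name) -> list of address strings (injectable for tests).
    """
    answered = {}
    for _ in range(probes):
        # 96 random bits: effectively certain not to be a registered name.
        name = f"{secrets.token_hex(12)}.{suffix}"
        addrs = resolve(name)
        if addrs:
            answered[name] = set(addrs)
    # Unrelated random names all landing on the same address is the signature
    # of a resolver substituting its own answer for NXDOMAIN.
    shared = set.intersection(*answered.values()) if answered else set()
    return {
        "probes": probes,
        "answered": len(answered),
        "shared_addresses": sorted(shared),
        "rewriting_suspected": len(answered) > probes // 2 and bool(shared),
    }


# Constructed stand-ins for a resolver, so the logic can be exercised offline.
def honest_stub(name):
    return []


def rewriting_stub(name):
    return ["192.0.2.10"]  # documentation-range address, made up for the example


if __name__ == "__main__":
    print("stub, honest:   ", probe_nxdomain_rewriting(honest_stub))
    print("stub, rewriting:", probe_nxdomain_rewriting(rewriting_stub))
    print("system resolver:", probe_nxdomain_rewriting())
```

A captive portal can also make nonexistent names resolve, so run the check on a network where you are already signed in before drawing conclusions about the ISP's resolver.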


NXDOMAIN hijacking is closely related, but Paxfire had another service (at least in 2011, when fewer searches were done over SSL) that was sending all traffic directed to the major search engines through its proxy servers.

https://www.eff.org/deeplinks/2011/07/widespread-search-hija...

reply


The NXDOMAIN hijack isn't as bad as this. It involves replacing the response from the resource you requested with the ISP's preferred response.

It can happen either through DNS hijacking (nslookup for google.com goes to isp-fake-google.com) or they can just sniff all the traffic and MITM HTTP traffic for "GET /q=?" with a "Host: google.com". In either case they send you to whatever they'd like rather than the original request (and of course sell the data that User X searched for Y).

reply



