I've ditched PPTP (not safe any more) and shifted to IPsec (IKEv2 + RSA with X509, IKEv1 + PSK + XAUTH) as it is being used by a lot of MNCs - can't killall. The GFW has developed technique to detect OpenVPN well and it is easily blocked so I don't use it at all. Over the past few years many home brewed protocols emerge - e.g. shadowsocks and variants and many others (I've never used any of them).
The best thing to do with a VPN is to understand the basics of the VPN solution of choice, try to install and configure it from scratch on a VPS, and use that as your main protection (encapsulation) while using public Wi-Fi or untrusted networks. There have been many good discussions on how to do this on HN.
NOTE: I am maintaining around 10 strongSwan powered IPsec VPN and 2 OpenVPN to help family members and close friends to access the real Internet (have to keep a low-profile though). Funny though, my networking skills evolved with GFW.
Coupled with the official cable TV service, which is amusingly abbreviated CCTV, and other state-controlled media, it's an eye-opening thing to see (more blatant) information control in action.
Can you read Chinese? I ask because if not, the experience of people who can might be very different.
I'm completely against the censorship; I just wonder how effectively they implement it.
In China, you may need to use one (or multiple) of the following:
And +https://github.com/gfwlist/gfwlist for automatic proxy switch.
Those applications may require a dedicated server or VPS to run. Once you set it up, it will act like a relay between you and the host you want to access (so that server or VPS must be located outside the GFW's shadow, and you had better set it up and get it well tested before you move to China).
If you don't want to setup a server all by yourself, you can use Lantern or Psiphon, but they are considered not safe as you don't have any control once data leaves your machine.
I personally use Shadowsocks + my own one made with Golang. Both of them work very well for me. Some people may have had problems with Shadowsocks, but the cause of those problems remains a myth.
When I was in China last April, SSTP worked fine (though long-lived connections tend to become slower over time, and then need a few minutes of cool down before being usable again). Most Chinese people I met were using shadowsocks.
But in a vlog I've watched on YouTube, the host of that vlog said "Over the last couple of days, ALL the VPN is been very difficult to use". So, I guess that includes ExpressVPN.
Here is the video if you interested: https://www.youtube.com/watch?v=EuEdYvQmVFg (5:20)
As someone who owns and works and knows the ins and outs of an ISP and had the 'pleasure' to deal with many 3-word government organizations, I can't help but feel that many people think privacy exists in some form and using a VPN somehow makes you immune.
Please learn to understand double-speak.
If the FBI says they are having a hard time cracking smart-phones or some kind of encryption, understand that they actually want you to use that security because they have figured out how to get around it.
I may sound like an alarmist, but it isn't intentional - because the government is much much more powerful in terms of resources they can throw at a problem - if they can't crack something they will find a way to intimidate someone to install a backdoor for them while completely denying it in public. This happens ALL the time. Most of us just don't know about it.
Do you have any evidence, or is this just speculation? I can buy that governments have access to zero-day exploits; I don't buy that every form of encryption they complain about has been secretly broken.
Was slow, but it worked.
Do you recommend that I set up strongSwan?
Whether you can find one with reasonable data rates in China is probably the main question.
Two that I have used with great success are Kyivstar from Ukraine and China Unicom HK (note it must be HK, not mainland China). Others may be listed at .
My T-Mobile had free international roaming baked in at 2G speeds. Unlike the US however, most foreign carriers in developed Asian nations (China/Korea) don't support 2G fallback, so I had free 3G everywhere.
It was pretty much like using the American internet.
If it is only for yourself and traffic is very little, it may survive the period of your stay in China. Nobody I know in mainland runs OpenVPN any more so I cannot really prove that, sigh...
That's why Tor had to implement HTTPS-like fake traffic padding in its obfsproxy modules, which also need to keep evolving...
1. DNS resolution may not work, so you'll need to find a way to resolve the domain name (i.e. hk.privateinternetaccess.com) to IPs for your config.
2. Even if you get an IP it may not work all the time. You will have to keep resolving the domain name for another IP (or maybe just look at all the DNS records?).
EDIT: I should mention I used PIA's PPTP (yes, it's discouraged but it worked for my purposes) and L2TP configurations just fine.
In the hotel, the Wi-Fi network cannot connect to many sites. Sometimes I can connect to the Internet via OpenVPN, but Shadowsocks is more stable.
Furthermore, if ExpressVPN is allowed, could you connect to that and inner-tunnel to your own VPN?
Basically, if you offer me the service to protect my IP address and don't even have the decency to let me inform myself about your offering without handing over my IP address to Google et al., then I'm not using your service.
Unfortunately, VPN providers collectively don't seem to be aware of this presentation layer, so it's nigh impossible to find one which doesn't violate privacy here.
So far, I've found exactly two: azirevpn.com and airvpn.org
They load in Piwik, which I'm okay with.
These two providers also check a lot of other boxes for me, but yeah, it's still just two providers after hours of research, so if anyone knows any other VPN providers with privacy-respecting webpages, please do tell.
Note that this is also one of the criteria in the Vpn comparison chart: https://docs.google.com/spreadsheets/d/1L72gHJ5bTq0Djljz0P-N...
I mean, sorry if I sound rude and thanks for trying to help, but yeah, I'm not clicking on that link.
As for sorting out my threat vectors, I think you should sort out your threat vectors, if you don't consider the biggest data broker on the planet to be part of that.
But even if you yourself are entirely unaware of Google being a threat vector, I do think I made it abundantly clear in my initial comment that I don't want my IP address shared with Google, so then linking me to a Google webpage has got to be either a bad joke or so incredibly oblivious that I very much do think it warrants a dick response.
What I know is that Google will store that data point indefinitely and will correlate it with a near-infinite number of other data points to generate conclusions about me. Whether those conclusions are right or wrong doesn't even matter.
They'll also make these data points and conclusions available to intelligence agencies around the world. Which might use it to damage me as part of the ongoing cyber war or if it's my own country's intelligence agency, then they might use it against me, in case I'm unpleasant for the reigning government.
I consider something safe when I know that it's safe, not when I don't know it to be unsafe.
Check out my VPN service, DataBuster. I made the VPN only for myself at the beginning but my friends requested the features and it became a viable product.
The only "tracking" I do on the main page is a passive analysis of Apache logs made with Piwik, so there is no visible JS tracking code or third-party tracker.
The underlying technology used is from Algo VPN, a well-acclaimed open source VPN solution. https://github.com/trailofbits/algo
What I mean is that just by reading this thread, we've all been added to whatever VPN user list the (insert bad guy name here) has set up. From there it's just simple data mining. One of the easiest ways to link a user to a VPN service might be through tracking scripts, but that's not specific to the VPN sites. Presumably you're researching which VPN and then reading more on specific VPNs as you narrow down your choice. Then you want to be "anonymous" so you search for bitcoin info. Then you suddenly stop searching for bitcoin and VPN info. So, you have the data from all those searches (specific breadcrumbs), the length of time searched (length of time correlated to how serious and educated you are about the topic), the time the searches stopped (correlated to VPN subscription start), your previous un-anonymized topics of interest that led to the search for VPNs, the exit nodes of the VPN you probably chose, etc. That's on top of all the physical variables - when you're likely to be awake, schedule of connections, location, etc.
I would argue that just having a tracking script on the VPN provider's website is a drop in the bucket, even from a legal perspective - it's better to have a preponderance of evidence. You're not giving 'them' any more information than they'd already need for a search warrant, which is the real danger threshold for this conversation.
It's conflating an annoyance with a threat.
Even if you're entirely above board, your users may not be. Child porn, illegal substances, gambling, stalking/bullying, fake emergency calls, bomb threats, and so on. Your users are just waiting in the wings to place you into law enforcement's crosshairs.
If I opened a VPN I'd spend 10% on equipment and the other 90% on lawyers, fraud prevention, and liability insurance.
If I go to Bob's website on my computer without any VPN, and Bob wants to find me, all he would need to do is get my IP, call my ISP with a warrant, and then get my information.
If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions. Then he calls the VPN company, and asks them to associate the IP and specific browser sessions with me. In that case a) the VPN really does store logs even though they advertise they don't, so they're able to associate me with my activity, or b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.
It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial) step to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?
So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?
If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users? Wouldn't it be easier for Bob to call AWS with a warrant and get your account info than mess with some offshore VPN provider?
The downside in a nutshell:
"Researchers recently tested 300 free VPN apps on Google Play and found that nearly 40 percent installed malware or malvertising on users’ machines."
"Bob" very likely doesn't know you even exist and doesn't care. The downside of VPNs is that many VPN hosting companies are even less trustworthy than "Bob" and do care who you are. An unscrupulous VPN provider can MitM your connections, harvest anything you give the VPN's app privilege to see (probably a lot), etc.
Step one of security is to understand the threat you want to defend against and make sure your defense against that is (a) adequate, (b) appropriate, and (c) not compromising you in other ways.
Also, don't choose a VPN based on some online review. Most of those are basically paid advertising. Either "pay if you want a good review" or "pay more for higher rank", or stuff by independent affiliates, who get paid for referrals.
Better, choose VPNs that have been recommended by consensus in relevant communities. Torrent users. Wilders. Me ;) And by the way, I do consult for IVPN, but my opinions are otherwise unbiased.
(Basically, all AV companies listed on stock market sell your data.)
I wrote a post last summer for IVPN's blog. Bottom line, AhnLab and Emsisoft seemed to be the only commercial ones that don't share data.
AhnLab: “AhnLab will not collect any personal information other than [data collected during software use] and will not disclose such data to any third party.”
Emsisoft: “Any information we collect from you is only used by us to serve you better. Your information is never given to a third party.”
[+] I'm not trying to advocate crime here or advising how to avoid it. Just trying to bring to light a vulnerability.
People who are interested in not being identified probably shouldn't. But there are good security reasons to potentially do so.
Freenode and Snoonet, two major IRC networks, are now owned by them.
Disclaimer: Happy PIA customer.
If control of PIA — for whatever reason, and be it that Andrew Lee dies and his heirs sell it, or that he can't finance it anymore, or that a three-letter agency forces him to — ends up in the wrong hands, then also all of Freenode and Snoonet end up under control of that entity.
It's not that I don't trust PIA, but that I fear that PIA itself may end up in the wrong hands.
And I'm not on a crusade against PIA — I won't complain about their donations without requirement to advertise in return to projects such as KDE, with a transparent funding process.
But I am on a crusade against centralizing any services, be it killing XMPP federation (thanks, Google), be it pushing a "secure" Messenger that is bound to a single social graph and server infrastructure controlled by one group in the US (thanks, Moxie), or be it a single company gaining significant control over several major IRC networks, clients, libraries, and over Matrix at the same time.
No matter the intentions, how good they may be.
My only beef is I thought PIA would be a kickass gig to work at. Alas, never heard back from my resume. They post in the monthly thread.
Still interested, if any of you PIA people are watching :D
To be honest, my only problem with them is their customer service. And their phone app. My connection is half speed on my phone. :( They also have some strange problems with the linux app (which I wish they would open source). Otherwise I'm really happy with them.
As for the Linux side, their app just needed some better instructions on their site, and then works fine. So I'm not really upset on that, just had to argue with tech support for awhile to get transferred to somebody that knew what I was talking about.
 - https://krita.org/en/item/krita-foundation-update
This is why we can't have nice things...
When I checked in mid 2016, their custom Windows client leaked while the VPN was reconnecting after uplink interruption. But then, only six of the 29 VPNs that I tested didn't leak: AirVPN, FrootVPN, IVPN, Mullvad, Perfect Privacy and SlickVPN. Strangely, FrootVPN didn't leak using open-source OpenVPN, suggesting that they're doing something unusual at the networking level. PIA's OS X client didn't leak, however.
They do tend to oversell their servers, however. So you'll often get less throughput than with AirVPN, IVPN or Mullvad.
Is this semantics? I am uncertain. I do think that it's in PIA's best commercial interests not to keep logs. It's the core of their business model. The moment a PIA customer's identity is revealed through them is the moment they lose all business.
Another issue is, all their IPs are well known. When browsing while connected to them, you can run into a lot of issues: captchas, blocked sites, etc.
The other day I was accidentally connected and made a purchase. What a giant headache. My purchase was flagged and blocked and it took a lot of my time to call the company and get it cleared up.
I will mention that while it doesn't magically fix slow speed issues, they have the ability to report a slow server through the app (on Windows, I can't attest to any others). You just right click the icon in the notification tray and click "Send Slow Speed Complaint." They do add more servers in areas that are overloaded.
Until it's important enough for them to track down the card, figure out when it was bought, go over the security footage of who was buying at the time, extract footage of you buying it. They can then extract your face and match against a DB. Or perhaps see what car you enter into, and extract its license plate.
Heck, even if they don't have that, they can ask the cell-phone companies to see which phone-numbers were connecting to the nearest tower during that period. That already narrows down the list to say, 1000 people?
We're almost there. All the technology is already in place, and the only thing stopping it from happening is consolidation.
I find the speed has almost been completely acceptable. I have had only a handful of times where it seemed sluggish and bogged down.
I know there is some question of whether they can truly be trusted? Do they truly not keep logs? And they are US based, which are all things to consider. I weighed those factors against the customer reviews, price, and simplicity of their service, and I think my choice has served me well. Their rates are dirt cheap for what seems to be a reliable service.
And they have great clients for Windows, OS X and iOS. I've found a few others that are just as leak-free. However, the data there are old, and just about all VPN services have improved their clients. What's most relevant about the site is the testing protocol. There's more about that in an IVPN guide.
I also recommend AirVPN, Mullvad and PIA. But not necessarily for their clients. I mean, IVPN doesn't have a custom Linux client. So in many cases, you need firewall rules. And you need to make sure that you're not using an ISP-assigned DNS server with the VPN.
I used PIA for a couple of years without issue, but then it went into some kind of decline for me, always driving network traffic to zero after a few hours. After changing hardware and reinstalling the OS with no effect, I finally tried AirVPN and things went back to normal. AirVPN is a bit more expensive, but their client is light years ahead of the PIA client.
The only step beyond this that I have seen is a recommendation to use OpenBSD as a firewall in a virtual machine.
But. It's basically what I described. For the public VPN network, just use the default (all output, only established input). For the private LAN, deny all output and input, and allow output to selected IP addresses (VPN and DNS servers).
Perhaps something like this can be scripted; if it becomes polished enough it could be recommended as a part of every VPN setup.
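One way to script the rule set the previous two comments sketch (a "kill switch" on a Linux workstation: the physical uplink may only carry the tunnel itself, everything else must leave via the tunnel interface, and nothing unsolicited may arrive over it). This is an added example, not code from any commenter or from any VPN provider; the endpoint address, port, interface names and VPN resolver are constructed placeholders. The rules are printed rather than applied, so they can be reviewed first and then piped to `sh` as root.

```shell
#!/bin/sh
# Added example: emit iptables rules for a VPN kill switch.
# All values below are constructed placeholders; override via the environment.
VPN_SERVER=${VPN_SERVER:-198.51.100.10}   # provider's OpenVPN endpoint (TEST-NET-2)
VPN_PORT=${VPN_PORT:-1194}                # its UDP port
PHYS_IF=${PHYS_IF:-wlan0}                 # physical uplink (Wi-Fi/Ethernet)
TUN_IF=${TUN_IF:-tun0}                    # OpenVPN tunnel interface
VPN_DNS=${VPN_DNS:-10.8.0.1}              # resolver pushed by the VPN, reached via TUN_IF

# killswitch_rules: print the rule set (review it, then: killswitch_rules | sudo sh)
killswitch_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# loopback is always allowed
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies to connections we opened, on any interface (covers the tunnel's UDP replies)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP so the uplink can still obtain a lease after reconnecting
iptables -A OUTPUT -o $PHYS_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT  -i $PHYS_IF -p udp --sport 67 --dport 68 -j ACCEPT
# the physical uplink may carry nothing but the tunnel itself
iptables -A OUTPUT -o $PHYS_IF -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
# inside the tunnel, DNS may only go to the VPN resolver (blocks ISP-resolver leaks)
iptables -A OUTPUT -o $TUN_IF -p udp --dport 53 ! -d $VPN_DNS -j DROP
iptables -A OUTPUT -o $TUN_IF -p tcp --dport 53 ! -d $VPN_DNS -j DROP
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
# no unsolicited inbound traffic over the tunnel: client isolation enforced on our side
iptables -A INPUT -i $TUN_IF -j DROP
EOF
}

# Print the rules when run directly (harmless; nothing is applied).
[ "${KILLSWITCH_QUIET:-}" ] || killswitch_rules
```

Because the OUTPUT policy is DROP and the only ACCEPT on the physical interface is the tunnel endpoint, a tunnel that drops or reconnects leaves the machine offline instead of silently falling back to the ISP, which is the failure mode the earlier comments describe. The `-d $VPN_SERVER` rule means a provider that publishes a hostname rather than a fixed address must be resolved before these rules are loaded.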
That's why you generally ignore online reviews.
Say for instance there are two VPN services. Both have 100,000 users. One makes $1,000 a year off of advertising, and the other makes $1,000,000 a year ($9/month). Now both are approached by a nefarious gentleman who offers them $20,000 a year to harvest their users' information. But every year there is a 25% chance people find out and your service is shut down.
Who takes the deal? Maybe the free guy, but very few people would risk a 1M/year revenue stream to make a little extra cash, but someone might risk a much smaller revenue stream for a comparatively bigger payoff.
How can you prove what the provider is using? People can lie.
I recently signed up for such a service, in order to get my Nintendo Switch online for multiplayer gaming. My home internet connection is sub-let from the landlord and could be considered semi-hostile -- not able to connect to peers on the Switch due to triple NAT, and I suspect some QoS throttling as well. The VPN solves my routing problems, but if anyone has a suggestion for another option here I'm all ears.
a) Install OpenVPN yourself (open source)
b) Download an OpenVPN profile from the VPN company
c) Configure OpenVPN with the profile
Specifically, you don't have to install any binary software from the company itself.
Re OpenVPN vs IKEv2/IPSec, this IVPN FAQ seems accurate. But then, I helped edit it, so I'm biased. Still, if anyone can point to inaccuracies, I'll recommend fixing them :) The major weakness is pre-shared IKE keys.
On the other hand, I get from IVPN that the IPSEC implementation in iOS is very secure.
For example: It's way easier for a client to install a mobileconfig on iOS that supports on-demand VPN than it is to have them download and configure OpenVPN. Fairly set and forget.
Rarely addressed: VPN CLIENT ISOLATION.
The majority of us sit behind a NAT'd address range provided by our physical router, thus isolating our machines via a hardware router / firewall from our ISP. When you connect via a VPN, you are not automatically isolated from other client-peers on that VPN and must implicitly trust the VPN provider has properly configured client isolation. You can do testing, like firing up Wireshark and listening for broadcast traffic or simply by trying to nmap other hosts on the network, however, whatever you find could change with a configuration setting at any time.
One way to further "secure" this would be to run the VPN client on a hardware router like pfSense (instead of directly on your laptop) and block all incoming connections on the vpn client tunnel interface?
A disadvantage of this method would be that the Wi-Fi signal from your laptop to the router is no longer secured by the VPN...
"Processing in hardware", meaning application-specific hardware acceleration, is not a plus in security-related things: it's not safer, it doesn't exist in most boxes, and it's often impossible to field upgrade when bugs are found. It's done to speed things up/lower cost at large scale, but that's irrelevant for consumer/small office gear.
I agree and am a big fan of host firewalls and host intrusion prevention systems, however, they must of course cover the VPN tunnel in their scope. In many cases they do not.
Recently the Federal Government sent out malware to certain persons of interest. That malware played a higher pitch sound than can be heard by the human ear. They were able to track that person and identify them because they heard the sound on the computer's microphone. TOR or VPN can stop this.
Some of the brightest minds of this generation are working on ad tech.
It appears to have happened already
My tinfoil hat is spinning!
Are they able to do this? Yes, for sure.
Are they willing to do this? For terrorists or mafia bosses, no doubt. For smaller fish? Maybe they can't be bothered. Or maybe they can.
I can no longer hear it. Still I can hear 1 kHz, so that's what's important.
You're saying that the persons of interest in this case were identified and targeted only based on an IP address and not based on some other aspect of their online activity?
That should be "... can not be heard ..." right?
Also, do you have a link with more details?
would both work, but your interpretation isn't correct.
I don't use a VPN to hide my identity from the websites I'm connecting to. I use a VPN to hide the websites I'm connecting to from my ISP.
Residential ISPs in the UK are supposed to log a bunch of internet stuff (not clear exactly what), which is then made available warrant-free to over 40 government departments, including for purposes obviously unrelated to "national security" (not that that would make it OK), e.g. HMRC and the Food Standards Agency.
Additionally, I use a DigitalOcean VM and run OpenVPN myself, I don't get a service from a VPN company.
I've been looking to do the same recently, do you use Digital Ocean Droplets? If so, how have you found the experience?
Or you can do it the easy way (but you won't learn as much) and run a bash script to configure everything automagically:
That said, always verify that the tunnel is operating correctly before assuming it is and taking off. I've found on more than one instance that the OpenVPN client was misconfigured and seemed to connect, yet my IP was still being reported as my ISP's.
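A small check of the kind the comment above recommends, added here as an example (not the commenter's own script): the tunnel counts as up only if the kernel's default route goes through the tunnel interface and the address the outside world reports is no longer the ISP-assigned one. The decision logic takes its inputs as arguments so it can be tested offline; the echo-IP URL in the usage comment is a placeholder, and the interface and address values are constructed.

```shell
#!/bin/sh
# Added example: decide whether an OpenVPN tunnel is really carrying traffic.
#
# tunnel_ok ROUTES ISP_IP OBSERVED_IP [TUN_IF]
#   ROUTES      text of `ip route show`
#   ISP_IP      public address recorded *before* connecting
#   OBSERVED_IP public address reported *after* connecting
#   TUN_IF      tunnel interface, default tun0
# Returns 0 when both checks pass, 1 otherwise, and prints the reason.
tunnel_ok() {
    routes=$1; isp_ip=$2; observed=$3; tun_if=${4:-tun0}

    # 1. Routing: OpenVPN's "redirect-gateway def1" installs 0.0.0.0/1 and
    #    128.0.0.0/1 via the tunnel rather than replacing "default", so accept
    #    either form. A client that "seemed to connect" but never pushed these
    #    routes is exactly the misconfiguration the comment describes.
    if ! printf '%s\n' "$routes" | grep -Eq "^(default|0\.0\.0\.0/1) .*dev $tun_if"; then
        echo "FAIL: no default route via $tun_if"
        return 1
    fi

    # 2. Exit address: if the world still sees the ISP address, traffic is not
    #    leaving through the tunnel even though routes look right.
    if [ "$observed" = "$isp_ip" ]; then
        echo "FAIL: public address $observed is still the ISP address"
        return 1
    fi

    echo "OK: default route via $tun_if, exit address $observed"
    return 0
}

# Live use (not exercised offline). Record the ISP address first, connect,
# wait for OpenVPN's "Initialization Sequence Completed", then:
#   ISP_IP=$(curl -s https://ip.example.invalid)      # placeholder echo-IP service
#   tunnel_ok "$(ip route show)" "$ISP_IP" "$(curl -s https://ip.example.invalid)" tun0
```

A passing result still says nothing about DNS: the resolver in use must also be one reached through the tunnel, which the routing check does not cover.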
I didn't use DO but an even cheaper host and set up VPN at router using DD-WRT.
Occasionally I have to turn it off at router as certain sites/ services recognize the datacenter IP but not all that often.
Main reason I set it up is I use a small local ISP and know the owners and no need to have them watching net traffic.
The settings on both ends have to match perfectly. Don't forget to set DNS for openVPN also.
I have a device through which I netflix on which I do not do other personal browsing.
Quite a shame though, but nothing netflix can do about that. :-(
No advertiser is going to come after your VPN provider asking for logs, and even if they did your VPN provider is going to tell them to get fucked anyway. Again, unless the advertiser in question happens to be the federal government and they have a subpoena or a warrant, no VPN provider is going to give you logs to help you associate a user, I have no idea why you would even think that.
If you don't want traffic from users on the VPN you are free to block them (Netflix does this) but nobody is going to give logs over to a random webmaster to help deanonymize users.
If you want to remove the VPN provider from the question entirely (many of them are on the shady side), you can use Algo to automatically deploy a Digital Ocean droplet or Linode instance to relay your connections for you. However this doesn't fundamentally change anything - if someone comes after you with a warrant or a subpoena, then Digital Ocean/Linode is going to give you up.
This is not exactly a difficult concept to understand so if you have asked this question repeatedly and still aren't satisfied with the answer, perhaps you should look inward.
They absolutely are for a huge number of people. Why do you think so many VPNs advertise the fact that they don't keep logs? I imagine far (_far_) more people use VPN services as a way to evade copyright holders than as a mechanism to avoid marketers (most people don't give two craps about the latter issue.)
BTW, was the snarky bit at the end really necessary?
Some VPNs imply this when they claim they don't keep logs on their users.
Isn't SSL supposed to do that? At most an ISP ought to only be able to sniff the domain.
Sell what exactly? The domains you visit, because with SSL that is all they know.
* Inability to send mail though a mail program
* Daily disconnections of VPN service
* Captchas and other verification/friction when using services (eg youtube, amazon etc)
* Some services may believe you are in a different country incorrectly, meaning you have to force them to use the right location, or be happy with it being wrong
* Some services will not work at all (for example purchasing through apple)
* Paid streaming services – like netflix, hbo go and amazon streaming will likely not work at all
* You may not be able to port tunnel traffic inside the VPN
And of course you have to trust the provider. For example PureVPN claims 'no logs' but it seems that isn't the case...
There is a lot of friction in using a VPN. Which makes the idea, often proposed by technical people that if you are worried about privacy - 'just get a VPN' either naive or disingenuous. That said even with the friction it is worth the cost and hassle IMHO.
In practice you have to have a way to flip on and off VPN on some machines/devices.
There is more discussion on this here...
(edit: fix formatting)
Even so, it's prudent to assume that your VPN provider logs, works with your adversaries, etc. Just like the Tor project assumes that any particular relay may be malicious. So Tor clients create three-relay circuits, to distribute the risk. And one can do the same with VPN services. I'm currently working through a nested VPN chain, using servers from multiple providers. I use pfSense VMs as VPN gateways, and workstation VMs. It's also easy to add Whonix to the mix, so I can use Tor through nested VPN chains.
If "Bob" wants to know who you are when you visit his website, he doesn't have any options to get that information. If "Bob" thinks you are violating his copyright rights, he can file a DMCA complaint against you. If "Bob" doesn't want people from Iceland to access his site, he can try to filter based on IP range.
VPNs do three things: 1. obscure your identity 2. obscure your location 3. prevent local inspection of your network traffic.
How effective that "obscurity" is depends on who wants to know and why.
This is usually due to the ec2/do instances being the cheapest or second cheapest with bad CPUs and overcrowding.
If you don't want Bob to identify you then yeah you need more than just VPN such as ad blockers, disabling cookies, and more.
2. oVPN.to is probably a good idea, as long as you are not based in China
3. Pay anonymously for the VPN. If it needs to be really secure, only access the VPN via TOR.
* Connection issues are really annoying. At home it is manageable, but reconnecting to a different wifi network with a phone introduces a delay that sometimes lasts minutes before it becomes functional again
* Some websites make you enter captchas in order to use them, probably due to VPN abuse by malicious users. Others outright block traffic to any detectable VPN traffic.
* It is slower in general, but the worst case slowness seems much worse and more common. Unavoidable really, you're introducing another potential point of failure.
* Useful LAN functions (like *.local domains) become non-functional
Is that true if you 1. disable the "force all DNS traffic over VPN" setting, but then 2. have a local resolver (e.g. dnsmasq) that resolves LAN domains but forwards all other traffic to a DNS server on an IP that will end up routed through the VPN?
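A dnsmasq configuration of the shape the question describes, added here as an example (not any commenter's setup): names under the LAN domain go to the home router, everything else goes to a resolver whose address is only routed through the tunnel. The domain, router address and VPN resolver are constructed placeholders; `upstream_for` mirrors the same policy in shell so the routing of a given name can be checked without running dnsmasq.

```shell
#!/bin/sh
# Added example: split-horizon DNS with dnsmasq for a VPN client.
# Constructed values; override via the environment.
LAN_DOMAIN=${LAN_DOMAIN:-local}        # suffix used for LAN hosts
LAN_DNS=${LAN_DNS:-192.168.1.1}        # home router, answers *.local
VPN_DNS=${VPN_DNS:-10.8.0.1}           # VPN resolver, reachable only via tun0

# split_dns_conf: print a drop-in for /etc/dnsmasq.d/
split_dns_conf() {
    cat <<EOF
# split DNS for VPN use (added example)
listen-address=127.0.0.1
bind-interfaces
# ignore /etc/resolv.conf; upstreams are only the ones listed here
no-resolv
# names under .$LAN_DOMAIN go to the LAN router and never enter the tunnel
server=/$LAN_DOMAIN/$LAN_DNS
# every other name goes to the VPN resolver (routed through the tunnel)
server=$VPN_DNS
# never forward bare host names, and answer RFC1918 reverse lookups locally
domain-needed
bogus-priv
EOF
}

# upstream_for NAME: which upstream the policy above sends NAME to
upstream_for() {
    case $1 in
        "$LAN_DOMAIN"|*."$LAN_DOMAIN") echo "$LAN_DNS" ;;
        *)                             echo "$VPN_DNS" ;;
    esac
}

# Usage: split_dns_conf > /etc/dnsmasq.d/split.conf && systemctl restart dnsmasq
# and point /etc/resolv.conf at 127.0.0.1 so all stub resolvers use dnsmasq.
```

Two things this does not cover. The OpenVPN client must not rewrite `/etc/resolv.conf` with the pushed resolver, or the split is bypassed; keep the pushed address routed via the tunnel but let dnsmasq be the only resolver the system talks to. And on Linux desktops `.local` is often handled by mDNS (nss-mdns/Avahi) before unicast DNS is consulted at all, so a LAN suffix other than `.local` avoids the ambiguity.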
Congress removed FCC regs. that would have prevented it. ISPs have been claiming both the regulation is unneeded but that they won't sell your data.
Here's arstechnica: https://arstechnica.com/information-technology/2017/03/how-i...
>It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?
I'm not sure how you made this jump. If the provider doesn't have logs, Bob can't find you. The end.
I figure my ISP is quite likely to sell my data and do other unfriendly things. But I figure they are quite unlikely to attack my traffic and do other illegal things.
1. They're blocking lots of torrent websites, using a VPN circumvents this
2. They're sending out letters to people saying "you're torrenting, stop". VPN stops this
3. Some ISPs throttle traffic to certain services and streaming sites, VPNs circumvent this
On the other hand, if your VPN operates in another country, some websites within your country may block you due to content licensing issues.
1) First VPN, that only my ISP and second VPN see: I choose one that's popular where I live, and commonly used for torrenting, and I have a torrent client up 24/7.
2) Second VPN, that only the first and third VPNs know about: I choose one that does business from a jurisdiction that isn't very friendly with my government and its friends.
3) Third VPN ...
4) Final exit VPN, that only the previous VPN and websites see: I choose one that doesn't attract too much attention. For Mirimir, that's IVPN, because I'm already so associated with it.
I've thought about doing it all in one OS, with iptables or pf to control routing. It'd be lots lighter, but more fragile.
If the VPN is malicious or self-hosted.
If the servers and the company headquarters are located in a country not part of the "14 Eyes", and most importantly, host a lot of other traffic that is not you, there is obfuscation, legal barriers, and plausible deniability that you did not do what "they" are claiming you did.
Every TCP connection is uniquely represented by (src ip, src port, dst ip, dst port). Bob can provide all four of these, and a timestamp, to the VPN provider. The VPN provider can then resolve that to a specific user if they are logging connections.
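The lookup the comment above describes, carried out over a constructed sample of what a logging provider's NAT table could retain; this is an added example, not any provider's real log format or code. It shows why the timestamp is part of the query (an exit port is reused by different accounts over time) and that with no retained mapping the same query yields nothing, which is the property a "no logs" claim is supposed to deliver.

```shell
#!/bin/sh
# Added example: resolve a (src ip, src port, dst ip, dst port, time) tuple
# against a provider-side NAT log. Constructed sample; fields are
#   epoch_seconds account tunnel_ip exit_ip exit_port dst_ip dst_port
NAT_LOG='1495000000 acct-1138 10.8.0.5 198.51.100.10 40001 203.0.113.50 443
1495000020 acct-2047 10.8.0.9 198.51.100.10 40002 203.0.113.50 443
1495003600 acct-3301 10.8.0.7 198.51.100.10 40001 203.0.113.50 443'

# lookup_user LOG EXIT_IP EXIT_PORT DST_IP DST_PORT EPOCH [WINDOW]
# Prints the account whose NAT mapping matches the 4-tuple and is closest in
# time to EPOCH within WINDOW seconds (default 300), or "no-match".
lookup_user() {
    printf '%s\n' "$1" | awk -v ip="$2" -v port="$3" -v dip="$4" -v dport="$5" \
                             -v t="$6" -v w="${7:-300}" '
        # only rows that match all four tuple fields are candidates
        $4 == ip && $5 == port && $6 == dip && $7 == dport {
            d = $1 - t; if (d < 0) d = -d
            # keep the candidate nearest in time, ignoring ones outside the window
            if (d <= w && (best == "" || d < bestd)) { best = $2; bestd = d }
        }
        END { print (best == "" ? "no-match" : best) }'
}

# Demonstration: same exit port, different times, different accounts.
lookup_user "$NAT_LOG" 198.51.100.10 40001 203.0.113.50 443 1495000005
lookup_user "$NAT_LOG" 198.51.100.10 40001 203.0.113.50 443 1495003590
# Nothing retained: the identical query resolves to nobody.
lookup_user "" 198.51.100.10 40001 203.0.113.50 443 1495000005
```

The window matters in both directions: too narrow and clock skew between the web server and the provider produces a false "no-match"; too wide and port reuse produces the wrong account. Either way the entire capability rests on the provider having kept the mapping at all.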
I believe there is the alternate option of setting up your own VPN.
Instead of using AWS, you could set it up on an additional router or on your PC/pi wherein you'd lose the advantage of anonymity amongst other users but your information is still encrypted to be acceptably safe.
Whether it's through negligence or ignorance or intentional lying, it's nearly impossible to not log user activity in some way.
And really, think about this: Even if you try really hard not to log, as a provider you're competing with thousands of forensic scientists who do nothing all day but figure out how to associate activity with the people who committed that activity.
And once a federal agency has identified your VPN traffic, every single thing you've done through that VPN provider is all wrapped up in one neat bundle for them to peruse.
What should you use if you're smart enough to come to HN for reading? SSH of course.
When it leaves that computer it's no longer encrypted.
It's not hard to look at unencrypted traffic leaving the computer you've SSH'd into and associate the traffic with the computer you've SSH'd in through.
And browsing the internet over a VPN is different... how, exactly?
That’s entirely not true. If you’d said “some”, you’d be right, but “most” is categorically incorrect.
Want to connect 2 LANs together and have full protocol binding and internal DNS support without mucking with 65535*N-nodes port forwardings?
Not to mention 'VPN' isn't a product...
So your entire notion of 'making money out of it' makes no sense.
as for commercial: OpenVPN is great, free, and fairly simple to use.
TCP/TCP is another point.. and a good one, yes.
These articles explain the concept, but it takes nothing but SSH & Linux (although it can work on macOS too with additional software):
I've seen it done before where it was fully transparent to both networks. This required the tunnel to be set up on the default gateway for both networks. Again, as mentioned before and you agreed to, this is not a solution I would ever want to see in production for a company I was at.
> which imho obviates OP's claim of SSH 'simplicity'/'ubiquity'
Which I agree, it isn't simple, but I was replying to someone saying it wasn't possible, not that it is easy to do.
And then I realize the question is actually about third-party VPN proxy services, which seem to be a substantially different use-case.
It's just a shame that the term "VPN" has become so ambiguous.
1. Add a VPN host to your home network, either as another role on your router/firewall or as a role on a host inside your network. For example, if you're running pfSense as your firewall, you can add an IPSec/L2TP or OpenVPN role to the pfSense host. Many hardware router/firewall devices have VPN host capabilities. You can start simple by defining users at the VPN host. Later you can use your home network's LDAP directory for users, but I personally didn't bother doing that.
2. Set up your laptop(s) and phone(s) to connect to that VPN. Disable "split tunneling" on the devices. If split tunneling is enabled, only traffic that is intended for your private network would be sent to the VPN. Disabling it requires that all traffic—even traffic destined for the public Internet—needs to be routed through the VPN host.
3. Connect to the VPN whenever you are outside of your home.
4. You can optionally assign a static private IP to each device so that when you're connected, all devices use known IP addresses that you can name using a local DNS server. This would allow you to, for example, reach your laptop by the name "laptop.yourdomain.org" (or whatever). I give all of my devices hostnames so that I don't need to remember their IP addresses.
5. The result is you have a personal "virtual private network" that facilitates private LAN-like communication between all of your devices. For example, I use this to access my personal file server from anywhere.
6. You can get even more sophisticated by setting up site-to-site VPN connectivity between your home network and a machine or network you run at a data-center. This allows you to, for example, reach not just your home file server but also manage your personal public-facing Internet services running at your data-center hosted machine or VM—from any of your devices.
This is where I’ve always got hung up. I’ve for a long time wanted a static URI for a machine at home (e.g. SSH, IRC bouncer, music files, etc.)
I assumed I’d have to use some kind of local host tunneling solution (like pagekite.io), which are either expensive or difficult to trust/rely-on, or register as a business to get a static IP.
However, the entire scenario relies on you having at least one static IP address for your firewall/VPN endpoint. You need to be able to reach that from anywhere on the public Internet.
I can even access my home automation system. Shoot, I have one installed at my mom's house and can monitor her furnace when she's on travel in the winter. Everyone would enjoy a personal VPN.
Once you have SSH access to home there are a number of ways to tunnel your traffic (on desktop platforms, not sure about mobile). Sshuttle works pretty nicely. You can also optionally just tunnel traffic for certain apps or browser profiles by using ssh -D (SOCKS5 proxy).
Most of the time what people think they need a VPN for, a VPN won't actually help them much. They have a narrow use-case in privacy contexts, in which case you're better off using Tor.
Here are some reasons I've used, and continue to use, VPN:
* When I am on a network that uses an idiotic blacklist to block certain types of content. The network might even be run by my employer and I might be accessing content that is necessary for my work, but there might be no way to appeal the idiotic blacklist.
* When I am on a network that INJECTS content into HTTP responses (a certain paid airline WIFI used to do this).
* When I am on a network that might allow other users on the network to snoop on / mess with my traffic.
* When I want to access services that I have paid to access but are only available to IP addresses in a specific geographic region, and I happen to be in another geographic region.
My general position is this: I don't trust my phone provider. At all. Just a week or so ago there was an HN post demonstrating how an ad provider can get your full name, cellphone plan details etc just by calling an API from a page rendered on your phone. But I also don't really have a choice - AT&T or Verizon or T-Mobile, they're all different flavors of the same crap.
Do I trust my VPN provider unequivocally? No. But I trust them a hell of a lot more than my phone provider, and they can't sell my personal info against my browsing history because they don't have it.
A VPN isn't the answer to everything, but nor is it useless.
What have they done to earn your trust?
Your VPN provider is just some random company. You went up to them. They're randomly selected (insofar as your choices are random) from the space of all VPN providers, and most providers aren't malicious.
Your ISP is, at least in the US, almost always a monopoly. They're self-selected: they went up to you.
So incompetence is a reason to not trust a provider as well.
The only positive point of trust a VPN provider has is that no-one has exposed them selling browsing data. Definitely not great, but also better than my phone company by default.
* My VPN provider has not done anything to lose that trust.
> Are VPNs truly private?
> Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?
Which is basically also saying you can't trust a commercial VPN provider. I suppose it does differ in that it says it's still an option, though.
My ISP choices are limited to two companies that are both terrible. A VPN is a nice way of limiting what they can do to you.
I think we can both agree that wasting your money on wishful thinking ("maybe provider doesn't log") instead of using free open-source privacy-by-design solutions is a bad idea.
The privacy-by-design solutions have their problems as well (ex: speed). It would be better to use them over VPN IF AND ONLY IF their features would be strictly equal.
As they are not, one simply calculates the expected value of both, taking into account the probability of the VPN actually logging the traffic (which should be low for VPNs with good reputation).
For some use cases, even a VPN that logs traffic would be a good idea. For instance in many countries if you download a torrent they will log your IP and try to identify you. IF you have a VPN, they won't even bother asking the provider the IP because it is just not worth it for something like that. If you were exchanging child porn on the other hand they will ask for it and take time to find you.
Not everybody needs the same guarantee of privacy or has the same risk if the privacy was to fail.
Your statement is the same as saying one should never invest in shares because the return is not known in advance, so you should just buy government bonds which are safe.
Consider the attacker: a service you've visited that has your "outermost visible" IP, and wants to know who you are. From their perspective, it doesn't matter if your ISP is willing to give information freely, because they don't know who your ISP is until they've already gotten the information from your VPN provider. Each layer prevents the layer below it from being attacked, until it is removed.
Yes, a state actor could just ask "every ISP at once" to look at their logs of OpenVPN-protocol traffic and identify the packets that match the ones that arrived at the service. But state actors aren't the usual attacker profile, and require entirely different strategies (e.g. getting human "proxies" to use Internet cafes for you.)
They run massive PR campaigns with carefully structured press releases designed to convince the kind of people they want to detain that TOR is private and safe for any kind of activity.
Because of this people tend to get swole when you suggest that TOR is not any good for protecting your privacy because lots and lots of people have been arrested, tried and convicted after trying to use it to hide illicit activities.
The US government has made millions of dollars of investment into TOR:
Pretty much every time the US government is investing in something you can be certain that their intention is not to help you out.
Please, find me a counter-example - because I haven't seen one.
Admittedly, one thing that has happened is that the authorities are able to target compromises in the Tor Browser specifically, rather than in a wider range of clients that non-Tor VPN users might use. But they're probably more vulnerable than the Tor Browser is anyway.
And that they'll follow the instructions that come with the TOR browser and assume that it's safe.
So when I say that TOR isn't safe, I mean that it isn't safe as it's presented.
Saying that TOR isn't safe if you know what you're doing is like selling someone a car with no seatbelts and then telling them well if you knew what you were doing you'd install seat belts yourself and then the car would be safe.
Sure. But it is no more dangerous to use Tor on its own than it is to use a VPN privacy service on its own. So your claim that the US Government is enticing people into using Tor to entrap them is nothing more than an unsubstantiated conspiracy theory. It would be easier for governments if criminals didn't use Tor.
You are of course correct. :)
The worst case scenario is not just that they're as bad as AT&T. The worst case scenario is that they're as bad as AT&T and still provide a false sense of security.
Even if you're diligent, other users with your (ISP, VPN) provider pairing might not be, and they could be harmed as a result.
The comments security nerds make here on HN aren't one-on-one individualized consulting (n.b. that's paid work in my field), they're general advice for the public to refer to.
> You are on a known-hostile network
is true for every network in the USA. You can be sure they are all being snooped on by 1. the ISP collecting traffic data for profit and 2. the gov. because they get it all anyways.
Source? And why would it be good enough when it has been shown time and time again that it's ineffective (example: DNT header)?
The internet is not designed for privacy, and privacy does not benefit the majority of commercial stakeholders of the internet. This is probably why most privacy solutions feel like shoving a square peg through a round hole. My personal feeling is that we should combat commercial bulk surveillance through legislative means.
No, at least now facebook may not know your exact location (especially if you use their onion service: https://www.facebookcorewwwi.onion/ ) and they can't track your activity outside of facebook. Of course, it doesn't solve - nor can any other anonymity system - the fact that you transmitted personally identifiable information with facebook.
> What are the benefits?
Because of its 3-hop design, a non global passive adversary (GPA) would need to control both your entry node and the exit node to de-anonymize one of your Tor circuits. In addition, Tor circuits generally last for 10min only. Also, using the Tor Browser you get stream isolation, meaning that you get different Tor circuits for different websites.
You can also set up your own non-exit node and connect to it to ensure that no single point in your Tor circuit controls both the entry node and the exit node.
That's not a benefit, that's a feature. A benefit involves a use-case. What does a person gain from not having their traffic de-anonymized? The described user is someone who doesn't have any particular activities they need to keep secret or risk jailtime. So, for them, what's an example of something that could happen differently in their real life if they used Tor vs. if they didn't?
(This wasn't a rhetorical question; there are such use-cases. I'm just commenting to prod you into zooming out a bit from "privacy is its own end" to thinking more about what regular people care about and how privacy helps them get it.)
Chrome sends a whole lot of data to Google (and possibly to their data-sharing partners) such as, at the least, what sites you visit and how long you are on each. When combined with Analytics, cookies, profiling and whatever G services you use, and the fact that Chrome is a program (not a site) connecting that all, you have pretty much lost any legitimate hope to privacy before you begin.
Using HTTPS Everywhere is a no-brainer, as at least the middle steps won't see the data. IMO, using a commercial VPN is just not that difficult and the speed is close to native, so it's a lot easier than TOR.
Or just be a nice happy good citizen in the normal world. What you do in other worlds should then not be mixed with the normal world.
> That isn't great privacy wise as it's still privacy by policy. The best way to torrent is to use i2p which - unlike Tor - encourages that activity. (Short tutorial: the default Java i2p bundle already comes with I2PSnark, a torrent client. To download a torrent, search through known i2p trackers such as the Postman Tracker: http://tracker2.postman.i2p )
What? i2p is a self-contained network and not really meant for clearnet browsing.
I'm trying to figure out why they made this. They can't really run ads without ending up like the founder of TPB.
Regardless, it doesn't seem unreasonable to expect people to know what a magnet link is. When all you need to do is download transmission and click on a magnet link, people are fine with that.
My point was that I2P can help them since it's (a) torrent friendly, (b) has a bundled Torrent client (I2PSnark), (c) there are many eepsite torrent trackers such as: http://tracker2.postman.i2p
Either of these options, depending on your preferences (protip: use Algo, unless you're in a place that blocks IPSEC VPNs...It's cheap enough to have both available). This at least covers the basics of what they're talking about being snooped in the post. Then you don't have to worry about trusting the VPN provider (but you do have to worry about trusting your cloud provider).
If your threat model is different, you might want to be in a pool of users, but you can use the same service and solve this problem socially...
..links to github repos...
You are blessed with technical skills and experience so this is trivial to you (and many people on HN), but there are tons of people out there for whom this is not a trivial task.
That won't give you any privacy as anyone who wants to de-anonymize its traffic can correlate the fact that you connect to it with your IP (asking the VPS provider for logs) and that you bought it (asking the VPS provider for your banking info).
Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service). Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).
It only solves it against a particular ISP.
> Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service).
I completely agree, that's why I always maintain that only privacy by design solutions should be relied on (Tor and i2p for example).
> Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).
But they know the IP, so that's still identifiable information.
Use of one doesn't exclude another.
I don't think that adds any privacy, setting up your own non-exit relay and connecting to it may significantly increase your privacy depending on your threat model (since then you can be sure that no single point in your Tor circuits controls both the entry node and exit node, and hence can't correlate your traffic. You're still vulnerable to a global passive adversary (GPA) of course).
I've been putting off setting one up for a while.
A lot of folks are doing their automated testing with AWS systems and blocking those IPs would likely cause a lot of people some headaches.
The DNS blackhole that Algo by default puts ad providers in causes me more problems than that, in all honesty, because occasionally I have to log into services like Hubspot that are blocked.
That's my guess at least.
No. Rights holders groups asked for it, and they said yes to increase their margins.
Whether the move increases Netflix or not - doesn't matter really. As long as they license someone else's content, they have to play by someone else's rules. If this play also increases Netflix's margins, so be it - all I care about is having access to movies.
I imagine that Netflix as a distribution platform may wield more power than you imagine.
Don't think they can ignore the VPNs without significant legal issues and potentially losing much of their content.
They block VPNs and other tools because their contracts with content providers say so.
4.3. You may view the Netflix content primarily within the country in which you have established your account and only in geographic locations where we offer our service and have licensed such content.
Don't get me wrong, requiring someone to disable a VPN to use the service is bollocks. But some services don't have much of an option. From what I understand Netflix is aggressively trying to obtain world-wide rights for their whole library, but until the old dog content producers get on board they'll have a rough time.
Correct me if I am wrong.
I've been paying pretty much all bitcoin invoices that way for several years.
Blockchain sleuths would never be able to tell if a bitcoin transaction was just an exchange shuffling coins or if someone like me was actually on a different and opaque blockchain.
That depends on the nature of the investigation. Say they bust an illegal website and now have their subscriber records. If your bitcoin transactions match those of a subscriber to the website, they have more than enough info to come after you. With the website transaction records in one hand, and the public blockchain in the other, it would be trivial for an investigator to get a reasonable idea of who you are and where you live. Unless you spin up new accounts for each and every transaction, and mine your own coins, the public blockchain means they can identify patterns and make connections.
(I won't quibble on the technical definitions of reasonable suspicion. Suffice to say any such match will be enough to get a warrant and turn your life inside out.)
so secondly the bitcoin transaction would have been executed by someone else, from a mixer. The mixer was instructed by my transaction to it from an opaque blockchain, as explained earlier. Your rebuttal implies you have never seen the differentiating features of Monero. It is a public blockchain, but transactions are not linked.
Say they shut down an illegal website that subscribers paid 25$ for every month. If they see that your account paid out 25$/month, but stopped doing so when the website shut, then that's strong enough evidence for a warrant regardless of the exact path of transactions. That can be done via the blockchain far more easily than trying to gain access to bank records.
Will you just try using Monero before you say another word?
First, your assumption relies on having a nexus currency of Bitcoin to begin with, when Monero could easily be the base currency someone maintains a balance in. Monero has USD markets and has many default countermeasures towards linkability.
Second, your assumption relies on just not seeming to know how Monero works.
Third, I want to clarify that I'd be open to rebuttals if they actually acknowledged technology that's been around since 2014, but you are making rebuttals about rudimentary bitcoin mixers from 2012 when that's not even what we are talking about.
Surprised this article does not mention Tor? Or has Tor been abandoned as a tool for privacy?
Encouraging people to use a VPN is much more likely to be effective
CiPHPerCoder provided a great link in this discussion that details a short list of a few reasons why VPNs are likely not what "regular people" who are concerned for privacy should be using.
That all being said, tools like Tor have become much easier to use with setups like Tails, which may have its own security issues, but I'll agree that regular users may not be capable of using Qubes with Whonix..... yet.
I think advocating for a VPN is actually harmful to the "regular user" not only in the fact it will not accomplish what they want, it will deepen their ignorance on how the internet works because they will think "it's encrypted" "so I am secure."
I do have some concerns that tor is a tool that needs to be improved upon greatly to truly accomplish its goals but I am not aware of any projects that are doing so. Re metadata, fingerprinting, developers inserting backdoors etc.
[edit:added concerns about tor]
I always try to tell people about Tor's limitations, which are considerable. (I wrote the content for the EFF graphic that was linked above, and one goal was to show people things that aren't hidden by Tor — for example you can see an NSA agent in the graphic performing some kind of correlation attack between source and destination by monitoring the network at multiple points. Of course, the source of data for this doesn't have to be fiber optic taps, so other entities that can get source and destination data can correlate them too.)
Tor is doing work on all of the things that you mention: metadata, fingerprinting, and developers inserting backdoors. One could wish for more work and that it had happened longer ago, but all of those are active areas of concern and research for the Tor project.
Thank you! I constantly share that link with people, I (and many others) appreciate your work!
I regret not going into software development, I wish those are projects I could contribute to, alas my closest work towards development is tinkering with linux etc .conf files to get home projects to work, which is not development at all.
I can testify that the ability to help people tinker with Linux configuration files is something that continues to be in great demand. :-)
I know many people who use Tor daily for regular browsing - myself included. Yes, it's slower than not using Tor but that's expected from the 3-hop design.
They are still useful for lumping your traffic in with others for copyright infringement. Torrent clients offer the files for sharing while downloading.
They are still useful for some simple geo evasion as well.
They aren't a solution for every security issue at all. Tor is generally better to run from open wifi from a tails USB rather than from a VPN.
Also, many VPNs actually log things they can provide to the FBI even though they lie and say they don't. They can get an NSL and end up having to without being able to tell you that they did. Sometimes an NSL canary is used, but not always.
Can you expand on that? I’m also on Verizon and feel like having a panic attack.
Also, the permacookie nonsense, and they are certainly data mining the crap out of everything you do.
Please feel free to correct me.
It takes a little bit of technical know-how (or bravery) to get started, but the setup process is dead-simple and you end up with a completely personal VPN with dozens of options that can work around a number of different situations. Best of all, it's entirely under your control. You can tear it down and start from scratch, or move to a new location or cloud provider easily. The docs are clear and easy to understand, and it's constantly being improved. It's a pretty remarkable project.
Now all I need to do is manually set up a shadowsocks server and I'll be sorted. But I'd rather tackle that manually than also have the extra stuff streisand bundles in.
Insanely easy to get running: plugged it in to my home router, and now I do all my remote browsing from my home network. I HIGHLY recommend it. I know it doesn't help with privacy, since you're using your home network, but I'm currently more concerned with WiFi hacks, pineapples, and the like.
Downside is that it basically only works per device. It doesn't run on any routers that I know, to get full coverage over your network traffic.
Or if Amazon provides one I'd use that for sure.
Both would help with ISP selling data to advertisers level snooping and open WiFi network insecurity issues though.
The arguments here often sound similar to "experts" that complain about 2 factor auth: Sure, it's not perfect and there are better solutions in some cases, but it's still better than nothing for a lot of people.
EDIT: another poster mentioned Algo. This method requires a high degree of savvy and entails a higher level of difficulty, but looks much more configurable.
Inconvenient and cumbersome at best.
Every VPN has an endpoint, and whether that endpoint is acceptable depends on your use case.
* Many VPNs use "split tunneling": To save bandwidth, they route https traffic through the hostile network interface
* Some don't route other protocols via the VPN, for example, IPv6 and even DNS are sometimes excluded.
* If the VPN connection drops
* When the VPN connection is out of sync with the device's network connection (e.g., after the computer boots and before the VPN starts, or after the VPN is disconnected and before the computer shuts down).
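The leaks listed above (split tunneling, untunneled DNS and IPv6, a dropped tunnel, and the gap before the client starts) are all closed by the same host-side control: a default-drop egress policy that only lets the VPN handshake leave the physical interface and everything else leave via the tunnel. The following nftables "kill switch" generator is an added example, not code from the thread or from any VPN project; the interface name, server address 203.0.113.10, port and in-tunnel resolver are constructed placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that prevents the leak paths above.
# Arguments (all assumptions, supplied by the caller):
#   $1 tunnel interface (tun0 / wg0)   $2 VPN server IP (constructed: 203.0.113.10)
#   $3 VPN server UDP port             $4 DNS resolver reachable only inside the tunnel
# Apply with:  gen_killswitch_rules tun0 203.0.113.10 1194 10.8.0.1 | nft -f -
# Pin the server IP in the VPN client config too: resolving its hostname before the
# tunnel is up is exactly the "out of sync" DNS leak, and this ruleset will drop it.

gen_killswitch_rules() {
    [ $# -eq 4 ] || { echo "usage: gen_killswitch_rules IFACE SERVER_IP PORT DNS" >&2; return 1; }
    tun_if=$1; vpn_ip=$2; vpn_port=$3; tun_dns=$4
    cat <<EOF
flush ruleset
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        # local traffic and replies on connections that were already permitted
        oifname "lo" accept
        ct state established,related accept
        # the physical interface still needs a DHCP lease to reach the VPN server
        udp sport 68 udp dport 67 accept
        # the only unencapsulated traffic allowed out: the VPN handshake itself
        ip daddr $vpn_ip udp dport $vpn_port accept
        # DNS is permitted only to the resolver inside the tunnel, never to the LAN/ISP
        oifname "$tun_if" ip daddr $tun_dns udp dport 53 accept
        oifname "$tun_if" ip daddr $tun_dns tcp dport 53 accept
        udp dport 53 drop
        tcp dport 53 drop
        # most clients do not tunnel IPv6, so any IPv6 would bypass the VPN: block it
        meta nfproto ipv6 drop
        # everything else must use the tunnel; if the tunnel is down nothing leaves
        oifname "$tun_if" accept
    }
}
EOF
}
```

Because the policy is `drop` rather than a route, a dropped tunnel or a client that has not started yet leaves the host silent instead of falling back to the ISP path.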
If you think you need a VPN, you probably need a good VPN protocol to go with it. Rather than using outdated legacy cruft like OpenVPN or IPsec, you might like WireGuard:
It's still in the early days, but the protocol is formally verified, the overall design has received academic review, the Linux implementation is maturing quite rapidly, and we'll soon have Mac and Windows clients available. Part of the WireGuard Protocol uses the Noise Protocol Framework from Trevor Perrin, of Signal Protocol fame.
It's Swiss based so I assume there would be a decent amount of round trip latency, but for sheer privacy it seems like a solid company that goes the extra mile by locating itself for legal purposes.
I have a paid account with Netflix/Hulu/HBO and I'd like to watch it when I'm travelling or when I'm working remotely from third world countries. That would be my sole use case. Can they stream without huge latency?
If I don't make any preference, it will connect me to a server in Canada. It's very fast, but a bit annoying because now I get all the Canadian search results in Google.
Is there any downside to using a VPN server in the same state or country that you are in?
BTW, I have been using AirVPN for a few days and really like it. Super minimal UI (which I like) and gets the job done. Also, I like that they accept Bitcoin as payment if you so choose.
I'm curious if anyone has any commentary on other providers worth looking into. BVPN is based in Hong Kong which has a strong history of pro-privacy AFAIK, and they claim to not even have the technical ability to keep logs of relevant info. Either way, I think I'd rather have some random Hong Kong company have my semi-anonymized info rather than my ISP.
(a) There's not much you can do with VPN that you can't do with SSH (actually I can't think of anything). And SSH is much more configurable.
(b) To avoid tracking of your browsing it is not a smart idea to pipe all your browsing through the servers of one VPN provider. A smart way would be to split up browsing streams, not to combine them.
I'm very sceptical about Mozilla writing such an ad page and trying to sell it as a reasonable technical blog post.
For most end-users, there is nothing they can reasonably do with ssh.
Everybody who is able to repair a bike though is also able to use SSH.
Access the internet, then smash the entire thing and throw it away and repeat.
I was just giving an extreme example for true anonymity now, something we just sort of had on the internet in the 90's.
Bitcoin can be tracked, use Zcash? Can't believe Mozilla got this wrong.
While the standard VPN pro/cons apply, if you have unpatched or unpatchable hardware it seems like a fairly compelling reason right now.
Exercise caution. Do your research.
> Are VPNs truly private?
Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?
Was it somehow unclear? Pretty clear to me at least.
I wish people would stop throwing this question at every headline that happens to have a question mark at the end of it. The headline here isn't clickbait, it's an attempt to answer a question that is pertinent to many.