Hacker News new | comments | show | ask | jobs | submit login
Do you need a VPN? (blog.mozilla.org)
969 points by thesumofall 4 months ago | hide | past | web | favorite | 479 comments

Grew up in China (moved to Australia since early 2008) where GFW is in place and getting overwhelmingly powerful, I've been through multiple stages to cross the `great wall`, SSH Dynamic Forwarding, PPTP, OpenVPN and now IPsec (strongSwan). The GFW has evolved so much (capable of massive scale MITM attack, DNS spoofing, traffic sniffing etc. you'll be amazed how capable the GFW is - of course courtesy of the team behind it) that it makes increasingly more difficult for people to access the real Internet.

I've ditched PPTP (not safe any more) and shifted to IPsec (IKEv2 + RSA with X509, IKEv1 + PSK + XAUTH) as it is being used by a lot of MNCs - can't killall. The GFW has developed technique to detect OpenVPN well and it is easily blocked so I don't use it at all. Over the past few years many home brewed protocols emerge - e.g. shadowsocks and variants and many others (I've never used any of them).

The best thing to do with VPN is that to understand the basics of the VPN solution of choice, try to install and configure from scratch on VPS and use that as your main protection (encapsulation) while using public Wi-Fi or untrusted network. There's been many good discussions on how to do this on HN.

NOTE: I am maintaining around 10 strongSwan powered IPsec VPN and 2 OpenVPN to help family members and close friends to access the real Internet (have to keep a low-profile though). Funny though, my networking skills evolved with GFW.

I was in China this year and found it surprising that it's as powerful as it is. Consequently, I also found out how powerful not having the entire internet is. The amount of information/sites I wasn't able to access due to it not being accessible at all; or "accessible" but never fully downloadable (i.e. javascript not able to download fully, other assets blocking actual content from being loaded) was staggering.

Coupled with the official cable TV service, which is amusingly abbreviated CCTV[1], and other state-controlled media, it's an eye-opening thing to see (more blatant) information control in action.

[1] https://en.wikipedia.org/wiki/China_Central_Television

> The amount of information/sites I wasn't able to access due to it not being accessible at all; or "accessible" but never fully downloadable (i.e. javascript not able to download fully, other assets blocking actual content from being loaded) was staggering.

Can you read Chinese? I ask because if not, the experience of people who can might be very different.

I'm completely against the censorship; I just wonder how effectively they implement it.

Not OP, but I suppose that people only reading Chinese in China won't notice this much, because most (all?) of what they find is inside the Great Firewall and thus under control (direct or indirect) of the Chinese government. But that's exactly as intended.

Because GFW (maybe accidentally) blocked quite a few CDNs, that influenced many other 'not-on-list' sites overseas to download their assets properly.

VPN and SSH or other public (detectable) protocols are goner for very long time now. I don't understand why you guys still trying to use it.

In China, you may need to use one (Or multiple) of following:

https://github.com/shadowsocks https://github.com/v2ray https://github.com/XX-net https://github.com/ginuerzh/gost

And +https://github.com/gfwlist/gfwlist for automatic proxy switch.

Those applications may require a dedicated server or VPS to run. Once you set it up, it will act like a relay between you and the host you want to access (So that server or VPS must located outside GFW's shadow. And you better set it up and get it well tested before you move to China).

If you don't want to setup a server all by yourself, you can use Lantern or Psiphon, but they are considered not safe as you don't have any control once data leaves your machine.

I personally use Shadowsocks + my own one made with Golang. Both of them works very good for me. Some people may had problem with Shadowsocks but cause of those problems remain a myth.

I was in China a couple months ago and ExpressVPN worked fine for me, are they actually using their own custom protocol?

ExpressVPN is the only one afaik that is allowed by the Chinese government. You can assume that it is actually not "private".

When I was in China last April, SSTP worked fine (though long-lived connections tend to become slower over time, and then need a few minutes of cool down before being usable again). Most Chinese people I met were using shadowsocks.

Many friends indicated Express was down almost an entire week surrounding the big meetings. Not as reliable as it once was. Or so they say

Doesn't matter if it's not "private" if you have certified encryption though, right?

I think his assertion is that as it is "allowed" by China's government that they somehow have access to the keys (or the VPN provider is keeping a buffer of the traffic and has an arrangement to provide it to relevant government agencies upon request).

I have no experience with ExpressVPN, so I can't help you with that.

But in a vlog I've watched on Youtube, the host of that vlog said "Over the last coupe of days, ALL the VPN is been very difficult to use". So, I guess that includes ExpressVPN.

Here is the video if you interested: https://www.youtube.com/watch?v=EuEdYvQmVFg (5:20)

Im in china at the moment using expressvpn (been using it for a year by now) and since about two weeks only three server locations work well (Hong Kong, Tokyo, Los Angeles). Some others work off an on. Before that most locations worked and some of them, Taiwan for example, used to be very fast. Its still usable for streaming and surfing but I'm afraid the end is near. I think sometime in the future one will have to go with shadow socks and or similar protocols/solutions but until then expressvpn is quite convenient (mobile client, router with expressvpn client).

Maybe. Vypr VPN has an own "Chameleon" protocol. Maybe Express has it's own

Hijacking the top comment to link to something I wrote recently.

As someone who owns and works and knows the ins and outs of an ISP and had the 'pleasure' to deal with many 3-word government organization, I can't help but feel that many people think privacy exist in some form and using VPN somehow makes you immune.

Please learn to understand double-speak. If the FBI says they are having a hard time cracking smart-phones or some kind of encryption, understand that they actually want you to use that security because they have figured out how to get around it.

I may sound like an alarmist, but it isn't intentional - because the government is much much more powerful in terms of resources they can throw at a problem - if they can't crack something they will find a way to intimidate someone to install a backdoor for them while completely denying it in public. This happens ALL the time. Most of us just don't know about it.


"Please learn to understand double-speak. If the FBI says they are having a hard time cracking smart-phones or some kind of encryption, understand that they actually want you to use that security because they have figured out how to get around it."

Do you have any evidence, or is this just speculation? I can buy that governments have access to zero-day exploits; I don't buy that every form of encryption they complain about has been secretly been broken.

Infosec 101: if it truly is a problem for you, you don't tell anyone.

I just went to Shanghai, bought a local SIM card and installed any VPN app from the App Store on my phone (I used "HexaTech"). Had no problems at all with it, even with the free tier. I was kind of surprised how easy it was to get through the GFW

Being in China now, I can say that just because it works doesn't mean that it's great. I think the government has demonstrated multiple times that they can block and throttle VPN connections at the flick of a switch. If one works, it's because of the government's mercy, not because of some circumvention team's ingenuity. That's my final conclusion. Yes, new methods might break through those times the switch gets turned on to block, but those new methods get blocked eventually too. It's an arms race where one side has near unlimited funding.

The most terrible fact about GFW is that it makes people forget they have a chance to access the other part of internet. Most netizens here don't even have a idea to cross it.

Remember that Chinese people who do it are subject to attracting negative government attention; they face much more risk, even it works.

The amount of censorship varies by province; I wouldn't be surprised if it is easier in Shanghai than in other parts of China.

I'm in Beijing. After ExpressVPN was down a friend of mine recommended to give a try for NordVPN as Astrill looks like China's government VPN which logs everything. And I was surprised - Nord works significantly and costs just over 3 bucks.

When I was in China for 6 months I just wrapped my OpenVPN in a regular TCP tunnel with stunnel https://www.stunnel.org/index.html

Was slow, but it worked.

I will be traveling to China in a couple of days and was ignorantly hoping my OpenVPN-based VPN would work.

Do you recommend that I set up strongSwan?

Another option is roaming on a foreign SIM card - this usually bypasses the GFW quite effectively; roaming is effectively a VPN back to the home provider, and there seems to be some whitelist for these roaming tunnels. The providers probably provide surveillance access to the Chinese govt, but you will not have trouble accessing Google and other blocked sites, and any VPN you like should work fine through a roaming SIM.

Whether you can find one with reasonable data rates in China is probably the main question.

Two that I have used with great success are Kyivstar from Ukraine and China Unicom HK (note it must be HK, not mainland China). Others may be listed at [0].

[0] http://prepaid-data-sim-card.wikia.com/

I can confirm that the foreign SIM card override works from my experience a couple of years ago.

My T-Mobile had free international roaming baked in at 2G speeds. Unlike the US however, most foreign carriers in developed Asian nations (China/Korea) don't support 2G fallback, so I had free 3G everywhere.

It was pretty much like using the American internet.

Try to change the default port 1194 to something else (e.g. 443) - this may not help as the GFW has the ability to detect OpenVPN specific traffic.

If it is only for yourself and traffic is very little, it may survive the period of your stay in China. Nobody I know in mainland runs OpenVPN any more so I cannot really prove that, sigh...

That trick no longer works at all, to my knowledge. The GFW is wise to it.

That's why Tor had to implement HTTPS-like fake traffic padding in its obfsproxy modules, which also need to keep evolving...

I used PIA with relative success. The caveats being:

1. DNS resolution may not work, so you'll need to find a way to resolve the domain name (i.e. hk.privateinternetaccess.com) to IPs for your config.

2. Even if you get an IP it may not work all the time. You will have to keep resolving the domain name for another IP (or maybe just look at all the DNS records?).

EDIT: I should mention I used PIA's PPTP (yes, it's discouraged but it worked for my purposes) and L2TP configurations just fine.

Set up Shadowsocks. (OpenVPN won't work regardless of port and choice of udp/tcp, unless you tunnel it through obfsproxy or similar.)

A few months ago, I went to Shanghai. Before going to China, I setup the Shadownsock on my server. My 4G network is roaming SIM card. I can surf on Google Map over my SIM card without any proxy or VPN. To prevent from sniffing, I always connect to the network via OpenVPN with non default port.

In hotel, the Wi-Fi network cannot connect to many sites. Sometimes, I can connect the Internet via OpenVPN, but, Shadowsocks is more stable.

Just use Psiphon or ShadowsocksR, you will be fine, don't use a cliche old VPN.

If your VPN server is used by many users it tends to be detected and blocked by GFW. In case you found managing shadowsocks servers cumbersome, you may want to check out https://foxshadowsocks.com They manage shadowsocks servers for you and allow you to move servers across regions (to get a new IP).

I still believe some of the loopholes are intentional left alone by the government.

With China being such a manufacturing powerhouse, I can imagine loopholes are essential to keep international business and trade in order.

International companies can apply for VPN which allows them to legally use one. They need to attest that it will be used for business purposes; this should sensibly part of the negotiation process when investing and establishing a presence.

I'm not sure about VPNs? As I understand, it's corporate lines to overseas that's allowed. That's what we use, we lease bandwidth on a major submarine cable that goes to California and sign a contract that says we won't be using it to break laws, and Vvv we tell our employees to only use it for work.

The data has to get from office to submarine cable, VPN is needed. When logging in from home, I need to select the end-point of the VPN, so I'm pretty sure it is a VPN. This is common with any country - connecting to the corporate network must be via VPN (unless the corporate is crazy and in violation of many laws disclosing customer data).

Nope, ISP gives us fiber that goes from our PoP in Shenzhen to Guangzhou to Hong Kong (roundabout way because they have no fiber direct from Shenzhen to Hong Kong), and somewhere down the line, it hooks up with the submarine cable. No VPN at all.

It is not encrypted?

If it is a loophole it is not legitimate. To keep business and trade IN ORDER it would be legal. I think some of the loopholes are “honeypot” just to capture potential intelligence.

Can you use SSH? If so, can you SSH tunnel?

Furthermore, if ExpressVPN is allowed, could you connect to that and inner-tunnel to your own VPN?

SSH Dynamic forwarding (ssh -D) to do application-level port forwarding and configure browser to use remote host to do DNS lookup was 1 of the earliest techniques to bypass the GFW and was countered by the GFW long time ago. The wall can easily detect non-administrative SSH traffic and block it. So I won't recommend using it, it is not reliable.

When evaluating a VPN service for trustworthiness, I always look at what their webpage loads in terms of tracking scripts.

Basically, if you offer me the service to protect my IP address and don't even have the decency to let me inform myself about your offering without handing over my IP address to Google et al., then I'm not using your service.

Unfortunately, VPN providers collectively don't seem to be aware of this presentation layer, so it's neigh impossible to find one which doesn't violate privacy here.

So far, I've found exactly two: azirevpn.com and airvpn.org

They load in Piwik, which I'm okay with.

These two providers also check a lot of other boxes for me, but yeah, it's still just two providers after hours of research, so if anyone knows any other VPN providers with privacy-respecting webpages, please do tell.

> I always look at what their webpage loads in terms of tracking scripts.

Note that this is also one of the criteria in the Vpn comparison chart: https://docs.google.com/spreadsheets/d/1L72gHJ5bTq0Djljz0P-N...

by https://thatoneprivacysite.net/

Which itself is hosted on Google Docs. Does not compute, does it?

I mean, sorry if I sound rude and thanks for trying to help, but yeah, I'm not clicking on that link.


Fully aware that I sounded like a dick there. I even apologized for it.

As for sorting out my threat vectors, I think you should sort out your threat vectors, if you don't consider the biggest data broker on the planet to be part of that.

But even if you yourself are entirely unaware of Google being a threat vector, I do think I made it abundantly clear in my initial comment that I don't want my IP address shared with Google, so then linking me to a Google webpage has got to either be a bad joke or so incredibly oblivious that I very much do think, it warrants a dick response.

First of all, your apology still made you sound like a dick. Secondly, enlighten me, what is the threat in reading an open spreadsheet on Google detailing pros and cons of different VPN vendors?

I don't know. Not a scooby.

What I know is that Google will store that data point indefinitely and will correlate it with a near-infinite number of other data points to generate conclusions about me. Whether those conclusions are right or wrong doesn't even matter.

They'll also make these data points and conclusions available to intelligence agencies around the world. Which might use it to damage me as part of the ongoing cyber war or if it's my own country's intelligence agency, then they might use it against me, in case I'm unpleasant for the reigning government.

I consider something safe when I know that it's safe, not when I don't know it to be unsafe.

It is the first time I have ever encounter a philosophy close to mine about this subject.

Check out my VPN service, DataBuster[0]. I made the VPN only for myself at the beginning but my friends requested the features and it became a viable product.

The only "tracking" I do on the main page is a passive analysis of Apache logs made with Piwik, so there is no visible JS tracking code or third-party tracker.

[0] https://databuster.net

That’s fantastic! My only suggestion would be to not require JavaScript for the page to load any text at all.

I’m interested in the technology behind the service; any details you can provide?

Yes, I provide some details in a blog article: https://stan.sh/posts/building-a-distributed-vpn-service

The underlying technology used is from Algo VPN, a well-acclaimed open source VPN solution. https://github.com/trailofbits/algo

Loyal customer of AIRvpn here. No complaints here

Been using it for about a year now and I am quite happy with it! Recommended it to a few friends, works great on Linux.

Why does this matter for anyone not doing something that would attract the attention of a government agency? If you're running illegal weapons, sure. But if you're just trying to connect to your company's server or prevent Comcast from seeing your search history, this shouldn't matter. It reminds me of the recent uproar over Facebook supposedly listening though the mic at all times. It sounds like a severe lack of appreciation for how much data we leak at any given moment.

What I mean is that just by reading this thread, we've all been added to whatever VPN user list the (insert bad guy name here) has set up. From there it's just simple data mining. One of the easiest ways to link user to VPN service might be through tracking scripts, but that's not specific to the VPN sites. Presumably your're researching which VPN and then reading more on specific VPNs as you narrow down your choice. Then you want to be "anonymous" so you search for bitcoin info. Then you suddenly stop searching for bitcoin and VPN info. So, you have the data from all those searches (specific breadcrumbs), the length of time searched (length of time correlated to how serious and educated you are about the topic), the time the searches stopped (correlated to VPN subscription start), your previous un-anonymized topics of interest that led to the search for VPNs, the exit nodes of the VPN you probably chose, etc. That's on top of all the physical variables - when you're likely to be awake, schedule of connections, location, etc.

I would argue that just having a tracking script on the VPN provider's website is a drop in the bucket, even from a legal perspective - it's better to have a preponderance of evidence. You're not giving 'them' any more information than they'd already need for a search warrant, which is the real danger threshold for this conversation.

It's conflating an annoyance with a threat.

ProtonVPN (same team as ProtonMail) appears to load no external trackers.

I'm itching to set one up as a side project...

Be cautious of the potential legal headaches, register it as a limited liability company, and host away from your place of residence (so police don't raid your home).

Even if you're entirely above board your users may not. Child porn, illegal substances, gambling, stalking/bullying, fake emergency calls, bomb threats, and so on. Your users are just waiting in the wings to place you into law enforcement's crosshairs.

If I opened a VPN I'd spend 10% on equipment and the other 90% on lawyers, fraud prevention, and liability insurance.

This is good advice. I had to deal with crap like this just from running a high traffic message board. Not OP, but I want to do this as a side project just for myself though.

IVPN loads only typekit.net in Linux/Firefox.

windscribe.com is another one.

Windscribe.com appears to be behind Cloudflare, which means that they allow a third party to MITM https connections to their site. I would not trust their service.

I always ask this on the VPN threads here, and don't feel like I get a solid answer (I'm not particularly well-versed on the topic so I'm genuinely curious and would love to be corrected).

If I go to Bob's website on my computer without any VPN, and Bob wants to find me, all he would need to do is get my IP, call my ISP with a warrant, and then get my information.

If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions. Then he calls the VPN company, and asks them to associate the IP and specific browser sessions with me. In that case a) the VPN really does store logs even though they advertise they don't, so they're able to associate me with my activity, or b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.

It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?

So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?

If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users? Wouldn't it be easier for Bob to call AWS with a warrant and get your account info than mess with some offshore VPN provider?

So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?

The downside in a nutshell: "Researchers recently tested 300 free VPN apps on Google Play and found that nearly 40 percent installed malware or malvertising on users’ machines."

"Bob" very likely doesn't know you even exist and doesn't care. The downside of VPNs is that many VPN hosting companies are even less trustworthy than "Bob" and do care who you are. An unscrupulous VPN provider can MitM your connections, harvest anything you give the VPN's app privilege to see (probably a lot), etc.

Step one of security is to understand the threat you want to defend against and make sure your defense against that is (a) adequate, (b) appropriate, and (c) not compromising you in other ways.

Well, never use free VPNs!

Also, don't choose a VPN based on some online review. Most of those are basically paid advertising. Either "pay if you want a good review" or "pay more for highter rank", or stuff by independent affiliates, who get paid for referrals.

Better, choose VPNs that have been recommended by consensus in relevant communities. Torrent users. Wilders. Me ;) And by the way, I do consult for IVPN, but my opinions are otherwise unbiased.

And then you have stuff like AV companies' VPNs for which you pay AND your data gets sold.

(Basically, all AV companies listed on stock market sell your data.)

well, I've suspected that. But can you point to evidence?

I wrote a post last summer for IVPN's blog. Bottom line, AhnLab and Emsisoft seemed to be the only commercial ones that don't share data.

AhnLab: “AhnLab will not collect any personal information other than [data collected during software use] and will not disclose such data to any third party.”

Emsisoft: “Any information we collect from you is only used by us to serve you better. Your information is never given to a third party.”

What is your opinion on PrivateInternetAccess?

They've been recommended by a lot because they recently backed up their claims of no logging (FBI asked them for data, and they couldn't provide it). You'll see that they are ranked pretty high on this list, where there are some breakdowns. They are pretty cheap and popular too. Popular helps by making associations more difficult. That is seeing a VPN server accessed page X and that you were accessing the VPN server at said time. A college student was connected to a bomb threat by this method, being he was the only one on campus to be using TOR at the time the bomb threat was made (from TOR). You'll be fine with any VPN that is relatively popular and doesn't do any tracking.

A relevant detail to that story is that he admitted his guilt under questioning. Had he continued to deny any involvement, they would not have been able to prove that he was sending the bomb threat, as it could have been from someone who wasn't on campus.

Very true. But there have been several instances of cases like this. And this thing doesn't matter if your VPN logs or not[+]. But what I was trying to point out is that these types of access collisions are important to understand. And why I don't think people should roll their own VPN.

[+] I'm not trying advocate crime here or advising how to avoid it. Just trying to bring to light a vulnerability.

> And why I don't think people should roll their own VPN.

People who are interested in not being identified probably shouldn't. But there are good security reasons to potentially do so.

Criminals are great examples, because their OPSEC failures are often detailed in court records, reported in the media, and discussed online. One of my articles on IVPN's website uses several such OPSEC failures (Silk Road, Sheep Marketplace, etc) as examples.

It's also worth noting that PIA supports several free software projects.

Or, to phrase it differently: PIA outright bought a great number of previously community-run projects, and is concentrating power.

Freenode and Snoonet, two major IRC networks, are now owned by them.

Enough. You do this on every mention of PIA and you have been told to stop or get banned [0]. I don't know why you are on this crusade when there is not even the slightest hint of wrongdoing [1] so please, easy on the conspiracy theories.

Disclaimer: Happy PIA customer.

[0] https://news.ycombinator.com/item?id=14911509

[1] https://news.ycombinator.com/item?id=14911915

It's not about conspiracy theories, but about concentration of power.

If control of PIA — for whatever reason, and be it that Andrew Lee dies and his heirs sell it, or that he can't finance it anymore, or that a three-letter agency forces him to — ends up in the wrong hands, then also all of Freenode and Snoonet end up under control of that entity.

It's not that I don't trust PIA, but that I fear that PIA itself may end up in the wrong hands.

And I'm not on a crusade against PIA — I won't complain about their donations without requirement to advertise in return to projects such as KDE, with a transparent funding process.

But I am on a crusade against centralizing any services, be it killing XMPP federation (thanks, Google), be it pushing a "secure" Messenger that is bound to a single social graph and server infrastructure controlled by one group in the US (thanks, Moxie), or be it a single compsny gaining significant control over several major IRC networks, clients, libraries, and over Matrix at the same time.

No matter the intentions, how good they may be.

Wow, what's going on there? :/ Case of sour grapes for that user?

My only beef is I thought PIA would be a kickass gig to work at. Alas, never heard back from my resume. They post in the monthly thread.

Still interested, if any of you PIA people are watching :D

(not the person you were responding to)

To be honest, my only problem with them is their customer service. And their phone app. My connection is half speed on my phone. :( They also have some strange problems with the linux app (which I wish they would open source). Otherwise I'm really happy with them.

Have you tried using a standard OpenVPN client (on your phone, on Linux, etc.) with PIA profiles?

I actually haven't. I will try later and report back. But I have a 60/30 connection (down/up) and am getting 26/5, after messing with settings (which strangely is using TCP instead of UDP). And yes, this is under 5G, and I've tried multiple servers.

As for the Linux side, their app just needed some better instructions on their site, and then works fine. So I'm not really upset on that, just had to argue with tech support for awhile to get transferred to somebody that knew what I was talking about.

Just discovered - you can get a 63% off a 2-year subscription in (presumably) the next 24 hours https://stacksocial.com/sales/private-internet-access-vpn-2-...

Ha ha ... that's an affiliate link ;)

Oops, sorry :(

Yes, and interestingly, the Freenode staff had previously disabled Tor access to the Freenode network for over a year or so because of "attacks" which they claimed they could not handle. This was a pretty flimsy excuse once I finally found someone that knew the technical details, and though I chased the "right" people down several times to ask why Tor access had not been enabled, I never got a good answer. Cue PIA taking over Freenode, and within a couple of weeks, Tor access to Freenode was once more enabled. I've been a happy PIA customer for some years now, but that left such a huge and positive impression on me. I'm not completely sure the two things are simply correlated, but after talking to all those Freenode staffers over the years about it, I can't imagine it wasn't pushed by PIA.

I was actually primarily talking about their donation to the Krita Foundation [1], but yeah, it's good to be aware of the above, even if thus far I haven't seen anything nefarious from them.

[1] - https://krita.org/en/item/krita-foundation-update

"A college student was connected to a bomb threat by this method"

This is why we can't have nice things...

I'd use them. They're among the least expensive. And they don't seem to retain logs or detailed access records, based on testimony to a US court. But that was about an exit in the US, where there's no legal requirement for VPNs to log. Where there are such legal requirements, maybe they (or any other VPN) would retain and produce logs.

When I checked in mid 2016, their custom Windows client leaked while the VPN was reconnecting after uplink interruption. But then, only six of the 29 VPNs that I tested didn't leak: AirVPN, FrootVPN, IVPN, Mullvad, Perfect Privacy and SlickVPN. Strangely, FrootVPN didn't leak using open-source OpenVPN, suggesting that they're doing something unusual at the networking level. PIA's OS X client didn't leak, however.

They do tend to oversell their servers, however. So you'll often get less throughput than with AirVPN, IVPN or Mullvad.

I've been very happy with PIA. It's cheap with minimal impact to my bandwidth. The concern is that, like all VPNs, we are trusting them not to keep logs. PIA claims that they proved in court that they do not keep logs because they provided no useful data to an FBI request. There's a debate over whether this proves they don't keep logs or not here:


Is this semantics? I am uncertain. I do think that it's in PIA's best commercial interests not to keep logs. It's the core of their business model. The moment a PIA customer's identity is revealed through them is the moment they lose all business.

I think they're good, but there are some downsides. Sometimes traffic can really slow down because they're _too_ big.

Another issue is, all their IPs are well known. When browsing while connected to them, you can run into a lot of issues: captchas, blocked sites, etc.

The other day I was accidentally connected and made a purchase. What a giant headache. My purchase was flagged and blocked and it took a lot of my time to call the company and get it cleared up.

A few weeks back I ran in to the same issue with accidentally making a purchase while connected to PIA. Mine was also flagged and I had to jump through several hoops to prove I made the purchase. It was a pain but I completely understand why that happened and I'm still very happy with PIA.

I will mention that while it doesn't magically fix slow speed issues, they have the ability to report a slow server through the app (on Windows, I can't attest to any others). You just right click the icon in the notification tray and click "Send Slow Speed Complaint." They do add more servers in areas that are overloaded.

I've used PrivateInternetAccess, they are trustworthy, but US based so count on them rolling on you if someone has a good reason to be interested in you.

Well, they apparently didn't roll for a US court, in a case involving harassment, as I recall. Would they roll for the NSA? How would they handle a NSL? I have no clue. Their founder has said that, although he lives in the US, none of their server admins do.

I don't use PIA, but one advantage of them is you can use a Starbucks or Target gift card to pay. Buy the gift card with cash then there is no trail.

>"Buy the gift card with cash then there is no trail."

Until it's important-enough for them to track down the card, figure out when it was bought, go over the security footage of who was buying at the time, extract footage of you buying it. They can then extract your face and match against a DB. Or perhaps see what car you enter into, and extract its license-plate.

Heck, even if they don't have that, they can ask the cell-phone companies to see which phone-numbers were connecting to the nearest tower during that period. That already narrows down the list to say, 1000 people?

We're almost there. All the technology is already in place, and the only thing stopping it from happening is consolidation.

I have been pleased with their service. It wasn't much hassle to set up, particularly. Was certainly a little trickier on my linux machine.

I find the speed has almost been completely acceptable. I have had only a handful of times where it seemed sluggish and bogged down.

I know there is a some question of whether they can truly be trusted? Do they truly not keep logs? And they are US based which are all things to consider. I weighed those factors against the customer reviews, price, and simplicity of their service, and I think my choice has served me well. Their rates are dirt cheap for what seems to be a reliable service.

Would you recommend IVPN?

Well, of course I would! They're one of the oldest. Except for the the first generation, anyway, such as Anonymizer (now basically owned by the CIA) and Cryptohippie (still very cool, but very expensive).

And they have great clients for Windows, OS X and iOS. I've found a few others that are just as leak-free.[0] However, the data there are old, and just about all VPN services have improved their clients. What's most relevant about the site is the testing protocol. There's more about that in an IVPN guide.[1]

I also recommend AirVPN, Mullvad and PIA. But not necessarily for their clients. I mean, IVPN doesn't have a custom Linux client. So in many cases, you need firewall rules. And you need to make sure that you're not using an ISP-assigned DNS server with the VPN.

0) https://vpntesting.info/

1) https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-lea...

The great thing about Mullvad is you can use OpenVPN instead of their client if you want. And those guys really know what they are doing.

Even better, with Mullvad you can now use WireGuard instead of OpenVPN, for considerably better performance and possibly better security. I've configured my EdgeRouter Lite to route all wifi traffic on my default home network through WireGuard for a couple of weeks and it has worked very well.


You can use open-source OpenVPN with any VPN service that offers OpenVPN connectivity. You can also use AirVPN's client Eddie, which has a pretty decent built-in firewall.

Just adding another vote for Mullvad. Tried a few others, have had the best luck with Mullvad (bandwidth, # of servers, rock-solid connection, etc.)

I use OpenVPN to connect to PIA both on my Linux machines and Android.

Same applies to IVPN, FWIW.

My VPN activities run on a old Windows box, and I did not want to trust the VPN clients to not fail and blast my data in the open for a day or two before I noticed. I ended up writing a SafeVPN Windows service that kills processes within 30 seconds of VPN failure.

I used PIA for a couple of years without issue, but then it went into some kind of decline for me, always driving network traffic to zero after a few hours. After changing hardware and reinstalling the OS with no effect, I finally tried AirVPN and things went back to normal. AirVPN is a bit more expensive, but their client is light years ahead of the PIA client.

It's better to use Windows Firewall, because blocking is virtually instant. Basically, you set LAN as a private network, and the VPN as a public network. For LAN, you allow connections only to the VPN server(s) that you use, plus a DNS server that's not associated with your ISP. You can also allow connections to other LAN devices, if you like. For the VPN, you allow all output, but only input for established connections.

Can you point to a writeup of how to do this?

The only step beyond this that I have seen is a recommendation to use OpenBSD as a firewall in a virtual machine.

No, sorry. I used to know a URL, but ... And most of your search hits will feature application-level blocking, which seems silly to me. Also, I don't use Windows much anymore. And I've forgotten the specifics.

But. It's basically what I described. For public VPN network, just use the default (all output, only established input). For private LAN, deny all output and input, and allow output to selected IP addresses (VPN and DNS servers).

Thanks for taking the time to reply. It seems like this would be worth a write-up!

Perhaps something like this can be scripted; if it becomes polished enough it could be recommended as a part of every VPN setup.

Interesting feature of Windows firewall, thanks. As the AirVPN client connects, it checks several hundred servers for the lightest load, so for that default behavior, I don't know which IPs to configure locally.

Well, the AirVPN client in Windows has its own firewall, which I didn't manage to make leak.

Various sites on the internet (e.g. Reddit, piracy sites, etc) will recommend either PIA and/or Torguard over anything else.

That's because PIA and Torguard are willing to outbid others to get that ranking :) Or so I've heard.

That's why you generally ignore online reviews.

Well my Torguard license is expiring soon. Who would you personally recommend instead?

AirVPN, IVPN, Mullvad or PIA. They've all been around for several years, and focus on privacy. And I've never heard anything bad about any of them. PIA is the least expensive, and IVPN costs the most. AirVPN and IVPN are probably the fastest. IVPN and Mullvad probably have the best technical expertise.

Or just DIY if you're just a regular Joe or Jane, it's quick, cheap, and easier than most assume.

I’m curious about your DIY solution and what that involves.

Algo is quite easy to install and run

Why do you think that just because a VPN isn't free, it won't ALSO sell you out on the other side?

Basically how much they have to lose.

Say for instance there are two vpn services. Both have a 100,000 users. One makes $1,000 a year off of advertising, and the other makes $1,000,000 a year($9/month). Now both are approached by a nefarious gentleman who offers them $20,000 a year to harvest their user's information. But every year there is a 25% chance people find out and your service is shut down.

Who takes the deal? Maybe the free guy, but very few people would risk a 1M/year revenue stream to make a little extra cash, but someone might risks a much smaller revenue stream for a comparatively bigger payoff.

That's not what was said. "Free VPNs are not to be trusted" does not imply "All paid VPNs can be trusted".

But to flip that around, what about adding payment into the mix has any bearing at all on the trustworthiness of a VPN provider?

Payment means there may be a viable business model other than sharing private information. Realistically I don't know how you can ever be sure, but I'd absolutely never trust a free VPN service.

It's not so much that they couldn't sell you out, but that if word got around that they had, it would be bad for business.

Everytime you turn around we heart of another free VPN selling data. How else do they stay in business.

Why not just use a trusted solution like openvpn and only use providers who provide openvpn servers? That immediately gets rid of one half of your problem; and as for the other half, vpn services that allow for connections via openvpn are likely to be more trustworthy. In addition, the vpn company can't MitM connections which are already on an encrypted channel outside of the vpn conneciton.

> use providers who provide openvpn servers

how can you prove what the provider is using? people can lie

This suggestion is intended to solve the "free VPN app installs malware" problem and not solve the "VPN provider who actually logs/is in league with govt/MPAA/etc" problem.

Indeed. Threat models are crucial here.

OpenVPN is a protocol. If the VPN provider supports it, you set it up in your own client that supports OpenVPN. Using a VPN provider that requires you use some proprietary app is madness.

I recently signed up for such a service, in order to get my Nintendo Switch online for multiplayer gaming. My home internet connections sub-let from the landlord and could be considered semi-hostile -- not able to connect to peers on the Switch due to triple NAT, and I suspect some QoS throttling as well. The VPN solves my routing problems, but if anyone has a suggestion for another option here I'm all ears.

It is irrelevant what software the provider is using as long as they use the openvpn protocol. This will be obvious to anyone who tries to connect using openvpn.

Can you explain further, how can you be sure things weren't aded to the software?

When you use a VPN service that supports openvpn, you:

a) Install OpenVPN yourself (open source)

b) Download an OpenVPN profile from the VPN company

c) Configure OpenVPN with the profile

Specifically, you don't have to install any binary software from the company itself.

To the client side or the server side? On the client side, you should download the code from a location you trust. On the server side, it is irrelevant if something is added to the software for the attack we are discussing.

You can use your own OpenVPN client.

Isn't openvpn kind of a hack and a IKEv2/IPSEC based strongswan solution to prefer?

It's arguably no more a "hack" than TLS is one. Right?

Re OpenVPN vs IKEv2/IPSec, this IVPN FAQ seems accurate.[0] But then, I helped edit it, so I'm biased. Still, if anyone can point to inaccuracies, I'll recommend fixing them :) The major weakness is pre-shared IKE keys.

On the other hand, I get from IVPN that the IPSEC implementation in iOS is very secure.

0) https://www.ivpn.net/knowledgebase/160/Is-using-L2TPorIPSec-...

Don't see why you're getting downvoted. From a user standpoint, IKEv2 doesn't require a secondary client and integrates with most major OS better.

For example: It's way easier for a client to install a mobileconfig to ios that supports on demand VPN than it is to have them download and configure openvpn. Fairly set and forget.

IKE is a nightmare to admin, only for Cisco level bureaucracies.

OpenVPN protocol is sorta weird (I wrote a clean room client and server impl). But IPSec stuff is such a pain to deal with that it is not worth it despite it having better OS integration.

>So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?

Rarely addressed: VPN CLIENT ISOLATION.

The majority of us sit behind a NAT'd address range provided by our physical router, thus isolating our machines via a hardware router / firewall from our ISP. When you connect via a VPN, you are not automatically isolated from other client-peers on that VPN and must implicitly trust the VPN provider has properly configured client isolation. You can do testing, like firing up Wireshark and listening for broadcast traffic or simply by trying to nmap other hosts on the network, however, whatever you find could change with a configuration setting at any time.

Exactly my thoughts;

One way to further "secure" this would be to run the VPN client on a hardware router like pfSense (instead of directly on your laptop) and block all incoming connections on the vpn client tunnel interface?

A disadvantage of this method would be that the WIFI signal from your Laptop to the router is no longer secured by the Vpn...

That's how I do VPN. I have my ISP connected router, then a DMZ network with my test servers & three routers: 1) guest, 2) main, 3) VPN. I then use a virtual LAN from (2) to (3) over a virtual interface on (2) to connect to (3) which is NAT'd. Honestly though, the whole advice of "get a VPN to be secure" is ridiculous because it can end up exposing you far more than what you were previously, especially if you are running a VPN client on a host that is running a media client / server like Plex, Kodi, WinAmp, iTunes (Bonjour), etc. If you are a developer and using The Fiddler, Charles Proxy, or the Burp Suite, then there's an easy route to the rest of your internal network. I know the first time I was on a VPN and saw someone on the VPN come through my interception proxy it freaked me out enough to instantly understand the dangers of VPN services.

It's more effective to block what you want on your host firewall and not rely on the the network to keep you safe.

"Processing in hardware", meaning application specific hardware acceleration, is a not a plus in security related things: it's not safer, and it doesn't exist in most boxes, and it's often impossible to field upgrade when bugs are found. It's done to speed things up/lower cost at large scale, but that's irrelevant for consumer/small office gear.

>It's more effective to block what you want on your host firewall and not rely on the the network to keep you safe.

I agree and am a big fan of host firewalls and host intrusion prevention systems, however, they must of course cover the VPN tunnel in their scope. In many cases they do not.

It is a configuration option, for sure. But I've never even heard of a VPN service that put multiple clients on the same subnet. It'd be a security nightmare. And I can't imagine what the advantage to the provider would be.

Another downside:

Recently the Federal Government sent out a malware to certain persona of interest. That malware played a higher pitch sound than can be heard by the human ear. They were able to track that person and identify them because they heard the sound on the computer's microphone. TOR or VPN can stop this.

Without a source to corroborate, the tinfoil hat factor is extremely high with this one

I slightly agree. However, these days it seems more and more that "thing elite spy agency does to track terrorist" is on about a 6 months to 1 year lead on "thing startup does to target ads."

Wouldn’t even surprise me if it was the other way around either.

Some of the brightest minds of this generation are working on ad tech.


Angelheaded hipsters burning for the ancient heavenly connection to the starry dynamo in the machinery of night, indeed.

Interesting thanks

Sorry here is the source:


It appears to have happened already

Wow, now 44.1kHz sound cards should be very desirable

> A team of researchers from the Brunswick Technical University in Germany discovered [234] Android apps that employ ultrasonic tracking beacons to track users and their nearby environment.


My tinfoil hat is spinning!

Ability and motive...

Are they able to do this? Yes, for sure.

Are they willing to this? For terrorists or maffia bosses, no doubt. For smaller fish? Maybe they can't be bothered. Or maybe they can.

Once it's productized, it's probably easy to reuse.

Technically, but maybe not bureaucratically.

Here is a source, but no „malware“ but ads, the line gets more and more blurry


I'm surprised a computer speaker has the frequency response to play an inaudible tone.

Tested my kids - they could hear an alleged 21khz tone out of laptop speakers. The actual level of the tone doesn't matter - it was above my level of hearing. Wasn't a double blind, but they told me when it started and stopped based on a bash script with random intervals.

I'm 20 but I can still hear 20 khz, albeit not very well.

I could when I was 20, did a proper hearing test when I joined my company. 15.625khz was very noticeable - I scoffed at the old timers who couldn't hear it.

I can no longer hear it. Still I can hear 1khz, so that's what's important.

Most wouldn’t, I’d imagine OP is referring to a mobile device, look at Androids dev docs they recommend sticking to 44.1khz, which we know does fail into the range of human hearing with its 22khz reproduction, albeit fewer people. I’d suspect the person being spied on would become suspicious upon many children they encounter and even more dogs fleeing from their direction.

If they were able to gain access to a person's microphone doesn't that mean they are already compromised?

> TOR or VPN can stop this.

You're saying that the persons of interest in this case were identified and targeted only based on an IP address and not based on some other aspect of their online activity?

Wasn't this how they caught the Silk Road guy? Ross Ulbricht? They played a loud noise from his computer in a public area, as I recall.

that is not how they caught him. They used a correlation attack. He was stupid and posted something using his personal email on stackoverflow about setting up tor website and processing bitcoin transactions. He then used a linked account to advertise silk road a few times. This made him a prime suspect. They followed him for weeks and watched that every time dread pirate roberts logged in and posted on silk road he was sitting in a cafe or library on his computer connected to a vpn. This was enough for them to get a search warrant and they found all the other evidence they needed to convict him on his laptop

Do you have a source for that? I've never heard it before.

Nevermind, they chatted with him, but that was to ensure that he was logged in to SR before grabbing his laptop in an unencrypted state, not to identify him: https://www.wired.co/2015/01/silk-road-trial-undercover-dhs-...

> That malware played a higher pitch sound than can be heard by the human ear.

That should be "... can not be heard ..." right?

Also, do you have a link with more details.

No, it's right as-is.

Ah I think I read the "higher" as "high" and misunderstood it.

That still doesn't really make sense. I think you misread "than" as "that".

"a higher sound than can be heard" or "played a sound, which cannot be heard due to its pitch"

would both work, but your interpretation isn't correct.

Not really an answer to any of the questions you asked, but I'll provide my perspective.

I don't use a VPN to hide my identity from the websites I'm connecting to. I use a VPN to hide the websites I'm connecting to from my ISP.

Residential ISPs in the UK are supposed to log a bunch of internet stuff (not clear exactly what), which is then made available warrant-free to over 40 government departments, including for purposes obviously unrelated to "national security" (not that that would make it OK), e.g. HMRC and the Food Standards Agency


Additionally, I use a DigitalOcean VM and run OpenVPN myself, I don't get a service from a VPN company.

> I use a DigitalOcean VM and run OpenVPN

I've been looking to do the same recently, do you use Digital Ocean Droplets? If so, how have you found the experience?

I've been using DO for my VPN needs and it's been a very good experience. You can start a 5$ Ubuntu droplet, which is more than enough to host OpenVPN, and then configure your VPN manually. Check here :


Or you can do it the easy way (but you won't learn as much) and run a bash script to configure everything automagically :


I just tried that but on my VPS the 'tun' device was not enabled and the automagic script died. Seems that is not easy to fix on a VPS depending on your provider. Thanks for the tip though.

Not the OP and I don't use DO specifically, but I've found using a VPS provider to be a more or less painless VPN experience. Providers like DO, OVH, and Vultr have scripts for easy one-click OpenVPN setup, or you can roll your own if you don't trust their scripts (though if that's the case maybe you don't trust the VPS provider at all...)

That said, always verify that the tunnel is operating correctly before assuming it is and taking off. I've found on more than one instance that the OpenVPN client was misconfigured and seemed to connect, yet my IP was still being reported as my ISP's.

I did notice the Vultr OpenVPN deploy has license restrictions of two clients.

I think that's an OpenVPN restriction, not a Vultr specific restriction. You have to pay for a commercial license if you want multiple connections with OpenVPN.

It's a bit trickier (and more time consuming) to set up than I initially imagined but not at all undoable. A lot of tutorials are bit out of date or conflicting so it wasn't quite as easy as just following a recipe.

I didn't use DO but an even cheaper host and set up VPN at router using DD-WRT.

Occasionally I have to turn it off at router as certain sites/ services recognize the datacenter IP but not all that often.

Main reason I set it up is I use a small local ISP and know the owners and no need to have them watching net traffic.

The settings on both ends have to match perfectly. Don't forget to set DNS for openVPN also.

Unfortunatly, you lose access to certain sites, like Netflix, who block cloud IP ranges.

NordVPN works mostly reliably with Netflix.

Add to that many shopping sites (Best Buy for instance), deal sites, ticket buying sites, hotel/airline sites, heck, even my state's offender tracking system blocks the handful of VPS services I've tried.

You lose those with any VPN provider I've tried.

airVPN has this problem, unfortunately.

I have a device through which I netflix on which I do not do other personal browsing.

Quite a shame though, but nothing netflix can do about that. :-(

They could use billing address or something else to establish your location instead of your ip.

VPNs aren't a defense against subpoenas or warrants, they're a defense against ISPs scraping your connections and selling them to advertisers.

No advertiser is going to come after your VPN provider asking for logs, and even if they did your VPN provider is going to tell them to get fucked anyway. Again, unless the advertiser in question happens to be the federal government and they have a subpoena or a warrant, no VPN provider is going to give you logs to help you associate a user, I have no idea why you would even think that.

If you don't want traffic from users on the VPN you are free to block them (Netflix does this) but nobody is going to give logs over to a random webmaster to help deanonymize users.

If you want to remove the VPN provider from the question entirely (many of them are on the shady side), you can use Algo to automatically deploy a Digital Ocean droplet or Linode instance to relay your connections for you. However this doesn't fundamentally change anything - if someone comes after you with a warrant or a subpoena, then Digital Ocean/Linode is going to give you up.


This is not exactly a difficult concept to understand so if you have asked this question repeatedly and still aren't satisfied with the answer, perhaps you should look inward.

>VPNs aren't a defense against subpoenas or warrants

They absolutely are for a huge number of people. Why do you think so many VPN's advertise the fact that they don't keep logs? I imagine far (_far_) more people use VPN services as a way to evade copyright holders than as a mechanism to avoid marketers (most people don't give two craps about the latter issue.)

BTW, was the snarky bit at the end really necessary?

> VPNs aren't a defense against subpoenas or warrants, they're a defense against ISPs scraping your connections and selling them to advertisers.

Some VPNs imply this when they claim they don't keep logs on their users.

> they're a defense against ISPs scraping your connections and selling them to advertisers.

isn't SSL supposed to do that? At most an ISP ought to only be able to sniff the domain.

> ISPs scraping your connections and selling them to advertisers.

Sell what exactly?, the domains you visit because with SSL that is all what they know.

There are lots of problems you see in practice which are not discussed often....

* Inability to send mail though a mail program

* Daily disconnections of VPN service

* Captchas and other verification/friction when using services (eg youtube, amazon etc)

* Some services may believe you are in a different country incorrectly, meaning you have to force them to use the right location, or be happy with it being wrong

* Some services will not work at all (for example purchasing through apple)

* Paid streaming services – like netflix, hbo go and amazon streaming will likely not work at all

* You may not be able to port tunnel traffic inside the VPN

And of course you have to trust the provider. For example PureVPN claims 'no logs' but it seems that isn't the case...


There is a lot of friction in using a VPN. Which makes the idea, often proposed by technical people that if you are worried about privacy - 'just get a VPN' either naive or disingenuous. That said even with the friction it is worth the cost and hassle IMHO.

In practice you have to have a way to flip on and off VPN on some machines/devices.

There is more discussion on this here...


(edit: fix formatting)

Sure, adversaries could pressure VPN providers for logs, account information, help tracing traffic, etc. So you pick VPN services that have been in business for several years, are well known and recommended in relevant communities, and have no history of giving up their customers. There's a recent relevant thread on Wilders: https://www.wilderssecurity.com/threads/purevpn-keeping-logs...

Even so, it's prudent to assume that your VPN provider logs, works with your adversaries, etc. Just like the Tor project assumes that any particular relay may be malicious. So Tor clients create three-relay circuits, to distribute the risk. And one can do the same with VPN services. I'm currently working through a nested VPN chain, using servers from multiple providers. I use pfSense VMs as VPN gateways, and workstation VMs. It's also easy to add Whonix to the mix, so I can use Tor through nested VPN chains.

You're assuming that private parties have the ability to get warrants or subpoenas to get information from your ISP. They do not.

If "Bob" wants to know who you are when you visit his website, he doesn't have any options to get that information. If "Bob" thinks you are violating his copyright rights, he can file a DMCA complaint against you. If "Bob" doesn't want people from Iceland to access his site, he can try to filter based on IP range.

VPNs do three things: 1. obscure your identity 2. obscure your location 3. prevent local inspection of your network traffic.

How effective that "obscurity" is depends on who wants to know and why.

Speed, in terms of bandwidth and latency. I consistently get slower speeds using a VPN. Granted, I'm using Google Fiber so I have symmetric gigabit, but there is a downside to it, depending on your use case.

I'm in the same boat as well. I'm not in the US but I do have symmetric gigabit as well. I've been using EC2/DO boxes to setup VPNs for me, but they hardly ever come close to my home speed.

This is usually due to the ec2/do instances being the cheapest or second cheapest with bad CPUs and overcrowding.

You're also only guaranteed gigabit speeds on the higher tier instances. I'd be interested in what you get using iperf3 between EC2 and your home connection.

Did you try HMA? I had amazing speed with them.

Tried them out yesterday and they give about 10% of my Internet speed on any server. So my 400 Mpbs connection slowed down to 40 Mbps, which is a pretty rough drop. And I haven't been able to find an OpenVPN connection that could handle more than that 40 Mbps.

No, I was using PIA, I might try them out though, thanks.

PIA is cool because it works seemlessly with your phone as well. It used to be you had to have some special access to get it to work with a provider like Verizon, but it works flawlessly now.

Was there any point to this comment other than humblebragging about your fiber connection?

It's a legitimate point to consider. I've set up my home router with Tomato by Shibby, which allows routing all traffic over a VPN link. I was finding the router couldn't keep up with a 50 Mbps link. Granted, these routers aren't designed with that use case in mind. But, running a VPN link all the time on mobile devices kills battery very quickly, so setting up the link on the router is preferable. Consequently, I don't route all traffic over the VPN, which is suboptimal.

I put a 2nd router behind my regular router and switch the gateway, on devices I want to use the VPN, to this 2nd router. Benefits: 1. allow devices to use non-vpn friendly sites 2. Keeps everyone on the same subnet so the VPN is not in the way for local file transfers. 3. main router not overburdened by VPN software

Tomato allows selective routing, both by destination and by device, so that's helpful. Your setup definitely avoids some of the overhead mine has. But, really, I'd just like the little ARM processor in my R7000 to be able to keep up so I can saturate my link. I'm not familiar with ARM's ISA all that much, but it seems an AES-NI equivalent would be really nice to have.

There's no catching him, he's behind 80 proxies.

VPNs protect you from snooping by 3rd parties on the way to Bob's site, such as your ISP, anyone on your network, or anyone on any of the intervening nodes between you and Bob's.

If you don't want Bob to identify you then yeah you need more than just VPN such as ad blockers, disabling cookies, and more.

Depends on what you mean by VPN but the let-me-bittorrent ones don't get you confidentiality (or integrity) to web sites you visit, past your immediate ISP.

1. VPN Overview https://thatoneprivacysite.net/

2. oVPN.to is probably a good idea, as long as you are not based in China

3. Pay anonymously for the VPN. If it need to be really secure, only access VPN via TOR.

I've been using one pretty consistently ever since the legislation passed allowing ISPs to sell your browsing history. I generally don't have any problems with it, but that isn't to say it is not problematic:

* Connection issues are really annoying. At home it is manageable, but reconnecting to a different wifi network with a phone introduces a delay that sometimes lasts minutes before it becomes functional again

* Some websites make you enter captchas in order to use them, probably due to VPN abuse by malicious users. Others outright block traffic to any detectable VPN traffic.

* It is slower in general, but the worst case slowness seems much worse and more common. Unavoidable really, you're introducing another potential point of failure.

* Useful LAN functions (like *.local domains) become non-functional

> Useful LAN functions (like .local domains) become non-functional

Is that true if you 1. disable the "force all DNS traffic over VPN" setting, but then 2. have a local resolver (e.g. dnsmasq) that resolves LAN domains but forwards all other traffic to a DNS server on an IP that will end up routed through the VPN?

I'm not sure if your methods would fix the issue but you can get around it if your router supports acting as a VPN client. After you configure the connection it becomes invisible to all your lan clients and you can use all of your local network goodies.

Do you happen to have a link to the legislation you mention?


Congress removed FCC regs. that would have prevented it. ISPs have been claiming both the regulation is unneeded but that they won't sell your data.

Googling this gives you lots of links: "isp sell browsing history"

Here's arstechnica: https://arstechnica.com/information-technology/2017/03/how-i...

>b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.

>It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?

I'm not sure how you made this jump. If the provider doesn't have logs, Bob can't find you. The end.

No-log providers can still very likely be compelled to start logging by a combination of the All Writs Act and NSLs.

I also couldn't understand his reasoning here, and I'm surprised you're the only one that pointed this out in this thread.

Is Bob a cop? Does he have probable cause that you were involved in criminal activity. I don't think you can just handwave "call my ISP with a warrant".

Chief on my mind would be the issue of trust. Your traffic is coming out of the VPN node unencrypted. They could snoop you, MITM you, basically anything. So, who do you trust more? Your ISP or a mysterious VPN service probably in Russia that you learned about yesterday?

I figure my ISP is quite likely to sell my data and do other unfriendly things. But I figure they are quite unlikely to attack my traffic and do other illegal things.

So I know of normal people using VPNs in the the UK for some or all of the reasons below:

1. They're blocking lots of torrent websites, using a VPN circumvents this

2. They're sending out letters to people saying "you're torrenting, stop". VPN stops this

3. Some ISPs throttle traffic to certain services and streaming sites, VPNs circumvent this

Think about it this way: What if your VPN operates in another country? It becomes an international issue if Bob wants your VPN to tell them who you are.

On the other hand, if your VPN operates in another country, some websites within your country may block you due to content licensing issues.

My favorite formula, in constructing nested VPN chains:

1) First VPN, that only my ISP and second VPN see: I choose one that's popular where I live, and commonly used for torrenting, and I have a torrent client up 24/7.

2) Second VPN, that only the first and third VPNs know about: I choose one that does business from a jurisdiction that isn't very friendly with my government and its friends.

3) Third VPN ...

4) Final exit VPN, that only the previous VPN and websites see: I choose one that doesn't attract too much attention. For Mirimir, that's IVPN, because I'm already so associated with it.

What is your favorite way to create VPN chains in Windows/Linux/OSX?

I mostly use VirtualBox, or VMware in Windows. pfSense VMs make great VPN gateways. VPN and pf setup are pretty easy with their webGUI. Debian VMs also make great VPN gateways, but setup is harder, and their disk footprint is greater.

I've thought about doing it all in one OS, with iptables or pf to control routing. It'd be lots lighter, but more fragile.

Another option, if you want more security against exploits, is Qubes. But the hardware requirements are far more restrictive, and the learning curve is steeper.

It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP

If the VPN is malicious or self-hosted.

If the servers and the company headquarters are located in a country not part of the "14 Eyes", and most importantly, host a lot of other traffic that is not you, there is obfuscation, legal barriers, and plausible deniability that you did not do what "they" are claiming you did.

> If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions.

Every TCP connection is uniquely represented by (src ip, src port, dst ip, dst port). Bob can provide all four of these, and a timestamp, to the VPN provider. The VPN provider can then resolve that to a specific user if they are logging connections.

in which case, if you can't trust 1 VPN, can't you jerry-rig a better VPN by daisy chaining several together, so that each VPN will have to be asked to sort through traffic?

Isn't that what TOR is all about?

You will sometimes face hassle authenticating with certain sites. Your VPN will trigger two-factor auth verification, or sometimes trigger an account lock-out or force password resets, etc.

Your VPN provider might not log. Or it might log and sell your internet activity. Of course, the same is true of your ISP, so you have to see who you trust more.

If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users

I believe there is the alternate option of setting up your own VPN .

Instead of using AWS, you could set it up on an additional router or on your PC/pi wherein you'd lose the advantage of anonymity amongst other users but your information is still encrypted to be acceptably safe.

Such a VPN that did keep logs would lose their entire business model if it broke that they kept logs - even if they kept logs (and why should they? That might always leak and kill their business) why should they help a third-party to them?

For me it’s not bob I don’t trust, it’s my ISP.

Verifiably VPN providers lie when they say they don't log:


Whether it's through negligence or ignorance or intentional lying, it's nearly impossible to not log user activity in some way.

And really, think about this: Even if you try really hard not to log, as a provider you're competing with thousands of forensic scientists who do nothing all day but figure out how to associate activity with the people who committed that activity.

And once a federal agency has identified your VPN traffic, every single thing you've done through that VPN provider is all wrapped up in one neat bundle for them to peruse.

Think of SSH as the secure networking swiss pocket knife but that it is free for everybody to use, learn and script with. Now think how someone could make money out of it. They can't. So they start creating an alternative, that is so complex and hard to understand, that no person alone can manage it, and even the best solutions are unreliable, expensive and corporate. This is something you can sell and argue well that you need a shitload of engineers to maintain. This is VPN.

What should you use if you're smart enough to come to HN for reading? SSH of course.

Do you mean you can use SSH for anonymous browsing? I genuinely don’t know how that works out, isn’t that just transfer the risk to the server you ssh into, so you end up having to trust the server? Do you have some links for reference?

SSH has a Socks compliant proxy built in. That said, you are right, you are basically shifting responsibility to the SSH server you are connecting to so you have to trust it the same way you would a VPN provider. As such, it’s essentially the exact same and so GP was clearly misguided.

You can provide the ssh server yourself. Which is not so hard. And security is something different than avoiding tracking. Avoiding tracking is very simply done by not using a centralized proxy which is maintained by someone else (like in VPN). When you are really under attack it's very different and in that case you couldn't trust VPN either. Even the VPN client would be a danger.

Though this can provide an extra level of defense against MITM, if you trust your personal connection to the internet less than the server's connection to the internet.

All SSH does is move your traffic to a different computer.

When it leaves that computer it's no longer encrypted.

It's not hard to look at unencrypted traffic leaving the computer you've SSH'd into and associate the traffic with the computer you've SSH'd in through.

> All SSH does is move your traffic to a different computer.

And browsing the internet over a VPN is different... how, exactly?

Not to mention incredibly limited IP support. You can forward a few specific ports, or use SOCKS, but that's about it.

Why is SOCKS limited? Just make whatever you want to send your traffic through proxy it through the SOCKS.

Indeed, ssh -D {port} is something I use heavily (to create a SOCKS5 connection to a remote server, effectively a VPN)

This assumes 'whatever you want to send traffic through' speaks SOCKS.. most things dont. Web yes, but not most other things.

> most things don’t

That’s entirely not true. If you’d said “some”, you’d be right, but “most” is categorically incorrect.

I guess you’ve never heard of TUN/TAP support in SSH?

Hm, do DNS queries go through an SSH tunnel?

Presumably so; when I've tried the SOCKS support built in to Firefox, I've noticed that sites that I have blackholed via my hosts file begin working again.

And VPN encrypts your traffic directly to Facebook? No. At some point it also leaves the VPN's network.

Umm. No.

Want to connect 2 lan's together and have full protocol binding and internal DNS support without mucking with 65535*N-nodes port forwardings?


not to mention 'vpn' isn't a product..

so your entire notion of 'making money out of it' makes no sense.

as for commercial: OpenVPN is great, free, and fairly simple to use.

While it’s not the right tool for the job, it is possible to connect two networks together using SSH as the secure transport. Many (most?) good network folks will recoil in horror though about tunneling TCP inside TCP.

Re Full network: How?, without additional software e.g. ppp+socat+ssh along with TUN/TAP or similar, or running a non standard SSH client/server and having various nonstandard utilities on both ends, which imho obviates OP's claim of SSH 'simplicity'/'ubiquity'..

TCP/TCP is another point.. and a good one, yes.

> Re Full network: How?

These articles explain the concept, but it takes nothing but SSH & Linux (albeit it can work on macOS too with additional software):




I've seen it done before where it was fully transparent to both networks. This required the tunnel to be setup on the default gateway for both networks. Again, as mentioned before and you agreed too, this is not a solution I would ever want to see in production for a company I was at.

> which imho obviates OP's claim of SSH 'simplicity'/'ubiquity'

Which I agree, it isn't simple, but I was replying to someone saying it wasn't possible, not that it is easy to do.

I wish that we had arrived at a different term for third-party VPN proxy services. I use VPN connectivity to my home network whenever I am on the road so that my traffic is encrypted over-the-air (Wifi) regardless of its protocol or destination. When I read, "Do you need a VPN?" I think "I love having a personal VPN to my home network that I use from everywhere. You might love it too!" I am evangelical about creating and using a personal virtual private network—that is, a "VPN" in the more traditional sense of the term.

And then I realize the question is actually about third-party VPN proxy services, which seem to be a substantially different use-case.

It's just a shame that the term "VPN" has become so ambiguous.

Would you mind sharing your tips for setting this up? I've been considering doing something similar for a little while now but am unsure how to get started.

Not to trivialize it, but the basic steps are:

1. Add a VPN host to your home network, either as another role on your router/firewall or as role on a host inside your network. For example, if you're running pfSense as your firewall, you can add an IPSec/L2TP or OpenVPN role to the pfSense host. Many hardware router/firewall devices have VPN host capabilities. You can start simple by defining users at the VPN host. Later you can use your home network's LDAP directory for users, but I personally didn't bother doing that.

2. Set up your laptop(s) and phone(s) to connect to that VPN. Disable "split tunneling" on the devices. If split tunneling is enabled, only traffic that is intended for your private network would be sent to the VPN. Disabling it requires that all traffic—even traffic destined for the public Internet—needs to be routed through the VPN host.

3. Connect to the VPN whenever you are outside of your home.

4. You can optionally assign a static private IP to each device so that when you're connected, all devices use known IP addresses that you can name using a local DNS server. This would allow you to, for example, reach your laptop by the name "laptop.yourdomain.org" (or whatever). I give all of my devices hostnames so that I don't need to remember their IP addresses.

5. The result is you have a personal "virtual private network" that facilitates private LAN-like communication between all of your devices. For example, I use this to access my personal file server from anywhere.

6. You can get even more sophisticated by setting up site-to-site VPN connectivity between your home network and a machine or network you run at a data-center. This allows you to, for example, reach not just your home file server but also manage your personal public-facing Internet services running at your data-center hosted machine or VM—from any of your devices.

> 4. You can optionally assign a static private IP to each device so that when you're connected, all devices use known IP addresses that you can name using a local DNS server.

This is where I’ve always got hung up. I’ve for a long time wanted a static URI for a machine at home (e.g. SSH, IRC bouncer, music files, etc.)

I assumed I’d have to use some kind of local host tunneling solution (like pagekite.io), which are either expensive or difficult to trust/rely-on, or register as a business to get a static IP.

Any tips?

I was speaking of assigning private static IPs to everything on your virtual private network, and then using a private DNS server. This allows you to reach your devices/hosts by name rather than their IP.

However, the entire scenario relies on you having at least one static IP address for your firewall/VPN endpoint. You need to be able to reach that from anywhere on the public Internet.

I think the easiest way is to get a router capable of running DDWRT or similar that has an OpenVPN server built in to it, flash your router, generate some keys, and hook in with all the OpenVPN clients on Windows, Linux, Android, iPhone, and MacOS. It's really not that bad. I use it all the time when I'm out of my house. I can browse knowing that no one between me and my home can know anything about what I'm doing. Of course, my ISP at home can see everything all the time.

I can even access my home automation system. Shoot, I have one installed at my mom's house and can monitor her furnace when she's on travel in the winter. Everyone would enjoy a personal VPN.


One low maintenance way of doing this would be to setup a SSH server at home (and configure your home NAT/Router to forward traffic to that machine)

Once you have SSH access to home there are a number of ways to tunnel your traffic (on desktop platforms, not sure about mobile). Sshuttle works pretty nice. You can also optionally just tunnel traffic for certain apps or browser profiles by using ssh -D (SOCKS5 proxy)

And those which work as browser extensions, aren't even VPN proxies, they're just plain HTTP[S] proxies.

I didn't realize there was much of a difference beyond a third-party hosting and maintaining the VPN or not.

Every time this sort of question comes up, I reflexively link people to this page: https://gist.github.com/joepie91/5a9909939e6ce7d09e29

Most of the time what people think they need a VPN for, a VPN won't actually help them much. They have a narrow use-case in privacy contexts, in which case you're better off using Tor.

The title of this should be "Don't expect VPN to magically protect your privacy," not "Don't use VPN services."

Here are some reasons I've used, and continue to use, VPN:

* When I am on a network that uses an idiotic blacklist to block certain types of content. The network might even be run by my employer and I might be accessing content that is necessary for my work, but there might be no way to appeal the idiotic blacklist.

* When I am on a network that INJECTS content into HTTP responses (a certain paid airline WIFI used to do this).

* When I am on a network that might allow other users on the network to snoop on / mess with my traffic.

* When I want to access services that I have paid to access but are only available to IP addresses in a specific geographic region, and I happen to be in another geographic region.


I used to be employed at a place that was so restrictive I couldn't even access asp.net (the website). I think it was something to do with it being in the cloud and looking like it was being hosted in the middle east. Most people probably don't know what it's like to work in a company with the extremely power hungry network admin that want someone coming to them for everything.

Three of your four points are explicitly addressed in there as reasons to use a vpn.

That github note doesn't really disagree with the article, which points out that you need to trust your VPN provider.

My general position is this: I don't trust my phone provider. At all. Just a week or so ago there was an HN post demonstrating how an ad provider can get your full name, cellphone plan details etc just by calling an API from a page rendered on your phone. But I also don't really have a choice - AT&T or Verizon or T-Mobile, they're all different flavors of the same crap.

Do I trust my VPN provider unequivocally? No. But I trust them a hell of a lot more than my phone provider, and they can't sell my personal info against my browsing history because they don't have it.

A VPN isn't the answer to everything, but nor is it useless.

Why do you trust your VPN provider more than your phone carrier?

What have they done to earn your trust?

It's a bit like how "stranger danger" isn't a thing kids get taught about anymore, because random strangers aren't risky if you go up to them, only if they come up to you. (Or, in more statistical terms: bad actors are a small proportion of the pool, but they have an incentive to self-select into interacting with you that good actors do not. If you just draw randomly from the pool, you won't get a bad actor. If you let the pool show the initiative, you'll get mostly bad actors.)

Your VPN provider is just some random company. You went up to them. They're randomly selected (insofar as your choices are random) from the space of all VPN providers, and most providers aren't malicious.

Your ISP is, at least in the US, almost always a monopoly. They're self-selected: they went up to you.

A VPN provider can tell you they're not logging your traffic because they think they aren't but really they are because there's a box somewhere that your traffic passes through that has logging enabled (for example -- and don't hyperfocus on the example, I know how you programmer types like to pick up the example and play ping pong with it for six hours).

So incompetence is a reason to not trust a provider as well.

Partially, at least, they don't need to earn my trust as much. They don't have my name, address, date of birth and social security number/credit data, like my phone company does.

The only positive point of trust a VPN provider has is that no-one has exposed them selling browsing data. Definitely not great, but also better than my phone company by default.

I suspect that in general there are two reasons.

* My VPN provider explicitly states that they do not collect user information or store logs of user activity. Unlike my ISP that has a No Privacy Policy.

* My VPN provider has not done anything to lose that trust.

So which is worse, your VPN provider telling you that they don't store logs of user activity and then very well doing it (as has been proven in multiple cases), or your cell provider telling you they're going to fuck you, then fucking you?

No, hold on. The two articles disagree very much. The one Scott just cited explains that you can't trust a commercial VPN provider.

The Mozilla post says:

> Are VPNs truly private?

> Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?

Which is basically also saying you can't trust a commercial VPN provider. I suppose it does differ in that it says it's still an option, though.

I trust most VPN services more than I trust my ISP. If what you are trying to do is avoid your ISP collecting your surfing data for advertisers, throttling Netflix traffic, or adding a super-cookie to headers, then a VPN might make sense.

My ISP choices are limited to two companies that are both terrible. A VPN is a nice way of limiting what they can do to you.

You don't get any additional privacy, the only way to really _guarantee_ that you get additional privacy is to use a solution that provides privacy by design rather than by policy.

I'm not looking for a guarantee. Probably getting additional privacy is good enough for me.

> I'm not looking for a guarantee. Probably getting additional privacy is good enough for me.

I think we can both agree that wasting your money on wishful thinking ("maybe provider doesn't log") instead of using free open-source privacy-by-design solutions is a bad idea.

I would certainly disagree with that.

The privacy-by-design solutions have their problems at well (ex: speed). It would be better to use them over VPN IF AND ONLY IF their features would be strictly equal.

As they are not, one simply calculates the expected value of both, taking into account the probability of the VPN actually logging the traffic (which should be low for VPNs with good reputation).

For some use cases, even a VPN that logs traffic would be a good idea. For instance in many countries if you download a torrent they will log your IP and try to identify you. IF you have a VPN, they won't even bother asking the provider the IP because it is just not worth it for something like that. If you were exchanging child porn on the other hand they will ask for it and take time to find you.

Not everybody needs the same guarantee of privacy or has the same risk if the privacy was to fail.

Your statement is the same as saying one should never invest in shares because the return is not known in advance, so you should just buy government bonds which are safe.

How do you not get any additional privacy?

As I mentioned using privacy by design solutions (Tor, i2p, ...)

Now you have to trust two ISPs: Yours and the VPN provider's.

You're thinking of these as Single Points of Failure, but they're not in parallel; they're in series.

Consider the attacker: a service you've visited that has your "outermost visible" IP, and wants to know who you are. From their perspective, it doesn't matter if your ISP is willing to give information freely, because they don't know who your ISP is until they've already gotten the information from your VPN provider. Each layer prevents the layer below it from being attacked, until it is removed.

Yes, a state actor could just ask "every ISP at once" to look at their logs of OpenVPN-protocol traffic and identify the packets that match the ones that arrived at the service. But state actors aren't the usual attacker profile, and require entirely different strategies (e.g. getting human "proxies" to use Internet cafes for you.)

Ignoring traffic analysis, you shouldn't have to trust your own ISP while using a VPN. Ignoring traffic analysis makes sense unless you're a high profile criminal, and it affects all low latency tools, including Tor.

Tor is basically a funnel into the DOJ and has been for quite some time:


They run massive PR campaigns with carefully structured press releases designed to convince the kind of people they want to detain that TOR is private and safe for any kind of activity.

Because of this people tend to get swole when you suggest that TOR is not any good for protecting your privacy because lots and lots of people have been arrested, tried and convicted after trying to use it to hide elicit activities.

The US government has made millions of dollars of investment into TOR:


Pretty much every time the US government is investing in something you can be certain that their intention is not to help you out.

AFAICT, in all current cases it isn't Tor itself that's been broken by the authorities. It's the client end that has been compromised; and in a way that isn't specific to Tor. Had these users been using a VPN without Tor, they could have been compromised in largely similar ways.

Please, find me a counter-example - because I haven't seen one.

Admittedly, one thing that has happened is that the authorities are able to target compromises in the Tor Browser specifically, rather than in a wider range of clients that non-Tor VPN users might use. But they're probably more vulnerable than the Tor Browser is anyway.

It's important to consider here that the average person using TOR is not a network administrator.

And that they'll follow the instructions that come with the TOR browser and assume that it's safe.

So when I say that TOR isn't safe, I mean that it isn't safe as it's presented.

Saying that TOR isn't safe if you know what you're doing is like selling someone a car with no seatbelts and then telling them well if you knew what you were doing you'd install seat belts yourself and then the car would be safe.

> So when I say that TOR isn't safe, I mean that it isn't safe as it's presented.

Sure. But it is no more dangerous to use Tor on its own than it is to use a VPN privacy service on its own. So your claim that the US Government is enticing people into using Tor to entrap them is nothing more than an unsubstantiated conspiracy theory. It would be easier for governments if criminals didn't use Tor.

Chrome is arguably more 'secure' than the ESR Firefox that the Tor Browser is running on. If you are realistically concerned about this type of targeted attack, you should probably be browsing with Chrome isolated inside of Qubes/Whonix.

I meant colloquially. If you're not using your VPN 24/7, you have to trust both at different times.

You are of course correct. :)

My ISP is AT&T. I don't think there's much the VPN provider or their ISP could do to make things worse for me. The worst case scenario is that they are as bad as AT&T and there's a non-zero chance they are better.

That's a shallow analysis.

The worst case scenario is not just that they're as bad as AT&T. The worst case scenario is that they're as bad as AT&T and still provide a false sense of security.

Even if you're diligent, other users with your (ISP, VPN) provider pairing might not be, and they could be harmed as a result.

The comments security nerds make here on HN aren't one-on-one individualized consulting (n.b. that's paid work in my field), they're general advice for the public to refer to.

If you are tunneling all traffic through your ISP, seems to me you aren't trusting them all that much.

I feel like this is dated, because in 2017 this:

> You are on a known-hostile network

is true for every network in the USA. You can be sure they ae all being snooped on by 1. the ISP collecting traffic data for profit and 2: the gov. because they get it all anyways.

I think the most popular use case is torrenting which a VPN will help.

That isn't great privacy wise as it's still privacy by policy. The best way to torrent is to use i2p which - unlike Tor - encourages that activity. (Short tuto: the default Java i2p bundle already comes with I2PSnark, a torrent client. To download a torrent, search through known i2p trackers such as the Postman Tracker: http://tracker2.postman.i2p )

The content owner could still request your information from the VPN provider and the VPN provider might provide it (even if they say they won't). I think the main benefit is that there are so many individuals torrenting copyrighted material that aren't using VPNs that it means you aren't the "low hanging fruit" so you're considered not worth the effort by the content owners.

Yes, but there is a big difference between "this provider might be lying about not storing traffic, and they also might give the data to someone" and "this ISP is 100% storing traffic and routinely gives that data to others."

Why base your privacy on wishful thinking ("provider is probably not lying") instead of using privacy by design solutions? (e.g. i2p for torrenting)

Because privacy by policy is good enough for almost everyone.

> Because privacy by policy is good enough for almost everyone.

Source? And why would it be good enough when it has been shown time and time again that it's ineffective (example: DNT header)?

If you want to torrent, turn one of the low end boxes into a seedbox rather than a VPN server.

Even then, setting up your torrent client to use a proxy is just as simple and effective.

For now, I am running my own VPN on Linode. The only real benefit of this is now my traffic is mixed with non-similar traffic. The hope is that this makes it less valuable to monitor the contents of my traffic. Of course, this just security through obscurity, and nothing more than a half measure.

The internet is not designed for privacy, and privacy does not benefit the majority of commercial stakeholders of the internet. This is probably why most privacy solutions feel like shoving a square peg through a round hole. My personal feeling is that we should combat commercial bulk surveillance through legislative means.

Your last paragraph ignores the existence of many privacy by design solutions such as Tor or i2p. Yeah, they can't protect against a global passive adversary - as any other low latency anonymity system in existence, but that's totally different from saying that there's no way to have privacy on the Internet.

Tor is a solution for specific use cases. It does not address privacy on the internet in a general way. For example, if I use tor to browse facebook, I am logged into facebook and still just as trackable as I would be if I wasnt using tor.

> Tor is a solution for specific use cases. It does not address privacy on the internet in a general way. For example, if I use tor to browse facebook, I am logged into facebook and still just as trackable as I would be if I wasnt using tor.

No, at least now facebook may not know your exact location (especially if you use their onion service: https://www.facebookcorewwwi.onion/ ) and they can't track your activity outside of facebook. Of course, it doesn't solve - nor can any other anonymity system - the fact that you transmitted personally identifiable information with facebook.

A confusing, content-less, arbitrary recommendation against Linode with no clear justification or reasoning given anywhere in the tweet stack is obligatory? I'm confused. Are there any actual reasons not to use them?

His "recommendation" stems from a DDoS incident, and possibly, a hack.


I'm fairly new to whole world of increased internet privacy, so I'm curious of the benefits of using a VPN or Tor. I'm not a political activist or engaging in illegal activity, I just want my personal data being passed around as little as possible (preferably by spending little to no money to do so). Is using Tor worth the effort? What are the benefits? Or do I simply use Chrome and resign to my fate like nearly everybody else?

> Is using Tor worth the effort?


> What are the benefits?

Because of its 3-hop design, a non global passive adversary (GPA) would need to control both your entry node and the exit node to de-anonymize one of your Tor circuits. In addition, Tor circuits generally last for 10min only. Also using the Tor Browser you get stream isolation meaning that you get different Tor circuits for different websites.

You can also setup your own non-exit node and connect to it to ensure that no single point in your Tor circuit controls both the entry node and the exit node.

> a non global passive adversary (GPA) would need to control both your entry node and the exit node to de-anonymize one of your Tor circuits

That's not a benefit, that's a feature. A benefit involves a use-case. What does a person gain from not having their traffic de-anonymized? The described user is someone who doesn't have any particular activities they need to keep secret or risk jailtime. So, for them, what's an example of something that could happen differently in their real life if they used Tor vs. if they didn't?

(This wasn't a rhetorical question; there are such use-cases. I'm just commenting to prod you into zooming out a bit from "privacy is its own end" to thinking more about what regular people care about and how privacy helps them get it.)

For starters, don't use Chrome.

Chrome sends a whole lot of data to Google (and possibly to their data-sharing partners) such as, at the least, what sites you visit and how long you are on each. When combined with Analytics, cookies, profiling and whatever G services you use, and the fact that Chrome is a program (not a site) connecting that all, you have pretty much lost any legitimate hope to privacy before you begin. Use HTTPS everywhere is a no-brainer, as at least the middle steps won't see the data. IMO, using a commercial VPN is just not that difficult and the speed is close to native, so its a lot easier than TOR.

Basically it comes down to this: What you don't want people to know, you don't tell them. So if you don't want personal data floating around everywhere, don't tell them personal data.

Or just be a nice happy good citizen in the normal world. What you do in other worlds should then not be mixed with the normal word.

Most people I know want a VPN to pirate stuff without consequences. So I'd say, Tor would not cut it.

Tor is emphatically not meant for piracy, especially BitTorrent.

As I mentioned in another comment about using VPN for torrents:

> That isn't great privacy wise as it's still privacy by policy. The best way to torrent is to use i2p which - unlike Tor - encourages that activity. (Short tuto: the default Java i2p bundle already comes with I2PSnark, a torrent client. To download a torrent, search through known i2p trackers such as the Postman Tracker: http://tracker2.postman.i2p )

Unless stremio and other pop corn time like can work transparently with i2p, it won't help.

> Unless stremio and other pop corn time like can work transparently with i2p, it won't help.

What? i2p is a self-contained network and not really meant for clearnet browsing.

You need to look up what stremio (https://www.strem.io/) is and understand the value proposal for the casual non tech saavy end user. This is the face of torrenting now. Not magnet links. People don't know what a URL is anymore, don't expect them to understand a classic torrent client or i2P.

Since we're talking about it: what's the value proposition in creating an illegal service for non tech savvy end users?

I'm trying to figure out why they made this. They can't really run ads without ending up like the founder of TPB.

Regardless, it doesn't seem unreasonable to expect people to know what a magnet link is. When all you need to do is download transmission and click on a magnet link, people are fine with that.

You mentioned stremio and I respectably pointed out that it's not going to work over i2p for reasons mentioned above. I don't even see why you're mentioning it when we're talking about privacy.

My whole point is that people use VPN for torrenting so Tor would not help and i2P neither. What are you talking about ? Did you read the first post ?

> My whole point is that people use VPN for torrenting so Tor would not help and i2P neither.

My point was that I2P can help them since it's (a) torrent friendly, (b) has a bundled Torrent client (I2PSnark), (c) there are many eepsite torrent trackers such as: http://tracker2.postman.i2p

But they use stremio which doesn't work with i2p.

I don't know why anyone advocates using a VPN provider when it's so trivial to set up your own VPN now.

https://github.com/trailofbits/algo https://github.com/Angristan/OpenVPN-install

Either of these options, depending on your preferences (protip: use Algo, unless you're in a place that blocks IPSEC VPNs...It's cheap enough to have both available). This at least covers the basics of what they're talking about being snooped in the post. Then you don't have to worry about trusting the VPN provider (but you do have to worry about trusting your cloud provider).

If your threat model is different, you might want to be in a pool of users, but you can use the same service and solve this problem socially...

> I don't know why anyone advocates using a VPN provider when it's so trivial to set up your own VPN now.

..links to github repos...

You are blessed with technical skills and experience so this is trivial to you (and many people on HN), but there are tons of people out there for whom this is not a trivial task.

Agreed - 99% of people don't know how to understand whats in a github repo.

If you can get through the steps to sign up and use a VPN service, you can likely get through these with a bit more time invested and a helping hand.

> I don't know why anyone advocates using a VPN provider when it's so trivial to set up your own VPN now.

That won't give you any privacy as anyone who wants to de-anonymize its traffic can correlate the fact that you connect to it with your IP (asking the VPS provider for logs) and that you bought it (asking the VPS provider for your banking info).

But that's not really the threat model described when people are talking about their ISP snooping on what they do. A private VPN solves exactly that problem.

Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service). Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).

> But that's not really the threat model described when people are talking about their ISP snooping on what they do. A private VPN solves exactly that problem.

It only solves it against a particular ISP.

> Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service).

I completely agree, that's why I always maintain that only privacy by design solutions should be relied on (Tor and i2p for example).

> Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).

But they know the IP, so that's still identifiable information.

You can combine Tor and a VPN though, though you'll want to rotate through VPNs to avoid timing attacks.

Use of one doesn't exclude another.

> You can combine Tor and a VPN though, though you'll want to rotate through VPNs to avoid timing attacks.

I don't think that adds any privacy, setting up your own non-exit relay and connecting to it may significantly increase your privacy depending on your threat model (since then you can be sure that no single point in your Tor circuits controls both the entry node and exit node, and hence can't correlate your traffic. You're still vulnerable to a global passive adversary (GPA) of course).

For anyone who uses OSX and DigitalOcean, easily deploy your own personal VPN server with DNS adblocking running on DigitalOcean: https://github.com/dan-v/dosxvpn.

I heard a ton of sites block traffic coming from the AWS IP range, do you know if that's true?

I've been putting off setting one up for a while.

There are a small handful of sites that treat me like a spammer and make me go through extra hoops to sign in, but I have not found what you said to be the case.

A lot of folks are doing their automated testing with AWS systems and blocking those IPs would likely cause a lot of people some headaches.

The DNS blackhole that Algo by-default puts ad providers in causes me more problems than that, in all honesty, because occasionally I have to log into service like Hubspot that are blocked.

There sorely needs to be a corollary to net-neutrality, where websites cannot discriminate users based on the choice of their ISP/vpn/tor/vps/cloud-provider. I find it absurd that websites are even allowed to display a banner with phrasing like, "We detect that you are using a vpn. Disable it to view this site." Netflix, the champion of net neutrality, is the biggest offender in this area.

I sort of agree, but I believe Netflix is legally obligated to do this due to licenses/copyright laws that they have. So they probably have to put in some legally defined amount of effort into combating people "cheating" or working around the regional licenses. Their hands are tied.

That's my guess at least.

They optionally sign contracts which contain geo-fencing clauses. There’s no law that says content must be geo fenced, and that suspicion of proxy use, for any purpose must result in denial of service.

There's no law, but then there's no content, which Netflix needs to serve their users. Netflix is a business, not an entity set up to fight Internet freedom.

So before Netflix introduced a VPN ban, Netflix didn’t exist? Same for Amazon, Apple, etc. etc.?

No. Rights holders groups asked for it, and they said yes to increase their margins.

Sure. And if they said "no" to rights holders, rights holders would pull the licenses.

Whether the move increases Netflix or not - doesn't matter really. As long as they license someone else's content, they have to play by someone else's rules. If this play also increases Netflix's margins, so be it - all I care about is having access to movies.

You have an awful lot of certainty about the positions of both parties in these contract negotiations. It seems more likely to me that Netflix would simply have to pay more. I’m sure Netflix could pay less in exchange for the IP and email addresses of people watching in real-time, too, but that doesn’t mean it’s either inevitable or desirable.

I imagine that Netflix as a distribution platform may wield more power than you imagine.

I guess we'll agree to disagree. I'm pretty sure we can safely say that neither of us was privy to the contract negotiations between Netflix and studios. :)

Netflix unfortunately is tied to draconian region-specific content distribution agreements with some of the biggest content producing/owning companies in the world.

Don’t think they can ignore the VPNs without significant legal issues and potentially losin much of their content.

What's even more annoying is Netflix treating things like tunnelbroker.net as VPN's. I'm really tired of my ISP's lack of proper IPv6 connectivity, I was using tunnelbroker for a while but got tired of fighting to get Netflix working correctly.

Netflix had to crack down on VPN usage recently as people use them to bypass geographic content restrictions. Any suggestions on alternative options they could pursue? (Aside from somehow getting global broadcasting rights on their whole library)

They didn't have to do anything. Netflix is a paid service. You are paying for a service, which you are entitled to get. What geo-drm-moon-phase recipe they cook up is their problem. As a consumer who pays, you should see either a) content from your billing address, or b) content from the IP address. Or any superset of the two; but NOT a banner asking you to disable your vpn.

Netflix would LOVE to provide their whole catalogue to their whole subscriber base. They'd be crazy not to. The more content they can offer, the better their service, the more subscribers they'll get.

They block VPN's and other tools because their contracts with content providers say so.

It even says it right in their terms of use

    4.3. You may view the Netflix content primarily within the country in which you have established your account and only in geographic locations where we offer our service and have licensed such content. 
Netflix is in the tough position of needing to know where you are -now-. VPN's mess with that.

Don't get me wrong, requiring someone to disable a VPN to use the service is bullocks. But some services don't have much of an option. From what I understand Netflix is aggressively trying to obtain world-wide rights for their whole library, but until the old dog content producers get on board they'll have a rough time.

Netflix charges different amounts in different countries, which is why your subscription is tied to a geo.

Would they not be able to tie the location to the account? If, say, they register as a US user, an ip change from US, to France caused by VPN would leave little issue.

Correct me if I am wrong.

You're right, technically, but incorrect legally, because if you don't VPN and instead hop a plane to France, they just streamed US content to France. No-go.

They could be implementing blocking at the title level instead of on the whole site - so with a VPN I can't watch geofenced content but I can watch House of Cards, for instance.

Nitpick: Bitcoin, being a system where the history of all transactions is publicly available, is hardly an "anonymous" system. It is an additional level of separation from other forms of payment tagged with your credentials, and you can achieve anonymity if using it carefully, but it can't be treated by an anonymous option by default.

It took me years to find a VPN that accepted Monero. But I've been paying for Bitcoin priced VPNs using Monero through a service like Shapeshift or Changelly or XMR.to

I've been paying pretty much all bitcoin invoices that way for several years.

Blockchain sleuths would never be able to tell if a bitcoin transaction was just an exchange shuffling coins or if someone like me was actually on a different and opaque blockchain.

>> Blockchain sleuths would never be able to tell if a bitcoin transaction was just an exchange shuffling coins or if someone like me was actually on a different and opaque blockchain.

That depends on the nature of the investigation. Say they bust an illegal website and now have their subscriber records. If your bitcoin transactions match those of a subscriber to the website, they have more than enough info to come after you. With the website transaction records in one hand, and the public blockchain in the other, it would be trivial for an investigator to get a reasonable idea of who you are and where you live. Unless you spin up new accounts for each and every transaction, and mine your own coins, the public blockchain means they can identify patterns and make connections.

(I won't quibble on the technical definitions of reasonable suspicion. Suffice to say any such match will be enough to get a warrant and turn your life inside out.)

yeah, so when you pay with cryptocurrency there is no real information about you, now this is just the first part, and if we stopped there, you would be correct. But many sites use the address data necessary for credit card transactions and append that to your user profile, but sites that accept cryptocurrency do not because it is not necessary to complete payment or distinguish users.

so secondly the bitcoin transaction would have been executed by someone else, from a mixer. The mixer was instructed by my transaction to it from an opaque blockchain, as explained earlier. Your rebuttal implies you have never seen the differentiating features of Monero. It is a public blockchain, but transactions are not linked.

The transactions are not overtly linked but some simple detective work can make connections. Seeing the same number of bitcoins exiting one account and, within reasonable time, appearing in another is suggestive. See that happen many times, such as some sort of subscription to a service, and you can put 2 and 2 together.

Say they shut down an illegal website that subscribers paid 25$ for every month. If they see that your account paid out 25$/month, but stopped doing so when the website shut, then that's strong enough evidence for a warrant regardless of the exact path of transactions. That can be done via the blockchain far more easily than trying to gain access to bank records.

> Seeing the same number of bitcoins exiting one account and, within reasonable time, appearing in another is suggestive.

Will you just try using Monero before you say another word?

First, your assumption relies on having a nexus currency of Bitcoin to begin with, when Monero could easily be the base currency someone maintains a balance in. Monero has USD markets and has many default countermeasures towards linkability.

Second, your assumption relies on just not seeming to know how Monero works.

Third, I want to clarify that I'd be open to rebuttals if they actually acknowledged technology thats been around since 2014, but you are making rebuttals about rudimentary bitcoin mixers from 2012 when thats not even what we are talking about.

I'm not sure what you mean. Monero is completely anonymous, and sending through XMR.to can't be traced back to anything. Law enforcement officials just know that that user account got a payment, the Bitcoin blockchain has nothing more for them.

Great link from the EFF describing tor and https [0] click on the grey 'tor' and 'https' links to see what information is collected where and what can be viewed.

surprised this article does not mention tor? or has tor been abandoned as a tool for privacy?

[0] https://www.eff.org/pages/tor-and-https

I think tor is simply too slow and complicated to advertise as a tool to "regular people"

Encouraging people to use a VPN is much more likely to be effective

There are reasons why a VPN is great but not for privacy. A VPN is currently allowing me to work remotely would be one of them.

CiPHPerCoder provided a great link[0] in this discussion [1] that details a short list of a few reasons why VPN's are likely not what "regular people" who are concerned for privacy should be using.

that all being said, tools like tor have become much easier to use with setups like tails [2] which may have its own security issues but I'll agree that regular users may not be capable of using Qubes with Whonix.....yet

I think advocating for a VPN is actually harmful to the "regular user" not only in the fact it will not accomplish what they want, it will deepen their ignorance on how the internet works because they will think "its encrypted" "so I am secure."

I do have some concerns that tor is a tool that needs to be improved upon greatly to truly accomplish its goals but I am not aware of any projects that are doing so. Re metadata, fingerprinting, developers inserting backdoors etc.

[0] https://gist.github.com/joepie91/5a9909939e6ce7d09e29 [1] https://news.ycombinator.com/item?id=15585974 [2] https://tails.boum.org/

[edit:added concerns about tor]

> I do have some concerns that tor is a tool that needs to be improved upon greatly to truly accomplish its goals but I am not aware of any projects that are doing so. Re metadata, fingerprinting, developers inserting backdoors etc.

I always try to tell people about Tor's limitations, which are considerable. (I wrote the content for the EFF graphic that was linked above, and one goal was to show people things that aren't hidden by Tor — for example you can see an NSA agent in the graphic performing some kind of correlation attack between source and destination by monitoring the network at multiple points. Of course, the source of data for this doesn't have to be fiber optic taps, so other entities that can get source and destination data can correlate them too.)

Tor is doing work on all of the things that you mention: metadata, fingerprinting, and developers inserting backdoors. One could wish for more work and that it had happened longer ago, but all of those are active areas of concern and research for the Tor project.

>I wrote the content for the EFF graphic that was linked above

Thank you! I constantly share that link with people, I (and many others) appreciate your work!

I regret not going into software development, I wish those are projects I could contribute to, alas my closest work towards development is tinkering with linux etc .conf files to get home projects to work, which is not development at all.

Since I spend a lot of time these days helping people on


I can testify that the ability to help people tinker with Linux configuration files is something that continues to be in great demand. :-)

Thanks! I'll begin lurking

(Just to be clear, I mean that Tor is doing work to prevent developers from inserting backdoors.)

> I think tor is simply too slow and complicated to advertise as a tool to "regular people"

I know many people who use Tor daily for regular browsing - myself included. Yes, it's slower than not using Tor but that's expected from the 3-hop design.

I'm on Verizon so I don't get to choose if I need one. I have to use one on my phone at least.

They are still useful for lumping your traffic in with others for copyright infringement. Torrent clients offer the files for sharing while downloading.

They are still useful for some simple geo evasion as well.

They aren't a solution for every security issue at all. Tor is generally better to run from open wifi from a tails USB rather than from a VPN.

Also, many VPNs actually log things they can provide to the FBI even though they lie and say they don't. They can get a NSL and end up having to without being able to tell you that they did. Sometimes a NSL canary is used, but not always.

> I'm on Verizon so I don't get to choose if I need one.

Can you expand on that? I’m also on Verizon and feel like having a panic attack.

They throttle youtube and netflix now, which broke youtube with my VR headgear. :(

Also, the permacookie nonsense, and they are certainly data mining the crap out of everything you do.

I believe you are referring to the "perma-cookie"? (directed to all the confused replies)

Please feel free to correct me.


I'm not sure what you mean by "I don't get to choose if I need one". Both Android and iOS natively support VPNs, and most corporate phones are set up to connect to the corporate network securely via VPN - on many US carriers.

I think chisleu meant that they consider Verizon to be so untrustworthy that not getting a VPN is really not a viable choice to make. So chisleu doesn't get to choose whether to use a VPN or not.

Oh, I think I understand now. "I have to use one on my phone"


I've set up my own VPN using Streisand [https://github.com/StreisandEffect/streisand] & Google Compute Engine (Micro Instance). When you create an account on Google's Cloud, you get $300 (or used to at least). This instance type is big enough to handle the few devices I connect to it, fairly speedily too.

Is it not feasible that a warrant to Google instantly reveals your identity?

Without a doubt! I'm not too concerned because I'm using it within the USA to access my email, HN, and various other common websites while on public wifi.

Yup, hosting illegal content via a cloud provider is a good way to have your account shut down.

How long does those $300 last you?

The micro instance is (eligible to be) free https://cloud.google.com/free/ so the $300 is an extra (expires after 12 months)

Thanks mtmail! I've yet to pay a dime. I won't mind doing so once it expires though.

I'm surprised no one has mentioned Streisand, an open-source project that takes most (not all) of the effort out of setting up low-cost individual VPNs for yourself and your friends and family on a number of popular cloud services:


It takes a little bit of technical know-how (or bravery) to get started, but the setup process is dead-simple and you end up with a completely personal VPN with dozens of options that can work around a number of different situations. Best of all, it's entirely under your control. You can tear it down and start from scratch, or move to a new location or cloud provider easily. The docs are clear and easy to understand, and it's constantly being improved. It's a pretty remarkable project.

My issue with Streisand is that it spins up a dozen different services, of which I would like 1-2. Indeed, I then stumbled across Algo [1], which cited this as one of the motivating reasons for existing. It does 50% of what I'm after in setting up an IPSec VPN and does it all whilst generating my mobileconfigs.

Now all I need to do is manually set up a shadowsocks server and I'll be sorted. But I'd rather tackle that manually than also have the extra stuff streisand bundles in.

[1]: https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-th...

When running the streisand script it will now prompt you if you want to customize the install, allowing you to selectively choose which VPN daemons you want to run.

Oh thank you, that's wonderful news! I'll definitely look in to that if I have any frustrations with configuring SS myself. Even if I use Streisand for the SS side and Algo for the IPSec side, that would be a reasonable solution.

I spend 40 bucks or so on a Raspberry Pi, then installed these:

http://www.pivpn.io/ https://pi-hole.net/

Insanely easy to get running: plugged it in to my home router, and now I do all my remote browsing from my home network. I HIGHLY recommend it. I know it doesn't help with privacy, since you're using your home network, but I'm currently more concerned with WiFi hacks, pineapples, and the like.

Duckduckgo recently included "How to Choose a Good VPN" in their privacy newsletter - https://spreadprivacy.com/how-to-choose-a-vpn/

Looks like DDG recommends TunnelBear[1]. Any one have an experience with them? I'm always a bit skittish on free VPNs.


Its a nice user-friendly app, works well on all my stuff. Using it on linux took a bit of manual setup, but their instructions worked. I'm a customer, and I would recommend it. I outsourced my trust in them to DDG. Hopefully they didn't steer me wrong there.

Downside is that it basically only works per device. It doesn't run on any routers that I know, to get full coverage over your network traffic.

From the number of YouTube channels that promote them, I expect they must have a strong affiliate program. Just a possible bias to keep in mind...

User-friendly, but blocks port 22, so if you need SSH and can't change the port, try something else.

It seems like a promo link which gives you 500mb per month for free. You have to pay for unlimited data.

I wish a trustworthy organization with a history of privacy advocacy, like EFF or Mozilla, would create a subscription VPN service. I'd sign up immediately and their reputation would command a significant price premium.

I'd hand cash to Mozilla if THEY provided a VPN service.

Or if Amazon provides one I'd use that for sure.

Definitely Mozilla but why Amazon? They operate with vastly different values systems.

Both would inevitablely have to log.

Both would help with ISP selling data to advertisers level snooping and open WiFi network insecurity issues though.

I don't look to it as a foolproof solution, but I do see it as a way to make things a little bit harder for someone that's trying to track me.

The arguments here often sound similar to "experts" that complain about 2 factor auth: Sure, it's not perfect and there are better solutions in some cases, but it's still better than nothing for a lot of people.

I typically don't trust VPN providers, so I set up my own on AWS with this CloudFormation script. [0] It is almost effortless, takes 10 minutes and I can spin it up or spin it down without paying for a subscription, only AWS metered costs.

EDIT: another poster mentioned Algo [1]. This method requires a high degree of savvy and entails a higher level of difficulty, but looks much more configurable.

[0] https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-pr...

[1] https://github.com/trailofbits/algo

How often do you find that your AWS IP is blocked, or that you need to bypass a captcha? I would think that AWS would be a major source of scrapers and other traffic that a site might not want and might choose to block. I know that Cloudflare offers to block "suspicious" traffic, which would seem likely to include traffic coming from an AWS server rather than an ISP.

Surprisingly not often at all for the sites of interest to me. YMMV of course.

That sounds like a lot of trouble to go to every time you want an anonymized browsing session.

Inconvenient and cumbersome at best.

Which, the first or the second option? The first one entails a one-time 10 minute setup and you can leave the AWS instance running if you don't mind incurring a small ongoing EC2 fee.

Does this protect you from a warrant to Amazon revealing your identity?

No but this is not a problem for me since my use-case is more avoiding MITM attacks and safely using public Wifis.

Every VPN has an endpoint, and whether that endpoint is acceptable depends on your use case.

Another issue to look for in selecting a VPN is leaks, where network packets travel through the 'hostile' interface and not the VPN. Leaks can happen many ways, if I understand correctly (I did some reading on it recently but not my own research):

* Many VPNs use "split-tunneling': To save bandwidth, they route https traffic through the hostile network interface

* Some don't route other protocols via the VPN, for example, IPv6 and even DNS are sometimes excluded.

* If the VPN connection drops

* When the VPN connection is out of sync with the device's network connection (e.g., after the computer boots and before the VPN starts, or after the VPN is disconnected and before the computer shuts down).

This is a plug for my stuff, but a relevant plug nonetheless:

If you think you need a VPN, you probably need a good VPN protocol to go with it. Rather than using outdated legacy cruft like OpenVPN or IPsec, you might like WireGuard:


It's still in the early days, but the protocol is formally verified, the overall design has received academic review, the Linux implementation is maturing quite rapidly, and we'll soon have Mac and Windows clients available. Part of the WireGuard Protocol uses the Noise Protocol Framework from Trevor Perrin, of Signal Protocol fame.

I used Wireguard to connect multi datacenter nodes in a Kubernetes cluster recently and I recommend it. It works very well and is very simple compared to other VPN technologies. Thanks for your work. :)

Nice to hear! I'm mailing out stickers -- https://lists.zx2c4.com/pipermail/wireguard/2017-May/001338.... -- if you'd like to slap some on your server hardware...

Thanks. Sent you an email.

useful resource on selecting a VPN provider: https://thatoneprivacysite.net/vpn-section/

I recently setup on ZorroVPN after going through that list. It's a little on the pricier side (BlackVPN is another one I was considering with similar pricing), but the performance has been pretty good so far. They don't have their own client so you don't have to worry much about them installing junk on your machine. You can use one of the open source clients out there.

I always wonder about ProtonVPN (the ProtonMail people).

It's Swiss based so I assume there would be a decent amount of round trip latency, but for sheer privacy it seems like a solid company that goes the extra mile by locating itself for legal purposes.


I am debating whether I should go with them or not, as well. They do seem solid, but I have not heard any people mentioning them.

I have a paid account with Netflix/Hulu/HBO and I'd like to watch it when I'm travelling or when I'm working remotely from third world countries. That would be my sole use case. Can they stream without huge latency?

Regarding speed, I've been using ProtonVPN for around 4 months and It's much faster than other VPN providers I've used (TorGuard and PIA). It doesn't work with Netflix as Netflix blocks most VPNs.

I can't watch Netflix through ProtonVPN.

ProtonVPN is my first and only VPN - occasionally there are connection issues. Speed is not superb as far as I can tell but sufficient for most use cases. I tend to stick with them. No idea if they are better or worse. I chose them b/c with regards to privacy they seem trustworthy.

All the "you don't get privacy from a VPN" talk misses the variable of who you want privacy from. If you don't care about e2e privacy, but want a simple way, without using Tor, to keep websites from knowing your real IP, then VPNs are great.

Does anyone have a preference on what server the VPN connects to? For example, I'm using AirVPN, and you can select specific countries that you would like to allow the VPN to use. From there it just goes out and connects to the "recommended" server.

If I don't make any preference, it will connect me to a server in Canada. It's very fast, but a bit annoying because now I get all the Canadian search results in Google.

Is there any downside to using a VPN server in the same state or country that you are in?

BTW, I have been using AirVPN for a few days and really like it. Super minimal UI (which I like) and gets the job done. Also, I like that they accept BitCoin as payment if you so choose.

I started using BlackVPN about a month ago because the highly personalized ads all around the web got extremely unnerving. Having accounts with FB/AMZN type services means they'll never go away completely, but it's better than nothing.

I'm curious if anyone has any commentary on other providers worth looking into. BVPN is based in Hong Kong which has a strong history of pro-privacy AFAIK, and they claim to not even have the technical ability to keep logs of relevant info. Either way, I think I'd rather have some random Hong Kong company have my semi-anonymized info rather than my ISP.

I recommend nordvpn. I have been using it for a while now with great success. It's easy, fast, and private. They don't log and their hq is in Panama, so it's much harder to to get info out of them.

This is a sales page, not a objective discussion.

(a) There's not much you can do with VPN that you can't do with SSH (actually I can't think of anything). And SSH is much more configurable.

(b) To avoid tracking of your browsing it is not a smart idea to pipe all your browsing through the servers of one VPN provider. A smart way would be to split up browsing streams, not to combine them.

I'm very sceptical about Mozilla writing such an ad page and trying to sell it as a reasonable technical blog post.

> There's not much you can do with VPN that you can't do with SSH

For most end-users, there is nothing they can reasonably do with ssh.

Every end user that can't use ssh can't use VPN either. It's only a lucky coincidence if it works for a few for a limited period of time. It's just that many VPN Clients come with a very limited set of configuration and debugging output which makes the average grandma more confident because she doesn't know all the shit that happens underneath.

Everybody who is able to repair a bike though is also able to use SSH.

I guess the future is a ten-pack of cheap netbooks, a linux live CD, and free public wi-fi.

Access the internet, then smash the entire thing and throw it away and repeat.

Randomizing your MAC Address and using a live CD would not be enough for most cases?

I wouldn't think so with fingerprinting, intel ME and individual processor IDs and such.

I was just giving an extreme example for true anonymity now, something we just sort of had on the internet in the 90's.

When I travel to asia (manila), I notice not so much that there is a GFW type firewall preventing the connections, but rather that alot of web sites are just firewalling all of APNIC netblocks. So many web sites, in fact, that the quickest solution for me is to setup squid proxy on an IP in the US and generally everything works flawless after that.

I didn't read the article but I want to say that the solution is not VPNs. We can end up being like North Korea where VPNs are forbidden. The solution is to have educated voters who do not vote to showmens like Erdoğan or Trump. https://youtu.be/fLJBzhcSWTk

Learned recently: Opera includes a VPN for free.

Edit: Opera includes a "gratis" VPN, but definitely not for free. Just read the Privacy Terms. And they keep logs.

Has anyone else had success with SoftEther? [0] I've used it for a VPS-based VPN but would like to know if it is GFW capable. Have been impressed with the code of that project.

[0]: https://www.softether.org

For those looking to self-host, https://cloudron.io/store/io.cloudron.openvpn.html works great. I have used algo in the past and that works well too.

Some citations and good feedback on exact details with potential caveats in using various providers.


Also there's a very good VPN comparision matrix from "That One Privacy Site" https://thatoneprivacysite.net/vpn-comparison-chart/

Yes. It's not a panacea, but why not if you can DIY in less than five minutes for $5/month? https://github.com/jenh/sevenminutevpn

Yes you need a VPN, no you shouldn’t trust anyone with it. Run your own. It’s easy and less expensive.


If you are in China, please read this article. https://eikochow.gitbooks.io/vpn/content/

I urge people to fight this politically as well. We know from China that most technologies can be blocked or legislated against. If you want a future with more freedom and privacy, fight this politically.

If you’re after ultimate privacy and security, look for a service that accepts payment from anonymous services like Bitcoin.

Bitcoin can be tracked, use zcash? . Can't believe mozilla got this wrong.

If you work for a company, organization, agency or nation state which drives people to use VPNs, please think for a minute about what you do and what you could do for users in the future.

Thank you.

Are we going back into time where we can draw parallels between internet access through an online portal like AOL and now when we are accessing our internet through a VPN?

Actually i think the lay users access the "internet" via facebook (aka the "modern equivalent of AOL")...while non-lay users use VPNs. ;-)

Anyone knows a good OpenVPN client for Android? I have used both OpenVPN Connect and OpenVPN for Android but both get disconnected at random times, leaving me exposed.

I use OpenVPN Client. It works really well and supports autoconnect (including at boot) so that you don't need to worry about disconnects. The pro version even supports TAP without root. You can find the free version here: https://play.google.com/store/apps/details?id=it.colucciweb....

Does it worth it to create your own VPN with OpenVPN? I mean, if I do that, would be better than a good VPN service? Considering security, features, etc...?

You know what should be easier? Being able to just run a docker image on a VPS like DO and instantly have a DIY VPN server that you can spin up on demand.

How about WPA2/KRACK?

While the standard VPN pro/cons apply, if you have unpatched or unpatchable hardware it seems like a fairly compelling reason right now.

Ad Networks use multiple mechanisms to identify you: cookies, browser fingerprinting. Hiding behind a VPN will not make you invisible.

Be careful, Mozilla. When you blog about VPN's as Mozilla, you write from a position of authority. VPN's are a notoriously minefield of shady providers and false promises. You do not want to recommend CyberGhost to your followers, the find out in six months when they show up in a court order that, oops, CyberGhost actually logs a ton of stuff that can be subpoenaed.

Exercise caution. Do your research.

Did you even read the article?

For instance:

> Are VPNs truly private? Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?

> There are many, many VPN providers, and Mozilla can’t recommend any specific service.

Was it somehow unclear? Pretty clear to me at least.

But then they go on to mention several providers by name, with links.

Look, if you see such an article from a authority the authority is well aware of what they do to their name. They've built this authority with hard labor over years. So the chance is far over >67% that they are trying to cash out.

What happens when ISPs decide you need a "business" subscription plan to use a VPN?

Is there any way in which a VPN is superior to Tor, except possibly speed?

You might suspect that your Tor nodes are being run by FBI, but trust your VPN more.

It would be great if Mozilla ran a VPN service. :)

Yes, I need it my email:1187503962@qq.com

Thank god this isn't one of websites that just says NO in 144pt font.

Does anyone know of a way to scrape the web anonymously?

Yes, I need it

Im in china at the moment using expressvpn (been using it for a year by now) and since about two weeks only three server locations work well (Hong Kong, Tokyo, Los Angeles). Some others work off an on. Before that most locations worked and some of them, Taiwan for example, used to be very fast. Its still usable for streaming and surfing but I'm afraid the end is near. I think sometime in the future one will have to go with shadow socks and or similar protocols/solutions but until then expressvpn is quite convenient (mobile client, router with expressvpn client).

Is this another candidate for Betteridge's law [0]?

[0] https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headline...


I wish people would stop throwing this question at every headline that happens to have a question mark at the end of it. The headline here isn't clickbait, it's an attempt to answer a question that is pertinent to many.

Applications are open for YC Summer 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact