I've ditched PPTP (not safe any more) and shifted to IPsec (IKEv2 + RSA with X509, IKEv1 + PSK + XAUTH) as it is being used by a lot of MNCs - can't killall. The GFW has developed techniques to detect OpenVPN well and it is easily blocked, so I don't use it at all. Over the past few years many home-brewed protocols have emerged - e.g. shadowsocks and variants and many others (I've never used any of them).
The best thing to do with a VPN is to understand the basics of the VPN solution of choice, try to install and configure it from scratch on a VPS and use that as your main protection (encapsulation) while using public Wi-Fi or an untrusted network. There have been many good discussions on how to do this on HN.
NOTE: I am maintaining around 10 strongSwan-powered IPsec VPNs and 2 OpenVPN ones to help family members and close friends access the real Internet (have to keep a low profile though). Funny though, my networking skills evolved with the GFW.
Coupled with the official cable TV service, which is amusingly abbreviated CCTV, and other state-controlled media, it's an eye-opening thing to see (more blatant) information control in action.
Can you read Chinese? I ask because if not, the experience of people who can might be very different.
I'm completely against the censorship; I just wonder how effectively they implement it.
In China, you may need to use one (or more) of the following:
And https://github.com/gfwlist/gfwlist for automatic proxy switching.
Those applications may require a dedicated server or VPS to run. Once you set it up, it will act like a relay between you and the host you want to access (so that server or VPS must be located outside the GFW's shadow, and you had better set it up and get it well tested before you move to China).
If you don't want to set up a server all by yourself, you can use Lantern or Psiphon, but they are considered not safe as you don't have any control once data leaves your machine.
I personally use Shadowsocks + my own one made with Golang. Both of them work very well for me. Some people may have had problems with Shadowsocks, but the cause of those problems remains a myth.
When I was in China last April, SSTP worked fine (though long-lived connections tend to become slower over time, and then need a few minutes of cool down before being usable again). Most Chinese people I met were using shadowsocks.
But in a vlog I've watched on YouTube, the host of that vlog said "Over the last couple of days, ALL the VPNs have been very difficult to use". So, I guess that includes ExpressVPN.
Here is the video if you're interested: https://www.youtube.com/watch?v=EuEdYvQmVFg (5:20)
As someone who owns, works at and knows the ins and outs of an ISP and has had the 'pleasure' to deal with many 3-word government organizations, I can't help but feel that many people think privacy exists in some form and using a VPN somehow makes you immune.
Please learn to understand double-speak.
If the FBI says they are having a hard time cracking smart-phones or some kind of encryption, understand that they actually want you to use that security because they have figured out how to get around it.
I may sound like an alarmist, but it isn't intentional - because the government is much much more powerful in terms of resources they can throw at a problem - if they can't crack something they will find a way to intimidate someone to install a backdoor for them while completely denying it in public. This happens ALL the time. Most of us just don't know about it.
Do you have any evidence, or is this just speculation? I can buy that governments have access to zero-day exploits; I don't buy that every form of encryption they complain about has been secretly broken.
Was slow, but it worked.
Do you recommend that I set up strongSwan?
Whether you can find one with reasonable data rates in China is probably the main question.
Two that I have used with great success are Kyivstar from Ukraine and China Unicom HK (note it must be HK, not mainland China). Others may be listed at .
My T-Mobile had free international roaming baked in at 2G speeds. Unlike the US however, most foreign carriers in developed Asian nations (China/Korea) don't support 2G fallback, so I had free 3G everywhere.
It was pretty much like using the American internet.
If it is only for yourself and traffic is very little, it may survive the period of your stay in China. Nobody I know in mainland runs OpenVPN any more so I cannot really prove that, sigh...
That's why Tor had to implement HTTPS-like fake traffic padding in its obfsproxy modules, which also need to keep evolving...
1. DNS resolution may not work, so you'll need to find a way to resolve the domain name (i.e. hk.privateinternetaccess.com) to IPs for your config.
2. Even if you get an IP it may not work all the time. You will have to keep resolving the domain name for another IP (or maybe just look at all the DNS records?).
EDIT: I should mention I used PIA's PPTP (yes, it's discouraged but it worked for my purposes) and L2TP configurations just fine.
In the hotel, the Wi-Fi network cannot connect to many sites. Sometimes I can connect to the Internet via OpenVPN, but Shadowsocks is more stable.
Furthermore, if ExpressVPN is allowed, could you connect to that and inner-tunnel to your own VPN?
Basically, if you offer me the service to protect my IP address and don't even have the decency to let me inform myself about your offering without handing over my IP address to Google et al., then I'm not using your service.
Unfortunately, VPN providers collectively don't seem to be aware of this presentation layer, so it's nigh impossible to find one which doesn't violate privacy here.
So far, I've found exactly two: azirevpn.com and airvpn.org
They load in Piwik, which I'm okay with.
These two providers also check a lot of other boxes for me, but yeah, it's still just two providers after hours of research, so if anyone knows any other VPN providers with privacy-respecting webpages, please do tell.
Note that this is also one of the criteria in the VPN comparison chart: https://docs.google.com/spreadsheets/d/1L72gHJ5bTq0Djljz0P-N...
I mean, sorry if I sound rude and thanks for trying to help, but yeah, I'm not clicking on that link.
As for sorting out my threat vectors, I think you should sort out your threat vectors, if you don't consider the biggest data broker on the planet to be part of that.
But even if you yourself are entirely unaware of Google being a threat vector, I do think I made it abundantly clear in my initial comment that I don't want my IP address shared with Google, so then linking me to a Google webpage has got to be either a bad joke or so incredibly oblivious that I very much do think it warrants a dick response.
What I know is that Google will store that data point indefinitely and will correlate it with a near-infinite number of other data points to generate conclusions about me. Whether those conclusions are right or wrong doesn't even matter.
They'll also make these data points and conclusions available to intelligence agencies around the world. Which might use it to damage me as part of the ongoing cyber war or if it's my own country's intelligence agency, then they might use it against me, in case I'm unpleasant for the reigning government.
I consider something safe when I know that it's safe, not when I don't know it to be unsafe.
Check out my VPN service, DataBuster. I made the VPN only for myself at the beginning but my friends requested the features and it became a viable product.
The only "tracking" I do on the main page is a passive analysis of Apache logs made with Piwik, so there is no visible JS tracking code or third-party tracker.
The underlying technology used is from Algo VPN, a well-acclaimed open source VPN solution. https://github.com/trailofbits/algo
What I mean is that just by reading this thread, we've all been added to whatever VPN user list the (insert bad guy name here) has set up. From there it's just simple data mining. One of the easiest ways to link a user to a VPN service might be through tracking scripts, but that's not specific to the VPN sites. Presumably you're researching which VPN and then reading more on specific VPNs as you narrow down your choice. Then you want to be "anonymous" so you search for bitcoin info. Then you suddenly stop searching for bitcoin and VPN info. So, you have the data from all those searches (specific breadcrumbs), the length of time searched (length of time correlated to how serious and educated you are about the topic), the time the searches stopped (correlated to VPN subscription start), your previous un-anonymized topics of interest that led to the search for VPNs, the exit nodes of the VPN you probably chose, etc. That's on top of all the physical variables - when you're likely to be awake, schedule of connections, location, etc.
I would argue that just having a tracking script on the VPN provider's website is a drop in the bucket, even from a legal perspective - it's better to have a preponderance of evidence. You're not giving 'them' any more information than they'd already need for a search warrant, which is the real danger threshold for this conversation.
It's conflating an annoyance with a threat.
Even if you're entirely above board, your users may not be. Child porn, illegal substances, gambling, stalking/bullying, fake emergency calls, bomb threats, and so on. Your users are just waiting in the wings to place you into law enforcement's crosshairs.
If I opened a VPN I'd spend 10% on equipment and the other 90% on lawyers, fraud prevention, and liability insurance.
If I go to Bob's website on my computer without any VPN, and Bob wants to find me, all he would need to do is get my IP, call my ISP with a warrant, and then get my information.
If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions. Then he calls the VPN company, and asks them to associate the IP and specific browser sessions with me. In that case a) the VPN really does store logs even though they advertise they don't, so they're able to associate me with my activity, or b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.
It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?
So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?
If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users? Wouldn't it be easier for Bob to call AWS with a warrant and get your account info than mess with some offshore VPN provider?
The downside in a nutshell:
"Researchers recently tested 300 free VPN apps on Google Play and found that nearly 40 percent installed malware or malvertising on users’ machines."
"Bob" very likely doesn't know you even exist and doesn't care. The downside of VPNs is that many VPN hosting companies are even less trustworthy than "Bob" and do care who you are. An unscrupulous VPN provider can MitM your connections, harvest anything you give the VPN's app privilege to see (probably a lot), etc.
Step one of security is to understand the threat you want to defend against and make sure your defense against that is (a) adequate, (b) appropriate, and (c) not compromising you in other ways.
Also, don't choose a VPN based on some online review. Most of those are basically paid advertising. Either "pay if you want a good review" or "pay more for higher rank", or stuff by independent affiliates, who get paid for referrals.
Better, choose VPNs that have been recommended by consensus in relevant communities. Torrent users. Wilders. Me ;) And by the way, I do consult for IVPN, but my opinions are otherwise unbiased.
(Basically, all AV companies listed on stock market sell your data.)
I wrote a post last summer for IVPN's blog. Bottom line, AhnLab and Emsisoft seemed to be the only commercial ones that don't share data.
AhnLab: “AhnLab will not collect any personal information other than [data collected during software use] and will not disclose such data to any third party.”
Emsisoft: “Any information we collect from you is only used by us to serve you better. Your information is never given to a third party.”
[+] I'm not trying to advocate crime here or advising how to avoid it. Just trying to bring to light a vulnerability.
People who are interested in not being identified probably shouldn't. But there are good security reasons to potentially do so.
Freenode and Snoonet, two major IRC networks, are now owned by them.
Disclaimer: Happy PIA customer.
If control of PIA — for whatever reason, and be it that Andrew Lee dies and his heirs sell it, or that he can't finance it anymore, or that a three-letter agency forces him to — ends up in the wrong hands, then also all of Freenode and Snoonet end up under control of that entity.
It's not that I don't trust PIA, but that I fear that PIA itself may end up in the wrong hands.
And I'm not on a crusade against PIA — I won't complain about their donations without requirement to advertise in return to projects such as KDE, with a transparent funding process.
But I am on a crusade against centralizing any services, be it killing XMPP federation (thanks, Google), be it pushing a "secure" Messenger that is bound to a single social graph and server infrastructure controlled by one group in the US (thanks, Moxie), or be it a single company gaining significant control over several major IRC networks, clients, libraries, and over Matrix at the same time.
No matter the intentions, how good they may be.
My only beef is I thought PIA would be a kickass gig to work at. Alas, never heard back from my resume. They post in the monthly thread.
Still interested, if any of you PIA people are watching :D
To be honest, my only problem with them is their customer service. And their phone app. My connection is half speed on my phone. :( They also have some strange problems with the linux app (which I wish they would open source). Otherwise I'm really happy with them.
As for the Linux side, their app just needed some better instructions on their site, and then works fine. So I'm not really upset on that, just had to argue with tech support for awhile to get transferred to somebody that knew what I was talking about.
 - https://krita.org/en/item/krita-foundation-update
This is why we can't have nice things...
When I checked in mid 2016, their custom Windows client leaked while the VPN was reconnecting after uplink interruption. But then, only six of the 29 VPNs that I tested didn't leak: AirVPN, FrootVPN, IVPN, Mullvad, Perfect Privacy and SlickVPN. Strangely, FrootVPN didn't leak using open-source OpenVPN, suggesting that they're doing something unusual at the networking level. PIA's OS X client didn't leak, however.
They do tend to oversell their servers, however. So you'll often get less throughput than with AirVPN, IVPN or Mullvad.
Is this semantics? I am uncertain. I do think that it's in PIA's best commercial interests not to keep logs. It's the core of their business model. The moment a PIA customer's identity is revealed through them is the moment they lose all business.
Another issue is, all their IPs are well known. When browsing while connected to them, you can run into a lot of issues: captchas, blocked sites, etc.
The other day I was accidentally connected and made a purchase. What a giant headache. My purchase was flagged and blocked and it took a lot of my time to call the company and get it cleared up.
I will mention that while it doesn't magically fix slow speed issues, they have the ability to report a slow server through the app (on Windows, I can't attest to any others). You just right click the icon in the notification tray and click "Send Slow Speed Complaint." They do add more servers in areas that are overloaded.
Until it's important enough for them to track down the card, figure out when it was bought, go over the security footage of who was buying at the time, and extract footage of you buying it. They can then extract your face and match it against a DB. Or perhaps see what car you get into, and extract its license plate.
Heck, even if they don't have that, they can ask the cell-phone companies to see which phone-numbers were connecting to the nearest tower during that period. That already narrows down the list to say, 1000 people?
We're almost there. All the technology is already in place, and the only thing stopping it from happening is consolidation.
I find the speed has almost been completely acceptable. I have had only a handful of times where it seemed sluggish and bogged down.
I know there is some question of whether they can truly be trusted. Do they truly not keep logs? And they are US based, which are all things to consider. I weighed those factors against the customer reviews, price, and simplicity of their service, and I think my choice has served me well. Their rates are dirt cheap for what seems to be a reliable service.
And they have great clients for Windows, OS X and iOS. I've found a few others that are just as leak-free. However, the data there are old, and just about all VPN services have improved their clients. What's most relevant about the site is the testing protocol. There's more about that in an IVPN guide.
I also recommend AirVPN, Mullvad and PIA. But not necessarily for their clients. I mean, IVPN doesn't have a custom Linux client. So in many cases, you need firewall rules. And you need to make sure that you're not using an ISP-assigned DNS server with the VPN.
I used PIA for a couple of years without issue, but then it went into some kind of decline for me, always driving network traffic to zero after a few hours. After changing hardware and reinstalling the OS with no effect, I finally tried AirVPN and things went back to normal. AirVPN is a bit more expensive, but their client is light years ahead of the PIA client.
The only step beyond this that I have seen is a recommendation to use OpenBSD as a firewall in a virtual machine.
But. It's basically what I described. For public VPN network, just use the default (all output, only established input). For private LAN, deny all output and input, and allow output to selected IP addresses (VPN and DNS servers).
Perhaps something like this can be scripted; if it becomes polished enough it could be recommended as a part of every VPN setup.
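The policy described above (allow everything into the tunnel, allow only the VPN handshake out of the physical interface, accept only established input) as an iptables "kill switch" script. This is an added example, not code from the thread or from any VPN provider; it assumes interface names eth0/tun0 and a VPN server at 203.0.113.10 on UDP 1194 (a documentation address), all overridable through environment variables.

```shell
#!/bin/sh
# Added example, not from the thread: the firewall policy described above as
# iptables rules for a Linux VPN client. On the physical interface only the
# VPN handshake (and DHCP) may leave, everything may enter the tunnel, and
# unsolicited inbound on the tunnel is dropped so other VPN peers cannot
# reach this host. Assumed values: interfaces eth0/tun0, VPN server
# 203.0.113.10 on UDP 1194 (a documentation address, not a real server).
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
VPN_IP="${VPN_IP:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

# Print the rule set without applying it, so it can be reviewed first.
# DNS needs no special rule: with the default route inside the tunnel, queries
# go out tun0; a query that tries to leave via eth0 (a leak) is rejected.
# IPv6 is blocked entirely so nothing bypasses the IPv4 tunnel.
vpn_killswitch_rules() {
  cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $VPN_IP -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
iptables -A INPUT -i $TUN_IF -j DROP
iptables -A OUTPUT -o $WAN_IF -j REJECT --reject-with icmp-admin-prohibited
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
EOF
}

# Apply the rules (needs root). Flushing first makes a re-run idempotent.
apply_vpn_killswitch() {
  [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
  vpn_killswitch_rules | sh -e
}

# Post-connect check: a packet to an outside address must route via the
# tunnel. OpenVPN's redirect-gateway def1 does not replace the default route,
# so do a real route lookup instead of reading 'ip route show default'.
vpn_route_via_tunnel() {
  ip route get 198.51.100.1 2>/dev/null | grep -q "dev $TUN_IF"
}

case "${1:-print}" in
  apply) apply_vpn_killswitch ;;
  check) vpn_route_via_tunnel && echo "traffic routes via $TUN_IF" \
           || echo "LEAK: traffic does not route via $TUN_IF" ;;
  *) vpn_killswitch_rules ;;
esac
```

Run it without arguments to review the rules, with `apply` as root before starting the VPN client, and with `check` once the tunnel is up; the rules last until reboot or the next flush.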
That's why you generally ignore online reviews.
Say for instance there are two VPN services. Both have 100,000 users. One makes $1,000 a year off of advertising, and the other makes $1,000,000 a year ($9/month). Now both are approached by a nefarious gentleman who offers them $20,000 a year to harvest their users' information. But every year there is a 25% chance people find out and your service is shut down.
Who takes the deal? Maybe the free guy, but very few people would risk a 1M/year revenue stream to make a little extra cash, while someone might risk a much smaller revenue stream for a comparatively bigger payoff.
How can you prove what the provider is using? People can lie.
I recently signed up for such a service, in order to get my Nintendo Switch online for multiplayer gaming. My home internet connection is sub-let from the landlord and could be considered semi-hostile -- not able to connect to peers on the Switch due to triple NAT, and I suspect some QoS throttling as well. The VPN solves my routing problems, but if anyone has a suggestion for another option here I'm all ears.
a) Install OpenVPN yourself (open source)
b) Download an OpenVPN profile from the VPN company
c) Configure OpenVPN with the profile
Specifically, you don't have to install any binary software from the company itself.
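Even without installing the provider's binary, the downloaded profile is still the provider's input to your client: an .ovpn file can carry `script-security` and `up`/`down` hooks that run commands, or weaken the crypto. The checker below, an added example and not code from the thread or from any provider, greps a profile for those directives before you import it; the sample profile it is run on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit a provider-supplied OpenVPN
# profile before importing it. The profile text itself can instruct the
# client to run programs or to drop encryption; this script flags those
# directives and warns when server-certificate checks are missing.
# Usage: sh check_ovpn.sh provider.ovpn

# Print the profile with comments and inline <ca>/<cert>/<key>/... blobs
# removed, so only real directives are matched.
ovpn_directives() {
  sed -e 's/[#;].*$//' "$1" | sed -e '/^<[a-z0-9-]*>$/,/^<\/[a-z0-9-]*>$/d'
}

# Report findings on stdout; the return value is the number of findings
# (0 means the profile passed every check).
check_ovpn_profile() {
  profile="$1"
  findings=0
  body=$(ovpn_directives "$profile")

  # script-security 2 lets directives call external programs; 3 additionally
  # hands the username/password to them through the environment.
  if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*script-security[[:space:]]+[23]'; then
    echo "RISK: script-security 2/3 allows the profile to run external commands"
    findings=$((findings + 1))
  fi

  # Client-side hook directives execute the named program at connect,
  # disconnect or route changes.
  if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(up|down|route-up|route-pre-down|ipchange|tls-verify)[[:space:]]+'; then
    echo "RISK: profile declares a command hook (up/down/route-up/route-pre-down/ipchange/tls-verify)"
    findings=$((findings + 1))
  fi

  # Disabled encryption or packet authentication.
  if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(cipher|auth)[[:space:]]+none([[:space:]]|$)'; then
    echo "RISK: 'cipher none' or 'auth none' disables encryption or HMAC"
    findings=$((findings + 1))
  fi

  # Without this, any certificate issued by the provider's CA (for example
  # another customer's client certificate) would be accepted as the server.
  if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server([[:space:]]|$)'; then
    echo "WARN: missing 'remote-cert-tls server' (server certificate role is not checked)"
    findings=$((findings + 1))
  fi

  # tls-auth/tls-crypt protect the control channel with an HMAC; the key may
  # be given as a file directive or as an inline block, so check the raw file.
  if ! grep -Eq '^[[:space:]]*tls-(auth|crypt|crypt-v2)([[:space:]]|$)|^<tls-(auth|crypt|crypt-v2)>' "$profile"; then
    echo "WARN: no tls-auth/tls-crypt (control channel is not HMAC-protected)"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ] && echo "OK: no findings in $profile"
  return "$findings"
}

if [ -n "$1" ]; then
  check_ovpn_profile "$1"
fi
```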
Re OpenVPN vs IKEv2/IPSec, this IVPN FAQ seems accurate. But then, I helped edit it, so I'm biased. Still, if anyone can point to inaccuracies, I'll recommend fixing them :) The major weakness is pre-shared IKE keys.
On the other hand, I get from IVPN that the IPSEC implementation in iOS is very secure.
For example: it's way easier for a client to install a mobileconfig on iOS that supports on-demand VPN than it is to have them download and configure OpenVPN. Fairly set and forget.
Rarely addressed: VPN CLIENT ISOLATION.
The majority of us sit behind a NAT'd address range provided by our physical router, thus isolating our machines via a hardware router / firewall from our ISP. When you connect via a VPN, you are not automatically isolated from other client-peers on that VPN and must implicitly trust the VPN provider has properly configured client isolation. You can do testing, like firing up Wireshark and listening for broadcast traffic or simply by trying to nmap other hosts on the network, however, whatever you find could change with a configuration setting at any time.
One way to further "secure" this would be to run the VPN client on a hardware router like pfSense (instead of directly on your laptop) and block all incoming connections on the vpn client tunnel interface?
A disadvantage of this method would be that the Wi-Fi signal from your laptop to the router is no longer secured by the VPN...
"Processing in hardware", meaning application-specific hardware acceleration, is not a plus in security-related things: it's not safer, it doesn't exist in most boxes, and it's often impossible to field-upgrade when bugs are found. It's done to speed things up/lower cost at large scale, but that's irrelevant for consumer/small office gear.
I agree and am a big fan of host firewalls and host intrusion prevention systems, however, they must of course cover the VPN tunnel in their scope. In many cases they do not.
Recently the Federal Government sent out malware to certain persons of interest. That malware played a higher-pitched sound than can be heard by the human ear. They were able to track those persons and identify them because they heard the sound on the computer's microphone. TOR or VPN can stop this.
Some of the brightest minds of this generation are working on ad tech.
It appears to have happened already
My tinfoil hat is spinning!
Are they able to do this? Yes, for sure.
Are they willing to do this? For terrorists or mafia bosses, no doubt. For smaller fish? Maybe they can't be bothered. Or maybe they can.
I can no longer hear it. Still, I can hear 1 kHz, so that's what's important.
You're saying that the persons of interest in this case were identified and targeted only based on an IP address and not based on some other aspect of their online activity?
That should be "... can not be heard ..." right?
Also, do you have a link with more details?
would both work, but your interpretation isn't correct.
I don't use a VPN to hide my identity from the websites I'm connecting to. I use a VPN to hide the websites I'm connecting to from my ISP.
Residential ISPs in the UK are supposed to log a bunch of internet stuff (not clear exactly what), which is then made available warrant-free to over 40 government departments, including for purposes obviously unrelated to "national security" (not that that would make it OK), e.g. HMRC and the Food Standards Agency.
Additionally, I use a DigitalOcean VM and run OpenVPN myself, I don't get a service from a VPN company.
I've been looking to do the same recently, do you use Digital Ocean Droplets? If so, how have you found the experience?
Or you can do it the easy way (but you won't learn as much) and run a bash script to configure everything automagically:
That said, always verify that the tunnel is operating correctly before assuming it is and taking off. I've found on more than one instance that the OpenVPN client was misconfigured and seemed to connect, yet my IP was still being reported as my ISP's.
I didn't use DO but an even cheaper host and set up VPN at router using DD-WRT.
Occasionally I have to turn it off at router as certain sites/ services recognize the datacenter IP but not all that often.
Main reason I set it up is I use a small local ISP and know the owners and no need to have them watching net traffic.
The settings on both ends have to match perfectly. Don't forget to set DNS for openVPN also.
I have a device through which I Netflix and on which I do not do other personal browsing.
Quite a shame though, but nothing Netflix can do about that. :-(
No advertiser is going to come after your VPN provider asking for logs, and even if they did your VPN provider is going to tell them to get fucked anyway. Again, unless the advertiser in question happens to be the federal government and they have a subpoena or a warrant, no VPN provider is going to give you logs to help you associate a user, I have no idea why you would even think that.
If you don't want traffic from users on the VPN you are free to block them (Netflix does this) but nobody is going to give logs over to a random webmaster to help deanonymize users.
If you want to remove the VPN provider from the question entirely (many of them are on the shady side), you can use Algo to automatically deploy a Digital Ocean droplet or Linode instance to relay your connections for you. However this doesn't fundamentally change anything - if someone comes after you with a warrant or a subpoena, then Digital Ocean/Linode is going to give you up.
This is not exactly a difficult concept to understand so if you have asked this question repeatedly and still aren't satisfied with the answer, perhaps you should look inward.
They absolutely are for a huge number of people. Why do you think so many VPN's advertise the fact that they don't keep logs? I imagine far (_far_) more people use VPN services as a way to evade copyright holders than as a mechanism to avoid marketers (most people don't give two craps about the latter issue.)
BTW, was the snarky bit at the end really necessary?
Some VPNs imply this when they claim they don't keep logs on their users.
Isn't SSL supposed to do that? At most an ISP ought to only be able to sniff the domain.
Sell what exactly? The domains you visit? Because with SSL that is all they know.
* Inability to send mail through a mail program
* Daily disconnections of VPN service
* Captchas and other verification/friction when using services (e.g. YouTube, Amazon, etc.)
* Some services may incorrectly believe you are in a different country, meaning you have to force them to use the right location, or be happy with it being wrong
* Some services will not work at all (for example purchasing through Apple)
* Paid streaming services – like Netflix, HBO Go and Amazon streaming – will likely not work at all
* You may not be able to port tunnel traffic inside the VPN
And of course you have to trust the provider. For example PureVPN claims 'no logs' but it seems that isn't the case...
There is a lot of friction in using a VPN. Which makes the idea, often proposed by technical people that if you are worried about privacy - 'just get a VPN' either naive or disingenuous. That said even with the friction it is worth the cost and hassle IMHO.
In practice you have to have a way to flip on and off VPN on some machines/devices.
There is more discussion on this here...
(edit: fix formatting)
Even so, it's prudent to assume that your VPN provider logs, works with your adversaries, etc. Just like the Tor project assumes that any particular relay may be malicious. So Tor clients create three-relay circuits, to distribute the risk. And one can do the same with VPN services. I'm currently working through a nested VPN chain, using servers from multiple providers. I use pfSense VMs as VPN gateways, and workstation VMs. It's also easy to add Whonix to the mix, so I can use Tor through nested VPN chains.
If "Bob" wants to know who you are when you visit his website, he doesn't have any options to get that information. If "Bob" thinks you are violating his copyright rights, he can file a DMCA complaint against you. If "Bob" doesn't want people from Iceland to access his site, he can try to filter based on IP range.
VPNs do three things: 1. obscure your identity 2. obscure your location 3. prevent local inspection of your network traffic.
How effective that "obscurity" is depends on who wants to know and why.
This is usually due to the ec2/do instances being the cheapest or second cheapest with bad CPUs and overcrowding.
If you don't want Bob to identify you then yeah you need more than just VPN such as ad blockers, disabling cookies, and more.
2. oVPN.to is probably a good idea, as long as you are not based in China
3. Pay anonymously for the VPN. If it needs to be really secure, only access the VPN via Tor.
* Connection issues are really annoying. At home it is manageable, but reconnecting to a different wifi network with a phone introduces a delay that sometimes lasts minutes before it becomes functional again
* Some websites make you enter captchas in order to use them, probably due to VPN abuse by malicious users. Others outright block traffic to any detectable VPN traffic.
* It is slower in general, but the worst case slowness seems much worse and more common. Unavoidable really, you're introducing another potential point of failure.
* Useful LAN functions (like *.local domains) become non-functional
Is that true if you 1. disable the "force all DNS traffic over VPN" setting, but then 2. have a local resolver (e.g. dnsmasq) that resolves LAN domains but forwards all other traffic to a DNS server on an IP that will end up routed through the VPN?
Congress removed FCC regs. that would have prevented it. ISPs have been claiming both the regulation is unneeded but that they won't sell your data.
Here's arstechnica: https://arstechnica.com/information-technology/2017/03/how-i...
>It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?
I'm not sure how you made this jump. If the provider doesn't have logs, Bob can't find you. The end.
I figure my ISP is quite likely to sell my data and do other unfriendly things. But I figure they are quite unlikely to attack my traffic and do other illegal things.
1. They're blocking lots of torrent websites, using a VPN circumvents this
2. They're sending out letters to people saying "you're torrenting, stop". VPN stops this
3. Some ISPs throttle traffic to certain services and streaming sites, VPNs circumvent this
On the other hand, if your VPN operates in another country, some websites within your country may block you due to content licensing issues.
1) First VPN, that only my ISP and second VPN see: I choose one that's popular where I live, and commonly used for torrenting, and I have a torrent client up 24/7.
2) Second VPN, that only the first and third VPNs know about: I choose one that does business from a jurisdiction that isn't very friendly with my government and its friends.
3) Third VPN ...
4) Final exit VPN, that only the previous VPN and websites see: I choose one that doesn't attract too much attention. For Mirimir, that's IVPN, because I'm already so associated with it.
I've thought about doing it all in one OS, with iptables or pf to control routing. It'd be lots lighter, but more fragile.
If the VPN is malicious or self-hosted.
If the servers and the company headquarters are located in a country not part of the "14 Eyes", and most importantly, host a lot of other traffic that is not you, there is obfuscation, legal barriers, and plausible deniability that you did not do what "they" are claiming you did.
Every TCP connection is uniquely represented by (src ip, src port, dst ip, dst port). Bob can provide all four of these, and a timestamp, to the VPN provider. The VPN provider can then resolve that to a specific user if they are logging connections.
I believe there is the alternate option of setting up your own VPN.
Instead of using AWS, you could set it up on an additional router or on your PC/pi wherein you'd lose the advantage of anonymity amongst other users but your information is still encrypted to be acceptably safe.
Whether it's through negligence or ignorance or intentional lying, it's nearly impossible to not log user activity in some way.
And really, think about this: Even if you try really hard not to log, as a provider you're competing with thousands of forensic scientists who do nothing all day but figure out how to associate activity with the people who committed that activity.
And once a federal agency has identified your VPN traffic, every single thing you've done through that VPN provider is all wrapped up in one neat bundle for them to peruse.
What should you use if you're smart enough to come to HN for reading? SSH of course.
When it leaves that computer it's no longer encrypted.
It's not hard to look at unencrypted traffic leaving the computer you've SSH'd into and associate the traffic with the computer you've SSH'd in through.
And browsing the internet over a VPN is different... how, exactly?
That’s entirely not true. If you’d said “some”, you’d be right, but “most” is categorically incorrect.
Want to connect 2 LANs together and have full protocol binding and internal DNS support without mucking with 65535*N-nodes port forwardings?
Not to mention 'VPN' isn't a product..
So your entire notion of 'making money out of it' makes no sense.
As for commercial: OpenVPN is great, free, and fairly simple to use.
TCP/TCP is another point.. and a good one, yes.
These articles explain the concept, but it takes nothing but SSH & Linux (albeit it can work on macOS too with additional software):
I've seen it done before where it was fully transparent to both networks. This required the tunnel to be set up on the default gateway for both networks. Again, as mentioned before and you agreed to, this is not a solution I would ever want to see in production for a company I was at.
> which imho obviates OP's claim of SSH 'simplicity'/'ubiquity'
Which I agree, it isn't simple, but I was replying to someone saying it wasn't possible, not that it is easy to do.