Do you need a VPN? (blog.mozilla.org)
969 points by thesumofall on Oct 30, 2017 | 479 comments

I grew up in China (moved to Australia in early 2008), where the GFW is in place and getting overwhelmingly powerful. I've been through multiple stages to cross the `great wall`: SSH dynamic forwarding, PPTP, OpenVPN and now IPsec (strongSwan). The GFW has evolved so much (capable of massive-scale MITM attacks, DNS spoofing, traffic sniffing etc.; you'll be amazed how capable the GFW is, of course courtesy of the team behind it) that it makes it increasingly difficult for people to access the real Internet.

I've ditched PPTP (not safe any more) and shifted to IPsec (IKEv2 + RSA with X.509, IKEv1 + PSK + XAUTH) as it is used by a lot of MNCs - can't killall. The GFW has developed techniques to detect OpenVPN well and it is easily blocked, so I don't use it at all. Over the past few years many home-brewed protocols have emerged, e.g. shadowsocks and its variants and many others (I've never used any of them).

The best thing to do with a VPN is to understand the basics of the VPN solution of choice, try to install and configure it from scratch on a VPS and use that as your main protection (encapsulation) while using public Wi-Fi or an untrusted network. There have been many good discussions on how to do this on HN.

NOTE: I am maintaining around 10 strongSwan-powered IPsec VPNs and 2 OpenVPN ones to help family members and close friends access the real Internet (have to keep a low profile though). Funnily enough, my networking skills evolved with the GFW.

I was in China this year and found it surprising that it's as powerful as it is. Consequently, I also found out how powerful not having the entire internet is. The amount of information/sites I wasn't able to access due to it not being accessible at all; or "accessible" but never fully downloadable (i.e. javascript not able to download fully, other assets blocking actual content from being loaded) was staggering.

Coupled with the official cable TV service, which is amusingly abbreviated CCTV[1], and other state-controlled media, it's an eye-opening thing to see (more blatant) information control in action.

[1] https://en.wikipedia.org/wiki/China_Central_Television

> The amount of information/sites I wasn't able to access due to it not being accessible at all; or "accessible" but never fully downloadable (i.e. javascript not able to download fully, other assets blocking actual content from being loaded) was staggering.

Can you read Chinese? I ask because if not, the experience of people who can might be very different.

I'm completely against the censorship; I just wonder how effectively they implement it.

Not OP, but I suppose that people only reading Chinese in China won't notice this much, because most (all?) of what they find is inside the Great Firewall and thus under control (direct or indirect) of the Chinese government. But that's exactly as intended.

Because the GFW (maybe accidentally) blocked quite a few CDNs, that affected the ability of many other 'not-on-list' overseas sites to download their assets properly.

VPN and SSH or other public (detectable) protocols have been goners for a very long time now. I don't understand why you guys are still trying to use them.

In China, you may need to use one (or multiple) of the following:

https://github.com/shadowsocks
https://github.com/v2ray
https://github.com/XX-net
https://github.com/ginuerzh/gost

And https://github.com/gfwlist/gfwlist for automatic proxy switching.

Those applications may require a dedicated server or VPS to run. Once you set it up, it will act like a relay between you and the host you want to access (so that server or VPS must be located outside the GFW's shadow, and you'd better set it up and get it well tested before you move to China).

If you don't want to set up a server all by yourself, you can use Lantern or Psiphon, but they are considered not safe, as you don't have any control once data leaves your machine.

I personally use Shadowsocks + my own one written in Go. Both of them work very well for me. Some people may have had problems with Shadowsocks, but the cause of those problems remains a mystery.

I was in China a couple of months ago and ExpressVPN worked fine for me; are they actually using their own custom protocol?

ExpressVPN is the only one afaik that is allowed by the Chinese government. You can assume that it is actually not "private".

When I was in China last April, SSTP worked fine (though long-lived connections tend to become slower over time, and then need a few minutes of cool down before being usable again). Most Chinese people I met were using shadowsocks.

Many friends indicated Express was down almost an entire week surrounding the big meetings. Not as reliable as it once was. Or so they say.

Doesn't matter if it's not "private" if you have certified encryption though, right?

I think his assertion is that as it is "allowed" by China's government that they somehow have access to the keys (or the VPN provider is keeping a buffer of the traffic and has an arrangement to provide it to relevant government agencies upon request).

I have no experience with ExpressVPN, so I can't help you with that.

But in a vlog I watched on YouTube, the host of that vlog said "Over the last couple of days, ALL the VPNs have been very difficult to use". So, I guess that includes ExpressVPN.

Here is the video if you're interested: https://www.youtube.com/watch?v=EuEdYvQmVFg (5:20)

I'm in China at the moment using ExpressVPN (been using it for a year by now), and for about two weeks only three server locations have worked well (Hong Kong, Tokyo, Los Angeles). Some others work off and on. Before that most locations worked, and some of them, Taiwan for example, used to be very fast. It's still usable for streaming and surfing, but I'm afraid the end is near. I think sometime in the future one will have to go with Shadowsocks or similar protocols/solutions, but until then ExpressVPN is quite convenient (mobile client, router with ExpressVPN client).

Maybe. Vypr VPN has its own "Chameleon" protocol. Maybe Express has its own.

Hijacking the top comment to link to something I wrote recently.

As someone who owns, works at and knows the ins and outs of an ISP and has had the 'pleasure' of dealing with many 3-word government organizations, I can't help but feel that many people think privacy exists in some form and that using a VPN somehow makes you immune.

Please learn to understand double-speak. If the FBI says they are having a hard time cracking smartphones or some kind of encryption, understand that they actually want you to use that security because they have figured out how to get around it.

I may sound like an alarmist, but it isn't intentional. Because the government is much, much more powerful in terms of the resources they can throw at a problem, if they can't crack something they will find a way to intimidate someone into installing a backdoor for them while completely denying it in public. This happens ALL the time. Most of us just don't know about it.

"Please learn to understand double-speak. If the FBI says they are having a hard time cracking smart-phones or some kind of encryption, understand that they actually want you to use that security because they have figured out how to get around it."

Do you have any evidence, or is this just speculation? I can buy that governments have access to zero-day exploits; I don't buy that every form of encryption they complain about has secretly been broken.

Infosec 101: if it truly is a problem for you, you don't tell anyone.

I just went to Shanghai, bought a local SIM card and installed a VPN app from the App Store on my phone (I used "HexaTech"). Had no problems at all with it, even on the free tier. I was kind of surprised how easy it was to get through the GFW.

Being in China now, I can say that just because it works doesn't mean that it's great. I think the government has demonstrated multiple times that they can block and throttle VPN connections at the flick of a switch. If one works, it's because of the government's mercy, not because of some circumvention team's ingenuity. That's my final conclusion. Yes, new methods might break through those times the switch gets turned on to block, but those new methods get blocked eventually too. It's an arms race where one side has near unlimited funding.

The most terrible fact about the GFW is that it makes people forget they have a chance to access the other part of the internet. Most netizens here don't even have an idea of crossing it.

Remember that Chinese people who do it are subject to attracting negative government attention; they face much more risk, even if it works.

The amount of censorship varies by province; I wouldn't be surprised if it is easier in Shanghai than in other parts of China.

I'm in Beijing. After ExpressVPN went down, a friend of mine recommended giving NordVPN a try, as Astrill looks like China's government VPN, which logs everything. And I was surprised: Nord works significantly better and costs just over 3 bucks.

When I was in China for 6 months I just wrapped my OpenVPN in a regular TCP tunnel with stunnel: https://www.stunnel.org/index.html

Was slow, but it worked.

I will be traveling to China in a couple of days and was ignorantly hoping my OpenVPN-based VPN would work.

Do you recommend that I set up strongSwan?

Another option is roaming on a foreign SIM card - this usually bypasses the GFW quite effectively; roaming is effectively a VPN back to the home provider, and there seems to be some whitelist for these roaming tunnels. The providers probably provide surveillance access to the Chinese govt, but you will not have trouble accessing Google and other blocked sites, and any VPN you like should work fine through a roaming SIM.

Whether you can find one with reasonable data rates in China is probably the main question.

Two that I have used with great success are Kyivstar from Ukraine and China Unicom HK (note it must be HK, not mainland China). Others may be listed at [0].

[0] http://prepaid-data-sim-card.wikia.com/

I can confirm that the foreign SIM card override works from my experience a couple of years ago.

My T-Mobile had free international roaming baked in at 2G speeds. Unlike the US however, most foreign carriers in developed Asian nations (China/Korea) don't support 2G fallback, so I had free 3G everywhere.

It was pretty much like using the American internet.

Try changing the default port 1194 to something else (e.g. 443). This may not help, as the GFW has the ability to detect OpenVPN-specific traffic.

If it is only for yourself and the traffic is very light, it may survive the period of your stay in China. Nobody I know in the mainland runs OpenVPN any more, so I cannot really prove that, sigh...

That trick no longer works at all, to my knowledge. The GFW is wise to it.

That's why Tor had to implement HTTPS-like fake traffic padding in its obfsproxy modules, which also need to keep evolving...

I used PIA with relative success. The caveats being:

1. DNS resolution may not work, so you'll need to find a way to resolve the domain name (e.g. hk.privateinternetaccess.com) to IPs for your config.

2. Even if you get an IP it may not work all the time. You will have to keep resolving the domain name for another IP (or maybe just look at all the DNS records?).

EDIT: I should mention I used PIA's PPTP (yes, it's discouraged but it worked for my purposes) and L2TP configurations just fine.

Set up Shadowsocks. (OpenVPN won't work regardless of port and choice of udp/tcp, unless you tunnel it through obfsproxy or similar.)

A few months ago, I went to Shanghai. Before going to China, I set up Shadowsocks on my server. My 4G network is on a roaming SIM card. I can use Google Maps over my SIM card without any proxy or VPN. To prevent sniffing, I always connect to the network via OpenVPN on a non-default port.

In the hotel, the Wi-Fi network cannot connect to many sites. Sometimes I can connect to the Internet via OpenVPN, but Shadowsocks is more stable.

Just use Psiphon or ShadowsocksR, you will be fine; don't use a clichéd old VPN.

If your VPN server is used by many users, it tends to be detected and blocked by the GFW. In case you find managing Shadowsocks servers cumbersome, you may want to check out https://foxshadowsocks.com They manage Shadowsocks servers for you and allow you to move servers across regions (to get a new IP).

I still believe some of the loopholes are intentionally left alone by the government.

With China being such a manufacturing powerhouse, I can imagine loopholes are essential to keep international business and trade in order.

International companies can apply for a VPN permit which allows them to legally use one. They need to attest that it will be used for business purposes; this should sensibly be part of the negotiation process when investing and establishing a presence.

I'm not sure about VPNs. As I understand it, it's corporate lines to overseas that are allowed. That's what we use: we lease bandwidth on a major submarine cable that goes to California and sign a contract that says we won't be using it to break laws, and we tell our employees to only use it for work.

The data has to get from the office to the submarine cable, so a VPN is needed. When logging in from home, I need to select the end-point of the VPN, so I'm pretty sure it is a VPN. This is common in any country: connecting to the corporate network must be via VPN (unless the corporation is crazy and in violation of many laws disclosing customer data).

Nope, ISP gives us fiber that goes from our PoP in Shenzhen to Guangzhou to Hong Kong (roundabout way because they have no fiber direct from Shenzhen to Hong Kong), and somewhere down the line, it hooks up with the submarine cable. No VPN at all.

It is not encrypted?

If it is a loophole it is not legitimate. To keep business and trade IN ORDER it would be legal. I think some of the loopholes are “honeypot” just to capture potential intelligence.

Can you use SSH? If so, can you SSH tunnel?

Furthermore, if ExpressVPN is allowed, could you connect to that and inner-tunnel to your own VPN?

SSH dynamic forwarding (ssh -D) to do application-level port forwarding, with the browser configured to use the remote host for DNS lookups, was one of the earliest techniques to bypass the GFW and was countered by the GFW a long time ago. The wall can easily detect non-administrative SSH traffic and block it. So I won't recommend using it; it is not reliable.

When evaluating a VPN service for trustworthiness, I always look at what their webpage loads in terms of tracking scripts.

Basically, if you offer me the service to protect my IP address and don't even have the decency to let me inform myself about your offering without handing over my IP address to Google et al., then I'm not using your service.

Unfortunately, VPN providers collectively don't seem to be aware of this presentation layer, so it's nigh impossible to find one which doesn't violate privacy here.

So far, I've found exactly two: azirevpn.com and airvpn.org

They load in Piwik, which I'm okay with.

These two providers also check a lot of other boxes for me, but yeah, it's still just two providers after hours of research, so if anyone knows any other VPN providers with privacy-respecting webpages, please do tell.
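The check described in this comment (what a provider's landing page makes your browser fetch, and from whom) can be automated. The script below is an added example and is not code from the thread or from any provider; it parses page HTML, lists every host a script, stylesheet, image or iframe would be fetched from, treats hosts under the provider's own domain as first-party (so a self-hosted Piwik is not flagged), and marks hosts on a short illustrative tracker list. The HTML, the `example-vpn.test` domain and the tracker list are constructed assumptions.

```python
"""Audit an HTML page for third-party and tracker hosts.

Added example, not from the HN thread. The sample page, the domain
example-vpn.test and KNOWN_TRACKERS are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute whose value the browser fetches when the page loads.
FETCHING_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

# Registrable domains of common analytics/advertising networks.
# Assumption: a short illustrative list; a real audit would use a maintained blocklist.
KNOWN_TRACKERS = {
    "google-analytics.com",
    "googletagmanager.com",
    "facebook.net",
    "doubleclick.net",
    "hotjar.com",
}


class _ResourceCollector(HTMLParser):
    """Collects URLs that cause a network fetch during page load."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        if attr is None:
            return
        d = dict(attrs)
        # Only <link rel="stylesheet"> is fetched eagerly; icons/canonical links are ignored here.
        if tag == "link" and "stylesheet" not in (d.get("rel") or "").lower():
            return
        if d.get(attr):
            self.urls.append(d[attr])


def _registrable(host):
    """Crude registrable-domain guess (last two labels); fine for the list above.
    A real tool would consult the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def audit_page(html, served_from):
    """Return {'third_party': [...], 'trackers': [...]} for a page served from served_from."""
    collector = _ResourceCollector()
    collector.feed(html)
    own = _registrable(served_from)
    third, trackers = set(), set()
    for url in collector.urls:
        if url.startswith("//"):           # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname
        if not host:                        # relative URL: first-party, nothing leaks
            continue
        if _registrable(host) == own:       # self-hosted (e.g. the provider's own Piwik)
            continue
        third.add(host)
        if _registrable(host) in KNOWN_TRACKERS:
            trackers.add(host)
    return {"third_party": sorted(third), "trackers": sorted(trackers)}


# Constructed sample landing page: self-hosted assets plus a few external ones.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="icon" href="https://cdn.example-vpn.test/favicon.ico">
<script src="/static/app.js"></script>
<script src="https://stats.example-vpn.test/piwik.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-0000"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="https://www.google-analytics.com/collect?v=1">
<img src="https://assets.typekit.net/x.png">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
</body></html>
"""

if __name__ == "__main__":
    result = audit_page(SAMPLE_HTML, "www.example-vpn.test")
    print("third-party hosts:", ", ".join(result["third_party"]))
    print("known trackers:   ", ", ".join(result["trackers"]))
```

Feed it the HTML you fetched from a provider's site (for example with `curl -sL`) and the hostname you fetched it from. Anything in `third_party` is a host your IP address is handed to before you have bought anything; `trackers` is the subset on the blocklist. Note that the parser only sees markup, so resources injected later by scripts would need a browser-based check.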

> I always look at what their webpage loads in terms of tracking scripts.

Note that this is also one of the criteria in the Vpn comparison chart: https://docs.google.com/spreadsheets/d/1L72gHJ5bTq0Djljz0P-N...

by https://thatoneprivacysite.net/

Which itself is hosted on Google Docs. Does not compute, does it?

I mean, sorry if I sound rude and thanks for trying to help, but yeah, I'm not clicking on that link.

It is the first time I have ever encountered a philosophy close to mine on this subject.

Check out my VPN service, DataBuster[0]. I made the VPN only for myself at the beginning but my friends requested the features and it became a viable product.

The only "tracking" I do on the main page is a passive analysis of Apache logs made with Piwik, so there is no visible JS tracking code or third-party tracker.

[0] https://databuster.net

That’s fantastic! My only suggestion would be to not require JavaScript for the page to load any text at all.

I’m interested in the technology behind the service; any details you can provide?

Yes, I provide some details in a blog article: https://stan.sh/posts/building-a-distributed-vpn-service

The underlying technology used is from Algo VPN, a well-acclaimed open source VPN solution. https://github.com/trailofbits/algo

Loyal customer of AirVPN here. No complaints.

Been using it for about a year now and I am quite happy with it! Recommended it to a few friends, works great on Linux.

Why does this matter for anyone not doing something that would attract the attention of a government agency? If you're running illegal weapons, sure. But if you're just trying to connect to your company's server or prevent Comcast from seeing your search history, this shouldn't matter. It reminds me of the recent uproar over Facebook supposedly listening through the mic at all times. It sounds like a severe lack of appreciation for how much data we leak at any given moment.

What I mean is that just by reading this thread, we've all been added to whatever VPN user list the (insert bad guy name here) has set up. From there it's just simple data mining. One of the easiest ways to link a user to a VPN service might be through tracking scripts, but that's not specific to the VPN sites. Presumably you're researching which VPN to use and then reading more on specific VPNs as you narrow down your choice. Then you want to be "anonymous", so you search for bitcoin info. Then you suddenly stop searching for bitcoin and VPN info. So, you have the data from all those searches (specific breadcrumbs), the length of time searched (length of time correlated with how serious and educated you are about the topic), the time the searches stopped (correlated with VPN subscription start), your previous un-anonymized topics of interest that led to the search for VPNs, the exit nodes of the VPN you probably chose, etc. That's on top of all the physical variables: when you're likely to be awake, schedule of connections, location, etc.

I would argue that just having a tracking script on the VPN provider's website is a drop in the bucket, even from a legal perspective - it's better to have a preponderance of evidence. You're not giving 'them' any more information than they'd already need for a search warrant, which is the real danger threshold for this conversation.

It's conflating an annoyance with a threat.

ProtonVPN (same team as ProtonMail) appears to load no external trackers.

I'm itching to set one up as a side project...

Be cautious of the potential legal headaches, register it as a limited liability company, and host away from your place of residence (so police don't raid your home).

Even if you're entirely above board, your users may not be. Child porn, illegal substances, gambling, stalking/bullying, fake emergency calls, bomb threats, and so on. Your users are just waiting in the wings to place you into law enforcement's crosshairs.

If I opened a VPN I'd spend 10% on equipment and the other 90% on lawyers, fraud prevention, and liability insurance.

This is good advice. I had to deal with crap like this just from running a high traffic message board. Not OP, but I want to do this as a side project just for myself though.

IVPN loads only typekit.net in Linux/Firefox.

windscribe.com is another one.

Windscribe.com appears to be behind Cloudflare, which means that they allow a third party to MITM https connections to their site. I would not trust their service.

I always ask this on the VPN threads here, and don't feel like I get a solid answer (I'm not particularly well-versed on the topic so I'm genuinely curious and would love to be corrected).

If I go to Bob's website on my computer without any VPN, and Bob wants to find me, all he would need to do is get my IP, call my ISP with a warrant, and then get my information.

If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions. Then he calls the VPN company, and asks them to associate the IP and specific browser sessions with me. In that case a) the VPN really does store logs even though they advertise they don't, so they're able to associate me with my activity, or b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.

It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial) step to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?

So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?

If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users? Wouldn't it be easier for Bob to call AWS with a warrant and get your account info than mess with some offshore VPN provider?

> So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?

The downside in a nutshell: "Researchers recently tested 300 free VPN apps on Google Play and found that nearly 40 percent installed malware or malvertising on users’ machines."

"Bob" very likely doesn't know you even exist and doesn't care. The downside of VPNs is that many VPN hosting companies are even less trustworthy than "Bob" and do care who you are. An unscrupulous VPN provider can MitM your connections, harvest anything you give the VPN's app privilege to see (probably a lot), etc.

Step one of security is to understand the threat you want to defend against and make sure your defense against that is (a) adequate, (b) appropriate, and (c) not compromising you in other ways.

Well, never use free VPNs!

Also, don't choose a VPN based on some online review. Most of those are basically paid advertising. Either "pay if you want a good review" or "pay more for a higher rank", or stuff by independent affiliates, who get paid for referrals.

Better, choose VPNs that have been recommended by consensus in relevant communities. Torrent users. Wilders. Me ;) And by the way, I do consult for IVPN, but my opinions are otherwise unbiased.

And then you have stuff like AV companies' VPNs for which you pay AND your data gets sold.

(Basically, all AV companies listed on stock market sell your data.)

well, I've suspected that. But can you point to evidence?

I wrote a post last summer for IVPN's blog. Bottom line, AhnLab and Emsisoft seemed to be the only commercial ones that don't share data.

AhnLab: “AhnLab will not collect any personal information other than [data collected during software use] and will not disclose such data to any third party.”

Emsisoft: “Any information we collect from you is only used by us to serve you better. Your information is never given to a third party.”

What is your opinion on PrivateInternetAccess?

They've been recommended by a lot of people because they recently backed up their claims of no logging (the FBI asked them for data, and they couldn't provide it). You'll see that they are ranked pretty high on this list, where there are some breakdowns. They are pretty cheap and popular too. Popular helps by making associations more difficult, that is, seeing that a VPN server accessed page X and that you were accessing the VPN server at said time. A college student was connected to a bomb threat by this method, as he was the only one on campus using Tor at the time the bomb threat was made (from Tor). You'll be fine with any VPN that is relatively popular and doesn't do any tracking.

A relevant detail to that story is that he admitted his guilt under questioning. Had he continued to deny any involvement, they would not have been able to prove that he was sending the bomb threat, as it could have been from someone who wasn't on campus.

Very true. But there have been several instances of cases like this. And this thing doesn't matter whether your VPN logs or not[+]. But what I was trying to point out is that these types of access collisions are important to understand. And why I don't think people should roll their own VPN.

[+] I'm not trying to advocate crime here or advising how to avoid it. Just trying to bring to light a vulnerability.
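The "access collision" these two comments describe can be quantified: for an event seen from a shared exit address at a given time, the anonymity set is the number of users whose sessions overlapped that moment. The script below is an added example (not code from the thread) that replays the check over constructed session records, so you can see why a busy shared exit gives a large candidate set and a single-user self-hosted exit gives a set of one. User names, addresses (documentation ranges) and timestamps are all constructed.

```python
"""Estimate the anonymity set a shared exit address provides.

Added example, not from the HN thread. Session records, users, exit
addresses and timestamps below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed session log: user, exit_ip, session_start, session_end (UTC, ISO-8601).
SESSION_LOG = """
# user,  exit_ip,       start,                end
alice,   198.51.100.7,  2017-10-30T12:00:00,  2017-10-30T13:00:00
bob,     198.51.100.7,  2017-10-30T12:15:00,  2017-10-30T12:45:00
carol,   198.51.100.7,  2017-10-30T11:00:00,  2017-10-30T12:31:00
dave,    198.51.100.7,  2017-10-30T13:05:00,  2017-10-30T14:00:00
erin,    203.0.113.9,   2017-10-30T12:00:00,  2017-10-30T13:00:00
"""


def parse_sessions(text):
    """Parse the CSV-like log into (user, exit_ip, start, end) tuples; skips comments/blanks."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, exit_ip, start, end = [field.strip() for field in line.split(",")]
        sessions.append((user, exit_ip,
                         datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return sessions


def candidates(sessions, exit_ip, event_time, slack=timedelta(minutes=2)):
    """Users whose session on exit_ip overlapped event_time.

    slack widens the window on both sides to absorb clock skew between the
    server that saw the event and the log that recorded the sessions."""
    lo, hi = event_time - slack, event_time + slack
    return sorted({user for user, ip, start, end in sessions
                   if ip == exit_ip and start <= hi and end >= lo})


def anonymity_set_size(sessions, exit_ip, event_time):
    """Size of the candidate set; 1 means the event pins down a single user."""
    return len(candidates(sessions, exit_ip, event_time))


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_LOG)
    when = datetime.fromisoformat("2017-10-30T12:30:00")
    for exit_ip in ("198.51.100.7", "203.0.113.9"):
        users = candidates(sessions, exit_ip, when)
        print(f"{exit_ip} at {when.time()}: {len(users)} candidate(s): {', '.join(users)}")
```

Run against a record of your own provider's exit you can only estimate this (you do not have the provider's log), but the shape of the result is the point the comments make: on the shared exit three of the four users overlap the event, while on the self-hosted exit the set collapses to one, which is the "why not roll your own" argument in numbers. A larger slack models a coarser-grained adversary and only ever grows the set.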

> And why I don't think people should roll their own VPN.

People who are interested in not being identified probably shouldn't. But there are good security reasons to potentially do so.

Criminals are great examples, because their OPSEC failures are often detailed in court records, reported in the media, and discussed online. One of my articles on IVPN's website uses several such OPSEC failures (Silk Road, Sheep Marketplace, etc) as examples.

It's also worth noting that PIA supports several free software projects.

Or, to phrase it differently: PIA outright bought a great number of previously community-run projects, and is concentrating power.

Freenode and Snoonet, two major IRC networks, are now owned by them.

Enough. You do this on every mention of PIA and you have been told to stop or get banned [0]. I don't know why you are on this crusade when there is not even the slightest hint of wrongdoing [1] so please, easy on the conspiracy theories.

Disclaimer: Happy PIA customer.

[0] https://news.ycombinator.com/item?id=14911509

[1] https://news.ycombinator.com/item?id=14911915

It's not about conspiracy theories, but about concentration of power.

If control of PIA — for whatever reason, and be it that Andrew Lee dies and his heirs sell it, or that he can't finance it anymore, or that a three-letter agency forces him to — ends up in the wrong hands, then also all of Freenode and Snoonet end up under control of that entity.

It's not that I don't trust PIA, but that I fear that PIA itself may end up in the wrong hands.

And I'm not on a crusade against PIA — I won't complain about their donations without requirement to advertise in return to projects such as KDE, with a transparent funding process.

But I am on a crusade against centralizing any services, be it killing XMPP federation (thanks, Google), be it pushing a "secure" messenger that is bound to a single social graph and server infrastructure controlled by one group in the US (thanks, Moxie), or be it a single company gaining significant control over several major IRC networks, clients, libraries, and over Matrix at the same time.

No matter the intentions, how good they may be.

Wow, what's going on there? :/ Case of sour grapes for that user?

My only beef is I thought PIA would be a kickass gig to work at. Alas, never heard back from my resume. They post in the monthly thread.

Still interested, if any of you PIA people are watching :D

(not the person you were responding to)

To be honest, my only problem with them is their customer service. And their phone app. My connection is half speed on my phone. :( They also have some strange problems with the linux app (which I wish they would open source). Otherwise I'm really happy with them.

Have you tried using a standard OpenVPN client (on your phone, on Linux, etc.) with PIA profiles?

I actually haven't. I will try later and report back. But I have a 60/30 connection (down/up) and am getting 26/5, after messing with settings (which strangely is using TCP instead of UDP). And yes, this is under 5G, and I've tried multiple servers.

As for the Linux side, their app just needed some better instructions on their site, and then works fine. So I'm not really upset on that, just had to argue with tech support for awhile to get transferred to somebody that knew what I was talking about.

Just discovered - you can get a 63% off a 2-year subscription in (presumably) the next 24 hours https://stacksocial.com/sales/private-internet-access-vpn-2-...

Ha ha ... that's an affiliate link ;)

Oops, sorry :(

Yes, and interestingly, the Freenode staff had previously disabled Tor access to the Freenode network for over a year or so because of "attacks" which they claimed they could not handle. This was a pretty flimsy excuse once I finally found someone that knew the technical details, and though I chased the "right" people down several times to ask why Tor access had not been enabled, I never got a good answer. Cue PIA taking over Freenode, and within a couple of weeks, Tor access to Freenode was once more enabled. I've been a happy PIA customer for some years now, but that left such a huge and positive impression on me. I'm not completely sure the two things are simply correlated, but after talking to all those Freenode staffers over the years about it, I can't imagine it wasn't pushed by PIA.

I was actually primarily talking about their donation to the Krita Foundation [1], but yeah, it's good to be aware of the above, even if thus far I haven't seen anything nefarious from them.

[1] - https://krita.org/en/item/krita-foundation-update

"A college student was connected to a bomb threat by this method"

This is why we can't have nice things...

I'd use them. They're among the least expensive. And they don't seem to retain logs or detailed access records, based on testimony to a US court. But that was about an exit in the US, where there's no legal requirement for VPNs to log. Where there are such legal requirements, maybe they (or any other VPN) would retain and produce logs.

When I checked in mid 2016, their custom Windows client leaked while the VPN was reconnecting after uplink interruption. But then, only six of the 29 VPNs that I tested didn't leak: AirVPN, FrootVPN, IVPN, Mullvad, Perfect Privacy and SlickVPN. Strangely, FrootVPN didn't leak using open-source OpenVPN, suggesting that they're doing something unusual at the networking level. PIA's OS X client didn't leak, however.

They do tend to oversell their servers, however. So you'll often get less throughput than with AirVPN, IVPN or Mullvad.

I've been very happy with PIA. It's cheap with minimal impact to my bandwidth. The concern is that, like all VPNs, we are trusting them not to keep logs. PIA claims that they proved in court that they do not keep logs because they provided no useful data to an FBI request. There's a debate over whether this proves they don't keep logs or not here:

Is this semantics? I am uncertain. I do think that it's in PIA's best commercial interests not to keep logs. It's the core of their business model. The moment a PIA customer's identity is revealed through them is the moment they lose all business.

I think they're good, but there are some downsides. Sometimes traffic can really slow down because they're _too_ big.

Another issue is, all their IPs are well known. When browsing while connected to them, you can run into a lot of issues: captchas, blocked sites, etc.

The other day I was accidentally connected and made a purchase. What a giant headache. My purchase was flagged and blocked and it took a lot of my time to call the company and get it cleared up.

A few weeks back I ran into the same issue with accidentally making a purchase while connected to PIA. Mine was also flagged and I had to jump through several hoops to prove I made the purchase. It was a pain, but I completely understand why that happened and I'm still very happy with PIA.

I will mention that while it doesn't magically fix slow speed issues, they have the ability to report a slow server through the app (on Windows, I can't attest to any others). You just right click the icon in the notification tray and click "Send Slow Speed Complaint." They do add more servers in areas that are overloaded.

I've used PrivateInternetAccess, they are trustworthy, but US based so count on them rolling on you if someone has a good reason to be interested in you.

Well, they apparently didn't roll for a US court, in a case involving harassment, as I recall. Would they roll for the NSA? How would they handle an NSL? I have no clue. Their founder has said that, although he lives in the US, none of their server admins do.

I don't use PIA, but one advantage of them is you can use a Starbucks or Target gift card to pay. Buy the gift card with cash then there is no trail.

>"Buy the gift card with cash then there is no trail."

Until it's important enough for them to track down the card, figure out when it was bought, go over the security footage of who was buying at the time, extract footage of you buying it. They can then extract your face and match against a DB. Or perhaps see what car you enter into, and extract its license plate.

Heck, even if they don't have that, they can ask the cell-phone companies to see which phone-numbers were connecting to the nearest tower during that period. That already narrows down the list to say, 1000 people?

We're almost there. All the technology is already in place, and the only thing stopping it from happening is consolidation.

I have been pleased with their service. It wasn't much hassle to set up, particularly. Was certainly a little trickier on my linux machine.

I find the speed has almost been completely acceptable. I have had only a handful of times where it seemed sluggish and bogged down.

I know there is some question of whether they can truly be trusted? Do they truly not keep logs? And they are US based which are all things to consider. I weighed those factors against the customer reviews, price, and simplicity of their service, and I think my choice has served me well. Their rates are dirt cheap for what seems to be a reliable service.

Would you recommend IVPN?

Well, of course I would! They're one of the oldest. Except for the first generation, anyway, such as Anonymizer (now basically owned by the CIA) and Cryptohippie (still very cool, but very expensive).

And they have great clients for Windows, OS X and iOS. I've found a few others that are just as leak-free.[0] However, the data there are old, and just about all VPN services have improved their clients. What's most relevant about the site is the testing protocol. There's more about that in an IVPN guide.[1]

I also recommend AirVPN, Mullvad and PIA. But not necessarily for their clients. I mean, IVPN doesn't have a custom Linux client. So in many cases, you need firewall rules. And you need to make sure that you're not using an ISP-assigned DNS server with the VPN.

0) https://vpntesting.info/

1) https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-lea...

The great thing about Mullvad is you can use OpenVPN instead of their client if you want. And those guys really know what they are doing.

Even better, with Mullvad you can now use WireGuard instead of OpenVPN, for considerably better performance and possibly better security. I've configured my EdgeRouter Lite to route all wifi traffic on my default home network through WireGuard for a couple of weeks and it has worked very well.


You can use open-source OpenVPN with any VPN service that offers OpenVPN connectivity. You can also use AirVPN's client Eddie, which has a pretty decent built-in firewall.

Just adding another vote for Mullvad. Tried a few others, have had the best luck with Mullvad (bandwidth, # of servers, rock-solid connection, etc.)

I use OpenVPN to connect to PIA both on my Linux machines and Android.

Same applies to IVPN, FWIW.

My VPN activities run on an old Windows box, and I did not want to trust the VPN clients to not fail and blast my data in the open for a day or two before I noticed. I ended up writing a SafeVPN Windows service that kills processes within 30 seconds of VPN failure.

I used PIA for a couple of years without issue, but then it went into some kind of decline for me, always driving network traffic to zero after a few hours. After changing hardware and reinstalling the OS with no effect, I finally tried AirVPN and things went back to normal. AirVPN is a bit more expensive, but their client is light years ahead of the PIA client.

It's better to use Windows Firewall, because blocking is virtually instant. Basically, you set LAN as a private network, and the VPN as a public network. For LAN, you allow connections only to the VPN server(s) that you use, plus a DNS server that's not associated with your ISP. You can also allow connections to other LAN devices, if you like. For the VPN, you allow all output, but only input for established connections.

Can you point to a writeup of how to do this?

The only step beyond this that I have seen is a recommendation to use OpenBSD as a firewall in a virtual machine.

No, sorry. I used to know a URL, but ... And most of your search hits will feature application-level blocking, which seems silly to me. Also, I don't use Windows much anymore. And I've forgotten the specifics.

But. It's basically what I described. For public VPN network, just use the default (all output, only established input). For private LAN, deny all output and input, and allow output to selected IP addresses (VPN and DNS servers).

Thanks for taking the time to reply. It seems like this would be worth a write-up!

Perhaps something like this can be scripted; if it becomes polished enough it could be recommended as a part of every VPN setup.

Interesting feature of Windows firewall, thanks. As the AirVPN client connects, it checks several hundred servers for the lightest load, so for that default behavior, I don't know which IPs to configure locally.

Well, the AirVPN client in Windows has its own firewall, which I didn't manage to make leak.

Various sites on the internet (e.g. Reddit, piracy sites, etc) will recommend either PIA and/or Torguard over anything else.

That's because PIA and Torguard are willing to outbid others to get that ranking :) Or so I've heard.

That's why you generally ignore online reviews.

Well my Torguard license is expiring soon. Who would you personally recommend instead?

AirVPN, IVPN, Mullvad or PIA. They've all been around for several years, and focus on privacy. And I've never heard anything bad about any of them. PIA is the least expensive, and IVPN costs the most. AirVPN and IVPN are probably the fastest. IVPN and Mullvad probably have the best technical expertise.

Or just DIY if you're just a regular Joe or Jane, it's quick, cheap, and easier than most assume.

I’m curious about your DIY solution and what that involves.

Algo is quite easy to install and run

Why do you think that just because a VPN isn't free, it won't ALSO sell you out on the other side?

Basically how much they have to lose.

Say for instance there are two vpn services. Both have 100,000 users. One makes $1,000 a year off of advertising, and the other makes $1,000,000 a year ($9/month). Now both are approached by a nefarious gentleman who offers them $20,000 a year to harvest their users' information. But every year there is a 25% chance people find out and your service is shut down.

Who takes the deal? Maybe the free guy, but very few people would risk a 1M/year revenue stream to make a little extra cash, but someone might risk a much smaller revenue stream for a comparatively bigger payoff.

That's not what was said. "Free VPNs are not to be trusted" does not imply "All paid VPNs can be trusted".

But to flip that around, what about adding payment into the mix has any bearing at all on the trustworthiness of a VPN provider?

Payment means there may be a viable business model other than sharing private information. Realistically I don't know how you can ever be sure, but I'd absolutely never trust a free VPN service.

It's not so much that they couldn't sell you out, but that if word got around that they had, it would be bad for business.

Every time you turn around we hear of another free VPN selling data. How else do they stay in business?

Why not just use a trusted solution like openvpn and only use providers who provide openvpn servers? That immediately gets rid of one half of your problem; and as for the other half, vpn services that allow for connections via openvpn are likely to be more trustworthy. In addition, the vpn company can't MitM connections which are already on an encrypted channel outside of the vpn connection.

> use providers who provide openvpn servers

how can you prove what the provider is using? people can lie

This suggestion is intended to solve the "free VPN app installs malware" problem and not solve the "VPN provider who actually logs/is in league with govt/MPAA/etc" problem.

Indeed. Threat models are crucial here.

OpenVPN is a protocol. If the VPN provider supports it, you set it up in your own client that supports OpenVPN. Using a VPN provider that requires you use some proprietary app is madness.

I recently signed up for such a service, in order to get my Nintendo Switch online for multiplayer gaming. My home internet connection is sub-let from the landlord and could be considered semi-hostile -- not able to connect to peers on the Switch due to triple NAT, and I suspect some QoS throttling as well. The VPN solves my routing problems, but if anyone has a suggestion for another option here I'm all ears.

It is irrelevant what software the provider is using as long as they use the openvpn protocol. This will be obvious to anyone who tries to connect using openvpn.

Can you explain further, how can you be sure things weren't added to the software?

When you use a VPN service that supports openvpn, you:

a) Install OpenVPN yourself (open source)

b) Download an OpenVPN profile from the VPN company

c) Configure OpenVPN with the profile

Specifically, you don't have to install any binary software from the company itself.
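A check worth running between steps (b) and (c), added here as an example and not the commenter's: the profile is input the provider controls, and it can carry directives that run commands on the client (`up`, `down`, `route-up`, `ipchange`, `tls-verify`, enabled by `script-security 2` or higher) or omit `remote-cert-tls server`, without which any certificate signed by the provider's CA, including another customer's client certificate, is accepted as the server. The two profiles below are constructed samples; the directive names are real OpenVPN 2.x options.

```shell
#!/bin/sh
# audit_ovpn FILE
# Prints one line per finding in an OpenVPN client profile and returns
# non-zero if anything was found. Directive names are real OpenVPN 2.x
# options; the categories are:
#   RISK - the profile can execute an external command on this client
#   WEAK - server authentication is weaker than it should be
#   NOTE - credentials are kept on disk in plaintext
audit_ovpn() {
    file=$1
    findings=0
    # Normalise: drop CRs, leading whitespace and comment lines, so each
    # remaining line starts with the directive name.
    body=$(tr -d '\r' < "$file" | sed -e 's/^[[:space:]]*//' -e '/^[#;]/d')

    # 1. Hooks that run a program or script on connect/route/disconnect events.
    for d in up down route-up route-pre-down ipchange tls-verify; do
        if printf '%s\n' "$body" | grep -Eq '^'"$d"'([[:space:]]|$)'; then
            echo "RISK: '$d' runs an external command on the client"
            findings=$((findings + 1))
        fi
    done

    # 2. script-security 2 or 3 is what allows those hooks to execute at all.
    if printf '%s\n' "$body" | grep -Eq '^script-security[[:space:]]+[23]'; then
        echo "RISK: script-security >= 2 enables external script execution"
        findings=$((findings + 1))
    fi

    # 3. Without remote-cert-tls server, any certificate signed by the
    #    provider's CA (e.g. another customer's client cert) passes as the server.
    if ! printf '%s\n' "$body" | grep -Eq '^remote-cert-tls[[:space:]]+server'; then
        echo "WEAK: missing 'remote-cert-tls server' (a same-CA client cert could pose as the server)"
        findings=$((findings + 1))
    fi

    # 4. auth-user-pass with a file argument stores the credentials in plaintext;
    #    a bare auth-user-pass prompts interactively instead.
    if printf '%s\n' "$body" | grep -Eq '^auth-user-pass[[:space:]]+[^[:space:]]'; then
        echo "NOTE: auth-user-pass reads a plaintext credentials file"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# write_sample_profiles DIR
# Writes two constructed profiles (sample input, not from any provider):
# clean.ovpn has no findings, risky.ovpn has four.
write_sample_profiles() {
    cat > "$1/clean.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
verify-x509-name vpn.example.invalid name
# no argument: credentials are prompted for, never stored
auth-user-pass
auth-nocache
EOF
    cat > "$1/risky.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
script-security 2
up /etc/openvpn/provider-helper.sh
auth-user-pass /etc/openvpn/creds.txt
EOF
}

# Demo on the constructed profiles.
demo_dir=$(mktemp -d)
write_sample_profiles "$demo_dir"
for name in clean risky; do
    echo "== $name.ovpn =="
    if audit_ovpn "$demo_dir/$name.ovpn"; then
        echo "OK: no findings"
    fi
done
rm -rf "$demo_dir"
```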

To the client side or the server side? On the client side, you should download the code from a location you trust. On the server side, it is irrelevant if something is added to the software for the attack we are discussing.

You can use your own OpenVPN client.

Isn't openvpn kind of a hack and an IKEv2/IPSEC based strongswan solution to prefer?

It's arguably no more a "hack" than TLS is one. Right?

Re OpenVPN vs IKEv2/IPSec, this IVPN FAQ seems accurate.[0] But then, I helped edit it, so I'm biased. Still, if anyone can point to inaccuracies, I'll recommend fixing them :) The major weakness is pre-shared IKE keys.

On the other hand, I get from IVPN that the IPSEC implementation in iOS is very secure.

0) https://www.ivpn.net/knowledgebase/160/Is-using-L2TPorIPSec-...

Don't see why you're getting downvoted. From a user standpoint, IKEv2 doesn't require a secondary client and integrates with most major OS better.

For example: It's way easier for a client to install a mobileconfig to ios that supports on demand VPN than it is to have them download and configure openvpn. Fairly set and forget.

IKE is a nightmare to admin, only for Cisco level bureaucracies.

OpenVPN protocol is sorta weird (I wrote a clean room client and server impl). But IPSec stuff is such a pain to deal with that it is not worth it despite it having better OS integration.

>So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?

Rarely addressed: VPN CLIENT ISOLATION.

The majority of us sit behind a NAT'd address range provided by our physical router, thus isolating our machines via a hardware router / firewall from our ISP. When you connect via a VPN, you are not automatically isolated from other client-peers on that VPN and must implicitly trust the VPN provider has properly configured client isolation. You can do testing, like firing up Wireshark and listening for broadcast traffic or simply by trying to nmap other hosts on the network, however, whatever you find could change with a configuration setting at any time.

Exactly my thoughts;

One way to further "secure" this would be to run the VPN client on a hardware router like pfSense (instead of directly on your laptop) and block all incoming connections on the vpn client tunnel interface?

A disadvantage of this method would be that the WIFI signal from your Laptop to the router is no longer secured by the Vpn...

That's how I do VPN. I have my ISP connected router, then a DMZ network with my test servers & three routers: 1) guest, 2) main, 3) VPN. I then use a virtual LAN from (2) to (3) over a virtual interface on (2) to connect to (3) which is NAT'd. Honestly though, the whole advice of "get a VPN to be secure" is ridiculous because it can end up exposing you far more than what you were previously, especially if you are running a VPN client on a host that is running a media client / server like Plex, Kodi, WinAmp, iTunes (Bonjour), etc. If you are a developer and using The Fiddler, Charles Proxy, or the Burp Suite, then there's an easy route to the rest of your internal network. I know the first time I was on a VPN and saw someone on the VPN come through my interception proxy it freaked me out enough to instantly understand the dangers of VPN services.

It's more effective to block what you want on your host firewall and not rely on the network to keep you safe.
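The rule set described earlier in the thread (physical side locked down to the VPN endpoint and a chosen resolver, tunnel side open outbound and established-only inbound), written here for Linux nftables as an added example that is not any commenter's configuration; it also implements the suggestion above of blocking unsolicited inbound traffic on the tunnel interface, so client isolation no longer depends on the provider. Interface names, the server address and the resolver are placeholders supplied by the caller.

```shell
#!/bin/sh
# gen_vpn_ruleset WAN_IF VPN_IF VPN_SERVER_IP VPN_PORT DNS_IP [LAN_CIDR]
# Prints an nftables ruleset that:
#   - on the physical interface allows out only the VPN endpoint, a chosen
#     (non-ISP) resolver, DHCP lease renewal and optionally the LAN subnet;
#   - allows everything out through the tunnel;
#   - accepts inbound only for established/related flows on either side, so
#     other clients of the same VPN cannot reach this host through the tunnel;
#   - logs, then drops, anything else that tries to leave on the physical
#     interface, so a leak attempt shows up in the kernel log.
# The VPN server is given as an IP, not a hostname, so the rules never depend
# on DNS. The output chain deliberately has no "ct state established" accept:
# allowed flows already match their explicit rules, and a connection that
# existed before the ruleset was loaded must not keep leaking on WAN_IF.
# IPv6 on WAN_IF is blocked entirely by the drop policy.
gen_vpn_ruleset() {
    wan=$1; tun=$2; server=$3; port=$4; dns=$5; lan=${6:-}
    cat <<EOF
flush ruleset
table inet vpn_killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # DHCP offers/acks for lease renewal on the physical interface
        iifname "$wan" udp sport 67 udp dport 68 accept
        # nothing unsolicited on "$wan" or "$tun"
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        oifname "$wan" udp sport 68 udp dport 67 accept
        # physical interface: the VPN endpoint only
        oifname "$wan" ip daddr $server udp dport $port accept
        oifname "$wan" ip daddr $server tcp dport $port accept
        # plaintext DNS to a non-ISP resolver, needed only if the profile
        # names the server by hostname; the ISP still sees these packets,
        # so prefer an IP in the profile and delete these two rules
        oifname "$wan" ip daddr $dns udp dport 53 accept
        oifname "$wan" ip daddr $dns tcp dport 53 accept
EOF
    if [ -n "$lan" ]; then
        printf '        oifname "%s" ip daddr %s accept\n' "$wan" "$lan"
    fi
    cat <<EOF
        # everything else, IPv4 and IPv6, must leave through the tunnel
        oifname "$tun" accept
        # a leak attempt: record it, the chain policy then drops it
        oifname "$wan" log prefix "vpn-leak: " drop
    }
}
EOF
}

# apply_vpn_ruleset ARGS...: load the generated ruleset (root required).
apply_vpn_ruleset() {
    gen_vpn_ruleset "$@" | nft -f -
}

# Demo: print the ruleset for constructed placeholder values.
gen_vpn_ruleset eth0 tun0 203.0.113.10 1194 9.9.9.9 192.168.1.0/24
```

Load it before the OpenVPN client starts and check `dmesg` for `vpn-leak:` entries while the tunnel is down; anything logged there is traffic that would have left in the clear.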

"Processing in hardware", meaning application specific hardware acceleration, is not a plus in security related things: it's not safer, and it doesn't exist in most boxes, and it's often impossible to field upgrade when bugs are found. It's done to speed things up/lower cost at large scale, but that's irrelevant for consumer/small office gear.

>It's more effective to block what you want on your host firewall and not rely on the network to keep you safe.

I agree and am a big fan of host firewalls and host intrusion prevention systems, however, they must of course cover the VPN tunnel in their scope. In many cases they do not.

It is a configuration option, for sure. But I've never even heard of a VPN service that put multiple clients on the same subnet. It'd be a security nightmare. And I can't imagine what the advantage to the provider would be.

Another downside:

Recently the Federal Government sent out malware to certain persons of interest. That malware played a higher pitch sound than can be heard by the human ear. They were able to track that person and identify them because they heard the sound on the computer's microphone. TOR or VPN can stop this.

Without a source to corroborate, the tinfoil hat factor is extremely high with this one

I slightly agree. However, these days it seems more and more that "thing elite spy agency does to track terrorist" is on about a 6 months to 1 year lead on "thing startup does to target ads."

Wouldn’t even surprise me if it was the other way around either.

Some of the brightest minds of this generation are working on ad tech.


Angelheaded hipsters burning for the ancient heavenly connection to the starry dynamo in the machinery of night, indeed.

Interesting thanks

Sorry here is the source:


It appears to have happened already

Wow, now 44.1kHz sound cards should be very desirable

> A team of researchers from the Brunswick Technical University in Germany discovered [234] Android apps that employ ultrasonic tracking beacons to track users and their nearby environment.


My tinfoil hat is spinning!

Ability and motive...

Are they able to do this? Yes, for sure.

Are they willing to do this? For terrorists or mafia bosses, no doubt. For smaller fish? Maybe they can't be bothered. Or maybe they can.

Once it's productized, it's probably easy to reuse.

Technically, but maybe not bureaucratically.

Here is a source, but no "malware", just ads; the line gets more and more blurry


I'm surprised a computer speaker has the frequency response to play an inaudible tone.

Tested my kids - they could hear an alleged 21khz tone out of laptop speakers. The actual level of the tone doesn't matter - it was above my level of hearing. Wasn't a double blind, but they told me when it started and stopped based on a bash script with random intervals.

I'm 20 but I can still hear 20 khz, albeit not very well.

I could when I was 20, did a proper hearing test when I joined my company. 15.625khz was very noticeable - I scoffed at the old timers who couldn't hear it.

I can no longer hear it. Still I can hear 1khz, so that's what's important.

Most wouldn’t, I’d imagine OP is referring to a mobile device, look at Android's dev docs they recommend sticking to 44.1khz, which we know does fall into the range of human hearing with its 22khz reproduction, albeit fewer people. I’d suspect the person being spied on would become suspicious upon many children they encounter and even more dogs fleeing from their direction.

If they were able to gain access to a person's microphone doesn't that mean they are already compromised?

> TOR or VPN can stop this.

You're saying that the persons of interest in this case were identified and targeted only based on an IP address and not based on some other aspect of their online activity?

Wasn't this how they caught the Silk Road guy? Ross Ulbricht? They played a loud noise from his computer in a public area, as I recall.

That is not how they caught him. They used a correlation attack. He was stupid and posted something using his personal email on stackoverflow about setting up tor website and processing bitcoin transactions. He then used a linked account to advertise silk road a few times. This made him a prime suspect. They followed him for weeks and watched that every time dread pirate roberts logged in and posted on silk road he was sitting in a cafe or library on his computer connected to a vpn. This was enough for them to get a search warrant and they found all the other evidence they needed to convict him on his laptop

Do you have a source for that? I've never heard it before.

Never mind, they chatted with him, but that was to ensure that he was logged in to SR before grabbing his laptop in an unencrypted state, not to identify him: https://www.wired.co/2015/01/silk-road-trial-undercover-dhs-...

> That malware played a higher pitch sound than can be heard by the human ear.

That should be "... can not be heard ..." right?

Also, do you have a link with more details.

No, it's right as-is.

Ah I think I read the "higher" as "high" and misunderstood it.

That still doesn't really make sense. I think you misread "than" as "that".

"a higher sound than can be heard" or "played a sound, which cannot be heard due to its pitch"

would both work, but your interpretation isn't correct.

Not really an answer to any of the questions you asked, but I'll provide my perspective.

I don't use a VPN to hide my identity from the websites I'm connecting to. I use a VPN to hide the websites I'm connecting to from my ISP.

Residential ISPs in the UK are supposed to log a bunch of internet stuff (not clear exactly what), which is then made available warrant-free to over 40 government departments, including for purposes obviously unrelated to "national security" (not that that would make it OK), e.g. HMRC and the Food Standards Agency


Additionally, I use a DigitalOcean VM and run OpenVPN myself, I don't get a service from a VPN company.

> I use a DigitalOcean VM and run OpenVPN

I've been looking to do the same recently, do you use Digital Ocean Droplets? If so, how have you found the experience?

I've been using DO for my VPN needs and it's been a very good experience. You can start a $5 Ubuntu droplet, which is more than enough to host OpenVPN, and then configure your VPN manually. Check here:


Or you can do it the easy way (but you won't learn as much) and run a bash script to configure everything automagically:


I just tried that but on my VPS the 'tun' device was not enabled and the automagic script died. Seems that is not easy to fix on a VPS depending on your provider. Thanks for the tip though.

Not the OP and I don't use DO specifically, but I've found using a VPS provider to be a more or less painless VPN experience. Providers like DO, OVH, and Vultr have scripts for easy one-click OpenVPN setup, or you can roll your own if you don't trust their scripts (though if that's the case maybe you don't trust the VPS provider at all...)

That said, always verify that the tunnel is operating correctly before assuming it is and taking off. I've found on more than one instance that the OpenVPN client was misconfigured and seemed to connect, yet my IP was still being reported as my ISP's.

I did notice the Vultr OpenVPN deploy has license restrictions of two clients.

I think that's an OpenVPN restriction, not a Vultr specific restriction. You have to pay for a commercial license if you want multiple connections with OpenVPN.

It's a bit trickier (and more time consuming) to set up than I initially imagined but not at all undoable. A lot of tutorials are a bit out of date or conflicting so it wasn't quite as easy as just following a recipe.

I didn't use DO but an even cheaper host and set up VPN at router using DD-WRT.

Occasionally I have to turn it off at router as certain sites/ services recognize the datacenter IP but not all that often.

Main reason I set it up is I use a small local ISP and know the owners and no need to have them watching net traffic.

The settings on both ends have to match perfectly. Don't forget to set DNS for openVPN also.

Unfortunately, you lose access to certain sites, like Netflix, who block cloud IP ranges.

NordVPN works mostly reliably with Netflix.

Add to that many shopping sites (Best Buy for instance), deal sites, ticket buying sites, hotel/airline sites, heck, even my state's offender tracking system blocks the handful of VPS services I've tried.

You lose those with any VPN provider I've tried.

airVPN has this problem, unfortunately.

I have a device through which I netflix on which I do not do other personal browsing.

Quite a shame though, but nothing netflix can do about that. :-(

They could use billing address or something else to establish your location instead of your ip.

VPNs aren't a defense against subpoenas or warrants, they're a defense against ISPs scraping your connections and selling them to advertisers.

No advertiser is going to come after your VPN provider asking for logs, and even if they did your VPN provider is going to tell them to get fucked anyway. Again, unless the advertiser in question happens to be the federal government and they have a subpoena or a warrant, no VPN provider is going to give you logs to help you associate a user, I have no idea why you would even think that.

If you don't want traffic from users on the VPN you are free to block them (Netflix does this) but nobody is going to give logs over to a random webmaster to help deanonymize users.

If you want to remove the VPN provider from the question entirely (many of them are on the shady side), you can use Algo to automatically deploy a Digital Ocean droplet or Linode instance to relay your connections for you. However this doesn't fundamentally change anything - if someone comes after you with a warrant or a subpoena, then Digital Ocean/Linode is going to give you up.


This is not exactly a difficult concept to understand so if you have asked this question repeatedly and still aren't satisfied with the answer, perhaps you should look inward.

>VPNs aren't a defense against subpoenas or warrants

They absolutely are for a huge number of people. Why do you think so many VPNs advertise the fact that they don't keep logs? I imagine far (_far_) more people use VPN services as a way to evade copyright holders than as a mechanism to avoid marketers (most people don't give two craps about the latter issue.)

BTW, was the snarky bit at the end really necessary?

> VPNs aren't a defense against subpoenas or warrants, they're a defense against ISPs scraping your connections and selling them to advertisers.

Some VPNs imply this when they claim they don't keep logs on their users.

> they're a defense against ISPs scraping your connections and selling them to advertisers.

isn't SSL supposed to do that? At most an ISP ought to only be able to sniff the domain.

> ISPs scraping your connections and selling them to advertisers.

Sell what exactly? The domains you visit, because with SSL that is all they know.

There are lots of problems you see in practice which are not discussed often....

* Inability to send mail though a mail program

* Daily disconnections of VPN service

* Captchas and other verification/friction when using services (eg youtube, amazon etc)

* Some services may believe you are in a different country incorrectly, meaning you have to force them to use the right location, or be happy with it being wrong

* Some services will not work at all (for example purchasing through apple)

* Paid streaming services – like netflix, hbo go and amazon streaming will likely not work at all

* You may not be able to port tunnel traffic inside the VPN

And of course you have to trust the provider. For example PureVPN claims 'no logs' but it seems that isn't the case...


There is a lot of friction in using a VPN. Which makes the idea, often proposed by technical people that if you are worried about privacy - 'just get a VPN' either naive or disingenuous. That said even with the friction it is worth the cost and hassle IMHO.

In practice you have to have a way to flip on and off VPN on some machines/devices.

There is more discussion on this here...


(edit: fix formatting)

Sure, adversaries could pressure VPN providers for logs, account information, help tracing traffic, etc. So you pick VPN services that have been in business for several years, are well known and recommended in relevant communities, and have no history of giving up their customers. There's a recent relevant thread on Wilders: https://www.wilderssecurity.com/threads/purevpn-keeping-logs...

Even so, it's prudent to assume that your VPN provider logs, works with your adversaries, etc. Just like the Tor project assumes that any particular relay may be malicious. So Tor clients create three-relay circuits, to distribute the risk. And one can do the same with VPN services. I'm currently working through a nested VPN chain, using servers from multiple providers. I use pfSense VMs as VPN gateways, and workstation VMs. It's also easy to add Whonix to the mix, so I can use Tor through nested VPN chains.

You're assuming that private parties have the ability to get warrants or subpoenas to get information from your ISP. They do not.

If "Bob" wants to know who you are when you visit his website, he doesn't have any options to get that information. If "Bob" thinks you are violating his copyright rights, he can file a DMCA complaint against you. If "Bob" doesn't want people from Iceland to access his site, he can try to filter based on IP range.

VPNs do three things: 1. obscure your identity 2. obscure your location 3. prevent local inspection of your network traffic.

How effective that "obscurity" is depends on who wants to know and why.

Speed, in terms of bandwidth and latency. I consistently get slower speeds using a VPN. Granted, I'm using Google Fiber so I have symmetric gigabit, but there is a downside to it, depending on your use case.

I'm in the same boat as well. I'm not in the US but I do have symmetric gigabit as well. I've been using EC2/DO boxes to setup VPNs for me, but they hardly ever come close to my home speed.

This is usually due to the ec2/do instances being the cheapest or second cheapest with bad CPUs and overcrowding.

You're also only guaranteed gigabit speeds on the higher tier instances. I'd be interested in what you get using iperf3 between EC2 and your home connection.

Did you try HMA? I had amazing speed with them.

Tried them out yesterday and they give about 10% of my Internet speed on any server. So my 400 Mbps connection slowed down to 40 Mbps, which is a pretty rough drop. And I haven't been able to find an OpenVPN connection that could handle more than that 40 Mbps.

No, I was using PIA, I might try them out though, thanks.

PIA is cool because it works seamlessly with your phone as well. It used to be you had to have some special access to get it to work with a provider like Verizon, but it works flawlessly now.

Was there any point to this comment other than humblebragging about your fiber connection?

It's a legitimate point to consider. I've set up my home router with Tomato by Shibby, which allows routing all traffic over a VPN link. I was finding the router couldn't keep up with a 50 Mbps link. Granted, these routers aren't designed with that use case in mind. But, running a VPN link all the time on mobile devices kills battery very quickly, so setting up the link on the router is preferable. Consequently, I don't route all traffic over the VPN, which is suboptimal.

I put a 2nd router behind my regular router and switch the gateway, on devices I want to use the VPN, to this 2nd router. Benefits: 1. allow devices to use non-vpn friendly sites 2. Keeps everyone on the same subnet so the VPN is not in the way for local file transfers. 3. main router not overburdened by VPN software

Tomato allows selective routing, both by destination and by device, so that's helpful. Your setup definitely avoids some of the overhead mine has. But, really, I'd just like the little ARM processor in my R7000 to be able to keep up so I can saturate my link. I'm not familiar with ARM's ISA all that much, but it seems an AES-NI equivalent would be really nice to have.

There's no catching him, he's behind 80 proxies.

VPNs protect you from snooping by 3rd parties on the way to Bob's site, such as your ISP, anyone on your network, or anyone on any of the intervening nodes between you and Bob's.

If you don't want Bob to identify you then yeah you need more than just VPN such as ad blockers, disabling cookies, and more.

Depends on what you mean by VPN but the let-me-bittorrent ones don't get you confidentiality (or integrity) to web sites you visit, past your immediate ISP.

I've been using one pretty consistently ever since the legislation passed allowing ISPs to sell your browsing history. I generally don't have any problems with it, but that isn't to say it is not problematic:

* Connection issues are really annoying. At home it is manageable, but reconnecting to a different wifi network with a phone introduces a delay that sometimes lasts minutes before it becomes functional again

* Some websites make you enter captchas in order to use them, probably due to VPN abuse by malicious users. Others outright block traffic to any detectable VPN traffic.

* It is slower in general, but the worst case slowness seems much worse and more common. Unavoidable really, you're introducing another potential point of failure.

* Useful LAN functions (like *.local domains) become non-functional

> Useful LAN functions (like *.local domains) become non-functional

Is that true if you 1. disable the "force all DNS traffic over VPN" setting, but then 2. have a local resolver (e.g. dnsmasq) that resolves LAN domains but forwards all other traffic to a DNS server on an IP that will end up routed through the VPN?

I'm not sure if your methods would fix the issue but you can get around it if your router supports acting as a VPN client. After you configure the connection it becomes invisible to all your lan clients and you can use all of your local network goodies.

Do you happen to have a link to the legislation you mention?


Congress removed FCC regs. that would have prevented it. ISPs have been claiming both the regulation is unneeded but that they won't sell your data.

Googling this gives you lots of links: "isp sell browsing history"

Here's arstechnica: https://arstechnica.com/information-technology/2017/03/how-i...

>b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.

>It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?

I'm not sure how you made this jump. If the provider doesn't have logs, Bob can't find you. The end.

No-log providers can still very likely be compelled to start logging by a combination of the All Writs Act and NSLs.

I also couldn't understand his reasoning here, and I'm surprised you're the only one that pointed this out in this thread.

Is Bob a cop? Does he have probable cause that you were involved in criminal activity? I don't think you can just handwave "call my ISP with a warrant".

Chief on my mind would be the issue of trust. Your traffic is coming out of the VPN node unencrypted. They could snoop you, MITM you, basically anything. So, who do you trust more? Your ISP or a mysterious VPN service probably in Russia that you learned about yesterday?

I figure my ISP is quite likely to sell my data and do other unfriendly things. But I figure they are quite unlikely to attack my traffic and do other illegal things.

So I know of normal people using VPNs in the UK for some or all of the reasons below:

1. They're blocking lots of torrent websites, using a VPN circumvents this

2. They're sending out letters to people saying "you're torrenting, stop". VPN stops this

3. Some ISPs throttle traffic to certain services and streaming sites, VPNs circumvent this

Think about it this way: What if your VPN operates in another country? It becomes an international issue if Bob wants your VPN to tell them who you are.

On the other hand, if your VPN operates in another country, some websites within your country may block you due to content licensing issues.

My favorite formula, in constructing nested VPN chains:

1) First VPN, that only my ISP and second VPN see: I choose one that's popular where I live, and commonly used for torrenting, and I have a torrent client up 24/7.

2) Second VPN, that only the first and third VPNs know about: I choose one that does business from a jurisdiction that isn't very friendly with my government and its friends.

3) Third VPN ...

4) Final exit VPN, that only the previous VPN and websites see: I choose one that doesn't attract too much attention. For Mirimir, that's IVPN, because I'm already so associated with it.

What is your favorite way to create VPN chains in Windows/Linux/OSX?

I mostly use VirtualBox, or VMware in Windows. pfSense VMs make great VPN gateways. VPN and pf setup are pretty easy with their webGUI. Debian VMs also make great VPN gateways, but setup is harder, and their disk footprint is greater.

I've thought about doing it all in one OS, with iptables or pf to control routing. It'd be lots lighter, but more fragile.

Another option, if you want more security against exploits, is Qubes. But the hardware requirements are far more restrictive, and the learning curve is steeper.

It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?

If the VPN is malicious or self-hosted.

If the servers and the company headquarters are located in a country not part of the "14 Eyes", and most importantly, host a lot of other traffic that is not you, there is obfuscation, legal barriers, and plausible deniability that you did not do what "they" are claiming you did.

> If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions.

Every TCP connection is uniquely represented by (src ip, src port, dst ip, dst port). Bob can provide all four of these, and a timestamp, to the VPN provider. The VPN provider can then resolve that to a specific user if they are logging connections.
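The lookup described in the comment above, carried out as an added example (not code from the thread): a website's record of one connection (its own address and port, the public source address and port, and a timestamp) is joined against a VPN provider's egress NAT log. The same join is routine incident-response work on a corporate NAT gateway; the point for a privacy-minded operator is that the four tuple fields plus the timestamps are the entire risk, and that without the timestamp, source-port reuse makes the answer ambiguous. The log format, addresses, ports, account names and times are all constructed for the example.

```python
"""Attributing a public (src ip, src port, dst ip, dst port) to a VPN account
from a constructed egress NAT log. Added example; nothing here is a provider's
real format. Addresses are documentation ranges (RFC 5737)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Set


@dataclass(frozen=True)
class NatRecord:
    start: datetime      # translation created (account opened the connection)
    end: datetime        # translation torn down
    user: str            # VPN account that owned the tunnel
    inner_ip: str        # address assigned inside the tunnel
    egress_ip: str       # public source address after NAT (shared by everyone)
    egress_port: int     # public source port after NAT
    dst_ip: str
    dst_port: int


# Constructed log, one line per translation:
# start,end,user,inner_ip,egress_ip,egress_port,dst_ip,dst_port
# Note that alice and bob reuse the same egress port an hour apart.
SAMPLE_NAT_LOG = """\
2017-10-30T12:00:01Z,2017-10-30T12:03:20Z,alice,10.8.0.5,203.0.113.7,51234,198.51.100.10,443
2017-10-30T12:00:02Z,2017-10-30T12:00:09Z,carol,10.8.0.9,203.0.113.7,51235,198.51.100.10,443
2017-10-30T13:00:00Z,2017-10-30T13:02:00Z,bob,10.8.0.6,203.0.113.7,51234,198.51.100.10,443
"""


def parse_ts(s: str) -> datetime:
    """Parse the constructed UTC timestamp format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text: str) -> List[NatRecord]:
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, end, user, inner, egress, eport, dst, dport = line.split(",")
        records.append(NatRecord(parse_ts(start), parse_ts(end), user, inner,
                                 egress, int(eport), dst, int(dport)))
    return records


def _same_tuple(r: NatRecord, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
    return (r.egress_ip, r.egress_port, r.dst_ip, r.dst_port) == (src_ip, src_port, dst_ip, dst_port)


def candidates(log: List[NatRecord], src_ip: str, src_port: int,
               dst_ip: str, dst_port: int) -> Set[str]:
    """Every account that ever used this exact 4-tuple. Without a time of
    observation, NAT port reuse leaves more than one candidate."""
    return {r.user for r in log if _same_tuple(r, src_ip, src_port, dst_ip, dst_port)}


def attribute(log: List[NatRecord], src_ip: str, src_port: int, dst_ip: str,
              dst_port: int, seen_at: datetime,
              skew: timedelta = timedelta(seconds=60)) -> List[str]:
    """Accounts whose translation of this 4-tuple was live at seen_at, widened
    by `skew` to absorb clock drift between the website and the provider.
    An empty log (a provider that really keeps nothing) yields an empty list."""
    hits = {r.user for r in log
            if _same_tuple(r, src_ip, src_port, dst_ip, dst_port)
            and r.start - skew <= seen_at <= r.end + skew}
    return sorted(hits)


if __name__ == "__main__":
    log = parse_nat_log(SAMPLE_NAT_LOG)
    tup = ("203.0.113.7", 51234, "198.51.100.10", 443)
    print("without timestamp:", candidates(log, *tup))
    print("seen 12:01:15Z   :", attribute(log, *tup, parse_ts("2017-10-30T12:01:15Z")))
    print("seen 13:00:30Z   :", attribute(log, *tup, parse_ts("2017-10-30T13:00:30Z")))
    print("no-log provider  :", attribute([], *tup, parse_ts("2017-10-30T12:01:15Z")))
```

The retention question follows directly from the code: dropping either the per-translation timestamps or the egress port from what is logged is enough to turn `attribute` back into `candidates`, and keeping nothing at all is the only configuration in which a compelled search returns nothing.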

In which case, if you can't trust 1 VPN, can't you jerry-rig a better VPN by daisy chaining several together, so that each VPN will have to be asked to sort through traffic?

Isn't that what TOR is all about?

You will sometimes face hassle authenticating with certain sites. Your VPN will trigger two-factor auth verification, or sometimes trigger an account lock-out or force password resets, etc.

Your VPN provider might not log. Or it might log and sell your internet activity. Of course, the same is true of your ISP, so you have to see who you trust more.

If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users?

I believe there is the alternate option of setting up your own VPN.

Instead of using AWS, you could set it up on an additional router or on your PC/pi wherein you'd lose the advantage of anonymity amongst other users but your information is still encrypted to be acceptably safe.

Such a VPN that did keep logs would lose their entire business model if it broke that they kept logs - even if they kept logs (and why should they? That might always leak and kill their business) why should they help a third-party to them?

For me it’s not Bob I don’t trust, it’s my ISP.

1. VPN Overview https://thatoneprivacysite.net/

2. oVPN.to is probably a good idea, as long as you are not based in China

3. Pay anonymously for the VPN. If it needs to be really secure, only access the VPN via TOR.

Verifiably VPN providers lie when they say they don't log:

Whether it's through negligence or ignorance or intentional lying, it's nearly impossible to not log user activity in some way.

And really, think about this: Even if you try really hard not to log, as a provider you're competing with thousands of forensic scientists who do nothing all day but figure out how to associate activity with the people who committed that activity.

And once a federal agency has identified your VPN traffic, every single thing you've done through that VPN provider is all wrapped up in one neat bundle for them to peruse.

Think of SSH as the secure networking swiss pocket knife but that it is free for everybody to use, learn and script with. Now think how someone could make money out of it. They can't. So they start creating an alternative, that is so complex and hard to understand, that no person alone can manage it, and even the best solutions are unreliable, expensive and corporate. This is something you can sell and argue well that you need a shitload of engineers to maintain. This is VPN.

What should you use if you're smart enough to come to HN for reading? SSH of course.

Do you mean you can use SSH for anonymous browsing? I genuinely don’t know how that works out, isn’t that just transfer the risk to the server you ssh into, so you end up having to trust the server? Do you have some links for reference?

SSH has a Socks compliant proxy built in. That said, you are right, you are basically shifting responsibility to the SSH server you are connecting to so you have to trust it the same way you would a VPN provider. As such, it’s essentially the exact same and so GP was clearly misguided.

You can provide the ssh server yourself. Which is not so hard. And security is something different than avoiding tracking. Avoiding tracking is very simply done by not using a centralized proxy which is maintained by someone else (like in VPN). When you are really under attack it's very different and in that case you couldn't trust VPN either. Even the VPN client would be a danger.

Though this can provide an extra level of defense against MITM, if you trust your personal connection to the internet less than the server's connection to the internet.

All SSH does is move your traffic to a different computer.

When it leaves that computer it's no longer encrypted.

It's not hard to look at unencrypted traffic leaving the computer you've SSH'd into and associate the traffic with the computer you've SSH'd in through.

> All SSH does is move your traffic to a different computer.

And browsing the internet over a VPN is different... how, exactly?

Not to mention incredibly limited IP support. You can forward a few specific ports, or use SOCKS, but that's about it.

Why is SOCKS limited? Just make whatever you want to send your traffic through proxy it through the SOCKS.

Indeed, ssh -D {port} is something I use heavily (to create a SOCKS5 connection to a remote server, effectively a VPN)

This assumes 'whatever you want to send traffic through' speaks SOCKS. Most things don't. Web yes, but not most other things.

> most things don’t

That’s entirely not true. If you’d said “some”, you’d be right, but “most” is categorically incorrect.

I guess you’ve never heard of TUN/TAP support in SSH?

Hm, do DNS queries go through an SSH tunnel?

Presumably so; when I've tried the SOCKS support built in to Firefox, I've noticed that sites that I have blackholed via my hosts file begin working again.
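The behaviour noticed in the comment above (and the `ssh -D` setup mentioned earlier in this subthread) comes down to which address type the client puts in its SOCKS5 CONNECT request. With `ssh -D`, the SOCKS server is the local `ssh` process and the far-end `sshd` opens the outbound connection, so a request carrying a domain name (address type 0x03, RFC 1928) is resolved on the remote host and the local hosts file is never consulted; a request carrying an IP literal (type 0x01 or 0x04) was resolved locally first. The following added example, not code from the thread or from OpenSSH, builds and decodes both kinds of request so the difference is visible on the wire; the hostnames and addresses are constructed.

```python
"""SOCKS5 (RFC 1928) CONNECT requests as a client behind `ssh -D` sends them.
Added example. Shows why remote-DNS behaviour depends on the address type:
a domain name in the request is resolved by the SOCKS server's far end."""
import ipaddress
import struct
from typing import Tuple

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def client_greeting() -> bytes:
    """VER, NMETHODS, METHODS. 0x00 = no authentication, which is what
    the SOCKS listener started by `ssh -D` accepts."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def build_connect(target: str, port: int) -> bytes:
    """Build a CONNECT request. An IP literal is sent as ATYP 1 or 4 (resolution
    already happened on the client, e.g. via /etc/hosts); any other string is sent
    verbatim as ATYP 3 and resolved wherever the SOCKS server makes the connection."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if not name or len(name) > 255:
            raise ValueError("hostname length must be 1..255 octets")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        body = bytes([atyp]) + addr.packed
    # VER, CMD, RSV, then ATYP + DST.ADDR, then DST.PORT in network byte order
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect(data: bytes) -> Tuple[str, int, bool]:
    """Decode a CONNECT request as the SOCKS server sees it.
    Returns (target, port, resolved_remotely)."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT or data[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        target = str(ipaddress.IPv4Address(data[4:end]))
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        target = str(ipaddress.IPv6Address(data[4:end]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        target = data[5:end].decode("idna")
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != end + 2:
        raise ValueError("request length does not match address type")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return target, port, atyp == ATYP_DOMAIN


if __name__ == "__main__":
    for target in ("example.com", "127.0.0.1"):      # constructed targets
        req = build_connect(target, 443)
        name, port, remote = parse_connect(req)
        where = "remote host (hosts file bypassed)" if remote else "client (hosts file applied)"
        print(f"{req.hex():<34} -> {name}:{port}, resolved on {where}")
```

In Firefox this switch is `network.proxy.socks_remote_dns`; when it is off, the browser resolves the name itself, sends the resulting IP (so a blackholed entry in the hosts file still blackholes), and the DNS query itself leaves the machine outside the tunnel.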

And VPN encrypts your traffic directly to Facebook? No. At some point it also leaves the VPN's network.

Umm. No.

Want to connect two LANs together and have full protocol binding and internal DNS support without mucking with 65535*N-nodes port forwardings?

Not to mention 'VPN' isn't a product.

So your entire notion of 'making money out of it' makes no sense.

As for commercial: OpenVPN is great, free, and fairly simple to use.

While it’s not the right tool for the job, it is possible to connect two networks together using SSH as the secure transport. Many (most?) good network folks will recoil in horror though about tunneling TCP inside TCP.

Re full network: how, without additional software (e.g. ppp+socat+ssh along with TUN/TAP or similar), or running a non-standard SSH client/server and having various non-standard utilities on both ends, which imho obviates OP's claim of SSH 'simplicity'/'ubiquity'?

TCP/TCP is another point, and a good one, yes.

> Re Full network: How?

These articles explain the concept, but it takes nothing but SSH & Linux (albeit it can work on macOS too with additional software):

I've seen it done before where it was fully transparent to both networks. This required the tunnel to be set up on the default gateway for both networks. Again, as mentioned before and you agreed to, this is not a solution I would ever want to see in production for a company I was at.

> which imho obviates OP's claim of SSH 'simplicity'/'ubiquity'

Which I agree, it isn't simple, but I was replying to someone saying it wasn't possible, not that it is easy to do.
