Hacker News
Ask HN: What is it like to run a VPN as a business?
151 points by hazz99 4 months ago | 92 comments

I'm going to set up my own VPN on some cloud hosting provider, and I'm toying with the idea of turning it into a small business.

Is there anything I need to know beforehand? Is it really that easy, or are there legal issues I need to handle?



I should note that I know this is an extremely saturated market - I'm not aiming to build a hyper successful business, but moreso to manage a small public VPN as an ideological side-project. Anything above breaking even I'd consider a bonus.

The fact that it is easy to set up a VPN does make this more competitive but that doesn’t mean you can’t build a business. Think about who your customers will be. Is there an underserved niche that you can reach? It might take a HN reader 10 minutes to set up a VPN but my mom wouldn’t be able to figure it out if you gave her 10 months.

My battle plan for assessing whether or not I would pursue this would be the following:

1. Who is my target market?

2. How big is that market?

3. How will you reach that market?

4. How can you test whether or not you can reach that market before getting fully invested?

5. Test out several ways to reach your market. Try changing the niche and marketing plan until you can find some positive signals.

6. Analyze the data and make an educated guess whether this is worth your time or if you would enjoy doing something else more.

As far as legal issues, I don’t have any good advice but talk to a lawyer. Look at some terms of use of existing VPNs. Find out where you are liable and try to mitigate your risks the best you can.

If you ever want to brainstorm some ideas hit me up at my email on my profile.

Adding an example of a niche: Those who wish to crawl Google/Bing/Amazon/Youtube results for SEO analysis around the world. You'd write a wrapper or other positive list of domains allowed through the proxy.

One very interesting niche that I recently learned about was providing a VPN with a "residential" IP block that could be used to geo-shift netflix viewing:


Apparently there are a lot of people who would like to watch "US Netflix" but cannot do so from their location.

That’s a good idea, but usually Netflix can blacklist domains faster than a VPN provider can acquire new “residential” blocks.

It's the main usage of VPNs (as well as region-locked MMOs) for those who are not doing it for security.

The Consumer advocacy group here in Australia, CHOICE, specifically recommends using a VPN service to avoid geoblocking (https://www.choice.com.au/electronics-and-technology/interne...). So there is definitely a market for this type of service.

Plan to spend most of your time dealing with captchas and anti-scraping technology

Here you can purchase dedicated or semi-dedicated proxy IPs. Easy to use with network request libraries.

By and large, people are interested in VPNs because they're vulnerable, in some way or another. By becoming a VPN provider, you become a "pinch point" for the connections of a number of vulnerable people.

That way, a hypothetical bad actor only needs to compromise one entity (you) in order to gain access to those people who rely on you.

Aggregating vulnerability makes you a target, and puts your customers at risk - Especially when you're relying on third-party virtualisation providers for your infrastructure.

Very good point. OP should be ready to get heavily involved with legal proceedings, especially as they say it is for ideological reasons.

I would add, the potential to become a legal target. That is, receiving, fending off and complying with subpoenas and court orders.

Aye. I care slightly less about this from my perceived threat model (if you go into the business then you know what's coming to you, whereas your end users are a lot less likely to understand the risks) but it's still worth thinking about.

We offer VPN as a side thing to help our customers who are testing their websites from around the world. At the behest of some friends I added VPN as its own plan.

A choice you need to make really early on when you're offering a VPN is how much data you want to log. Eventually someone will do something on your service that pisses someone else off. That could be torrenting, spam, defrauding the elderly, etc. Ideally you, but more than likely your provider, will receive an angry letter. Whether or not you've logged will determine what you can do next. If you're not logging, and unable to stop complaints from coming in, your provider might turn you off completely, so you'll want to pick a provider known to pass letters on without caring.

I blogged about our choice (we log) here: https://wonderproxy.com/blog/our-vpn-what-we-log-and-why/

The successful companies appear to be run at least partially anonymously and based in tax havens. I figure that is because there is legal responsibility that they are trying to dodge.

People use vpn for illegal stuff, and the least worst is Netflix then p2p. P2p if you are a facilitator could land you in jail.

This. Had a lengthy discussion with a friend who has a friend where one works.

My theory was - why not set up a virtual VPN provider that all such companies could buy. After all it’s simple and the real grunt of the work is marketing and legal.

Legally, these companies are setup somewhere in Caymans et al.

Being such a shady business by definition, I have an extremely hard time trusting such services. It’s like the most obvious honeypot / trojan horse ever.

I'd be most worried about the legal liability. What happens if someone starts using your service to download or sell pirated movies or child porn? What's your legal exposure?

Yeah this is my issue. I'm not too worried about it being a successful business (more like a small side project), but I don't have the resources to fight any legal claims.

If you don't have any resources to fight the legal claims you should not do it. You won't last very long because you can be sure that there will be some legal claims, valid or not. Even a frivolous claim will take resources to defend.

Whatever you decide, do NOT run this under your own name. Create an LLC or similar. Do not risk your home and personal assets over a side project. It's better to lose the LLC which should only hold this service than to lose your own personal assets.

- Do not run it in the US.

- Do not sell the service in the country you run it.

- Really, do not run it in the US.

What are good, non-US cloud providers? I only know of AWS/DO/Azure/Google - what are the go-to providers outside the states?

Hetzner or OVH in Europe.

Then you don't have the resources to run the business.

The technical side is pretty cheap compared to the legal manpower you need to protect your end users.

The most difficult part about VPN as a business is dealing with the people that use the VPN for illegal activity.

The authorities will come after you first. Most large providers are located in some small country like Panama so they can't be sued or jailed.

From a technical perspective, you're probably not breaking new ground here. The main things you'll need are ease-of-use and good marketing. There are existing companies that do this and make it fairly easy to get up and running, so you'll need to do the same. Perhaps start with a niche (e.g. easy setup on Ubuntu) and build from there. Still, your biggest hurdle is going to be that no one has heard of you, so make sure that you have a well designed landing page and think about who you'll market the product to.

One service I’d be willing to pay for is an intercontinental booster.

Living in NZ means you’ve got quite underprovisioned international pipe. 100mbps fibre realistically means 3mbps...

If a VPN could route you via their dedicated pipe...

You probably just need to find a VPN provider that provides a VPN server located in NZ (there should be plenty if you google it). By connecting to their NZ VPN server, you'll effectively use their international connection when accessing international sites instead of your ISP's international pipe.

I ran a venture backed VPN company for many years (Spotflux). These days there are tons of huge players in the market, some of which have hundreds of millions of dollars in funding. Your challenges will be as many have stated the following:

1) Convincing providers to let you have VPN traffic on their networks.

2) Dealing with tons of DMCA complaints.

3) Dealing with GDPR compliance in the EU.

4) Maintaining compatibility for dozens of different user configurations and having apps in the mobile app stores.

5) Dealing with credit card and payment fraud.

6) Dealing with law enforcement once you reach a certain scale (no, incorporating in whatever random island will not help you).

7) Maintaining constant uptime of your servers. When a user faces even a minute of downtime, their internet connection is now effectively broken and you are to blame.

8) Dealing with lots and lots of customer support issues and an endless mix of customer configurations which will have you ripping out your hair trying to resolve.

9) Constantly making sure your systems are secured from the latest exploits so you can guarantee the privacy and safety of your users.

10) Maintaining a brand and a niche with mature marketing channels that keeps new users coming and paying for your service.

At the end of the day, it's a very difficult company to run and it's even harder to maintain profitability with so much competition.

One possible option is to sell VPN service to friends/family/acquaintances, for a price that is (clearly to them) cheaper than comparable commercial VPNs, in exchange for a promise to not do anything that would get you in legal trouble. You can trust the promise more than you could trust standard terms-of-service because you know them, and hopefully the lower price means they see it as you offering them something as a convenience from your side project instead of a "real" business and the problems of doing business with friends don't apply as much.

Just tell customers everything is logged and the logs are deleted on a rolling basis every year.

And the logs are stored encrypted offline. They move over a one-way link from main server somewhere else in case of a compromise. They're never shared except with law enforcement with a warrant per privacy policy and EULA.

Inspires more confidence if they're kept temporarily but heavily protected.
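The logging question raised above (the WonderProxy "we log" comment and the "logs kept temporarily but heavily protected, deleted on a rolling basis" suggestion) can be turned into something concrete. The following is an added example, not code from anyone in this thread: instead of the encrypted-offline-copy design described above, it uses a swapped-in technique, keyed pseudonymisation with a per-day HMAC key that is deleted after the retention window. While a day's key exists the operator can still answer "which account held exit address X on day D" for an abuse complaint or a warrant; once the key is gone, the stored records (and any backup of them) can no longer be linked to an account or source address. The record fields, the 30-day default and the sample sessions are assumptions made up for the example.

```python
"""Session log with per-day HMAC keys and rolling key deletion (added example).

Account names and client source addresses are stored only as HMAC-SHA256 tags
under that day's key. Deleting the key is the retention mechanism: it turns every
record for that day into unlinkable noise, even in copies you no longer control.
All field names, dates and the retention window are assumptions for this example.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Dict, List, Optional


class SessionLog:
    def __init__(self, retention_days: int = 30) -> None:
        self.retention_days = retention_days
        self._day_keys: Dict[str, bytes] = {}   # ISO day -> 32-byte HMAC key
        self._records: List[dict] = []

    def _key(self, day: str, create: bool) -> Optional[bytes]:
        """Return the key for an ISO day, minting one on first use when create=True."""
        if create:
            return self._day_keys.setdefault(day, secrets.token_bytes(32))
        return self._day_keys.get(day)

    def pseudonym(self, day: str, value: str) -> Optional[str]:
        """HMAC-SHA256 tag of a value under that day's key; None once the key is gone."""
        key = self._key(day, create=False)
        if key is None:
            return None
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

    def record(self, day: str, account: str, client_ip: str,
               assigned_ip: str, start: str, end: str) -> None:
        """Store one session. Only the tunnel-side address is kept in the clear,
        because that is what an abuse complaint or DMCA notice will cite."""
        key = self._key(day, create=True)

        def tag(value: str) -> str:
            return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

        self._records.append({
            "day": day,
            "account": tag(account),
            "client_ip": tag(client_ip),
            "assigned_ip": assigned_ip,
            "start": start,
            "end": end,
        })

    def find_account(self, day: str, assigned_ip: str,
                     candidates: List[str]) -> Optional[str]:
        """Answer a complaint: which of the known accounts used this address that day?
        Works only while the day's key still exists; otherwise returns None."""
        wanted = {r["account"] for r in self._records
                  if r["day"] == day and r["assigned_ip"] == assigned_ip}
        if not wanted or self._key(day, create=False) is None:
            return None
        for name in candidates:
            if self.pseudonym(day, name) in wanted:
                return name
        return None

    def purge(self, today: str) -> int:
        """Rolling deletion: drop keys and records older than the retention window.
        Returns the number of records removed."""
        cutoff = (date.fromisoformat(today)
                  - timedelta(days=self.retention_days)).isoformat()
        for day in [d for d in self._day_keys if d < cutoff]:
            del self._day_keys[day]          # the step that actually unlinks old data
        before = len(self._records)
        self._records = [r for r in self._records if r["day"] >= cutoff]
        return before - len(self._records)


if __name__ == "__main__":
    # Constructed sample sessions (RFC 5737 documentation addresses).
    log = SessionLog(retention_days=30)
    log.record("2019-03-01", "alice", "198.51.100.7", "10.8.0.12", "09:00", "09:45")
    log.record("2019-03-01", "bob", "203.0.113.9", "10.8.0.13", "09:10", "10:00")
    print(log.find_account("2019-03-01", "10.8.0.12", ["carol", "bob", "alice"]))
    log.purge("2019-04-15")
    print(log.find_account("2019-03-01", "10.8.0.12", ["carol", "bob", "alice"]))
```

The operator never stores the raw account name, so a stolen copy of the records only leaks the exit address and timing; the daily key is what must be protected and what must be reliably destroyed on schedule. Keep the key store separate from the record store (the "one-way link" idea above applies to the records, not to the keys).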

That won't sufficiently discourage folks who want to do potentially-illegal stuff from doing so - it will let you defend yourself in case of a legal incident, but the cost (in time, money, and happiness) of having to deal with a legal incident at all is pretty significant. It seems better to me to try to limit your users to people you believe are unlikely to trigger a legal incident, unless you're at the point where you can hire someone to deal with it for you.

I've also toyed with the idea of doing something like this, and would like to know more about this as well. Like you said, the technical side seems easy. I imagine handling legal issues is going to be the bulk of the work. How are you going to handle abuse reports? How are you going to handle requests from authorities asking to turn over user data? And most importantly: how much information about your users are you going to collect to make handling the legal issues easier?

> how much information about your users are you going to collect

Not collecting any data would be the obvious choice.

Which isn't legal in many parts of the world, especially if you take any kind of payment for your services.

If you don't collect data you can't give it to the authorities.

But you can still be asked for it, and you can still be required to appear in court over it

You're going into a heavily saturated market. Not to mention anyone technically savvy can set up their own VPN in 10 minutes on a cheap DO host or other provider.

I'd consider myself tech savvy and I happily pay for a VPN (PIA). I don't want to manage a node, and at $40/year it's about equal to what I'd pay otherwise.

I guess it takes an average HN reader 1 hour to set up a VPN. If the purpose is to have a secured gateway for using public wifi, it serves the purpose. However, if you want to gain anonymity, it does not work since the node has a unique IP and only you are using this IP. You still need different users to use this VPN to gain anonymity.

Therefore, we could only choose one of the following: security or anonymity, but not both, unless you become your own VPN provider and serve some customers for anonymity.

An alternative is Tor, but a compromised exit node still leaks HTTP site.

So, if someone could solve this problem, it would be a big selling point. I am not sure if it is possible to share an IP between different VPN nodes without an untrusted gateway in front.

In my country, VPNs sometimes get blocked. Along with half of the AWS and other random stuff.

So I've set up my VPN and also pay for another third-party VPN service, having best (or worst) of both worlds.

My gateway host is private, and I've decided that if it gets detected, I'll add an obfs4 layer on top of it. (Luckily, that hadn't happened - and I'm moving to another country in about a week. But that's a different story.)

All my first VPN does, is merely routing the traffic to an upstream VPN provider. This way I get a private entry point but also enjoy some degree of anonymity as my "final" IP addresses are shared with lots of other users. (Well, I share my gateway VPN with a few close friends. Maybe that's borderline cheating on the upstream VPN, but I don't see a way to pay them for my network-sharing guests anyway.)

Oh, and I don't need to reconnect to switch regions. I just made myself a tiny web service that changes the routing table used by my TAP connection, so whenever something doesn't work from one region I just need to click on a flag icon.

> In my country, VPNs sometimes get blocked.

This is why I love* Tunnelbear's[0] GhostBear feature and it uses obfsproxy[1]. Very few VPN providers provide censorship circumvention like that

[0] https://www.tunnelbear.com/

[1] https://community.openvpn.net/openvpn/wiki/TrafficObfuscatio...

[*] No affiliation with Tunnelbear, just thought I would point out this feature

I ran this script on a node 2 years ago and haven't had to touch it since, it's been a fully-working, reliable VPN for my whole family for $2.50/mo and 10min of my time for initial setup: https://github.com/jawj/IKEv2-setup

I've been looking for something like this, thank you. Do you mind sharing what type of hosting you use, and what kind of VPN traffic it supports?

If you're interested in setting up your own VPN, take a look at streisand [0].

Also, running the VPN in a docker container is rather nice. There are a bunch of existing containers for that[1].

Oh, and if you're interested, Aruba Cloud [2] offers a 1 core, 1 GB RAM VM in CZ and IT for 1 Euro/month. It comes with more than enough bandwidth for personal use.

[0]: https://github.com/hwdsl2/docker-ipsec-vpn-server

[1]: https://hub.docker.com/search/?isAutomated=0&isOfficial=0&pa...

[2]: https://www.arubacloud.com/

awesome, thank you.

Note that I've made a mistake with the first link. It should have been https://github.com/StreisandEffect/streisand

For $2.5, I guess it's Vultr.

vultr.com, and it's an IPSec tunnel, so it supports all traffic, not just HTTP.

A great niche to get into would be Internet censorship avoidance in countries where Internet freedom isn't a thing. As an expat living in China, I can tell you that there are only a few companies that do this successfully (among them Astrill and ExpressVPN).

Operating this kind of VPN comes with its own set of unique technical challenges, such as avoiding DNS poisoning and offering the best protocols to use. Spinning up a homebrew solution on DO just doesn't cut it as an end user, so we rely on companies like these to provide targeted solutions.

A VPN provider that can focus on avoiding common blocking techniques would be very valuable to a lot of people.

Be focused on a specific audience, because talking to consumers about security is very hard. First, I'd start with your friends.

The first question they're going to ask is how can I trust you're not spying on what I do. If you can convince your friends, then you can convince anybody.

Next is how do I use it / how does it work, that brings to make it as simple as possible. Minimal setup, no configuration, it just works.

Finally it's why should I use it. This can be "easy" because you can just look around the competition, see their messaging, find out which one you like better and copy it. Focus on benefits vs technical features and details. When consumers see something they don't understand, they leave.

I've never built a vpn, but I made a password manager (question 3 is relatively easy/understood), and now I'm making a security key (all these questions are proving to be pretty hard). Shameless plug, we're live on Kickstarter: https://solokeys.com/kickstarter

Your best bet, from an ideological perspective, is NOT a cloud hosting provider or a dedicated host, but buy rack space, and put your own servers in.

Control access to the machine/s.

This is more expensive, and not foolproof. But other hosting providers have so much access to track or log things, even if you don't want them to.

Anecdote: You can do this really cheap on the billing side and use WHMCS for billing/member management. Better than rolling your own, and it's pretty extensible.

VPN has a vast potential market in China, which has blocked most providers. I've used ExpressVPN for two years, and its connection is not always stable. I've also used the Lantern proxy with a premium account for a year. Somehow it didn't work most of the time. Maybe you can use more advanced technology and networking infrastructure to provide better service to such areas.

Surely from an ideological perspective, running a Tor relay node or two would provide about the same amount of fuzzies at much less risk?

Most of the job will be technical support and finding the right server providers. Marketing will be the limiting factor. It's pretty quiet legally; usually it doesn't go further than DMCA cease & desists, but you need to mind countries and what logs each requires you to store. See packetimpact.net, maybe I can help you.

How does this work in practice though? I had a DigitalOcean droplet setup with OpenVPN and they contacted me pretty quickly (within a week) with a bunch of DMCA notices (due to torrenting). I can imagine that this would be quite a frequent occurrence as a VPN operator and not necessarily something I would like to be dealing with.

The problem is that just like you're able to quickly run up a VPN on a cloud provider, I can do the same. There are plenty of drop in containers for this now and the barrier for entry is low. I think you're just opening yourself up for a world of legal pain and costs given what most people will use VPN services for.

You're saying that if you use a VPN you are up to something nefarious?

No, that's not what cube00 said. The HN guidelines ask you to assume good faith and eschew flamebait, please do so.

Apart from the above suggestions, try to provide WireGuard support, and if possible a Shadowsocks proxy as well.
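For the WireGuard suggestion above, here is what "supporting WireGuard" boils down to on the provisioning side: each peer needs a Curve25519 key pair, the server config lists every client's public key with its allowed tunnel address, and the client config lists the server's public key and endpoint. This is an added example, not code from this thread or from the WireGuard project. X25519 is implemented from RFC 7748 in pure Python so the block runs with the standard library only; pure-Python big-integer arithmetic is not constant time, so on a real node generate keys with `wg genkey | tee privatekey | wg pubkey` and use this only to understand the format. The 10.8.0.0/24 tunnel range, port 51820 and the endpoint name are made-up assumptions.

```python
"""WireGuard key pair and peer config generation (added example).

X25519 per RFC 7748, standard library only. NOT constant time: for learning the
format, not for production key generation. Tunnel addresses, port and endpoint
name are assumptions made up for the example.
"""
import base64
import os
import secrets
from typing import Tuple

P = 2 ** 255 - 19                        # Curve25519 field prime
A24 = 121665                             # (486662 - 2) / 4
BASE_POINT = (9).to_bytes(32, "little")  # u = 9 generator


def clamp(scalar: bytes) -> int:
    """Clamp a 32-byte private scalar as RFC 7748 section 5 requires."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u_coord: bytes) -> bytes:
    """Montgomery ladder: scalar * u on Curve25519, 32-byte little-endian result."""
    k = clamp(scalar)
    u = bytearray(u_coord)
    u[31] &= 127                          # ignore the unused top bit of the input
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                          # conditional swap (branchy, not constant time)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_b64: str) -> str:
    """Derive the base64 public key WireGuard expects from a base64 private key."""
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASE_POINT)).decode()


def generate_keypair() -> Tuple[str, str]:
    """Return (private, public) in base64, private stored pre-clamped like `wg genkey`."""
    priv = bytearray(os.urandom(32))
    priv[0] &= 248
    priv[31] &= 127
    priv[31] |= 64
    priv_b64 = base64.b64encode(bytes(priv)).decode()
    return priv_b64, public_key(priv_b64)


def build_configs(server_endpoint: str, listen_port: int = 51820) -> Tuple[str, str]:
    """Produce matching server and client wg-quick configs for one client (assumed layout)."""
    srv_priv, srv_pub = generate_keypair()
    cli_priv, cli_pub = generate_keypair()
    psk = base64.b64encode(secrets.token_bytes(32)).decode()  # optional post-quantum-ish extra
    server = (
        "[Interface]\nAddress = 10.8.0.1/24\n"
        f"ListenPort = {listen_port}\nPrivateKey = {srv_priv}\n\n"
        "[Peer]\n# client 1\n"
        f"PublicKey = {cli_pub}\nPresharedKey = {psk}\nAllowedIPs = 10.8.0.2/32\n"
    )
    client = (
        "[Interface]\nAddress = 10.8.0.2/24\n"
        f"PrivateKey = {cli_priv}\nDNS = 10.8.0.1\n\n"
        "[Peer]\n"
        f"PublicKey = {srv_pub}\nPresharedKey = {psk}\n"
        f"Endpoint = {server_endpoint}:{listen_port}\n"
        "AllowedIPs = 0.0.0.0/0, ::/0\nPersistentKeepalive = 25\n"
    )
    return server, client


if __name__ == "__main__":
    server_cfg, client_cfg = build_configs("vpn.example.net")
    print(server_cfg)
    print(client_cfg)
```

The server only ever learns the client's public key, so a provisioning flow where the client generates its own pair and submits the public half keeps private keys off your infrastructure entirely. The per-peer `AllowedIPs` on the server side is also the authorisation boundary: a peer can only source packets from the addresses listed there.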

I've had a similar idea. I am thinking of creating a service that would install OpenVPN for you on your own server, and send you an email with all the configuration details. Would that be useful, worthwhile doing?

You get consistent revenue from the NSA.

Try it and report back, I'm curious

how.. make fast money?

One of my "favorite" evil business models is Hola VPN (https://hola.org), a free browser VPN extension. Hola VPN users unknowingly become exit nodes for residential IP address proxies for sale at https://luminati.io.

As part of a company in the residential proxy space [1], I just wanted to point out that this type of proxy is used in a very different way than low-end VPNs. Residential proxies tend to be much more expensive, and this results in them being used almost exclusively for legitimate business purposes. It's even a standard practice to go through a KYC process before obtaining access to residential proxies in order to ensure that they'll be used responsibly.

VPNs are often used for piracy, SPAM, and other nefarious purposes while residential proxies are primarily used to obtain access to data through web scraping. Large companies like Google are able to scrape the same sites without getting blocked already, and proxies help to level the playing field between innovative startups and established players. I can certainly understand the critique, but I strongly believe that the existence of residential proxies results in a lot more good than evil.

[1] - https://intoli.com

My critique is that Hola VPN users don't realize that they are peers, nor what that entails even if you were to use more direct language than the vague "share your idle resources with the community!" rhetoric on Hola VPN's homepage.

But since you brought it up, we both know residential proxies are especially attractive to bad actors and circumventors.

It's like how we're both capable of pitching Tor as the emancipator of the sanctioned journalist trying to publish the truth in the face of mortal danger. Yet 99% of Tor traffic to my websites is malicious despite our feel-good hypotheticals.

Of course, residential proxies are even better than Tor because a network can't just block the residential IP address space. ;)

Upvoted for realism, but I want to respond to this:

> It's like how we're both capable of pitching Tor as the emancipator of the sanctioned journalist trying to publish the truth in the face of mortal danger. Yet 99% of Tor traffic to my websites is malicious despite our feel-good hypotheticals.

Of course. That's the reality of freedom on the radical edges — bad actors need it more than pro-social actors. Many of us choose to support radical freedom(s) anyway because the capacity for anyone to act* freely is judged to outweigh the negative effects from bad actors.

*browse, post, etc.

Phrased a different way, the argument is that the benefit of the freedom for those incorrectly assessed to be bad actors outweighs the cost of the freedom for those correctly judged to be bad actors.

Yes, well-put.

Most users from third world countries can't distinguish between ads and content.

still loving that f5bot article, thank you sir

While this is correct and worthy of discussion, technically it doesn't really have anything to do with what the OP is asking. The way Hola/Luminati works is not a good template for understanding the VPN cottage industry more generally.

Relevant section of EULA: http://archive.is/n7wCB#selection-645.1-651.45

> In return for free usage of Hola Free VPN Proxy, Hola Fake GPS location and Hola Video Accelerator, you may be a peer on the Luminati network. By doing so you agree to have read and accepted the terms of service of the Luminati SDK SLA. You may opt out by becoming a premium user.

Whoa, as a luminati customer, I always wondered how they got these residential IPs. Now I know.

So, it's kinda like Tor, just that there's a free tier where you are an exit node, and a paid tier where you are not?

I dunno, I don't really see what's so very wrong about this, as long as it's communicated clearly.

as long as it's communicated clearly.

Exactly. It's not.

Thank you for mentioning it. Just removed it. Do you know of any good, non-expensive (VPN?) alternatives? I was using it to access Netflix in other languages for language learning purposes.

ProtonVPN has a free plan, I recommend it quite strongly. Netflix works on the server I use, though I'm not sure if it works for all servers. P2P traffic is not allowed on free servers.

Support is okay, not the fastest. Downtime is rare but not unheard of, they've been targeted with big DDoS attacks. Server options expanding but not in tons of countries. Most trustworthy and reputable service because it has a CEO you can actually put a name and a face to, and the history of Protonmail.

This is ironic given the connection between ProtonVPN and Hola/Luminati.

What are you referring to? The situation I found bits and pieces about didn't seem to amount to much of anything. ProtonVPN was able to explain what happened to what I thought was a satisfactory degree [1].

I definitely don't trust NordVPN in particular, they advertise their "military grade encryption", and I have no clue who runs it.

[1] https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...

What other VPN would you trust? Mullvad, absolutely no clue who runs it. Private Internet Access had claims about logs proven in federal court at some point in the past, but I really still don't trust it.

Running your own VPN is one of the best options but you almost completely lose the relatively reasonable degree of anonymity that VPN providers serve to you. Depends on your objectives.

> ProtonVPN was able to explain what happened to what I thought was a satisfactory degree

ProtonVPN's explanation was extremely hard to believe[1].

> Mullvad, absolutely no clue who runs it.

It's clearly stated on Mullvad's homepage[2]:

> The legal entity operating Mullvad is Amagicom AB. [...] Amagicom is 100% owned by founders Fredrik Strömberg and Daniel Berntsson who are actively involved in the company. The rest of the team includes Robin Lövgren, Simon Andersson, Linus, Richard Mitra, Sanny Mitra, David Marby, Odd, Andrej Mihajlov, Janito Ferreira Filho, Elad Yarom and Jan Jonsson.

[1] https://news.ycombinator.com/item?id=17775554

[2] https://mullvad.net/en/

I thought the Reddit reply was thorough, though I can't speak to the claim by krn.

At the end of the day, I can't name many (if any) VPN providers that operate their own data center, which is extremely important since they all (including ProtonVPN) lease from the same companies. ProtonVPN does provide Secure Core though (routing traffic through certain countries to attempt to mitigate exit node threats), too.

I wasn't aware about Mullvad, thank you for pointing that out. I still have little clue who those people are, while Andy Yen has given a TED talk, so he has some public presence. I'm personally more inclined to trust them.

Actually, ProtonVPN does own the physical hardware and network for our secure core servers, which we fully operate and run ourselves. This is rather expensive to do, but it's the only way to be sure things are behaving as they should.

Why so? ProtonVPN explained the situation quite clearly though I don't understand why you wouldn't trust NordVPN. Just because they are advertising? Or 'military-grade encryption'? They aren't misleading really, even if it is a marketing gimmick. And who runs it... Well, it is a caveat with most of the VPNs. Because of the delicate nature of them (cybersecurity service, various jurisdictions and such), you don't really know. It is a matter of trust, more than anything. I know that I trust them more than my ISP, that's for sure.

Running your own VPN doesn't really anonymize you though. And like you said, depends what you want from the VPN really.

You should know who runs a VPN in my opinion if you're going to trust them. Private Internet Access you at least have a name at London Trust Media, but Andy Yen has a public presence.

I don't trust anyone who uses "military grade encryption", period, even though it is just a marketing ploy.

ProtonVPN has their own data center of some sort in Switzerland. All VPNs are leasing the same servers from Leaseweb and friends (even ProtonVPN). They say it's in an underground retired army bunker, which sounds good for physical security assuming that's really the case. You never know for sure, but it's better than the alternatives.

VPN companies are notoriously shady, and I only trust ProtonVPN. I believe their service in _some_ respects is a cut above the rest, and I am willing to deal with multi-day customer service responses, DDoS attacks, and the like because of that.

If it's (nearly) free, then you're the product.

The only ones that I know with a good reputation are ipredator.se and Mullvad, though those aren't free.

I have a free VPN plan I can share with you, at a very, very low cost, and you can use it for 1-2 years at least. Reply to me with your email and I will contact you.

> Hola works because it is a peer-to-peer network - you use the network and contribute to the network. To provide this service without charge to our community, Hola charges validated corporations for use of the network. For Hola users that do not want to be a peer in this network, we offer the Hola Premium service, which lets you only use the network, but not be a part of it

Seems quite knowing to me. That same FAQ page, which is very detailed, even provides an explanation of what permissions are used.

