VPS VPN – GhostiFi (ghostifi.net)
61 points by GordonS on Jan 16, 2019 | 32 comments

I'm a little unclear why I would trust that there is no logging. With root access to the VPS, I'd be able to determine that the OpenVPN service on the VPS is not logging the connection between my device and the VPS, but I obviously don't have any access to the infrastructure beyond the VPS. My ISP might not be able to see my traffic, but the ISP of the VPS would, and I'd be just as identifiable if there are logs matching my dedicated IP to my account.

I don't have control over what goes on outside the VPS, but root access is my proof to my customers that I am not logging. Certainly no VPS is the magic pill to internet security or anonymity.
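The two comments above agree that root on the VPS lets a customer check the OpenVPN half of the "no logging" claim. As an added audit helper (not code from GhostiFi or from Nyr/openvpn-install), the function below parses an OpenVPN server config and lists the directives that persist client names or addresses to disk; the sample config is constructed for the example.

```python
# Added audit helper, not part of GhostiFi or openvpn-install: report the
# directives in an OpenVPN server config that write client identities or
# addresses to disk, i.e. the part of "no logging" that root on the VPS
# can actually verify. Everything beyond the VPS (hypervisor, provider
# network) is out of scope for this check.

# OpenVPN directives that record client information, and what they keep.
RECORDING_DIRECTIVES = {
    "log":                   "all output to a file (verb>=3 includes client source IPs)",
    "log-append":            "same as log, appended across restarts",
    "status":                "periodic client list with real address and assigned IP",
    "ifconfig-pool-persist": "client name to VPN IP mapping saved to disk",
    "client-connect":        "script run per connection; may record anything",
    "syslog":                "output to syslog, retained by the system logger",
}

def audit_openvpn_config(text):
    """Return {directive: argument or note} for each recording directive found."""
    findings = {}
    verb = 1  # OpenVPN's default verbosity when no 'verb' line is present
    for raw in text.splitlines():
        # '#' and ';' start comments in OpenVPN config files
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "verb" and arg.isdigit():
            verb = int(arg)
        elif key in RECORDING_DIRECTIVES:
            findings[key] = arg or RECORDING_DIRECTIVES[key]
    # From verb 3 upward OpenVPN prints each client's real source address on
    # connect; that only persists if log/log-append/syslog capture it, but it
    # is flagged here so the auditor knows the data is being generated.
    if verb >= 3:
        findings["verb"] = str(verb)
    return findings

# Constructed sample, modelled on a typical openvpn-install server.conf.
SAMPLE_CONFIG = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt   # keeps a CN -> 10.8.0.x table on disk
status openvpn-status.log       # rewrites client list every minute
verb 3
"""

if __name__ == "__main__":
    for directive, detail in audit_openvpn_config(SAMPLE_CONFIG).items():
        print(f"{directive}: {detail}")
```

Run it as root against /etc/openvpn/server/server.conf; an empty result means the config itself records nothing, which is the only assurance root on the VPS can give.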

> With root access to the VPS

And with root access to the VPS host, you can just extract private keys from the VPS RAM and proxy the connection, logging it all the while.

So no, this claim is not tenable even at the VPS level.

This is what makes this no better than any other VPN service. I still need to completely trust that the provider is not watching me. Even with full hardware access, there could be an invisible sandbox or hardware DMA to some chip I can't see. There is no easy scalable solution to avoid this in a technical level. But you can be one anonymous user in a sea of many others and hope for the best, which is why I'd advise to go to a trusted mainstream VPN provider.

Yep. I have heard stories of people that set up a Streisand VPN on a DigitalOcean droplet, and then got sent DMCA letters for torrenting. DigitalOcean turned over their identity and banned their account.

If you're just doing it for privacy, then cool. If you're doing it to mask potentially illegal activity, don't. Use PIA or something like that.

I think it depends on threat model. If you’re looking to do anything illegal, probably no VPN is a good idea.

But if you care about privacy in general, a VPN is always a clear win. No VPN will ever be perfect. But for a VPN, this is pretty good with regards to security.

How is it a clear win if no VPN is perfect?

Trust and safety teams generally do not turn over client info to DMCA complainants.

All depends on what you're doing and threat model.

Some may just be avoiding local ISP surveillance. Some are just getting a VPN to access a site blocked in their country.

For what you said, it really matters what country it's in and who is hosting it. For example, Switzerland and Finland means no DMCA cooperation (not easily at least). If the owner is publicly known and had a lot to lose outside of the VPN business in the event of a reputational loss, that would be even more preferable (for me it's Freedome or ProtonVPN due to the risk they take by associating it with F-Secure and ProtonMail respectively).

No VPS IPs are clean. They are all data center IPs.

How can you claim no-logging if you are running on someone else's servers?

Came to say this exactly. Bye now.

Isn't one of the main selling points of a VPN that you can't be tracked by IP address when multiple people are using the same VPN server as you? GhostiFi can't provide that as far as I can tell.

(That is not to say it's bad, it's just a different threat model.)

It would be kinda cool to build something like this on top of https://github.com/Nyr/openvpn-install. It's a single script that generates the .ovpn client side files.

Well, actually that is exactly what I did ... https://github.com/GhostiFi

For what it's worth, that project is abandoned, but development continues in this fork:


The project is NOT abandoned at all, please do not spread misinformation.

The fork is maintained by someone who lacks a basic understanding of networking, system administration and security. I'd suggest against using it.

How do you know it's been abandoned? (I don't see a note from the original maintainer, hence the question).

Not in the wayback machine or Google cache. Site is down in less than an hour after submission.

It's back online now, just my little server on DigitalOcean running this.

HN hug of death?

Didn't see the wave coming; I got it back online now.

I WireGuard to my LAN. At least I kind of understand what lives on my LAN as compared to public wifi.

So it's... a VPS.

It's not just a VPS with OpenVPN installed, the main reason why I built it was to be able to click a button and migrate the server to a new location/IP address on demand. Since then I also added "Invisibility Mode" which tunnels VPN over HTTPS bypassing restrictive firewalls, and next I am working on adding pi-hole support to it :)

I don't see anything on "Invisibility Mode" on the GhostiFi website - can you explain a bit about this? Does it work with Windows clients?

> tunnels VPN over HTTPS bypassing restrictive firewalls

That is what I do at https://wormhole.network, but I don't offer internet access through the VPN; it's purely a virtual network to interconnect your machines in a shared LAN space (for now).

"which tunnels VPN over HTTPS bypassing restrictive firewalls,"

That's one of the reasons I recommend HTTPS-based approaches over things like Tor for anonymity. Makes things look like all the bland, harmless traffic out there. Smart move. :)

Tor supports pluggable transports, one of the most popular of which is meek, which makes your traffic look like Google or Azure CDN traffic over HTTPS [0].

Also, Tor circuits are just TLS [1].

[0] https://trac.torproject.org/projects/tor/wiki/doc/meek

[1] https://wiki.wireshark.org/Tor

Thanks for telling me about meek. I'll warn this might not block visibility, at least for domestic TLAs. If they record metadata, they can just work backwards from exit nodes or known relays to whoever is connecting to them. That would map out most likely users of Tor. Then, they can apply whatever passive or active attacks they have. Most probably aren't running OpenBSD, HardenedBSD, QubesOS, etc. ;)

Still good for the many, many other threats out there.
