And would you recommend it? I've decided to get one and so far my only two requirements seem to be:
1. It should work with OpenVPN
2. It should support SOCKS5 (Proxy)
PIA, Nord, Mullvad, ZorroVPN, ProtonVPN look promising. On the other hand, SigaVPN is based on a not-for-profit model so I was not sure about it. What is your personal preference?
PIA (Private Internet Access) and am a happy customer for 3rd year running.
Why do I choose them? Besides the ease of use over multiple platforms, they are the only VPN (I am aware of) that has held up in court that they do not store any logs when asked to handover personal information.
PIA's offer and their policy on retention might be good, but they're still a US company and they still tried to smear several other VPN companies (including ProtonVPN).
Their clients are also messy memoryleaky electron apps with outdated chromium embedded.
The stupid fight they had with ProtonVPN and NordVPN did it for me.
Reddit mods had to close some threads because the people copypasting PIAs (mostly baseless) allegations under every comment even slightly positive about either ProtonVPN or NordVPN were getting out of hand.
Any idea where the bottleneck was there? CPU use? Protocol latency? I'd be interested to see some test results around that if you know of any that have been published.
A little anecdotal information: some years ago I did a CPU-load test with OpenVPN on a diminutive Atom-based netbook as the client, and it maxed out at around 95mbit/s on a 100mbit/s network (actually a gbit network, but the netbook only had a 100mbit NIC itself) while just doing simple bulk transfers.
>It is easily possible to saturate a 100 Mbps network using an OpenVPN tunnel. The throughput of the tunnel will be very close to the throughput of regular network interface. On gigabit networks and faster this is not so easy to achieve. This page explains how to increase the throughput of a VPN tunnel to near-linespeed for a 1 Gbps network.
I think the protocol just wasn't designed for such high speeds.
It certainly doesn't use multiple cores for a single connection, though I've never tested (or reviewed the code) to see if it does manage to spread the computational load of multiple connections over more CPU resource.
I've not read the above linked article in detail (no time ATM) but there seems to be mention of offloading AES calculations to compatible hardware, so the bottleneck would appear to be CPU use.
Does using multiple cores on a single NIC actually speed up a network connection? If you're doing gigabit with 1500 byte packets, you get 12 ms to encrypt and process each packet -- I'd expect any cross-CPU synchronization to easily blow through that.
If the bottleneck is encryption speed, then you can definitely improve perf by spreading packets across the cores. Inter-core synch isn’t that expensive, and 12us is 24000 cycles on a 2GHz CPU. cmpxchg costs ~20 cycles (https://stackoverflow.com/questions/4187914/average-latency-...).
PS. And you don’t need to submit/receive packets to NIC one by one, either; those things support DMA scatter/gather.
Earlier you claim you will only ever hit ~300Mbit, but then you link to an article where the author hit 885Mbit throughput after tweaking a few settings and ensuring OpenSSL was using AES-NI.
PFSense on a cheapish high clockspeed server will easily get there. Total cost about a grand, a bit more if you want to use a low power no fan solution.
I would like to know a bit more about this as well.
I often play online multiplayer games, my main issue with using a vpn full time would be the performance impact here.
I'm also curious if PIA has a way where if I launch certain apps, it would pause itself while that application is running? Or some way to automate on/off state of the VPN.
I doubt it would affect your speed much. How often are you able to utilise 1Gbps anyway?
Sure in theory you'd see a slow down, but given that most of the sites and service you use aren't able to deliver 1Gbps to you directly, the decrease in speed is most likely lower than you'd think.
Yeah it looks like an android figure so PIA would use some new designs for sure to stand out in the market a bit. Their website also looks bit too clip-art fakey. Otherwise good service and been using it also
I use Algo[1] on a variety of VPS providers. It supports IPSec, but I only use Wireguard through it. Supporting OpenVPN is an explicit anti-goal for Algo[2].
I generally strongly recommend against using VPN providers on false advertisement grounds -- VPNs fundamentally cannot provide strong anonymity properties, but that doesn't stop many providers from listing anonymity as a selling point. In terms of the property VPNs can provide (privacy), you're better off maintaining as much control as possible over the service: you don't want to be tied to someone else's weak cipher or insecure protocol choices.
FD: I work for the company that made Algo, but have nothing to do with its development.
I just ran into a case where I needed a VPN for a short lived task. Ally bank blocks creation of time deposit accounts while in a foreign country, despite me already having an account with them.
Takes less than 10 minutes to setup a VPN with algo on DO and I just shut it down after my task was done. Cost me $0.02. The support for Wireguard + OSX Wireguard App is perfect and super easy.
For simple usages like this, you can also create an SSH socks proxy with one SSH command, and then configure your browser to use a local port as a socks proxy.
Does not require any software installed on the server, and the whole setup should be quicker then configuring VPN server and client.
Also, an HTTP proxy is a couple steps more to setup, but will allow you to use command line tools on the client, not just the browser. The majority of command line tools support http_proxy and https_proxy environment variables.
An easy and pretty secure way to setup an HTTP proxy is:
1. Install tinyproxy.
2. Configure it to listen only on localhost and start it.
3. SSH port forward localhost:8888 from your server. For example to the same port on your client.
4. Configure your clients to use localhost:8888 as a proxy.
Of course there are alternatives like this and thank you for sharing, but in my eyes, this actually requires significantly more work and mental thought. Spinning up a droplet on DO and opening the config file in wireguard is literally executing one command and doesn't require touching my browser configuration. Takes a couple more clicks to just delete the droplet. Done.
> That's not part of the threat model for 99.999999% of VPN users though.
You're right, and that's why it's not my primary objection. At the end of the day, the majority of VPN providers are still advertising themselves as anonymity services. This is patently false and dangerous to consumers.
I've used Streisand for a couple of years now with good result (running on a couple of Digital Ocean $5/mo instances). It takes a bit of setting up on new devices initially, but once done, is super smooth and easy to use.
Man, I love Wireguard; fast, stable and it doesnt destroy battery life. I only wish nixos didn't mess with configs, but I will fully admit that it is a very niche problem.
This might sound dumb. But, I use ProtonVPN because Mozilla partnered with them and I place trust in Mozilla’s ability to make a more informed choice than I can make — largely due to their access to information and on hand knowledge and expertise.
As much as I would like to support Mozilla, connecting to protonvpn.com with Firefox 65.0.1 throws me an insecure site error:
Your connection is not secure
The owner of protonvpn.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
Have you messed with your certs? It should be absolutely fine. I read over the weekend that some people were distrusting QuoVadis because or something or other to do with DarkMatter? I don't really understand too much about it, but proton use QuoVadis[0] so you'll get improper SSL for their sites if you did that.
No, but.... The above error was from my office. When connecting to ProtonVPN's website via a VPN, there is no error. Seems like it could be a certificate configuration error with the network I'm using, which is odd because it's a University and I've not seen that error anywhere else I regularly visit.
So.. IT that manages the certs and the gateway, use a MIMT 'attack' to decrypt all your traffic, scan/read it, and then encrypt it again to send it out to the wilderness of the Internet. This is what the browser is messaging. Notifying you that "something is wrong with the connection. Browser is not sure what exactly, thus pointing the finger on the certificate.
Perhaps someone can explain the above with more technical terms, but in a nutshell, our companies, on our corporate desktops/laptops sniff through each and every bit and byte that goes in and out of our machines.
A commom workardound "permanent accept this exception" (or similar wording) makes the browser to stop complaining about this breach of privacy.
The reason this warning will appear in Firefox is that it does not use the OS certificate store and it uses a built-in store. The corporate MitM cert will have been added to the OS root cert store so other browsers will trust it but it probably hasn't been added to the Firefox one.
>So.. IT that manages the certs and the gateway, use a MIMT 'attack' to decrypt all your traffic, scan/read it, and then encrypt it again to send it out to the wilderness of the Internet.
Yup, typically referred to as "SSL Inspection" by the companies that produce products to monitor SSL traffic. Normally this is accompanied by controlling the clients and pushing a cert into their browser to avoid the warning messages.
if your office firewall blocks a site secured with ssl, you will see an error message something like this. Do you have an aggressive firewall? If so, it's probably being blocked. Try from a different connection (like a coffee shop or home) and see what the result is.
I use ProtonVPN (and ProtonMail) for business but I haven't been that impressed so far. For personal use (e.g. BBC abroad) I just use OpenVPN on a Raspberry Pi.
I'd definitely be interested in a guide on how to set up a proxy on a free-tier cloud hosting site. Finding that ProtonVPN does not let me watch content I legally pay for if I'm in a different region...
Let me remind everyone that ProtonVPN is the only VPN service publicly available I know of that owns even a small portion of their own hardware and data center.
I trust the (more than not at all) regulated space of ISPs in my country more than I do the unregulated space of people running VPNs out of their basements. It's important to be clear: you're just moving trust from one entity (your ISP) to another (the company / human who runs the VPN). It's not clear to me why the VPN people are more trustworthy than ISPs.
> It's not clear to me why the VPN people are more trustworthy than ISPs.
In my country, the UK, ISPs are legally required to retain logs of customer activity for 12 months. A VPN has no such legal requirement.
So while I can't be 100% sure that my VPN is monitoring me, I can be 100% sure my ISP is. Additionally, my VPN has a financial incentive not to log customer data, or at the very least, not to be caught doing it.
(I'm currently using IVPN (https://www.ivpn.net/). It's on the more expensive side, though that isn't necessarily a bad thing, and it supports multihop over OpenVPN, and the experimental Wireguard protocol.)
+1 for IVPN...I've been using it for more than a year. I use both the client and openvpn versions. A heads up...in the whack a mole back and forth amazon, netflix, etc. will not allow you to connect from IVPN known IP addresses. That's not an issue for me, I'm not using it to get around country restrictions but if you do plan to do that IVPN may not be your best bet.
> It's not clear to me why the VPN people are more trustworthy than ISPs.
Surely it's because it is their business model.
ISP's have been proven to snoop and inject into traffic. They sell your data to those that have money. This is a breach of your privacy.
On the other hand if a VPN provider were caught doing that, it would be abandoned by it's customers overnight. It is the primary risk to the business.
With VPN services I have a choice, but with an ISP they hold most of the cards (I can leave them once my contract is up). ISP's take your trust and abuse it, VPN's have to earn it.
Where I live, I've never heard of ISP's doing this. Actually, they have been nothing but good so far. It might help that 1Gbit is a commodity here. You can't really get anything slower than 500Mbit. There's also enough competition to force them to innovate.
I don't neccesarily trust them, but they haven't done anything "evil" or questionable yet.
It's interesting that you paint ISPs, which have been constantly and repeatedly caught collaborating with governments, selling your data to advertisers, intruding in your communications, infringing your privacy, etc., it's interesting that you paint them as professional regulated companies, while VPN providers with credentials as "running in someone's basement".
"interesting", used in this context, implies that I am perhaps a shadowy figure in the nefarious employ of "big ISP". Would that it were so simple!
My opinion is not that ISPs are correctly regulated, or even well regulated, but that they have more than zero amounts of regulation applied to them. They also tend to be larger and slower to do things like collapse and rename themselves. This leads them, in my mind, to be better than a VPN company by default.
By default, mind: certain people may have certain use cases that propel a VPN over an ISP. For example, I am friends with people who live in countries that need VPNs to bypass ISPs controlled by dictatorships / corrupt regimes (I'm being intentionally vague here). However, that is not most people, and IMO VPNs being more private than the average ISP is an illusion.
I will echo the point that someone else made elsewhere in the thread. Due to the laws in my country of residence, I know for a fact that my ISP is 100% spying on me. So if there is a nonzero chance that my VPN provider isn't selling me out, I'm already better off. Furthermore, my VPN has no incentive to do that. I already pay them 10$ a month, why would they want to risk it all for pennies more? They aren't in a police state jurisdiction like the UK or Australia, so they don't have by law to turn in stuff to the police at their will.
PS: By "interesting" I did not mean "paid shill", like you seemed to assume.
If by countries you mean the west end of europe and north america then yes, 5 eyes is a comparatively shitty indictment of those countries regard for their citizen's privacy.
You're ignoring continents worth of countries and billions of people to get there though.
Bit late reply. And yes, UK and NZ are part of the five eyes. I'm a UK resident. My ISP is a small start up that has started less than a few years ago. One of the few companies that provide residential 1gbps. You'd expect such a company to at least act good and snoop etc. I still refuse to trust my ISP. All ISPs are legally required to retain all user activity for a while. As someone already mentioned, I can't be 100% sure my VPN isn't spying on me, but I can be 100% sure my ISP is. I'd rather risk the former.
Hyperbole aside, if I ever ran up against sites that were blocked then sure: you could then get a VPN to solve that problem. Similarly, if I gave a shit about using content that is licenced differently in different countries (if I wanted the US netflix or whatever) then a VPN could be useful there as well.
That's got nothing to do with privacy particularly, which is the direction my opinion is coming from (rightly or wrongly).
The first question you should ask is why you want a VPN.
Because I believe many people newer ask this question and have some vague idea about "it somehow improves security and/or privacy". In most situations this likely isn't true. You add an additional attack vector and you centralize your communication to a single point.
100% this. VPN marketing appears to have really gotten to people, everyone's always asking about it.
Real reasons I can see to use a VPN service
1) You want your traffic to reliably egress in that country. i.e. I live in New Zealand but to access some Australian TV on demand, I need to "appear" in Australia.
2) Errr, I can't think of any others.
If you are really trying to hide your traffic from your ISP:
1) Change ISP
2) If that's not possible, buy a cheap VPS and run OpenVPN/Wireguard on it and egress your traffic via it. Disable all logging etc.
i.e. Unless you need traffic to egress via a particular place and you don't care about someone you don't know seeing your traffic, buy a VPN service. If you DO care about your privacy really, buy a VPS service in the country you want it to egress.
For some of us, we live in jurisdictions where all ISPs are legally required to keep all metadata for all connections. (In tinpot pseudo democracies with governments who fail to understand technology but pass intrusive laws governing it anyway, then declare "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.")
In that case, a few bucks per month is a pretty good deal - it won't protect me if the NSA or any of their FVEYs friends get curious about me specifically, but it _will_ protect me against all my internet metadata getting bulk collected by my ISP and handed over to "national security" relevant agencies, such as local councils, dog catchers, and the taxi commission (yes, those agencies really do request and gain access to ISP metadata!)
I can and have run my own VPN (and VPN-like) endpoints on cheapo vpses, but it's worth my while/time to pay FSecure/Freedome, to do that for me.
Did you just describe Australia as a ‘tinpot pseudo democracy’?
Not that this is a high point in Australian politics with the game of musical chairs that is going on.
I’ve just never heard someone living there be so down on it.
So to me this filters down to:
You care about your privacy and not have your (meta) data gathered up, but you don't care enough about it ensure that you're really protected, you just hope you are by piping your data off somewhere else, even though the place you're piping it to might also be doing the dirty you.
I do understand your point, which is (correct me if i'm wrong) that you trust FSecure/Freedome to be taking care of your privacy correctly and not just reselling your metadata back to your country of origin etc.
Perhaps I am being a pedantic, grumpy old man though. Because now I think about it, even if we all run our own VPSes there's no way to vet the VPS provider doesn't just tap your egress traffic too.
I'd say you are "appropriately grumpy and pedantic".
From my perspective, my ISP is untrustworthy because it's legally required to be where I live. At least FSecure are not subject to that law, and are business-wise and give me a choice of endpoints that are outside of the jurisdiction of that law. They _might_ be collecting and on-selling that metadata, but I believe they are not. I 100% _know_ my ISP (and all my alternative choices for an ISP) are. So using them is a win.
Even if FSecure turn out to be evil - they'll be doing it for different reasons to my ISP (profit motive vs being compelled by local Australian laws), so the nature of my exposure there is different - and so far as I can see, smaller.
I strongly suspect the NSA _are_ tapping the egress of every commercial VPN provider and every commercial VPS provider. But if my adversary ever becomes the NSA I'm fucked, and I accept that.
If the local taxi commission or dog catcher go asking my ISP for my metadata records - even though I don't own a dog or a taxi license, I feel happier knowing my ISP can only tell them "Don't know, sorry. Here's a bunch of encrypted connections to various VPN endpoints around the globe."
Also - it's not so much about " … don't care enough about it ensure that you're really protected … ", but more like "One of my concerns is getting drive-by exploited because my data appeared in a huge dump of randomly breached metadata, rather than anybody targeting me specifically", and it's worth a few bucks a month to stop worrying so much about that. Being "really protected" is not possible (when the ultimate end-of-level boss fight is with the NSA), and getting even _close_ to that becomes exponentially expensive. 60EUR a year for Freedome on my phones/tablet/laptops and not having to do any ongoing maintenance or upgrading or weekend sysadmin work - is a good value deal for me. I don't think there's a significant improvement I can make to my protection in this area for less than an order of magnitude more money and two orders of magnitude more fucking around. I don't think I'm prepared to expend either of those for some incremental improvement in my privacy... If I were an illegal international arms dealer or a trafficker of cocaine by the tonne, I'd without doubt spend more money and effort there ;-)
Be careful with that assumption. Many, many VPN vendors actually sell their user data even if they advertise otherwise. They can also be far harder to penalize than ISPs, especially if they're outside the US/EU.
Part of me thinks "I don't care. If Facebook or Google or Experian or Equifax or whoever it's work a buck to wants to pay my VPN provider for my metadata - that's kinda bad, but possibly not as bad as being part of a great big juicy pile of government compelled metadata retention records at my ISP which can be easily accessed by random government agencies or evil actors working in government agencies with very little oversight."
I suspect my data leaking through profit motive from a VPN company specifically selected to be in a far away country is much less likely to fall into the hands of an internet troll or griefer, a disgruntled ex employee or partner, or a vindictive neighbour - than the trove of ISP metadata that can quite likely be readily accessed by bribing or blackmailing some random low-level government employee locally...
Why do you think it would be discovered at all? Unless the downstream customer buying the data makes it public, nobody will know. And by operating outside of the EU, you can't really be checked. So nobody who knows what's going on has any incentive to make the arrangement known.
1) Protect against logging and data retention laws
2) Avoid ISP legal universal blocking regimes
3) Shop for and compare cheaper prices: many places implement what we call the 'australia' tax, artificially inflate the prices when they see we're shopping from an Australian location. This is independent of actual tax collection issues.
4) Torrent: Australian's frequently access shows via torrenting still because our licensing/supply regime gives us a vastly sub-standard catalogue, and you can't access individual shows without signing up to full carrier packages, and we can't sign up to the international carrier's catalogue
5) Avoid data-shaping/non-net-neutral policies
6) Easy International and Geo-IP Testing
7) Logging onto services in public places via public wifi or access points
8) Accessing services during international travel
9) Accessing media explicitly geo-blocked in our country
Your solution (i believe) additionally doesn't meet the criteria of being able to egress from multiple countries/sources, nor does it cover the users who don't want the extra step of setting up the VPS.
I haven't checked, but i'm guessing a VPS comes at a far higher price for less (out of the box VPN specific features) than a specialised VPN provider.
True, if you want to egress multiple countries a VPN provider that lets you do that is a good solution. It's too late to update my original post, sadly.
What about traffic aggregation? Correct me if I'm wrong on this but as far as I understood it, VPN services forward multiple users' requests from a single IP address, disabling website owners to track you using your address.
If you are not too worried about privacy and just want to appear in another country or get around your cafe's system blocking some pages, I use hotspotshield.com or occasionally hideme.com in their free forms. Hotspotshield is actually quite handy. I just had to use it to access https://www.privateinternetaccess.com/ as Pret a Manger had decided that deserve blocking for some reason. Hideme seems kinda unreliable but works sometimes.
I don't know if I get the whole privacy thing - if you're just browsing HN etc like me why bother and if you want to do criminal stuff I gather it's better to use a completely separate machine with no personal info on. Or someone said Tails OS.
Regarding the whole privacy thing - this is the "If you've got nothing to hide, you've got nothing to fear" argument. There's plenty of information around on the arguments for and against [0].
>1) Change ISP 2) If that's not possible, buy a cheap VPS and run OpenVPN/Wireguard on it and egress your traffic via it. Disable all logging etc.
Streisand (https://github.com/StreisandEffect/streisand) is another option. It has the benefit of running on your own VPS (or bare metal if you want) and it is extremely user-friendly to set up and use.
Communication is already centralized for many people, even when you factor in cell and home internet, often without much alternative. When they've got you locked in like that, they can get away with just about anything: tracking; selling data; hi-jacking your connection for their own interests; blocking anything that goes against their interests; cooperating directly with MPAA, RIAA; etc. There's not much you can do about it.
If a VPN get's caught doing any of that, even if they're remotley suspected, switching is less painful than switching any other online service I can think of. Their motives are as clear as can be with an internet service.
> switching is less painful than switching any other online service I can think of.
I'd even say in many cases switching is possible. It isn't always possible to switch your ISP. Or in my case I can, but all other providers cap at 20Mbps in my town (which is fairly common).
If you're in the States, you probably are better off trusting reputable VPN provider than your local ISP. Especially because your communications are already centralized on that point and there's a long history of them being less than trustworthy.
IMHO, the only valid use-case for one of these VPN services is to hide your traffic from your ISP. Perhaps there's a small improvement in terms of your privacy (the VPN service has less incentive to sell your traffic data than your ISP). But if security is your primary concern, I think you will have to look elsewhere.
My laptop moves between ISPs (mine, my parents', my friends', my workplace's). Using a VPN restricts the number of companies able to intercept my traffic.
Circumventing Geoblocking or other censirshop is a good reason to use VPNs.
"Somethingsomething I believe it's more secure but I can't exactly explain why" is not.
Mullvad, because it has a good interface for port forwarding, and I kinda like the fact that it supports wireguard. It's also fast and reliable (but so are many of the others), and apparently has good privacy.
I've previously used AirVPN, which was great except for not having any servers near me, and ExpressVPN, which was great except for not having such a good interface for port forwarding (and also it's the most expensive of the ones I like).
PIA failed to answer a question that I sent in using their web support form (they didn't even say that they'd received it but couldn't answer it).
I used to use Mullvad but switched to AirVPN. Mullvad was extremely slow in the US (under 25mbps most times) where I have found AirVPN to be able to reach ~750mbps. They also publish the congestion on their servers which is very handy for reaching high speeds.
You may be interested in reading the discussion on Wireguard mailing list with Mullvad representative[1], where he voiced some security issues with particular use case of using Wireguard as a VPN provider (tl/dr: no identity hiding forward secrecy and no dynamic IP address assignment out of the box).
As for personal applications, in-kernel wireguard-dkms is my default VPN solution day and night.
Not exactly what the GP asked, but there’s also Wireguard in the iOS[0] and Mac App Stores[1].
Wireguard from the Mac App Store works successfully with Little Snitch (per-app firewall) and comes with a menubar icon that shows connectivity and allows quick switching. With the commandline-based version of Wireguard (installed from homebrew or wherever), Little Snitch sees all traffic as originating from the wireguard-go process. This is because the App Store version makes use of MacOS’s new network extension API, and Apple has only made that available to apps distributed through the App Store.
Just an expression of speech :). On Linux and macOS, I use the native stuff, on iOS I use the app the Wireguard team produced. I believe they've produced an Android app too.
The claim that Wireguard has not had a security audit is false[1][2]. It's based on the extremely robust Noise protocol framework, it has a formally verified Tamarin security model and two of the most well-known cryptographers in the world have personally reviewed it with no significant findings.
Wireguard also does not do any of the logging claimed by that article by default. I know this because I maintain Wireguard VPN instances on baremetal and public cloud. This strikes me as a misunderstanding of what Jason wrote on the mailing list about Blind Operator Mode[3].
I stopped reading that article after I saw these two (glaring) inaccuracies. Either someone has a vendetta against Wireguard or they seriously misunderstand the protocol's security and default behavior.
________________
>Wireguard also does not do any of the logging claimed by that article by default
It might not do the logging, but it still maintains state about which IP has connected using which key, and when the client last sent a handshake.
I have no idea how persistent this information is, but i can see from my Ubnt router, running WireGuard, that clients that haven't connected in weeks are still present in the Wg command status.
It's not an issue for me, but if you were trying to hide information, that information is a pretty bit smoking gun. It directly ties your IP to the VPN IP.
Assuming the rest of the VPN network is using shared IP addresses, and still maintains no logging, it might not be enough to prove that you're the one behind whatever they are searching for.
Then again, not all countries care that much about the "innocent until proven guilty" principle.
My favorite is IVPN. It's true that I've written stuff for them. But that's in part because I've known the CEO, Nick Pestel, for several years. And to the extent that I trust anyone, I trust him. But also, they're one of the older VPN services, and one of the first to accept Bitcoin. And their apps are well designed.
I also like AirVPN, Mullvad and PIA a lot. I don't know anyone there personally, but they're all strong privacy advocates.
I'm concerned about relationships between Tesonet and NordVPN and ProtonVPN. So I wouldn't use them.
Thanks for introducing me to IVPN. Seems like a good VPN, uses WireGuard.
Can you elaborate on the problem with the relationship between Tesonet, NordVPN and ProtonVPN. Also does your problem with ProtonVPN extend to protonmail? Should I be considering switching to a new email?
There's an old HN thread about it. Basically, the ProtonMail and PIA CEOs got in a catfight, and traded accusations. I don't recall what PIA was accused of. Maybe connections with China? But I've seen nothing more about that.
The PIA CEO basically claimed that Tesonet operated ProtonVPN for the ProtonMail team. And then additional articles appeared, detailing the connections. And adding NordVPN to the mix.
But many of their HN posts were deleted. And much of the other online coverage disappeared, presumably because of pressure from NordVPN and/or ProtonVPN. But I found caches for three of them.[0,1,2]
Maybe it's all bullshit. But it leaves me suspicious. And I gotta say that ProtonVPN's responses seemed evasive.
There might really be nothing to it, as the Proton* people claim. Or at least, just a somewhat iffy roll-out of their VPN, using Tesonet staff.
But on the other hand, I gather that Mozilla has picked ProtonVPN for its integrated VPN testing. And they seem competent and privacy-friendly.
Also, whatever they did with ProtonVPN, there's no reason to believe that there's anything wrong with ProtonMail. That's arguably their core competency. And they arguably brought in Tesonet because VPNs were not part of their core competency.
If you are migrating away from a centralized email provider you should move to a personal domain. That way you won't be trapped by any service in the future. There are numerous companies[0] that you can point your domain to and they will handle everything else. This costs a bit of money but it means that you will be the customer rather than the product.
[0] I use migadu.com but fastmail.com seems to be very popular with the HN crowd.
I recently switched to IVPN from Nord (a month or so ago), and I'm very glad I did. Great interface, and it never goes down.
NordVPN is always advertising their massive server network, but I was always getting booted off and having connection problems. I rarely have these problems with IVPN.
Just FYI, but "massive server network" often means a bunch of VPS in a few data centers. With devious cross-AS announcements to make servers geolocate as desired. It's easy to discover the truth, by using numerous ping and traceroute probes, and doing triangulation.
(3) REFERENCE -- look up any VPN you're considering here before using it (there are mistakes in this table, e.g., encrypt.me was named cloak but the specs don’t match).
It's insanely easy to set up a new box (I use linode right now but it works with a bunch of cloud providers) and it works well for my mobile devices too.
I like the fact that it's my own server and I am the only person with a copy of the encryption keys.
Also, I have a buddy who is in a middle-eastern country where using a VPN is illegal who was unable to use any other VPN service but had no issue connecting to and using my Streisand box.
I'm using Freedome, which requires special software (best I can tell). I'm using it because it's made by F-Secure, and I know the F-Secure people from a long time ago.
They have a large commercial business that would get seriously Kaperskied if it turned out they were knowingly doing anything wrong, and I've decided that that's the kind of incentive I want in a VPN provider.
F-Secure Oyj is a Finnish company. Due to cultural and societal standards, Finns take their work and product very seriously. If anyone or anything was shady and put peoples’ privacy at risk, the company would be shutdown immediately. It would be on the Finnish news for decades. ;)
The US government made it clear they thought Kaspersky software was a security risk, as they were a little too close to the Kremlin. True or otherwise, it'd be an almighty brave Western CIO who bought Kaspersky software moving forward.
It doesn’t support OpenVPN, but I’ll leave a plug for the Outline VPN from Jigsaw (Alphabet). [0]
It’s similar in concept to Algo, in that you deploy your own VPN server on a VPS rather than use a hosted service. However, it provides a polished desktop app for deploying the server, and walks you through creating a VPS on DigitalOcean very easily.
This is incredibly helpful, because most folks I’ve helped with VPN setups are not comfortable aren’t handy with a CLI, and I’ve been able to walk more than one person through setting Outline up very easily.
I'm glad to see Jigsaw tackling the UX side of things, but some caveats about shadowsocks (the protocol backing Outline): it's an encrypted proxy, not a VPN, and there are some open questions about weaknesses (not necessarily flaws) in its design[1].
I think easy-to-manage platforms like Outline will probably be the future, but I'm not convinced that shadowsocks is the right foundation.
Everyone has an ISP – even the VPN and VPS providers and the websites you visit – have ISPs. Most governments regulate their ISPs to monitor and censor.
To comply with these regulations, ISPs deploy appliance/boxes that can do packet inspection and blocking. It used to be IP blocking and DNS blocking.
As silicon became faster, these boxes have become more powerful. They can operate at multiple 100Gbps+ packet header scale and not just L3/L4, but also L7 packet headers (a.k.a deep packet inspection). Both of my ISPs (home and mobile) do this.
These same appliance companies sell data monetisation solutions to collect and sell metadata – usually done indirectly by a sister entity.
These boxes can also inject ads directly into plain http pages and manipulate DNS responses to do the same nefarious thing. In fact this clickjacking injection is the thing that turned me towards VPNs.
While the VPN solves the clickjacking injection problem, I’m fully aware of the fact that my VPS provider’s ISP maybe logging and selling all the metadata.
Even with https or TLS connections the domain name is revealed in plain text during connection setup. ESNI solves this problem, but no browser supports it by default yet. Other metadata collected usually includes – time, location, connection protocol fingerprinting to uniquely identify devices (TV, phones, laptops etc) behind customer IP address, frequency of access, bytes transferred per connection etc.
The real danger is this – as adtech evolves the lines are blurred between plain advertisement vs personalised experiences and targeted digital brainwashing.
Election manipulations, shifting the sentiments (distributed lobbying) in favor of desired outcomes, addictive spending - these become just natural evolution/extensions of this ad tech. With ISPs data mining and selling to invisible companies we won't be cognizant of this manipulation.
Box in a basement. A friend in the states provided one for me and I'm happy. It does what it needs to do (AKA encrypts traffic on public networks and lets me get to the US only stuff). It's also undetectable compared to commercial VPNs, because the number of people using it is very small and services think it's just a household.
I offer my server to some friends and family in the military who want access to stuff from home. I often wonder how their activity shapes what the collection companies think of my household. Do they think 20 people live here? Do they think the household income is that of many adults?
Also, it would be really cool if there was a P2P exchange for services like this. With Netflix et al blocking IPs from VPNs and VPSs there must be a large market for VPNs egressing from residential IPs.
Long time ExpressVPN user here too, switched from BoxVPN which was slow and unreliable. ExpressVPN on the other hand has been well worth the cost. As mentioned by others, their software is A+ and stays out of the way for the most part. I don't use it to stream netflix while traveling, so that's never been a problem for me. I'm on a gigabit network at home and have found that the throughput speed is pretty good...beyond satisfactory for sure. I don't plan on switching.
I like it as well, but Netflix blocks it much more than a year ago...it's a shame, because I travel a lot, and changing country means that I can't finish a series that I was watching in another country
I too use ExpressVPN - `expressvpn list` gives you a list of all VPN servers in all countries, not all of them are blocked. Support has been helpful (< 5 minutes reply time in an Australian Saturday night) in ferreting out one that works, even though back then the support person stated that they focus on keeping US servers unblocked.
Netflix blocks majority of VPN but in contrast Spectrum/Brighthouse is in long-term fight with Sling Tv and they block them unless you use VPN. So you win some you lose some.
ExpressVPN has been great to me and I continue to fail finding bad news about them. They dont offer any discounts tho and Im on $99/year plan but I was tempted to get NordVPN for half thatprice. I gave up on setting up their stone-age designed router software and came back to Express. Express has amazing software for N7000 router series and it allows me to exclude iPad that I use to watch Netflix while rest of network continues to be secure. So with their router software and $99/year you have unlimited amount of devices covered. Speed is amazing too and number of servers avail is very hight. Honestly I feel its worth double the proce I would pay for Nord, as I put it in my company costs anyways ;)
also use expressvpn, close to 4 years now, it’s typically quite stable and i live shanghai, the updates are quite frequent, i suppose it’s to circumvent or make the service more available and the locations are plentiful. the cost is pretty high, 99 usd a year, but if you refer enough users, there’s a 20 usd discount.
the speeds are not great, but it just maybe because i’m in china, i couldnt watch hbo go or stream netflix at the time, i use it generally for programming.
Been using Ghostifi for about three months now. You’re the sole user of the VPN, and you get root access to the VPS that it’s built on.
You may ask “how is this different than just running my own vps”, and the answer is the ability to redeploy to another region with no downtime and push of a button. I love that feature and use it often.
Because you’re on your own VPS, so far in my experience, I’ve never even noticed I’m connected to a VPN. It’s blazing fast. I cancelled my PIA account and moved over entirely.
I used a few over the years. Boleh, Nord, PIA, etc.
One day I woke up and realised I do not know who runs those companies. For example, Nord is registered in Panama, a country where declaring company ownership is not mandatory. Why should I trust them with my data?
After a little digging I found that Proton is the only VPN provider whose owners have put their names and reputations on the the line. The only one.
It doesn't mean I trust them 100%. But if someone is willing to put their face on their website, I'd say it gives them an extra incentive to do their job right.
I use NordVPN, largely because they were recommended by a friend. But I only really use them to reach sites blocked by my ISP. So I find it really useful to use their Firefox plugin which doesn't affect other applications I'm running at the same time.
I switched to Nord from Private Internet Access because their apps looked nicer. I regret it entirely. NordVPN has been noticeably less stable, slower, and their apps aren't actually that nice to use, and can be slow and buggy. PIA looks a bit "programmer art" but it's far better.
What client were you using when you were using PIA? The UI was drastically improved with the release of the new client in January and you may like it a lot more.
I personally use Freedome to get around geo-based blocking or when using open Wi-Fis.
I also have a self-hosted OpenVPN-server running at home, which I occasionally use for open Wi-Fi networks or getting around content blocking on some networks.
For day-to-day usage, I don't use a VPN. I place some trust on my ISP (both mobile and wired) to carry my traffic.
If you use something like sshuttle, you can use any arbitrary VPS. If you insist on openVPN, however, you can always:
$ sudo apt install openVPN
and run your own VPN instance.
But then again, openVPN requires an excessive amount of configuration, in order to achieve something as menial as a key exchange. The silly thing is that it does not achieve more than what "ssh-copy-id" does, without all the silly ceremonies.
By the way, commercial VPN services also tend to be more expensive than renting your own VPS, which you can nowadays even rent by the hour, if you want to.
In other words, OpenVPN is a service for people who do not know what they are doing. The problem with that is, that their security strategy will ultimately not work either. Paying money to an OpenVPN provider will not make any difference to the problem.
"If you use something like sshuttle, you can use any arbitrary VPS..."
If I may expand this a bit - you can use any system anywhere that you have an ssh login to. There is no server side software requirement - you just need to have a login and the "server" needs to have python installed.
It's really a fantastic VPN model and I recommend looking into it.
There's a website[0] that goes into detail comparing different providers. This used to be a shared spreadsheet but the author chose to turn it into a website. I still have the old spreadsheet if anyone wants it (from 2016?).
I was looking for a reasonably priced VPN not based in the 5 eyes territory, and I came to iVPN as the best solution for my criteria and at $110 per year.
Sent iVPN an email a few weeks back if they'd check all my requirements:
- Wireguard in Switzerland
- IPv6 /64 subnet
- No bandwidth penalty
Now they can only fill the last point, if they ever get all three they'll get a lifelong customer out of me.
What I now have is Mullvad for IPv4 for their Swiss servers and good bandwidth, AzireVPN for their /64 IPv6 subnet. Both are running on my router, but I'd be happy to have only one provider.
There's no silver bullet. It all depends on why you need VPN.
Personally I use it for privacy (I don't trust any ISP in the country and especially local government). I host my own VPN on a virtual node outside country (even outside continent). It makes the connection a bit slower, than without any tunnels, but I got used to it. Also I have to pay extra efforts to maintain it, but that's the privacy cost.
Moreover, with own server it's possible to achieve things which are usually unavailable with paid VPN services. E.g. run openvpn through ssl/ssh tunnel or something similar. Or use just ssh tunnel or anything like that. It helps to mask the traffic and ease your life in case of question from some people.
Depending on your country popular services might be simply unavailable and you'd need at least couple of them at the same time to ensure connection redundancy. Also (depending on what you're doing and local laws) you might have a hard time explaining your country secret agency why you're paying vpn proxy company, while explanation for hosting service might save a lot of time for you (and avoid additional questions). But that's (hopefully) extreme cases.
Also you receive static IP in case with hosting. But you might rotate it as often as you want by just recreating the machine.
But also keep in mind, that some services ban popular hosting (and VPN) providers IP ranges.
This. I've been an AirVPN customer for over three years. They have the right combination of locations, Tier 1 technical savvy, OpenVPN support, price, configurability, and, above all, privacy.
Providers I went through before settling on AirVPN: vpn.ht, IPVanish, PIA, Astrill and PureVPN.
I agree. I've been using airvpn with pfsense for a while now. The connection is reliable, I can have multiple connections to multiple regions, and it's simple to route an entire vlan out of a particular VPN.
A dedicated server at the Warsaw Hackerspace, which is its own LIR/ISP (AS204880) and has a BGP session to the local IX and an upstream mix.
I highly recommend running your own VPN endpoint on at least a VPS/cloud instance somewhere. Such address blocks are used by tons of other users at immense traffic levels, and as such your traffic is much less likely to be intercepted by the provider itself.
I doubt the scale of the data being intercepted is much concern for the hyperscale providers. AWS already has a customer-facing service that monitors for connections to its own "watchlist", I'd be surprised if all traffic isn't monitored in the same way.
I run https://github.com/jawj/IKEv2-setup on a $2.50/mo Vultr server and it's been great for my whole family. Blazing fast, the connection survives IP changes (e.g. switching from cellular to Wifi), and it works in China.
I used https://encrypt.me and really liked their client. To be honest, I didn’t know a whole lot about them, but that wasn’t a primary concern factor at the time.. it was who I was vpn-ing to be unseen that drove me to a vpn at the time.
I was a customer when they were called Cloak & were just 3 guys writing some of the best Mac & iPhone software. They had the best customer service I've ever experienced (Dave spent a lot of time helping me with some weird networking issues related to MacPostFactor on an outdated Mac), and with my business clients we used to talk about Cloak as the kind of company we aspired to work with - genuine, trustworthy & talented people.
The founders have since sold the company (hence the rename to Encrypt.Me), and it now has Windows & Android versions. But as they've grown & the founders left, it's lost a bit of that small indie / Jerry Maguire feel where you knew all the developers & customer support team by name. It's still good, just feels like your favorite underground band has gone mainstream.
I use them for hotel/cafe WiFi protection & testing how my website looks from overseas. They're not a service for seeding torrents etc. I'm glad they try to keep their network clean, makes it better & more reliable for legit business users like myself.
Since my main use for a VPN is to access things in the UK from the UK, I use a Raspberry Pi which I left hidden behind the TV in my parents' living room, running things including OpenVPN. Their upload bandwidth isn't great, so I try to avoid loading it during the day - one useful effect of being in a very different timezone!
I also setup OpenVPN access on my mum's laptop, so she can access things in the UK when she's traveling...
Bandwidth costs and blocking of known IP blocks makes a VPS-based solution not so attractive to me. I do have a couple of 'lifetime' accounts with random VPN providers as a backup. I also have the OpenVPN client running in a docker container on my PC with a SOCKS server in front of it, for flexibility.
I'm going to link here the site [1] I found while researching the same topic several months ago. I was overwhelmed by information available and in the end I didn't choose any option. Seems like all providers have pros and cons and I didn't have any specific use case to weight in on the decision.
The person running it provided a number of detailed comparisons of various VPN providers here [2].
Personally, I just use OpenVPN on one of my DigitalOcean instances. I don't place a lot of reliance on a VPN for privacy (disabling JS, using Firefox's tracking protection, blocking third-party cookies, and avoiding most any social media sites are my main defenses), but I've heard fairly good stuff about Streisand if you're looking to set up at a new IP and datacenter more frequently.
One thing that's often missed is making sure you configure your local firewall to disallow all non-VPN traffic, such as startup/network initialization info.
I read about a project, widely deployed, where people install special router software in their homes for instance. And that they got better availability than "plain" internet. Sadly, I did not bookmark it, because I thought I would remember the name or terms to google it up again.
Anyone know what I'm talking about? It would compensate for instance censored web sites, or routing table errors at the ISP, and route/tunnel the traffic through one of your peers in the project. Damn, I don't think I dreamed this up.
I use NordVPN. I've been using it for a few months, and I'm happy with it. It has a lot to offer. Also, to others reading this, do you think NordVPN is bad? I've heard some say PIA is better, but didn't explain as to why.
I also have another smaller VPN called CrypticVPN. They have a lifetime plan and a small amount of servers, but they also allow port forwarding.
I also made a openVPN server with a cheap VPS, and I'm just toying with it really.
Mullvad + WireGuard, works exceedingly well across my phone and my Linux laptop.
One of the benefits of WG is that it's extremely performant and I can set my own DNS within the config (a Pi-Hole hosted at DigitalOcean for adblocking).
As WG isn't available for Windows just yet, I use OpenVPN's native binary on my Windows machine; Mullvad offers .ovpn files in the same way as they offer .conf files for WG.
Mullvad also requires no PII when signing up, so ensure that you securely store your account number.
I’m curious to know about use cases. I recently started thinking about anonymizing my web activity because a few minutes after I searched for a particular make/model vehicle, my wife saw an ad for it on Facebook. It seems like this is IP-based tracking, since I was searching in Firefox Focus (and she doesn’t get car ads in general).
Would a VPN help with this? I’ve tried using Tor (through Brave), but I run into tons of captchas and many sites won’t load at all.
A VPN won't solve the problem entirely, but it can help (because you share a public IP with many other users of that VPN service).
Of course it's crucial you pick a vpn provider you trust, that won't sell your data etc.
There are many other ways of tracking though, first of all browser cookies and cache, but also browser fingerprinting.
So, with these methods, you can even be tracked/uniquely identified while using a VPN.
Been using PureVPN for 1+ year and it works great so far. The connection speed is decent, the app is easy to use, and their live chat support is on point.
Fulfills all your requirements too. OpenVPN can be used directly with the app and can be manually configured on other platforms. The SOCKS5 (Proxy) comes with their Chrome/Firefox extension which can be also be used on Windows, MAC, and Linux except for mobile devices.
Mullvad and NordVPN. Mullvad because they support WireGuard. NordVPN I'm transitioning away from since Mullvad is significantly better. With both I needed Linux support and both deliver that in spades. Not a fan of the performance of OpenVPN anymore after getting a taste of Wireguard. Mullvad is likely one of the more privacy focused services - although YMMV with any of them.
I'm not particularly well informed here but I currently use https://github.com/StreisandEffect with a standard VPS provider to give me a nice VPN + tor bridge. I'm interested to know what the pros/cons of this approach are. The setup is fairly straightforward and pain free.
The only reason I use a VPN is to shift my traffic to make it look like it's coming from another country. Only for traffic that I don't care about getting sniffed. I close everything I can before activating it.
Like a few have commented here, I just use openVPN on a DigitalOcean instance. I thought of just paying for a service, but decided that set-it-up-once and paying for an instance is good enough for me. After all, in my view, the purpose of a VPN is not to send traffic to some host which I don't have control of. I can "trust", but trust != control.
I recently answered this in another thread[0]: I'm using Wireguard in combination with Pi-Hole on a cheap VPS as a VPN on my iPhone, it's blazingly fast and super stable. Will be trying this on my Mac as well now.
I've been using NordVPN for a few years now and I like it. They recently added some optional adblocking via vpn which is a nice option when I am off my own network. I've considered PIA, but I don't like that they're based in the USA, and Nord has frequent deals where you can get a few years of service for stupid cheap discounts.
I tried a server of a certain free VPN via OpenVPN and since it did not support tunneling traffic through their own servers for IPv6 requests, my friend told me to disable IPv6 on my adapter's settings. Now ipleak.net doesn't detect my location. Was it a smart thing to do?
Unless you're using a VPN service that provides its own IPv6 address, as well as an IPv4 address, it's crucial that you disable IPv6 and/or use a firewall to block IPv6 traffic.
Or at least, it is if your ISP provides IPv6 service. If it does, and the VPN both routes IPv6 and doesn't push its own IPv6 address, IPv6-capable websites will see a global IPv6 address that's owned by your ISP.
I've done the same but for a proxy I needed to circumvent geofencing restrictions. I got a local(non-US) VPS provider and installed squid on it. I found it more affordable than the paid services out there and it's immensely better than free options that are prone to abuse and are rendered essentially unusable.
For day to day browsing: None.
For occasional VPN requirements without a serious privacy concern (bypassing geoblocks etc): The free service provided with one of my Usenet providers.
If I have an actual need for privacy, I'd fire up a cheap VPS somewhere and deploy a VPN server, then dispose of it afterwards.
Along these lines, I recently switched from OpenVPN running on a (powerful) server in my home (primarily a NAS) to WireGuard running directly on my gateway (Unifi Security Gateway by Ubiquiti). Despite running on far less capable hardware, WireGuard is magnitudes faster. Not only that but setting up WG was perfectly intuitive. I highly, highly recommend it.
I create one on AWS with CloudFormation as needed. It's not the cheapest option overall but for intermittent use, it's far cheaper than paying a monthly subscription.
Also, if you pay your AWS bills using an Amazon Prime credit card, you get 5% back. (just checked on my cc)
There is alternative option beside VPN, which is shadowSocket, you can search keyword SSR, it works very well, in order to use it, you need to rent a VPS (about $10 per year), which is used to deploy SSR service. it is more secure than VPN I think.
NordVPN. As a basic user who would like to have access the web via VPN on mobile and desktop, NordVPN fulfills my needs. I would say that the desktop client is a bit buggy (sometimes logs my username out for no reason). iOS client is solid.
For personal use I use ExpressVPN because it's rock solid with simple setup and UX. For work we setup our own OpenVPN server in a cloud vm. ExpressVPN covers both your requirements with a little extra setup.
Nord has worked quite well for me for the last couple of months. It's easy to use and has plenty of servers to choose from. I guess I can recommend it even though I haven't tried other vpn services.
I just VPN using Wireguard to my own home. I only care about the security part ( when using public/work wifi ), not the privacy one, so I'm ok with that and having access to my LAN network is nice.
Why do I choose them? Besides the ease of use over multiple platforms, they are the only VPN (I am aware of) that has held up in court that they do not store any logs when asked to handover personal information.
Sources:
[1] https://torrentfreak.com/private-internet-access-no-logging-...
[2] https://www.scribd.com/doc/303226103/Fake-bomb-threat-arrest