1. It should work with OpenVPN
2. It should support SOCKS5 (Proxy)
PIA, Nord, Mullvad, ZorroVPN, ProtonVPN look promising. On the other hand, SigaVPN is based on a not-for-profit model so I was not sure about it. What is your personal preference?
Why do I choose them? Besides the ease of use over multiple platforms, they are the only VPN (I am aware of) that has held up in court that they do not store any logs when asked to hand over personal information.
Sources:
[1] https://torrentfreak.com/private-internet-access-no-logging-...
[2] https://www.scribd.com/doc/303226103/Fake-bomb-threat-arrest
A Juniper SRX 320 that I have can only reach about 500 Mbps.
https://blog.mozilla.org/futurereleases/2018/10/22/testing-n...
Your connection is not secure
The owner of protonvpn.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
Doesn't inspire confidence.
[0] https://old.reddit.com/r/firefox/comments/au7zcz/how_to_remo...
*disclaimer, I also work for ProtonMail so my use of ProtonVPN is more of a company perk, but one I enjoy.
Because I believe many people never ask this question and have some vague idea about "it somehow improves security and/or privacy". In most situations this likely isn't true. You add an additional attack vector and you centralize your communication to a single point.
If a VPN gets caught doing any of that, even if they're remotely suspected, switching is less painful than switching any other online service I can think of. Their motives are as clear as can be with an internet service.
I'd even say in many cases switching is possible. It isn't always possible to switch your ISP. Or in my case I can, but all other providers cap at 20Mbps in my town (which is fairly common).
Real reasons I can see to use a VPN service
1) You want your traffic to reliably egress in that country. i.e. I live in New Zealand but to access some Australian TV on demand, I need to "appear" in Australia.
2) Errr, I can't think of any others.
If you are really trying to hide your traffic from your ISP:
1) Change ISP
2) If that's not possible, buy a cheap VPS and run OpenVPN/Wireguard on it and egress your traffic via it. Disable all logging etc.
i.e. Unless you need traffic to egress via a particular place and you don't care about someone you don't know seeing your traffic, buy a VPN service. If you DO care about your privacy really, buy a VPS service in the country you want it to egress.
In that case, a few bucks per month is a pretty good deal - it won't protect me if the NSA or any of their FVEYs friends get curious about me specifically, but it _will_ protect me against all my internet metadata getting bulk collected by my ISP and handed over to "national security" relevant agencies, such as local councils, dog catchers, and the taxi commission (yes, those agencies really do request and gain access to ISP metadata!)
I can and have run my own VPN (and VPN-like) endpoints on cheapo vpses, but it's worth my while/time to pay FSecure/Freedome, to do that for me.
I do understand your point, which is (correct me if i'm wrong) that you trust FSecure/Freedome to be taking care of your privacy correctly and not just reselling your metadata back to your country of origin etc.
Perhaps I am being a pedantic, grumpy old man though. Because now I think about it, even if we all run our own VPSes there's no way to vet that the VPS provider doesn't just tap your egress traffic too.
From my perspective, my ISP is untrustworthy because it's legally required to be where I live. At least FSecure are not subject to that law, and, business-wise, give me a choice of endpoints that are outside of the jurisdiction of that law. They _might_ be collecting and on-selling that metadata, but I believe they are not. I 100% _know_ my ISP (and all my alternative choices for an ISP) are. So using them is a win.
Even if FSecure turn out to be evil - they'll be doing it for different reasons to my ISP (profit motive vs being compelled by local Australian laws), so the nature of my exposure there is different - and so far as I can see, smaller.
I strongly suspect the NSA _are_ tapping the egress of every commercial VPN provider and every commercial VPS provider. But if my adversary ever becomes the NSA I'm fucked, and I accept that.
If the local taxi commission or dog catcher go asking my ISP for my metadata records - even though I don't own a dog or a taxi license, I feel happier knowing my ISP can only tell them "Don't know, sorry. Here's a bunch of encrypted connections to various VPN endpoints around the globe."
There is no comparison between an ISP with a TOS saying they can and will sell your data and a VPN company which explicitly advertises privacy.
First, it is false advertising, and second, with GDPR such a company would be wiped out after somebody figures it out.
I suspect my data leaking through profit motive from a VPN company specifically selected to be in a far away country is much less likely to fall into the hands of an internet troll or griefer, a disgruntled ex employee or partner, or a vindictive neighbour - than the trove of ISP metadata that can quite likely be readily accessed by bribing or blackmailing some random low-level government employee locally...
Streisand (https://github.com/StreisandEffect/streisand) is another option. It has the benefit of running on your own VPS (or bare metal if you want) and it is extremely user-friendly to set up and use.
1) Protect against logging and data retention laws
2) Avoid ISP legal universal blocking regimes
3) Shop for and compare cheaper prices: many places implement what we call the 'Australia' tax, artificially inflating the prices when they see we're shopping from an Australian location. This is independent of actual tax collection issues.
4) Torrent: Australians frequently access shows via torrenting still because our licensing/supply regime gives us a vastly sub-standard catalogue, and you can't access individual shows without signing up to full carrier packages, and we can't sign up to the international carriers' catalogue
5) Avoid data-shaping/non-net-neutral policies
6) Easy International and Geo-IP Testing
7) Logging onto services in public places via public wifi or access points
8) Accessing services during international travel
9) Accessing media explicitly geo-blocked in our country
Your solution (I believe) additionally doesn't meet the criteria of being able to egress from multiple countries/sources, nor does it cover the users who don't want the extra step of setting up the VPS.
I haven't checked, but I'm guessing a VPS comes at a far higher price for less (out of the box VPN specific features) than a specialised VPN provider.
I generally strongly recommend against using VPN providers on false advertisement grounds -- VPNs fundamentally cannot provide strong anonymity properties, but that doesn't stop many providers from listing anonymity as a selling point. In terms of the property VPNs can provide (privacy), you're better off maintaining as much control as possible over the service: you don't want to be tied to someone else's weak cipher or insecure protocol choices.
FD: I work for the company that made Algo, but have nothing to do with its development.
[1]: https://github.com/trailofbits/algo
[2]: https://github.com/trailofbits/algo/blob/master/docs/faq.md#...
https://github.com/StreisandEffect/streisand
Edited to add link:
https://github.com/StreisandEffect/streisand
I'd love to know more about this.
* OpenVPN's user experience isn't as good as IPSec's or (more recently) Wireguard's.
* OpenVPN uses TLS and specifically OpenSSL, meaning that it inherits substantial design and implementation flaws.
* OpenVPN's security track record is poor, both on the client and server sides.
Takes less than 10 minutes to set up a VPN with algo on DO and I just shut it down after my task was done. Cost me $0.02. The support for Wireguard + OSX Wireguard App is perfect and super easy.
Please tell your coworkers, thank you!
I've previously used AirVPN, which was great except for not having any servers near me, and ExpressVPN, which was great except for not having such a good interface for port forwarding (and also it's the most expensive of the ones I like).
PIA failed to answer a question that I sent in using their web support form (they didn't even say that they'd received it but couldn't answer it).
I thought WireGuard was all CLI-based for now with no good UI (I use Linux desktop and Android phones)
https://play.google.com/store/apps/details?id=com.wireguard....
Wireguard also does not do any of the logging claimed by that article by default. I know this because I maintain Wireguard VPN instances on bare metal and public cloud. This strikes me as a misunderstanding of what Jason wrote on the mailing list about Blind Operator Mode[3].
I stopped reading that article after I saw these two (glaring) inaccuracies. Either someone has a vendetta against Wireguard or they seriously misunderstand the protocol's security and default behavior.
________________
1. https://www.wireguard.com/formal-verification/
2. https://eprint.iacr.org/2018/080.pdf
3. https://lists.zx2c4.com/pipermail/wireguard/2017-November/00...
It's insanely easy to set up a new box (I use linode right now but it works with a bunch of cloud providers) and it works well for my mobile devices too.
I like the fact that it's my own server and I am the only person with a copy of the encryption keys.
Also, I have a buddy who is in a middle-eastern country where using a VPN is illegal who was unable to use any other VPN service but had no issue connecting to and using my Streisand box.
I also like AirVPN, Mullvad and PIA a lot. I don't know anyone there personally, but they're all strong privacy advocates.
I'm concerned about relationships between Tesonet and NordVPN and ProtonVPN. So I wouldn't use them.
Can you elaborate on the problem with the relationship between Tesonet, NordVPN and ProtonVPN? Also, does your problem with ProtonVPN extend to ProtonMail? Should I be considering switching to a new email?
The PIA CEO basically claimed that Tesonet operated ProtonVPN for the ProtonMail team. And then additional articles appeared, detailing the connections. And adding NordVPN to the mix.
But many of their HN posts were deleted. And much of the other online coverage disappeared, presumably because of pressure from NordVPN and/or ProtonVPN. But I found caches for three of them.[0,1,2]
Maybe it's all bullshit. But it leaves me suspicious. And I gotta say that ProtonVPN's responses seemed evasive.
0) VPNscam.com: NordVPN, ProtonVPN, ProtonMail, Owned by Tesonet CEO Darius Bereika https://keybase.pub/mirimir/NordVPN%2C%20ProtonVPN%2C%20Prot...
1) best10vpn.com: Proof that NordVPN is Owned by Data Mining Company Tesonet https://keybase.pub/mirimir/Proof%20that%20NordVPN%20is%20Ow...
2) airvpn.com: Why You Can’t Trust NordVPN https://keybase.pub/mirimir/Why%20You%20Can%E2%80%99t%20Trus...
Edit: Also FYI
Lawsuit names NordVPN, Tesonet in proxy data extraction scheme https://news.ycombinator.com/item?id=17873164
HolaVPN (luminati) is suing NordVPN (Tesonet) for stealing p2p proxy patents https://drive.google.com/open?id=1_AlNxNN-fiIVW64-605c_OJO0C...
But on the other hand, I gather that Mozilla has picked ProtonVPN for its integrated VPN testing. And they seem competent and privacy-friendly.
Also, whatever they did with ProtonVPN, there's no reason to believe that there's anything wrong with ProtonMail. That's arguably their core competency. And they arguably brought in Tesonet because VPNs were not part of their core competency.
[0] I use migadu.com but fastmail.com seems to be very popular with the HN crowd.
The person running it provided a number of detailed comparisons of various VPN providers here [2].
[1] https://thatoneprivacysite.net/choosing-the-best-vpn-for-you...
[2] https://thatoneprivacysite.net/vpn-section/
(2) Then read this about VPN services and deceptive ratings:
https://thatoneprivacysite.net/choosing-the-best-vpn-for-you...
(3) REFERENCE -- look up any VPN you're considering here before using it (there are mistakes in this table, e.g., encrypt.me was named cloak but the specs don’t match).
https://thatoneprivacysite.net/vpn-comparison-chart/
Note: products are listed by product name instead of by manufacturer, e.g., F-Secure's VPN is listed as "Freedome," not "F-Secure."
Remember: NEVER USE FREE VPN.
One thing that's often missed is making sure you configure your local firewall to disallow all non-VPN traffic, such as startup/network initialization info.
They have a large commercial business that would get seriously Kasperskied if it turned out they were knowingly doing anything wrong, and I've decided that that's the kind of incentive I want in a VPN provider.
Would a VPN help with this? I’ve tried using Tor (through Brave), but I run into tons of captchas and many sites won’t load at all.
There are many other ways of tracking though, first of all browser cookies and cache, but also browser fingerprinting.
So, with these methods, you can even be tracked/uniquely identified while using a VPN.
https://www.privacytools.io/#fingerprint
ExpressVPN has been great to me and I continue to fail finding bad news about them. They don't offer any discounts though and I'm on the $99/year plan, but I was tempted to get NordVPN for half that price. I gave up on setting up their stone-age designed router software and came back to Express. Express has amazing software for the N7000 router series and it allows me to exclude the iPad that I use to watch Netflix while the rest of the network continues to be secure. So with their router software and $99/year you have an unlimited amount of devices covered. Speed is amazing too and the number of servers available is very high. Honestly I feel it's worth double the price I would pay for Nord, as I put it in my company costs anyways ;)
I could not recommend them high enough.
The speeds are not great, but it may just be because I'm in China; I couldn't watch HBO Go or stream Netflix at the time. I use it generally for programming.
[0] https://news.ycombinator.com/item?id=19186795
I use it pretty much exclusively to tunnel my traffic when using a public and/or open WiFi with my phone or laptop.
One day I woke up and realised I do not know who runs those companies. For example, Nord is registered in Panama, a country where declaring company ownership is not mandatory. Why should I trust them with my data?
After a little digging I found that Proton is the only VPN provider whose owners have put their names and reputations on the line. The only one.
It doesn't mean I trust them 100%. But if someone is willing to put their face on their website, I'd say it gives them an extra incentive to do their job right.
---
[1] https://thewirecutter.com/reviews/best-vpn-service/
To find a cheap VPS hang out on lowendtalk.com / lowendbox.com
Also, tor browser.
You may ask “how is this different than just running my own vps”, and the answer is the ability to redeploy to another region with no downtime and push of a button. I love that feature and use it often.
Because you’re on your own VPS, so far in my experience, I’ve never even noticed I’m connected to a VPN. It’s blazing fast. I cancelled my PIA account and moved over entirely.
https://ghostifi.net
I also set up OpenVPN access on my mum's laptop, so she can access things in the UK when she's traveling...
Bandwidth costs and blocking of known IP blocks makes a VPS-based solution not so attractive to me. I do have a couple of 'lifetime' accounts with random VPN providers as a backup. I also have the OpenVPN client running in a docker container on my PC with a SOCKS server in front of it, for flexibility.
$ sudo apt install openvpn
and run your own VPN instance.
But then again, OpenVPN requires an excessive amount of configuration, in order to achieve something as menial as a key exchange. The silly thing is that it does not achieve more than what "ssh-copy-id" does, without all the silly ceremonies.
By the way, commercial VPN services also tend to be more expensive than renting your own VPS, which you can nowadays even rent by the hour, if you want to.
In other words, OpenVPN is a service for people who do not know what they are doing. The problem with that is, that their security strategy will ultimately not work either. Paying money to an OpenVPN provider will not make any difference to the problem.
It’s similar in concept to Algo, in that you deploy your own VPN server on a VPS rather than use a hosted service. However, it provides a polished desktop app for deploying the server, and walks you through creating a VPS on DigitalOcean very easily.
This is incredibly helpful, because most folks I've helped with VPN setups aren't comfortable or handy with a CLI, and I've been able to walk more than one person through setting Outline up very easily.
[0] https://www.getoutline.org/en/home
I think easy-to-manage platforms like Outline will probably be the future, but I'm not convinced that shadowsocks is the right foundation.
[1]: https://crypto.stackexchange.com/questions/39776/evaluatung-...
I was looking for a reasonably priced VPN not based in the 5 eyes territory, and I came to iVPN as the best solution for my criteria and at $110 per year.
[0] https://thatoneprivacysite.net/vpn-comparison-chart/
- Wireguard in Switzerland
- IPv6 /64 subnet
- No bandwidth penalty
Now they can only fill the last point, if they ever get all three they'll get a lifelong customer out of me.
What I now have is Mullvad for IPv4 for their Swiss servers and good bandwidth, AzireVPN for their /64 IPv6 subnet. Both are running on my router, but I'd be happy to have only one provider.
It accomplishes 99% of what I used a VPN for (privacy on the go) and leaves only one point of trust (my ISP provider).
(3) REFERENCE -- look up any VPN you're considering here before using it:
(Choose "all" instead of 10, 20, etc. for the "Show" number of items to display setting. Click a column heading to sort by that column. Green is good. Red is bad.)
That said I just use a free one that didn't ask for a signup - https://www.vpnbook.com/
https://thewirecutter.com/reviews/best-vpn-service/
I highly recommend running your own VPN endpoint on at least a VPS/cloud instance somewhere. Such address blocks are used by tons of other users at immense traffic levels, and as such your traffic is much less likely to be intercepted by the provider itself.
https://www.getoutline.org/en/home
I tried a server of a certain free VPN via OpenVPN and since it did not support tunneling traffic through their own servers for IPv6 requests, my friend told me to disable IPv6 on my adapter's settings. Now ipleak.net doesn't detect my location. Was it a smart thing to do?
Or at least, it is if your ISP provides IPv6 service. If it does, and the VPN both routes IPv6 and doesn't push its own IPv6 address, IPv6-capable websites will see a global IPv6 address that's owned by your ISP.
https://test-ipv6.com/ is a good test site.
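An added example, not written by any poster in this thread: an nftables "kill switch" of the kind the local-firewall comment above recommends, which also closes the IPv6 leak discussed in the ipleak.net exchange by letting IPv6 leave only through the tunnel. Assumed placeholder values: wg0 as the tunnel interface (tun0 for OpenVPN), 203.0.113.10 udp/51820 as the VPN endpoint (a documentation address), and 192.168.1.0/24 as the LAN.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Placeholder assumptions:
#   wg0                    tunnel interface (use tun0 for OpenVPN)
#   203.0.113.10:51820/udp VPN server endpoint (documentation address)
#   192.168.1.0/24         the local LAN
define VPN_IF   = "wg0"
define VPN_HOST = 203.0.113.10
define VPN_PORT = 51820
define LAN      = 192.168.1.0/24

flush ruleset

table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # DHCPv4 replies and IPv6 neighbour discovery keep the LAN link usable.
        udp sport 67 udp dport 68 accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        ip saddr $LAN accept
        # Everything else inbound is dropped by the chain policy.
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # Only the handshake to the VPN server may leave on the physical interface.
        ip daddr $VPN_HOST udp dport $VPN_PORT accept
        # Everything else, IPv4 and IPv6 alike, must leave through the tunnel.
        oifname $VPN_IF accept
        # From here on only non-tunnel traffic remains: DNS must never leave this
        # way, not even to a LAN router that would forward it to the ISP resolver.
        meta l4proto { tcp, udp } th dport 53 drop
        # Keep the LAN, DHCPv4 and link-local IPv6 neighbour discovery working.
        ip daddr $LAN accept
        udp sport 68 udp dport 67 accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
        # Anything else, including traffic sent at boot before the tunnel is up and
        # any IPv6 the VPN does not carry, is logged and dropped.
        log prefix "killswitch-drop " counter drop
    }
}
```

Load it with `nft -f` before bringing the tunnel up, and confirm the result with the ipleak.net or test-ipv6.com checks mentioned above: any address the site reports must belong to the VPN, never to the ISP.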
the only thing I like is how they aren't actually associated with Tor in any way... lol...
Also, if you pay your AWS bills using an Amazon Prime credit card, you get 5% back. (just checked on my cc)
The only way to configure this, however, is to use the Apple Configurator tool and create a custom profile.
I run this for my OpenBSD IKEv2 servers which gives me automatic on-demand VPN on cellular and all non-known Wi-Fi networks (== not home).
'Activate on demand' is just a checkbox in WireGuard app settings on iOS, so apparently it's only the built-in VPN types that need Apple Configurator. Since IPSEC/IKEv2 are overengineered and L2TP is outdated, you're better off using wg anyway.
[1] https://news.ycombinator.com/item?id=19242119
Primarily it's a cheap but good seedbox. VPN is included and works with OpenVPN. I use it to access piratebay every now and then, which is otherwise blocked in my country.
I travel a lot in Asia which is why I need it as some countries block websites I need.
Had issues with it in China but put ExpressVPN on my phone which seemed to work fine 70% of the time.
