Any security researchers have any recommendations if I am?
Typically, you'd use one for default internet browsing on public wifi, with the expectation that your endpoint ends up on the list of a foreign intelligence agency who ostensibly doesn't care about you or what you are interested in.
The other best advice used to be, "don't be a terrorist," but these days, it's more, "don't be a political actor," given whatever you type will be found and used as leverage if you achieve any prominence. I'd posit that security tech is sufficient for business, but not for politics.
It should be possible and even probably usable to chain multiple Wireguard connections together, and therefore no VPN provider would have both your identity and knowledge of your traffic, provided you pay with properly clean cryptocurrency. But if you are paranoid that all VPN providers are bugged, you’ll need even more defenses, such as never using your own internet connection and, on the more nefarious side, using compromised servers as relays.
That said, a VPN plus DNS over HTTPS plus HTTPS everywhere should be good enough for dealing with threats when your adversary isn’t a nation-state.
The only person I trust in the VPN ecosystem is the guy who runs this site: https://thatoneprivacysite.net
He writes reviews, and doesn't have anything to sell. It's through that site that I found out about Mullvad.
Those interested in getting started with WireGuard on Manjaro Linux see detailed instructions here: https://habd.as/post/encrypted-internet-wireguard-manjaro-li...
What's the easiest, and safest (as in won't get scammed, not too concerned with identity but it would be nice), way to pay via cryptocurrency with a credit card? Mullvad lets me mail in cash which is what I was going to do but I'm not a patient person.
Once you own the coin, go to the buy page on the VPN site. It will give you a long address. Use coinbase to send the correct amount of coin to that address. Depending on various factors, the transaction will process nearly immediately, or within an hour.
Some want security, they want to be sure that the local network operator/ISP/government isn't monitoring their traffic. Those people should run their own VPN at a trusted location.
Some want to evade geoblocking or use P2P services without fear of copyright letters. This is what commercial VPN providers are for IMO.
Some want anonymity. Normal VPN services can't really provide this, but Tor and the like can.
Personally my focus is on the security side of things. I have a VPN endpoint at home for personal use and a similar setup for my company. If I'm going somewhere particularly untrusted I'll set up a temporary VPS with a trusted provider just for use while I'm there and trash it afterward.
The real trick, is VPNs need a lot of bandwidth and compute. Get a bare metal server with unlimited bandwidth.
I switch between the servers to limit how much data each provider can collect. Not perfect, but I also have ProtonVPN and use Tor periodically. This means I have at least 4 ways my traffic goes out. It’s just about the best I can do
1. You shouldn't use OpenVPN. Use Wireguard or, if you must, IPSec with IKEv2. Wireguard's mobile experience is excellent, as a plus.
2. VPNs do indeed require bandwidth. But their compute requirements are pretty minimal on modern hardware: you can comfortably fit a few users onto any cloud provider's micro tier with either Wireguard or IPSec. You can get away with paying <$3/month by using the free tier and only paying for the bandwidth you use.
But the traffic from the VPN server to the site/server you want to reach may or may not be encrypted, depending on whether it would or would not be encrypted if you were to access it directly.
As far as the end site/server is concerned, it gets requests from the VPN server, and so it cannot (easily) know that the request is really coming from your device’s IP address. This is how circumventing geographic restrictions works. If you want to access, say Netflix US, you’d use a VPN server with a US IP address, while you may be in some other country altogether. There are content providers who detect VPN usage and try to block them.
P.S.: There’s a lot of simplification in the above descriptions.
Edit: This page  has a good explanation on VPNs.
Of course, there's still need for some level of trust, but I think when it comes to VPNs, having public court records of the VPN provider saying they are unable to provide data in response to a subpoena is probably as good as it gets.
Since then I haven't been using a VPN... perhaps I'll try again on Linode or something. Does anyone know of a good VPS provider (or trustworthy/non-honeypot VPN provider) that accepts anonymous payments?
Didn't they start taking multiple crypto currencies though? I noticed the other day there's a crypto-currency ATM in my local supermarket. I'm not sure where you live and if there's one near you, nor if the machine requires some form of verification (it probably does have a camera...), but if it accepts cash, which I imagine it would given the type of people that would want to use it, then that's a pretty easy way to get hard to trace online currency.
Just, you know, keep your face mostly covered when you buy, and don't mix that wallet with any other purchases at all.
Actually, maybe I'll head down there tomorrow and buy my first bit of cryptocurrency.
But an intercepting 3rd party could pair your account ID with with your geographic region; it would be even worse if you accidentally drop a hair inside the envelope.
I don't think either gives you an absolute guarantee, but cash doesn't have as many subtle pitfalls.
 At the end of the day, you have to assume Mullvad isn't compromised _anyway_, so even if they did, it may not help (as you can probably be identified from your traffic)
But looking deeper, "military grade x" where x is not a weapon prohibited to civilians usually isn't that interesting.
At a nearby surplus store you can buy MRE's and military clothing side by side with normal work clothes and camping gear. After a short time you realize civilians can get tastier MREs, boots and clothing that fit and work better... and they are lower priced.
That said, what exactly is your threat model? Protecting yourself against literally every possible threat is a pointless effort...
I think it'd only be a problem depending on your threat model. If your traffic only comes from one ip, then it makes it easier to look for traffic from you if you're trying to be anonymous or hide your traffic from a.
If you're just trying to browse safely/privately on public wifi, then it doesn't matter.
What's a valid "threat model"?
If you start your own data center, lay your own fiber, and peer with ISPs and hosts, well, everyone knows who you are again.
There’s no escaping trust issues 100%. The idea of a threat model is all about the trade offs, what things you will decide to trust or how you will defend yourself in depth.
Hint: You're probably not trying to thwart the most sophisticated branches of a nation state.
My set up looks like this:
ssh -fCND 1080 proxy-server
ssh -fCND 1080 -J jump-server proxy-server
Now, there are few cases that could be useful like evading those pesky private CYBER detectives that companies hire to track torrents. Also it could be used to bypass region restrictions. That's just that, i would never trust a single byte of private info to go through a VPN.
There are few services who do not try to evade the (big) question of trust and they tell you that you could use Tor through their VPN, but at that point we have already taken a first class sit to the "security theater".
If all you want to do is hide your traffic from a state level actor, then tor is a much better solution.
TLDR; Freedome VPN is really good and located in a country with strong privacy laws.
I have yet to find a "perfect" provider but this site helps learn about a lot of them at once: https://thatoneprivacysite.net