Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Do all VPNs suck?
45 points by mrsmee89 on June 9, 2019 | hide | past | favorite | 62 comments
It seems like every VPN's relies on me relying on them telling the truth which to me defeats the purpose. Am I missing something?

Any security researchers have any recommendations if I am?




VPN providers trade a local threat actor who is probably ignoring you for a foreign one who is probably watching and analyzing everything. Best advice on this thread was doing a VPN back to your home router.

Typically, you'd use one for default internet browsing on public wifi, with the expectation that your endpoint ends up on the list of a foreign intelligence agency who ostensibly doesn't care about you or what you are interested in.

The other best advice used to be, "don't be a terrorist," but these days, it's more, "don't be a political actor," given whatever you type will be found and used as leverage if you achieve any prominence. I'd posit that security tech is sufficient for business, but not for politics.

See: https://en.wikipedia.org/wiki/Kompromat


Well, your ISP is probably selling your browser history, so there is that.


My personal go-to is Mullvad, but yes, it still relies on trust.

It should be possible and even probably usable to chain multiple Wireguard connections together, and therefore no VPN provider would have both your identity and knowledge of your traffic, provided you pay with properly clean cryptocurrency. But if you are paranoid that all VPN providers are bugged, you’ll need even more defenses, such as never using your own internet connection and, on the more nefarious side, using compromised servers as relays.

That said, a VPN plus DNS over HTTPS plus HTTPS everywhere should be good enough for dealing with threats when your adversary isn’t a nation-state.


I can second Mullvad.

The only person I trust in the VPN ecosystem is the guy who runs this site: https://thatoneprivacysite.net

He writes reviews, and doesn't have anything to sell. It's through that site that I found out about Mullvad.


Mullvad is what I use. I started using it after I saw the Manjaro folks discussing it, and it's all I use for VPN when I'm not using Bitmask. I pay in Bitcoin Cash.

Those interested in getting started with WireGuard on Manjaro Linux see detailed instructions here: https://habd.as/post/encrypted-internet-wireguard-manjaro-li...


Why Bitcoin Cash and not Bitcoin?


Not OP, but I use Cash instead of Bitcoin because transactions are cheaper and faster.


He writes reviews but certainly not good critical ones. This site makes repeated very very silly claims regarding jurisdictions.


I know absolutely nothing about cryptocurrency.

What's the easiest, and safest (as in won't get scammed, not too concerned with identity but it would be nice), way to pay via cryptocurrency with a credit card? Mullvad lets me mail in cash which is what I was going to do but I'm not a patient person.


Setup a coinbase account. Link you bank account and buy enough of whatever cryptocoin they accept.

Once you own the coin, go to the buy page on the VPN site. It will give you a long address. Use coinbase to send the correct amount of coin to that address. Depending on various factors, the transaction will process nearly immediately, or within an hour.


For an added layer of anonymity I would move what you buy on coinbase to binance and trade it for another currency. So for example buy litecoin on coinbase, move to binance. Trade that for Bitcoin and pay using that.


Or better: use chipmixer [1]. Mixing coins through centralized exchanges does not really help as any party which gains access to binance' backend, whether it be successful hacking attempt or some law enforcement, can completely de-anonymize and backtrack the initial transaction through their logs and the blockchain.

[1] https://bitcointalk.org/index.php?topic=1935098.0


I specifically called out binance because LE is highly unlikely to get access to their logs. But it's a remote possibility yes. Chipmixer or services similar always have the possibility, however remote, of your money disappearing.


I think it's worth keeping in mind that there are multiple different reasons that people use VPNs, and that different solutions are appropriate for those purposes.

Some want security, they want to be sure that the local network operator/ISP/government isn't monitoring their traffic. Those people should run their own VPN at a trusted location.

Some want to evade geoblocking or use P2P services without fear of copyright letters. This is what commercial VPN providers are for IMO.

Some want anonymity. Normal VPN services can't really provide this, but Tor and the like can.

---

Personally my focus is on the security side of things. I have a VPN endpoint at home for personal use and a similar setup for my company. If I'm going somewhere particularly untrusted I'll set up a temporary VPS with a trusted provider just for use while I'm there and trash it afterward.


You can run your own VPN with a little know how and determination. I have two servers which cost $20 / month ($10 each). Each running openVPN, then I share the keys to my laptop and desktop. Haven’t done mobile, but I could probably figure that out.

The real trick, is VPNs need a lot of bandwidth and compute. Get a bare metal server with unlimited bandwidth.

I switch between the servers to limit how much data each provider can collect. Not perfect, but I also have ProtonVPN and use Tor periodically. This means I have at least 4 ways my traffic goes out. It’s just about the best I can do


This is solid advice, except in two parts:

1. You shouldn't use OpenVPN[1]. Use Wireguard or, if you must, IPSec with IKEv2. Wireguard's mobile experience is excellent, as a plus.

2. VPNs do indeed require bandwidth. But their compute requirements are pretty minimal on modern hardware: you can comfortably fit a few users onto any cloud provider's micro tier with either Wireguard or IPSec. You can get away with paying <$3/month by using the free tier and only paying for the bandwidth you use.

[1]: https://github.com/trailofbits/algo/blob/master/docs/faq.md#...


Can you recommend some sort of introduction/book to VPNs? I get the idea, I have read the wikipedia page, but my understanding boils down to "one server encrypts and sends small packets, the other decrypts". The packets still go through the public internet / your ISP, but they are encrypted?


You can consider a VPN service as sitting between you and any server or site you access. The traffic still has to go through your ISP and the public Internet (for this scenario). The VPN service does encrypt the traffic from your device to the VPN server (and back). This allows you to hide your browsing history from your ISP and anyone snooping on your ISP. They’d just see encrypted packets going to the VPN servers.

But the traffic from the VPN server to the site/server you want to reach may or may not be encrypted, depending on whether it would or would not be encrypted if you were to access it directly.

As far as the end site/server is concerned, it gets requests from the VPN server, and so it cannot (easily) know that the request is really coming from your device’s IP address. This is how circumventing geographic restrictions works. If you want to access, say Netflix US, you’d use a VPN server with a US IP address, while you may be in some other country altogether. There are content providers who detect VPN usage and try to block them.

P.S.: There’s a lot of simplification in the above descriptions.

Edit: This page [1] has a good explanation on VPNs.

[1]: https://thebestvpn.com/what-is-vpn-beginners-guide/


VPNs only need as much bandwidth as you want to consume. Doesn't need much cpu or memory either. You can do a basic ssh tunnel for example.


I only use VPNs for downloading torrents, basically just to avoid nasty letters from the cable company.


I know private internet access has proven in court that they don't keep logs, but still, trust.


Some sources:

https://torrentfreak.com/private-internet-access-no-logging-...

https://torrentfreak.com/vpn-providers-no-logging-claims-tes...

Of course, there's still need for some level of trust, but I think when it comes to VPNs, having public court records of the VPN provider saying they are unable to provide data in response to a subpoena is probably as good as it gets.


Any other VPN you know of that have been proven in court as well? Thanks.


Another vote for hosting your own. I used to roll my own VPN server but switched to Algo since it is easy to roll out and supports most major VPS providers.

https://github.com/trailofbits/algo


I was doing this for about 2 years on DigitalOcean. But early this year they stopped accepting prepaid credit cards as a means of payment (I had been buying prepaid Visas from Wal-Mart with cash).

Since then I haven't been using a VPN... perhaps I'll try again on Linode or something. Does anyone know of a good VPS provider (or trustworthy/non-honeypot VPN provider) that accepts anonymous payments?


> But early this year they stopped accepting prepaid credit cards

Didn't they start taking multiple crypto currencies though? I noticed the other day there's a crypto-currency ATM in my local supermarket. I'm not sure where you live and if there's one near you, nor if the machine requires some form of verification (it probably does have a camera...), but if it accepts cash, which I imagine it would given the type of people that would want to use it, then that's a pretty easy way to get hard to trace online currency.

Just, you know, keep your face mostly covered when you buy, and don't mix that wallet with any other purchases at all.

Actually, maybe I'll head down there tomorrow and buy my first bit of cryptocurrency.


Mullvad is a VPN, but it has good performance, takes crypto for payment, and hasn't shown themselves to be untrustworthy yet.


Also actual cash ("5 EUR (or an equivalent amount in any other currency)" for a month), which may be easier to make anonymous than crypto.


Envelopes would be postmarked with the post code from which they were mailed. That probably wouldn't give Mullvad any information they don't already have, since they can see your IP address.

But an intercepting 3rd party could pair your account ID with with your geographic region; it would be even worse if you accidentally drop a hair inside the envelope.


Sure, it's not a silver bullet, but I suspect the risk model is better understood (post it away from me if geographic region matters, be careful of fingerprints and hair). It also has to be preemptively intercepted, rather than crypto which is recorded forever (if I pay upfront for a year, a bad actor has one shot to intercept, whereas with crypto they can _always_ analyse the transaction history to see if I've slipped up and they can correlate transactions anywhere).

I don't think either gives you an absolute guarantee[1], but cash doesn't have as many subtle pitfalls.

[1] At the end of the day, you have to assume Mullvad isn't compromised _anyway_, so even if they did, it may not help (as you can probably be identified from your traffic)


Thanks for this! Looks like they also support WireGuard.


Pia has anonymous payment methods, you can even use retail gift cards.


VPNs are the perfect vehicle for selling something warm and fuzzy to the masses with minimal deliverables. I place them right up there with military grade encryption.


Now that you mention it, "military grade x" sounds like something solid and unobtainable by civilians.

But looking deeper, "military grade x" where x is not a weapon prohibited to civilians usually isn't that interesting.

At a nearby surplus store you can buy MRE's and military clothing side by side with normal work clothes and camping gear. After a short time you realize civilians can get tastier MREs, boots and clothing that fit and work better... and they are lower priced.


I was a software dev for the military and typically the encryptions used are generally the same ones available to the public (AES, RSA, TLS). The difference is that the keys are longer that standard, ie AES-256/512, RSA-4096, TLS1.3. Additionally military grade security means multiple layers of protection. So lets say a wifi-link is protected via AES-256, there might also be channel hopping technology involved to make jamming and eavesdropping difficult. Military grade is basically overkill for most situations unless your life literally depends on it.


Doesn't wifi use frequency hopping too? Or is that bluetooth?


That's done to avoid interference and happens as minimally as possible which makes for easier signal processing. Military communications actively switch frequencies many times per second in unison according to highly secure crypto-variables. This makes jamming and eavesdropping very difficult because its hard to tell active channels from brief background static. Bluetooth, on the other hand, has about 80 channels about 1mhz apart and it tries to bond as many as possible for parallel transfers. This is why when you are far away from a bluetooth device the transfer speeds degrade rapidly.


"military grade x" can also mean whatever was the cheapest and/or the lowest bid.


Host your own. The only way to be sure.

That said, what exactly is your threat model? Protecting yourself against literally every possible threat is a pointless effort...


If you host your own, there is now a dedicated IP address with only your one client connected.


Even assuming that's true (it's not), why is that a problem?


Not the op, but unless you're constantly recycling vms or changing reserved ips, how is that not true?

I think it'd only be a problem depending on your threat model. If your traffic only comes from one ip, then it makes it easier to look for traffic from you if you're trying to be anonymous or hide your traffic from a.

If you're just trying to browse safely/privately on public wifi, then it doesn't matter.


You don't have to route directly from your VPN to your client.


Sounds expensive and complicated.

What's a valid "threat model"?


Hosting wireguard on a VPS is neither expensive nor complicated. However, you then must trust a VPS provider, and the other tenants. If you use a dedi host you still have to trust the machine, network to not be tampered or bugged. If you use a colo you still have to trust the network and the staff.

If you start your own data center, lay your own fiber, and peer with ISPs and hosts, well, everyone knows who you are again.

There’s no escaping trust issues 100%. The idea of a threat model is all about the trade offs, what things you will decide to trust or how you will defend yourself in depth.


Once I started really paying attention to security I thought I was being quite paranoid; you're right, there are threats that exist at every level, and tradeoffs to be made. Once I started learning about things like this I realized that tradeoffs are a must:

https://thehackernews.com/2018/04/hacking-airgap-computers.h...


The threat model is figuring out what you're protecting yourself from. If you're just worried about someone snooping on public Wi-Fi, creating a VPN connection to your home router and using your ISP connection should be fine.


Trying to be completely secure often is both expensive and complicated. That's why you figure out your threat model first, to avoid spiraling costs and complexity.

Hint: You're probably not trying to thwart the most sophisticated branches of a nation state.


I consider my threats to be my wifi connection and my ISP. I have a VPS, which I trust as my "starting point", that caps only bandwidth so there's no overages. I use OpenSSH as SOCKS5 proxy because I already use ssh and DNS goes over the proxy. I think ssh may limit the number of open connections because I sometimes need to close tabs to continue surfing.

My set up looks like this:

    ssh -fCND 1080 proxy-server
    socks5://127.0.0.1:1080
    export SOCKS_SERVER=127.0.0.1:1080
When I'm connected to a device that doesn't give me a routable address, I'll use a ssh jump.

    ssh -fCND 1080 -J jump-server proxy-server
This isn't a VPN but it's equivalent for my usage. I'm waiting for Wireguard to mature in Chromebook / Android. I want to try it out.


Yes they do suck even if they totally truly respect your privacy and spill blood maintaining their systems, it's simply not possible to know if that's true or false and thus using a VPN service is NOT a sound method to increase your security.

Now, there are few cases that could be useful like evading those pesky private CYBER detectives that companies hire to track torrents. Also it could be used to bypass region restrictions. That's just that, i would never trust a single byte of private info to go through a VPN.

There are few services who do not try to evade the (big) question of trust and they tell you that you could use Tor through their VPN, but at that point we have already taken a first class sit to the "security theater".


With Wireguard [0], setting up your own VPN [1] somewhere like DigitalOcean is an afternoon project, and is often cheaper than most VPN subscriptions.

[0] https://www.wireguard.com/ [1] https://www.digitalocean.com/community/tutorials/how-to-crea...


Using your own VPN vs using a VPN provider is not a 1:1 comparison. VPN providers give you access to multiple servers running on different countries. You cannot setup 250 servers all over the world just to emulate a VPN's offering. There are shared and private IP addresses etc.

If all you want to do is hide your traffic from a state level actor, then tor is a much better solution.


For casual privacy purposes, such as hiding Web traffic from your ISP or cafe WiFi APs, you can use Tor.


Here is a good list of VPN services: https://www.privacytools.io/providers/vpn/


I'm surprised no one has suggested Outline: https://www.getoutline.org/en/home


I would honestly just host my own.


You presumably have to tell the truth about your identity to your cloud/VPS provider or, if using your own hardware, the ISP.


Good enough if you're only worried about the network you're connected to and your isp. It really depends on your use case.


You’d be hard pressed to find a better recommendation than Troy Hunt. [0]

TLDR; Freedome VPN is really good and located in a country with strong privacy laws.

[0]https://www.troyhunt.com/the-importance-of-trust-and-integri...


It really depends what you want. Freedome (openly) logs your connecting IP address and they block some P2P ports. In addition they incentivize social media spam and make the traditional false claim of being 100% effective.

I have yet to find a "perfect" provider but this site helps learn about a lot of them at once: https://thatoneprivacysite.net


tor doesn’t depend on it. although it’s quite difficult to safely use tor. anonymity is easy (enough) to expose. some of the same flaws apply to vpn as well.


It's a war-- the VPN companies against the tyrannical evil do'ers. Be thankful folks are trying to keep free speech, democracy, a spotlight on heinous, corrupt, morally absent regimes, and the truth alive.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: