Snooping ISPs, public IP, and geoblocking are not prevented by a VPN server in your home network, which the author does not warn about.
The other two cases work if you make your VPN server accessible from the internet, which the author also does not expand upon or even mention.
It's a good tutorial but the question about VPN servers is often not how, but where. And this question is not asked.
Other than DNS or other traffic filtering, do you gain anything by using a VPN on a Raspberry Pi on your home network?
You could also have the PI run a VPN client and connect to a privacy-promising VPN service, effectively ‘bouncing’ off home.
Not sure if that is even technically possible without pain, or why you wouldn’t connect directly to the privacy-promising VPN.
On a recent trip I tried using IPvanish with a FireTV stick and Amazon detected the VPN, most likely from a blacklisted set of IP addresses.
Using your own home IP should hopefully prevent that from happening.
Was this on a smart phone / tablet or TV/STB? I used a similar thing to let my parents watch TV from my account -- https://news.ycombinator.com/item?id=22052333
I'm not sure why an ISP would limit the physical location, and also how would that work if they have users in another state?
I've heard about WISPs putting GPS locks on their CPE devices, but that's pretty useless too, they're set up to connect to one tower only, if you move it, it won't see the tower and won't connect to anything, so ... ??
The specifics about it are that I was trying to watch content on a broadcast channel. It was probably a local sports game. But, I was in a different city with a different affiliate. So, the geographic region does actually play into the licensing for these channels. I could otherwise watch whatever (and the local affiliate for the city I was in), but regardless of what my IP address was, I couldn’t watch the affiliate for my city.
It makes sense, but I’m not sure I was expecting the TV provider to be that detailed.
Ironically, a TV show that my ISP's content division made, which is free for its users, was the most downloaded torrent (in Serbia) in the second half of 2019. I did an analysis of the IPs of everyone who downloaded it, a significant percentage (~20%) were from that ISP.
Basically, people risk fines and warning letters by pirating a TV show that is free for them (cable ISP that doesn't sell Internet without TV, any and all TV packages come with a smart phone app and website where you can watch your channels + a free VOD catalog) because the restrictions on device type, bootloader integrity, IP address are so draconian.
The ISP, of course, loses in the end, because its users were also uploading the TV show to other torrent clients of non-users, which is lost potential revenue.
Phones all have VPN settings these days, whereas the SSH tunnel would be harder to accomplish.
I set up a VPN client on the 3G interface since there's no public IP address, and I connect to it from my own home network as a local IP address (which can't actually access my network due to explicit firewall rules I set up).
This way I can reboot the modem remotely even if the Internet is dead, and I also set up the Pi to reboot itself every night at 3am, in case something goes wrong and the VPN client crashes.
But you also don't get much more than that for using a paid VPN, you just transfer the risk of being snooped on to their network/ISP as opposed to your own. Same with running a node on AWS/Digital Ocean.
VPNs do not make you anonymous. A shared VPN might give you some plausible deniability but it's hard to trust that your specific traffic isn't being logged.
That's true. But unfortunately, a lot of product placements on YouTube suggest exactly that. The claims of companies like NordVPN are highly misleading if not simply wrong. But especially on non-tech related channels, the audience is unlikely to know how VPNs work and what they do.
How many people really understand the difference between a VPN and a proxy server? Even among the tech literate.
It might, but it's very feasible to correlate encrypted VPN traffic to outgoing traffic with netflow logs, which the underlying network operator is almost certainly storing.
I have a VPN, which is there to tie everything onto one network, regardless of what "real" network it's attached to.
This means that if I'm out and about I can still push and pull to my local gitserver, or access the home control systems.
I have it on my phone as well, so I can control localnetwork things even if I'm on 4G.
But unless you have machines running on different networks, or you want to access internal things from outside your home, running a VPN may be mostly pointless (save for the fun learning).
I imagine connecting to your home network when on public wifi might be a valid use case, but I haven't investigated how to achieve this effectively.
My home IP almost never changes, fortunately. Otherwise you would have to do some sort of dynamic DNS.
Second, some ISPs offer TV service on mobile devices and even set top boxes, but only inside your LAN on your assigned IP address. My ISP offers up to 3 TV STB devices (that run Android TV) per contract for free (mandated by law, because I can't buy my own STB and get a smart card!), but they only work on my LAN.
Since I live away from my parents, I wanted to have TV in their house without paying twice (that same ISP is not available at my parents' house at all, anyway).
My solution was to install OpenVPN Connect on the set top box, set it to auto start on boot, and to auto connect to my VPN.
From the TV app's point of view, I'm in my LAN, and it can talk to my modem on its fake "virtual" IP address, and also reach the ISP's servers with proper authorization (they authorize users based on the IP address that was assigned to that user, which is stupid if you share your WiFi without having VPN on the guest SSID, but whatever).
Also, services like NBA League pass black out the games for your local teams, based on your IP address. One time I was visiting the in-laws, who happened to be in the market for the game I wanted to watch. VPN to home let me stream the game.
I connect to it from work to access files.
Mainly, my family all use the VPN on our mobiles with openVPN. From my mobiles we can stream and/or download our music and movies from the rp2 server using Kodi+Yatse with trivial set up. It's like having your own Netflix+spotify for your own digital collection.
It helps for these things when abroad, e.g. when travelling I can stream Netflix content and live TV that are region-locked to where I live. Having the VPN on all the time while not on home WiFi also makes it impossible for sites/services to figure out when I'm moving around and where, and basically thwarts any attempt to derive where I am at any point in time.
Mentioning that it's a required step could have been helpful though.
The tutorial only explains how to set up a VPN server but nothing of the surrounding infrastructure to make it useful for any of the use cases the author mentions.
It really depends...
If you are connecting to that VPN from a remote location, it does. Whatever your actual physical location is, your IP will appear to be your home IP.
Geoblocking might also be solved if you happen to be in a country that has the content blocked while your home location can access that content.
However, as you pointed out, making a VPN accessible from outside is not covered.
I remember spending a whole day configuring OpenVPN, lots of packages, certificates, key files, no clue what half of the things I was doing were for. I also didn't particularly like the OpenVPN iOS client. Setting up WireGuard took less than an hour, every step of the process made sense, and it allowed me to remove a whole lot of cruft from my server.
`wget https://git.io/vpn -O vpn.sh`
*inspect the file manually for malware etc.*
`sudo bash ./vpn.sh`
You enter your IP, port, protocol, client name and it generates a .ovpn file that you import into any client and it just works.
If you need to revoke a client or add another one, re-run the script and it will ask you what to do. It can also uninstall itself safely.
I still haven't managed to set up WireGuard.
OpenVPN gets about 40 Mbps for me on the Pi, but my upload is less, so I don't need more. On a VPS, it gets about 90 Mbps.
I used this guide to configure OpenVPN, which you could almost publish as a paperback ;-)
It's magic in that it does everything itself, it's not a black box.
It's only 460 lines with whitespace and comments, including the files it's writing to the filesystem.
What I am wondering - it is using a pregenerated dh param file (I can understand why - to make the initial process faster). I am not much into crypto, with all the other elements being created during the setup process, how big a no-no is having a predefined dh file?
OpenVPN is generally well supported.
Raspberry Pi was not the first ARM dev board with linux, and most of the "Make your Pi do X!" recipes out there would more reasonably be described as "How to set up your linux server to do X", but that's not cool, and had no Pi, so ...
Grrrr mumble mumble, yes I know I'm an old curmudgeon.
The second and more likely reason is that Raspberry Pi are keywords that help get you in the hands of your target audience, I'm guilty of it on my blog. If you're running a Debian server on x86, you're probably not the target audience for a "simple" VPN tutorial.
It annoyed me that these folks have a Github account but can't figure out things without step-by-step instructions...
fuck fuck fuck no. this whole site should be blacklisted
* installs unattended-upgrades (from a random github repo instead of apt repos)
* passes --yes to apt-get, which may remove important packages
* reconfigures /sbin/iptables to link to /usr/sbin/iptables-legacy
* saves the current iptables rules (some of which may have been set temporarily by root)
* overwrites existing dhcpd config if it already exists
* overwrites existing openvpn-related config if it already exists (including syslog)
Random scripts from the internet should always at least be casually reviewed. Posting something like this just encourages people to trust random scripts on the internet, which is going to end poorly eventually.
curl into a shell, because YOLO.
For the love of $deity, at least pass the -o option or do something like the following before running this - substitute in your editor of choice.
`curl -L https://install.pivpn.dev | bbedit`
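As an added illustration of the "review it before you run it" advice above, and not code from the thread, from PiVPN or from any real project: a small checker that scans a downloaded installer for the kinds of behaviour listed in the earlier comment (curl piped into a shell, non-interactive apt, swapping in iptables-legacy, saving live rules, truncating existing config files). The patterns are constructed heuristics and the sample installer is constructed for this example.

```python
import re

# Heuristic checks a reviewer would run over a downloaded installer before
# executing it; constructed from the thread's concerns, not an exhaustive audit.
CHECKS = [
    ("curl-pipe-shell",
     r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b",
     "pipes remote content straight into a shell"),
    ("apt-noninteractive",
     r"\bapt(-get)?\b[^\n]*\s(-y|--yes)(\s|$)",
     "non-interactive apt may remove packages without asking"),
    ("iptables-legacy",
     r"\bln\s+-s\w*\s+\S*iptables-legacy\b",
     "swaps the iptables binary for the legacy backend"),
    ("iptables-save",
     r"\biptables-save\s*>",
     "persists whatever rules are loaded, temporary ones included"),
    ("config-overwrite",
     r"(?<!>)>(?!>)\s*/etc/(dhcpcd\.conf|openvpn/\S+|rsyslog\.d/\S+)",
     "truncates an existing config file instead of appending"),
]

def review_install_script(text):
    """Return (line_no, check_id, reason, line) for every flagged line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments and blank lines cannot execute anything
        for check_id, pattern, reason in CHECKS:
            if re.search(pattern, stripped):
                findings.append((no, check_id, reason, stripped))
    return findings

# Constructed sample installer (not the pivpn script); it is only scanned, never run.
SAMPLE_INSTALLER = """\
#!/bin/bash
apt-get update
apt-get install --yes openvpn iptables
ln -sf /usr/sbin/iptables-legacy /sbin/iptables
iptables-save > /etc/iptables/rules.v4
echo "interface tun0" > /etc/dhcpcd.conf
echo "local /var/log/openvpn.log" >> /etc/rsyslog.d/openvpn.conf
curl -sSL https://example.invalid/setup.sh | sudo bash
"""

if __name__ == "__main__":
    for no, check_id, reason, line in review_install_script(SAMPLE_INSTALLER):
        print(f"line {no}: [{check_id}] {reason}\n    {line}")
```

The append on the rsyslog line and the plain `apt-get update` are deliberately left unflagged, so the output shows only the lines a reviewer would actually stop on.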
RPi4 is plenty fast for full gigabit VPN performance. Its ethernet interface should also easily reach 950 Mbps. Although it's a different matter whether current VPN software can take full advantage of it. My guess is not.
There's some handicap due to lack of useful crypto HW in RPi4. But if multiple cores are used, it should easily reach 1 Gbit speeds. VideoCore VI could theoretically also be used for crypto acceleration, although I haven't heard anyone doing it — yet.
Edit: Just tried "openssl speed -multi 4 aes-256-cbc" on RPi4.
aes-256 cbc 224787.70k 243743.77k 250572.29k 251253.42k 253684.39k 252919.81k
In other words, 2 Gbit/s CPU based AES-256 performance.
Even if it could do a theoretical gigabit...you'd still be sharing that up & down.
I suspect you could get a good 700ish with a USB 3 gigabit dongle though. I ran a rpi4 as router/fw that way for a couple months (250 internet so never found out where the limits are)
With Wireguard you should have a much better performance however as it's multithreaded and rpi4 offers you 4 cores.
An i7 4500U with 8GB ram and 128GB SSD costs around $300, but you can get a decent setup for $180.
So that someone else's ISP can snoop. It's a tradeoff I guess but just to be clear that someone is able to snoop that traffic, you're just moving from your provider to someone else's provider.
That's a race to the bottom.
I've worked in datacenters that hosted VPS providers, that had Verizon and Centurylink/L3 as their cross connects. Here's a nice list of Tier1 internet providers, these guys are going to do the bulk of transit for most data centers. https://en.wikipedia.org/wiki/Tier_1_network#List_of_Tier_1_...
There's still going to be direct connect at the various peering points, so in this case, you'll get a direct connect from your provider to say google, but that's already in a TLS connection and google already has your IP address or probably your specific street address as does your VPN provider. So I'm not sure what the point is. You'll get the same thing for amazon and netflix and facebook but again, all TLS and I don't know that you're gaining much since you've already got a positive ID on you with the tracking these days. If, in fact, they don't have a positive id, they'll have one pretty quickly and perhaps tag you to a VPN IP which they will know is a VPN because the positive tracking has matched you with your CC and your real address as well as all the other people connecting through said VPN from geographically disparate locations. Basically if you sign into a single account over your VPN, then the cat's out of the bag and if you don't then the cat is PROBABLY out of the bag.
I check out these VPS providers that pop up here and there but there's never a mention of their transit, they are just using whatever the datacenter has, and most of them have the same backbone providers as the last mile. So, while this may be necessary for some people, you'll often see people make this decision thinking it grants the privacy when it doesn't really change that part of their situation.
I think it can be a dangerous part of discussion since it's not clear to most people what's actually happening.
This has helped tremendously and is super easy to set up.
Bonus is while traveling we can access services without firewalls from our home country and everyone sees us as "still in the office". This includes clients, government, banks, etc. Additionally while using it we are not detected to be using VPN so far.
You need to understand firewalls and routing first.
Pihole is basically just a "pimped" dns server.
So, to rephrase your question: "is it possible to run both a VPN server and continue running a dns server?"
Not really a pi issue. SD cards just aren't made for 24/7
Haha, WTF did I just read?
There are many uses for VPNs and we have to be careful about why we use them.