* It's not actually a virtual private network, at least by the traditional definition. They route HTTP(S) and DNS traffic only; other protocols (presumably) get routed in the clear.
* IPv6 isn't supported at all.
* I might be missing it, but I can't find any cryptographic design documents or a threat model anywhere. A quick repo search doesn't even bring up any cryptographic primitives, which makes me wonder about malicious peers.
It's good to have more competition in this space, so I'd like to be wrong (or eventually wrong, feature-wise) about all of the above. But if I'm right, this is roughly the same as using a SOCKS proxy (and maybe a bit worse, if any other peer can futz with your traffic).
* Shelling out to some tool that may be responsible for all of the heavy networking bits
* Falling back on a non-monotonic clock but calling it monotonic
* Another sketchy shellout that calls a bunch of scripts with trivial interpolation/injection bugs. It's not clear if the arguments passed to those scripts are remotely controllable, but it's sketchy.
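As an added illustration (not FreePN's code; the helper script name, argument names and sample values are hypothetical), here is the interpolation pattern the comment above describes next to the allow-listed argv form that avoids it:

```python
import re
import shlex
import subprocess
from typing import Callable, List

# Hypothetical helper script; the real scripts are not shown on this page.
SETUP_SCRIPT = "./setup-peer-route.sh"

# Conservative allow-lists: an IPv4 literal or a DNS hostname, and a Linux
# interface name. Anything else is rejected rather than "escaped".
_HOST_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?)$"
)
_IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def build_command_unsafe(peer_host: str, iface: str) -> str:
    """The pattern criticised above: values spliced into one shell string.
    Handed to a shell, whitespace or metacharacters in peer_host change
    what the script receives."""
    return f"{SETUP_SCRIPT} {peer_host} {iface}"


def words_seen_by_shell(cmd: str) -> int:
    """How many words a POSIX shell would split the string into (shlex mimics
    the quoting rules). The caller intended exactly three: script, host, iface."""
    return len(shlex.split(cmd))


def validate_args(peer_host: str, iface: str) -> List[str]:
    """Allow-list validation, then an argv list: no shell is involved, so each
    value reaches the script as exactly one argument."""
    if not _HOST_RE.match(peer_host):
        raise ValueError(f"rejected peer host: {peer_host!r}")
    if not _IFACE_RE.match(iface):
        raise ValueError(f"rejected interface name: {iface!r}")
    return [SETUP_SCRIPT, peer_host, iface]


def run_setup(peer_host: str, iface: str,
              runner: Callable[..., object] = subprocess.run) -> object:
    """Invoke the helper with argv (shell=False). `runner` is injectable so the
    call can be exercised without the script being present."""
    argv = validate_args(peer_host, iface)
    return runner(argv, shell=False, check=True)


if __name__ == "__main__":
    # Constructed sample values, not taken from the project.
    benign = build_command_unsafe("203.0.113.5", "tun0")
    hostile = build_command_unsafe("203.0.113.5 --flush-all", "tun0")
    print(words_seen_by_shell(benign), "words (intended 3)")
    print(words_seen_by_shell(hostile), "words: an extra flag reached the script")
    try:
        validate_args("203.0.113.5 --flush-all", "tun0")
    except ValueError as exc:
        print("hardened path:", exc)
```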
2.0 is a major re-architecting for performance and versatility with a rewrite of the CLI and service layer (not core protocol). If we had 100% of our time to dedicate only to engineering we could have shipped it by now, but biz and other things got in the way.
It would be cool if there was a reputable open source project that would let people share/buy residential proxy usage, but at the end of the day there's no way to guarantee people aren't doing horrible things with your IP.
They don’t. For instance, Luminati, possibly the best known player in this market, uses HolaVPN users as exit nodes.
Btw, Firefox seems to have made it impossible to run extensions uncrippled from source without uploading to their server for signing. Utter madness.
Secondly, how come there is no regulation about selling chrome extensions and apps?
What the market will bear doesn't just apply to product pricing.
And someone clicking through a EULA might be an argument for them having invited the use of their resources by a very similar argument to that many used to justify using other people's WiFi back when that was gloriously insecure most of the time ("but the AP broadcast its existence, effectively inviting me to join, and happily gave me an IP address to work with, how could I not believe I was welcome to use it?").
But almost everyone "a reasonable person" would not recognise or understand the technical words used in the disclaimer, nor even read all the way down where it's buried several links in.
However, this is not how these residential proxies are sold: mass-market ones with millions of IPs are generally botnet/hacked/malware/extension malicious author sellout/etc. There are not actually millions of botnet users, they just try to make themselves look big. Like they say AT&T has a /8? So they get 1 botnet hacked PC on AT&T broadband and say "wow we have a /8 worth of proxies!!". Criminals are not known for their truthfulness.
The ones that ask you $20-50/m and to plug something into your network are generally used for fraud, account hijackings and maintenance (getting a stable IP for stuff like a credit card checkout or PayPal account to use for more than a few days for fraud, long-term social media abuse, similar) instead of mass-market ban evasion.
Don't support them.
I've been contacted by several of those "SDK companies" that basically turn phones and browsers into botnet drones for $0.01 an install.
We started with 100k daily API calls and that got later increased to 1 million after requesting it.
You are expected to be well behaved though. You can also lose your quota or API access for severe abuse, like using API to mass upload spam.
But I must say using proxy services and other things did not help us much, because most of them were banned before we used them.
If you for a minute think this / your IP address will not be misused to scrape, grief, DDoS, up & download "questionable content", you are very wrong.
Their answer to the question of 'what happens when a bad actor has their illegal activity routed through my connection' seemed illogical. They claimed that as more people signed up, the proportion of bad actors would decrease, which makes no sense to me.
Also, I'm not entirely sure what methods they have taken to stop a bad actor from collecting packets from other users that are routed through the bad actor's exit node.
The worst thing IMO is the way it's being presented and marketed. The impression the website gives is that it's just like all other VPNs but free, which is very misleading.
> No bandwidth caps. No throttling. Stream all day, and download away.
Yes, no caps on the tunneled connection. But it will happily use up your home connection data caps with both your own and other people's traffic.
Then once you run an exit for long enough, your home network will get tor-like treatment from many CAPTCHAs and you'll be blocked from anything on cloudflare.
> FreePN never logs your IP or tracks your activity. (...) FreePN shields your data from prying eyes, giving you peace of mind.
FreePN doesn't log. But anyone running FreePN is welcome to do just that.
It's a perfect tool for that monitoring too. Tor Browser at least has lots of extra protections. This one does not, so setting up a tunnel-to-tunnel routing node means you can listen to a lot of interesting things. (Without the liability of being a true exit node)
That'll take a matter of minutes. It doesn't take much to get on Google's shitlist as soon as you do any sort of bot activity against their services. I managed to get on it by just searching humanly!
That will happen if you use any VPN, so that's expected.
Our posts a few months back were largely exploratory posts - seeing if there was actually demand for the product (or at least enough to pursue the project!).
Since FreePN is such a technical product, we've been iterating a lot on our messaging. We are still in very early stages, but we do have some mechanisms planned to mitigate the effect of bad actors on the network:
- we plan to build in something similar to HTTPS Everywhere to the product, to automatically upgrade connections (and we only route traffic on ports 80 / 443 (optionally 53)).
- we also plan to build in the ability to allow peers to block certain categories of traffic from going over their connection (using blocklists similar to those used by Fortiguard -- so you could block all torrenting sites, as an example).
Early days still, but much to come!
I can see the reasoning here: bad actors will be the first to jump on such a service. They actively search for new services that they might be able to use to pipe their traffic through. Awareness amongst the wider population will grow more slowly, as they aren't for the most part actively looking for it, so as that awareness spreads the ratio of good-to-bad will likely improve.
Though the absolute number of bad actors I expect is enough for me to dismiss ever knowingly installing something like this on any device I own (or allowing it on any network I have some responsibility for), no matter what the good/bad ratio is like.
This is no different than that shady p2p VPN product that was shipped as a browser extension.
That's risky. What happens to me if someone does something illegal via my connection? How could I prove it wasn't me? Maybe I could win in court by citing my use of something like this, but I really don't want to be dragged into court in the first place even if I end up walking out.
Also, industry leaders like NordVPN and ExpressVPN may engage in P2P routing especially to unblock services like Netflix and Disney+.
HolaVPN unapologetically does this too.
All of this is discounting the new-age dVPNs like Orchid (not quite the Tor replacement that was promised) and Mysterium.
Routing arbitrary traffic is plain risky, it is entirely conceivable to be arrested for it, or at least be searched, whether you can explain it away later or not. “Other providers are doing it too” hardly makes it any less risky.
Except Tor (or Whonix or Tails), WireGuard, or ZeroTier are a better option.
All of these allow better management (and therefore control) of routes.
There is a very good reason Usenet does not require uploading, and P2P protocols like BitTorrent are used with a VPN. It provides reasonable enough protection against a civil actor such as the RIAA and MPAA, while a determined actor (with more control over the networks used) can dig up the data trail, i.e. police in case of serious crimes such as CP.
On a somewhat related note, what was the name of the late-'90s pseudonymous network where you had to buy a 'nym' and could renew it for money?
ZT would be useful for this from an oppressed country because it is used by a ton of businesses. You would just look like you were accessing a corporate ZeroTier DVPN from home, which is pretty common these days.
That's better in some ways than Tor. The problem with Tor is if you use it naked then it can be obvious that you're using Tor. Even in countries like the USA I've always been concerned that using Tor might put you in some kind of database. In a very non-free country I'd be really worried about using Tor naked, meaning without running it over something more mundane looking like ZT or Wireguard.
I'd argue that the chance of being accused because someone used your connection in p2p VPN is less than when someone will use your wifi to do something illegal.
For whatever values of 'this risk' you evaluate running this code to carry.
Arguing semantics with a prosecutor might be your idea of a good time, but that seems to me like the sort of thing I could do without. In any case, they may call this a VPN, but it isn't a VPN in the sense that term is normally used, and it certainly isn't even vaguely similar to that VPN connection you make to the office.
I mean, ISPs do this don't they? Telephone networks do this don't they?
This is the tradeoff when registering an ISP in the jurisdictions I'm familiar with: you are immune to legal action concerning the data that is carried over your network (ie. you won't get raided for a customer sending death threats), but in return you must cooperate with the authorities and provide data on your offending customers. You must do whatever is necessary to be able to provide this data upon a subpoena: from assigning static IP addresses / CGNAT port ranges to customers, to logging every NAT translation from your roaming mobile network.
Source/background: operating an ISP in Poland.
ZeroTier is actually quite good. I've used it successfully in/for enterprise-grade services.
This is all very unexpected actually! (No one from FreePN made the post here!) We've been doing some early market testing in a few Linux communities on Reddit, but full disclosure, the product is currently in an early-alpha stage (it’s only available on Ubuntu and Gentoo Linux currently, and very much under construction). We have big ambitions for the project, but it is still very early days.
Love hearing the feedback from everyone here — some very valid criticisms from a lot of folks — and on a lot of points that have been brought up here, we actually have plans to address. A few bullet points on where we are as an organization / project:
— the marketing copy isn’t set in stone — I’ve been working on the site a bunch recently & it’s very much in flux (we’ve been posting in a few Linux communities to see what the response looks like)
— when we posted a few months ago about the project, in all honesty, it was a demand test to see if this would be something worth pursuing — but we’ve been trying to take the feedback from those posts to heart in our development process
— we market ourselves as a VPN, but to be clear we _are_ a dVPN (distributed VPN). The peer-to-peer VPN wording on our site is mostly for the sake of simplicity. I’d point most folks to our project README on GitHub for more in-depth technical details.
— right now FreePN is structured as a 1-to-1 peer connection, but we eventually plan to build in multi-tenant peer support as well as optional multi-hop routing (similar to Tor) and selective whitelisting of domains so that as a peer you can elect to categorically block certain types of sites — say torrenting. These blocklists would draw from open-source category site-lists like Fortiguard.
— we do currently only route web traffic (+ DNS) — so only traffic on ports 80 and 443 is being routed (optionally port 53)
— we don’t currently support IPv6 (though we have plans to add support in the future)
— we don’t log traffic (you can see in the repo), and while peers logging traffic is a potential concern, that’s only true if you’re using non-HTTPS connections (we have plans to bake in something similar to HTTPS Everywhere, automatically upgrading connections).
As far as our vision for the product — our goal for FreePN is to eventually become a ‘privacy all-in-one’. We started FreePN because we care deeply about internet privacy — but trying to protect yourself online practically is a very technical and time-consuming endeavor (basically — it’s really hard to protect your privacy online, and we’re trying to make it easy). In terms of features, we’re working on building in ad-blocking as our next major milestone.
I’ll do my best to respond to everyone’s questions and concerns here this evening / in the morning & tomorrow as I’m able!
The "every user is an exit node" concept, in addition to the legal question, raises more practical questions. What are you going to do if the majority of your users (and when you call something "free" the chance increases) are from countries like China, Russia, Iran and others where the government controls and blocks a lot of websites and services? And I'm talking not about surveillance but about actual blocking of IP subnets, like Russia did to AWS, DO and GC when they tried to block Telegram.
Also on the website you declare
> No bandwidth caps. No throttling. Stream all day, and download away. Unlike other VPNs, FreePN will never bottleneck your connection.
Sorry, but this is a simple lie. If we take Turkmenistan (their internet censorship is better than China's, if you wonder why I pick this little-known country), the max bandwidth you can get as an average citizen is about 2 Mbps. And there will be users (exit nodes) from TM for sure, so for external users there will be a bottleneck.
- What happens if someone downloads CP through my home connection?
- How do you plan to block ads with both Chrome and Firefox moving to DNS over HTTPS?
- Right now we're still undecided / exploring different ways of monetizing the product! (something similar to Adblock-Plus though is our leading idea).
- We're working on a way to disallow users from acting as exits for certain kinds of traffic - so you'll be able to categorically block certain kinds of sites through the UI in the near future.
- Even with DoH on by default in the browser, we can still override / specify a DNS server.
Let me know if you still have questions / any of the above is unclear!
To block something you have to know that it exists. Do you have a full and current list of CP resources? I doubt it. So what is the point of the ability to block something if you don't even know that it exists before it is too late? The only way to deal with it is whitelists, but who will use a "VPN" if only certain websites are accessible?
> We're working on a way to disallow users from acting as exits for certain kinds of traffic - so you'll be able to categorically block certain kinds of sites through the UI in the near future.
How does this stop someone posting ISIS propaganda to Twitter? Or uploading CP to Google Drive?
> Even with DoH on by default in the browser, we can still override / specify a DNS server.
Can you? Browsers don’t respect the system’s DNS settings even with plain old DNS over UDP so I don’t think that’s the case. I might be missing something though!
> - we plan to build in something similar to HTTPS Everywhere to the product, to automatically upgrade connections (and we only route traffic on ports 80 / 443 (optionally 53)).
> - we also plan to build in the ability to allow peers to block certain categories of traffic from going over their connection (using blocklists similar to those used by Fortiguard -- so you could block all torrenting sites, as an example).
Your product is irresponsible.
What’s the long term business model then?
We're still exploring different methods of monetization, but leaning towards an Adblock-Plus style model at the moment (but would want to keep any ads we served entirely local / we'd never send any data off device & would want to be as transparent about everything as possible). Personally, I think it keeps our interests best aligned with those of our users & helps keep the focus on preserving user privacy!
The privacy community did not react positively _at all_ to this. This also has gotten them quite a lot of negative media coverage.
Also, how are you funded short-term? Like, right now?
Short term, I'm self-funding the company (day job + previous exit of an entirely unrelated company).
We at https://safing.io/ are also self-funded, but also receive a lot of public funding.
Interestingly our visions are very similar, but our technical views seem to differ a lot.
I think monetizing a privacy product without having the user pay is extremely hard. There will need to be an extremely high amount of transparency everywhere.
> I think monetizing a privacy product without having the user pay is extremely hard. There will need to be an extremely high amount of transparency everywhere.
I would agree with this wholeheartedly -- we're still very early stages, but trying to keep things as open as possible in terms of our tech & intentions with everything.
> but also receive a lot of public funding.
Curious what sources you receive public funding from?
We list everything in detail here: https://safing.io/ownership/#influences
Like, goddamn, VPNs aren't THAT expensive. Not compared to, IDK, a lawyer, or missing a day of work because you're in a jail cell, trying to explain to some cop that you installed a program on your computer that let other people you don't know do random stuff on the internet over your internet connection without your own knowledge or involvement, and you aren't complicit in any way...
What’s the advantage of a p2p model instead of a better / stealthy VPN protocol that can’t be blocked, which you can also commercialise?
At a glance sounds like a reinvention of Tor, but less secure.
...and with every client also acting as an exit node, which is kinda a big deal.
How easy is it in this system to force a specific user to use you as their exit node during a targeted attack? Given the state of their website, I am going to guess pretty easy.
You are trying to cater to a privacy-minded audience yet you provide literally no information on how the whole thing works. I don't think you fully understand how crucial a very detailed technical spec is for the adoption of a tool like this.
The first question with any P2P project is whether I have any control over other people's traffic that passes through my system. No mention of this anywhere, let alone a detailed discussion. I saw your replies here on this subject and they are ultimately... inane, if you pardon the bluntness. I realize that you mean well, but you are exceptionally naive in terms of how quickly a system like this will be abused to a very severe degree.
Also, unlike SoftEther, we don't depend on volunteers for our network - the network is largely made up of the users themselves!
What is your business model?
I understand that you don't need servers, because your users supply that part, but who pays for development, support, and all that stuff?
My reply was instantly flagged of course.