Show HN: Poor Man's VPN With a Cheap VPS (longren.io)
85 points by tlongren 1135 days ago | hide | past | web | 68 comments | favorite

Or just

ssh -D localport -fN user@vps

Then for chrome/chromium:

chromium --proxy-server="socks5:localhost:localport"

If you need multiple instances running different proxy connections use different data directories like:

chromium --user-data-dir="other-dir" --proxy-server="socks5:localhost:localport"

Edit: sshuttle covers more than port forwarding but the article was geared at browsing the web through a vps hence my comment.

I've been using this method to Internet from China with better success than paid VPN solutions. So simple, and I can debug myself! Hint: if things are mysteriously hanging, add `-vvv` to turn on super verbose logging: `ssh -vvvfND localport user@vps`

I gave up using SOCKS, and now just use SSH to map a local port to a remote squid3 instance. This way my DNS queries are done on the VPS, and aren't subject to interference by my ISP.
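The SOCKS5 detail behind the DNS point above (and behind the `ssh -D` + Chromium setup in the first comment), as an added example that is not code from the thread: a minimal SOCKS5 CONNECT client for the listener that `ssh -D localport` opens on 127.0.0.1. It assumes the tunnel is already up on `proxy_port`; `build_connect_request` is where the client decides whether the name is resolved on the VPS or leaks to the local resolver.

```python
import socket
# Added example, not code from the thread: minimal SOCKS5 CONNECT client for the
# listener `ssh -D localport` opens on 127.0.0.1. A hostname (ATYP 0x03) is resolved
# by sshd on the VPS; an IPv4 literal (ATYP 0x01) was already resolved locally.
SOCKS5, CMD_CONNECT, NO_AUTH = 0x05, 0x01, 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def build_connect_request(host: str, port: int) -> bytes:
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)   # dotted quad: send as-is
    except OSError:                                           # not an IPv4 literal
        name = host.encode("idna")                            # pass the name through
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + port.to_bytes(2, "big")

def parse_reply(header: bytes) -> int:
    # Returns the REP field of a reply header (VER REP RSV ATYP); 0x00 = succeeded
    if len(header) < 4 or header[0] != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    return header[1]

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:                               # recv may return short reads
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("proxy closed the connection")
        buf += chunk
    return buf

def socks5_connect(proxy_port: int, host: str, port: int) -> socket.socket:
    # Open a TCP stream to host:port through the SOCKS5 listener on 127.0.0.1
    sock = socket.create_connection(("127.0.0.1", proxy_port), timeout=10)
    try:
        sock.sendall(bytes([SOCKS5, 0x01, NO_AUTH]))      # greeting: offer one method
        if _recv_exact(sock, 2) != bytes([SOCKS5, NO_AUTH]):
            raise OSError("proxy rejected the no-auth method")
        sock.sendall(build_connect_request(host, port))
        header = _recv_exact(sock, 4)
        if (rep := parse_reply(header)) != 0x00:
            raise OSError(f"SOCKS5 CONNECT failed, REP=0x{rep:02x}")
        bnd_len = {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(header[3])
        if bnd_len is None:                              # domain: length byte first
            bnd_len = _recv_exact(sock, 1)[0]
        _recv_exact(sock, bnd_len + 2)                   # drain BND.ADDR and BND.PORT
        return sock
    except Exception:
        sock.close()
        raise
```

curl makes the same distinction on the command line: `--socks5-hostname 127.0.0.1:localport` sends the name (ATYP 0x03) for the VPS to resolve, while plain `--socks5` resolves it locally first.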

GUI version of doing the same thing:


Where's the GUI?

That's a good option as well! So, if sshuttle ever stops working, this. Thanks for pointing this out.

Does that actually proxy the connections opened by flash these days?

It does not.

For that, you need to change your routing table so that anything destined for goes through the tunnel.

This is basically what sshuttle does.

One downside is that SSH tunnels can only forward TCP, not UDP, traffic. sshuttle adds special handling for DNS (which is UDP) but any other UDP communication will not work.

For $20 LESS per year than this "poor man's VPN", I can get an actual VPN that I don't have to maintain, has multiple world-wide POP's, and doesn't log customer usage: https://www.privateinternetaccess.com

True. However, the idea with this is that you probably have a spare low-end VPS that you can use for VPN also.

You can get a low-end VPS for even less if you look at some VPS companies special offers, like $15/year for 1GB RAM, 20GB disk, 1TB transfer/month. Yes, low-end and most likely overbooked servers, but still decent enough for a proxy.

You don't need so much RAM for a VPN server with a few users. You can get by with 128MB (or even less if you're ruthless), and get such servers for $7.50-$15.00 per year.

Check out: http://www.lowendstock.com/ http://www.lowendbox.com/ http://www.lowendtalk.com/categories/offers

wow, I never knew you could get a vps for that cheap, thanks.

Exactly the point of the article.

> and doesn't log customer usage

Come on. As always, naivete is dangerous: until you can't rely on anything but promises, whatever they say can't be trusted.

Does PrivateInternetAccess being located in the US have any impact on the security of their service? They are heavily promoted and that makes me skeptical of their motivations.

My understanding is that, in some ways, it gives them an advantage since many countries in the EU and elsewhere have mandatory data retention laws. The US does not.

They also go out of their way to accept anonymous payment sources, something most VPN providers don't bother with.

Yes, see Lavabit. The FBI can compel a US company to add a wiretap to their infrastructure.

That's why we built Lavaboom overseas and out of US jurisdiction. The same applies to many secure email providers.

After some research, I ended up going with IVPN (https://www.ivpn.net/). It's pretty affordable too.

What led you to decide on IVPN?

It's hard to truly compare, but I started from VPN review sites and just disqualified most of the sites that seemed to care more about torrenting than about privacy, and of the remaining ones I went with the one with the best reviews and official policies.

We built an incredibly easy single click OpenVPN setup tool for DigitalOcean and Rackspace during Sochi: http://www.tinfoilsecurity.com/vpn

Enter API key creds, it makes the box for you, sets it up, and hands you a config you can use for your client of choice. (The script is open source for those of you that don't want to enter creds - we don't store them, and actually remove access whenever we can; for example, we delete our own SSH key from DO because they let us).

That's brilliant! Does it really work? How would one connect to it?

Works great. :) we give you, at the end, a config file you can use for your OpenVPN client of choice. We like viscosity on win/Mac: https://www.sparklabs.com/viscosity/

Out of curiosity - why not TunnelBlick on Mac?

Have you used it? The Viscosity UI is, in my opinion, bounds better - easier to use, more obvious configuration options, etc.

I started using TunnelBlick before I had heard of Viscosity. The UI isn't great but it was easy enough to install and configure.

I will check out Viscosity, as I don't particularly like having to use the config files directly each time I want to make a small change. Do you know whether the performance (throughput, latency) differs between the two?

I haven't noticed any difference, but I don't have any statistics for that. Just "feel."

OMG that looks amazing! Contact me about it? tyler@longren.io.

Always wonder how come tinc is not as popular as other VPN solutions. Peer to peer network routing via tun/tap interfaces, all traffic encrypted, each host has a public/private key pair.

I have been using it to build a VPN network with cheap VPS from different providers and found it really reliable and easy to set up. Besides that, once used it to watch some South Park at UK and also worked wonders, no need to even set up a proxy, just route your traffic through the interface.

Link for the interested: http://www.tinc-vpn.org/

Tinc is difficult to set up and uses a custom protocol which may not be thoroughly vetted.

I can't comment on the protocol, but tinc is very easy to set up. You just need to generate pub/priv keys and then add your routes in /etc/tinc/vpn/tinc-up. We're running it in production with ~30 nodes worldwide and using puppet to dynamically add/remove nodes on the fly.

What is great is it's able to re-route around any peering issues suffered by local ISPs. Say you have three nodes in the US, UK, JP and your JP ISP loses routing to your US ISP. If both can still route to the UK then tinc will automatically keep traffic flowing.

Of course if you manage to get a template setup it is easy.

But now that I haven't set up tinc for a while I have no idea how to do it again and the examples are horrible.

Every node needs to have a copy of every other node's configuration file and it is annoying to add a file to N servers when you are adding the N+1th server.

For the setup I will say it is on the same level of difficulty as it would be to set up iptables and routes manually. Yes, tinc does not abstract any of these things from you. But if you know what you are doing (not saying I always know what I am doing) it can be a powerful tool to build the exact network you want without any provider lock-in.

Now, I must agree on that, it might not be a friendly solution for dead easy routing to an exit node as a proxy with dns-tunneling built in. I just wanted to know why tinc does not get enough love, and you answered accordingly. But if you are building a serious network I do think tinc hits the sweet spot between being easy and allowing for any network you can think of without being tied to a particular server provider that might offer private IPs.

As for the configuration I use git, which makes it super easy to set up the N+1th server. None of the private keys are committed to the repo, of course. My infrastructure is not that big so I am still doing some things by hand, but it should be easy to automate some parts by using git hooks + puppet|ansible|chef.

About the protocol I do not understand why it would be a problem, other than not being ssh or the possibility of being filtered over the network. Don't most VPN solutions have their own protocol?

If you put your configuration files on github then someone can figure out which IPs they can ddos.

The problem with a non-vetted protocol is that it could have flaws.


Like everyone else here, I've been using ssh -D. Which is awesome especially because I have my hosts organized into my ~/.ssh/config file, so if I need a connection in the USA, I'll just type "ssh -D 4444 us".

I have a similar setup on my Android phone, by using Vx ConnectBot (http://connectbot.vx.sk/) plus ProxyDroid (https://github.com/madeye/proxydroid).

If anyone needs some of the advanced features provided by OpenVPN, I can suggest this script: https://github.com/Nyr/openvpn-install I've successfully used it to install OpenVPN several times, and it's mostly effortless.

As for the VPSs, I can suggest http://lowendspirit.com/, awesome owner and can't beat the 3€/year (yes, year) price. You don't get a public dedicated IPv4, but if you need only a VPN then it's not really needed.

You can actually specify the -D in your .ssh/config with "DynamicForward 1234". Now whenever you connect, it'll also open up a proxy to which you can optionally connect.

Another neat trick is having a wildcard for a host to set global options, like compression.

Here's a little sample of what my ~/.ssh/config looks like: https://gist.github.com/jzelinskie/10675197

This should be called a lazy man's VPN, not poor. You can run a VPN on the same $5/m VPS.

I've been using the ssh -C -D 8080 -fN user@server.tld for years now, no VPS needed if you use a free shell account.

Free != lazy

Also, lazy people dislike having to manually configure their web clients.

Depends on the virtualization technology used - if it's usermode virt only, no way to set up a TUN or TAP adapter for OpenVPN.

Or lazy man's ssh tunnel. :)

I think that's the most succinct name so far. Like it. Maybe I should re-title the post.

OpenVPN is nice too and will work on the same cheap VPS. They have a command line version, and a paid product, Connect, which has a web UI for configuration.

It's free for a low number of users, though. And it also has clients for Android.

I find that I get better speeds through OVPN than through an SSH tunnel. YMMV :)

OpenVPN defaults to tunneling over UDP, but optionally supports TCP. SSH is always over TCP. Here's a bit of info from the man page [1] for anyone who's curious:

" OpenVPN is designed to operate optimally over UDP, but TCP capability is provided for situations where UDP cannot be used. In comparison with UDP, TCP will usually be somewhat less efficient and less robust when used over unreliable or congested networks."

[1] https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

More detailed info: http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

SoftEther is really simple to configure and works very well using normal VPN clients, which is easier for non-tech friends/colleagues to access vs SSH.

+1 to SoftEther. I've been using it as a replacement for Hamachi (which recently went pay-only), allowing my godsons to log into my Minecraft server. I have it set up with a server running on a DigitalOcean VPS and the bridge to my internal network running on a Raspberry Pi.

+1 for SoftEther, also works better in China because of the protocols supported.

Another noteworthy script for instantiating an openvpn server quickly is this:


Again, this has emphasis on scrambled connections (i.e. China)

I can also recommend Docker + joyent/digital ocean with Openvpn. [0] Just paste a few commands, install tunnelblick and you are ready to go.

[0] http://blog.docker.io/2013/09/docker-joyent-openvpn-bliss/

Am I crazy for using PPP over SSH for this?

I enabled masquerading on the server for ppp0 interface and then I'm doing this on the client:

    route del default
    route add -host vps.host gw my_local_gateway eth0

    pppd pty "ssh vps.host -t -e none -o 'Batchmode yes' sudo /usr/sbin/pppd" local nodetach silent

    route add default ppp0

I guess some of this could be automated in ppp-options but I never bothered as it's a simple script I can run at any time.

>Am I crazy for using PPP over SSH for this?

Yes. You'll get all kinds of performance weirdness running TCP-over-TCP[1]

[1] http://sites.inka.de/~W1011/devel/tcp-tcp.html

Interesting. I guess I do not use it often enough to encounter those issues.

Thanks for the link, it's really useful to know this.

This sort of VPN is useful for getting around filtering and blockades but is not good for deniability. Tor and or a commercial VPN that doesn't keep logs is for being more anonymous.

How is a commercial VPN that claims not to keep logs more deniable than running your own VPS that definitely doesn't keep logs?

Well, the commercial VPN may or may not log traffic, so let's say it's 50/50.

Your VPS, on the other hand, is your VPS. If the police comes to your server, the company has no reason to hide who you are. That's 0% deniability, they'll come straight to you as the owner of the server. You'll then have to prove somehow it wasn't you (and you were, so it's a tough one). At the very least you'll get lawyers involved.

Like probably_wrong said. If you own the VPS and only your traffic goes through it, your deniability is pretty low. All the traffic emanating from the node is still "you", only translated.

They don't need logs on the box to track the activity of the box.

I have used both techniques discussed, mostly for being able to download stuff I purchased on iTunes while being over seas.

VPN is for end-to-end security, not anonymity. If you want anonymity, use Tor.

Seems like an easier solution would be to run Tor on the VPS instead of via his home internet connection. Nice to learn about sshuttle though.

I have a VPS specifically setup for a Tor relay, as well. :) We're moving soon and will likely retire the "home" Tor relay.

Not poor yet, but on my way to being there it'd seem.

I'm pretty sure most VPS hosts wouldn't be too happy with that

I thought this would be an article about setting up PPTP and/or OpenVPN on a low end VPS. For anyone doing this for the first time, these shell scripts may be helpful:



I was setting up my connections before going to China. I found this guide useful: https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-1...

There are top cheap VPN providers, to find a decent one check out list of http://vpnwebsites.com/.

Thank you for all the responses. It's apparent there are MANY other options, and probably much cheaper options.

Given me a LOT to think about. Thank you all. :)

openvpn access server takes only a few minutes to setup. Digitalocean has an article on how to as well. https://www.digitalocean.com/community/articles/how-to-insta...

ssh -D along with proxychains - been doing this for ages.
