498 comments

[ 3.5 ms ] story [ 144 ms ] thread
Great link from the EFF describing tor and https [0] click on the grey 'tor' and 'https' links to see what information is collected where and what can be viewed.

surprised this article does not mention tor? or has tor been abandoned as a tool for privacy?

[0] https://www.eff.org/pages/tor-and-https

I think tor is simply too slow and complicated to advertise as a tool to "regular people"

Encouraging people to use a VPN is much more likely to be effective

> I think tor is simply too slow and complicated to advertise as a tool to "regular people"

I know many people who use Tor daily for regular browsing - myself included. Yes, it's slower than not using Tor but that's expected from the 3-hop design.

There are reasons why a VPN is great but not for privacy. A VPN is currently allowing me to work remotely would be one of them.

CiPHPerCoder provided a great link[0] in this discussion [1] that details a short list of a few reasons why VPN's are likely not what "regular people" who are concerned for privacy should be using.

that all being said, tools like tor have become much easier to use with setups like tails [2] which may have its own security issues but I'll agree that regular users may not be capable of using Qubes with Whonix.....yet

I think advocating for a VPN is actually harmful to the "regular user" not only in the fact it will not accomplish what they want, it will deepen their ignorance on how the internet works because they will think "its encrypted" "so I am secure."

I do have some concerns that tor is a tool that needs to be improved upon greatly to truly accomplish its goals but I am not aware of any projects that are doing so. Re metadata, fingerprinting, developers inserting backdoors etc.

[0] https://gist.github.com/joepie91/5a9909939e6ce7d09e29 [1] https://news.ycombinator.com/item?id=15585974 [2] https://tails.boum.org/

[edit:added concerns about tor]

> I do have some concerns that tor is a tool that needs to be improved upon greatly to truly accomplish its goals but I am not aware of any projects that are doing so. Re metadata, fingerprinting, developers inserting backdoors etc.

I always try to tell people about Tor's limitations, which are considerable. (I wrote the content for the EFF graphic that was linked above, and one goal was to show people things that aren't hidden by Tor — for example you can see an NSA agent in the graphic performing some kind of correlation attack between source and destination by monitoring the network at multiple points. Of course, the source of data for this doesn't have to be fiber optic taps, so other entities that can get source and destination data can correlate them too.)

Tor is doing work on all of the things that you mention: metadata, fingerprinting, and developers inserting backdoors. One could wish for more work and that it had happened longer ago, but all of those are active areas of concern and research for the Tor project.

>I wrote the content for the EFF graphic that was linked above

Thank you! I constantly share that link with people, I (and many others) appreciate your work!

I regret not going into software development, I wish those are projects I could contribute to, alas my closest work towards development is tinkering with linux etc .conf files to get home projects to work, which is not development at all.

Since I spend a lot of time these days helping people on

https://community.letsencrypt.org/

I can testify that the ability to help people tinker with Linux configuration files is something that continues to be in great demand. :-)

Thanks! I'll begin lurking
(Just to be clear, I mean that Tor is doing work to prevent developers from inserting backdoors.)
Every time this sort of question comes up, I reflexively link people to this page: https://gist.github.com/joepie91/5a9909939e6ce7d09e29

Most of the time what people think they need a VPN for, a VPN won't actually help them much. They have a narrow use-case in privacy contexts, in which case you're better off using Tor.

That github note doesn't really disagree with the article, which points out that you need to trust your VPN provider.

My general position is this: I don't trust my phone provider. At all. Just a week or so ago there was an HN post demonstrating how an ad provider can get your full name, cellphone plan details etc just by calling an API from a page rendered on your phone. But I also don't really have a choice - AT&T or Verizon or T-Mobile, they're all different flavors of the same crap.

Do I trust my VPN provider unequivocally? No. But I trust them a hell of a lot more than my phone provider, and they can't sell my personal info against my browsing history because they don't have it.

A VPN isn't the answer to everything, but nor is it useless.

No, hold on. The two articles disagree very much. The one Scott just cited explains that you can't trust a commercial VPN provider.
The Mozilla post says:

> Are VPNs truly private?

> Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?

Which is basically also saying you can't trust a commercial VPN provider. I suppose it does differ in that it says it's still an option, though.

Why do you trust your VPN provider more than your phone carrier?

What have they done to earn your trust?

Partially, at least, they don't need to earn my trust as much. They don't have my name, address, date of birth and social security number/credit data, like my phone company does.

The only positive point of trust a VPN provider has is that no-one has exposed them selling browsing data. Definitely not great, but also better than my phone company by default.

It's a bit like how "stranger danger" isn't a thing kids get taught about anymore, because random strangers aren't risky if you go up to them, only if they come up to you. (Or, in more statistical terms: bad actors are a small proportion of the pool, but they have an incentive to self-select into interacting with you that good actors do not. If you just draw randomly from the pool, you won't get a bad actor. If you let the pool show the initiative, you'll get mostly bad actors.)

Your VPN provider is just some random company. You went up to them. They're randomly selected (insofar as your choices are random) from the space of all VPN providers, and most providers aren't malicious.

Your ISP is, at least in the US, almost always a monopoly. They're self-selected: they went up to you.

A VPN provider can tell you they're not logging your traffic because they think they aren't but really they are because there's a box somewhere that your traffic passes through that has logging enabled (for example -- and don't hyperfocus on the example, I know how you programmer types like to pick up the example and play ping pong with it for six hours).

So incompetence is a reason to not trust a provider as well.

I suspect that in general there are two reasons.

* My VPN provider explicitly states that they do not collect user information or store logs of user activity. Unlike my ISP that has a No Privacy Policy.

* My VPN provider has not done anything to lose that trust.

So which is worse, your VPN provider telling you that they don't store logs of user activity and then very well doing it (as has been proven in multiple cases), or your cell provider telling you they're going to fuck you, then fucking you?
I think the most popular use case is torrenting which a VPN will help.
If you want to torrent, turn one of the low end boxes into a seedbox rather than a VPN server.
That isn't great privacy wise as it's still privacy by policy. The best way to torrent is to use i2p which - unlike Tor - encourages that activity. (Short tuto: the default Java i2p bundle already comes with I2PSnark, a torrent client. To download a torrent, search through known i2p trackers such as the Postman Tracker: http://tracker2.postman.i2p )
The content owner could still request your information from the VPN provider and the VPN provider might provide it (even if they say they won't). I think the main benefit is that there are so many individuals torrenting copyrighted material that aren't using VPNs that it means you aren't the "low hanging fruit" so you're considered not worth the effort by the content owners.
Yes, but there is a big difference between "this provider might be lying about not storing traffic, and they also might give the data to someone" and "this ISP is 100% storing traffic and routinely gives that data to others."
Why base your privacy on wishful thinking ("provider is probably not lying") instead of using privacy by design solutions? (e.g. i2p for torrenting)
Because privacy by policy is good enough for almost everyone.
> Because privacy by policy is good enough for almost everyone.

Source? And why would it be good enough when it has been shown time and time again that it's ineffective (example: DNT header)?

Even then, setting up your torrent client to use a proxy is just as simple and effective.
I trust most VPN services more than I trust my ISP. If what you are trying to do is avoid your ISP collecting your surfing data for advertisers, throttling Netflix traffic, or adding a super-cookie to headers, then a VPN might make sense.

My ISP choices are limited to two companies that are both terrible. A VPN is a nice way of limiting what they can do to you.

You don't get any additional privacy, the only way to really _guarantee_ that you get additional privacy is to use a solution that provides privacy by design rather than by policy.
How do you not get any additional privacy?
As I mentioned using privacy by design solutions (Tor, i2p, ...)
I'm not looking for a guarantee. Probably getting additional privacy is good enough for me.
> I'm not looking for a guarantee. Probably getting additional privacy is good enough for me.

I think we can both agree that wasting your money on wishful thinking ("maybe provider doesn't log") instead of using free open-source privacy-by-design solutions is a bad idea.

(comment deleted)
I would certainly disagree with that.

The privacy-by-design solutions have their problems at well (ex: speed). It would be better to use them over VPN IF AND ONLY IF their features would be strictly equal.

As they are not, one simply calculates the expected value of both, taking into account the probability of the VPN actually logging the traffic (which should be low for VPNs with good reputation).

For some use cases, even a VPN that logs traffic would be a good idea. For instance in many countries if you download a torrent they will log your IP and try to identify you. IF you have a VPN, they won't even bother asking the provider the IP because it is just not worth it for something like that. If you were exchanging child porn on the other hand they will ask for it and take time to find you.

Not everybody needs the same guarantee of privacy or has the same risk if the privacy was to fail.

Your statement is the same as saying one should never invest in shares because the return is not known in advance, so you should just buy government bonds which are safe.

Now you have to trust two ISPs: Yours and the VPN provider's.
My ISP is AT&T. I don't think there's much the VPN provider or their ISP could do to make things worse for me. The worst case scenario is that they are as bad as AT&T and there's a non-zero chance they are better.
That's a shallow analysis.

The worst case scenario is not just that they're as bad as AT&T. The worst case scenario is that they're as bad as AT&T and still provide a false sense of security.

Even if you're diligent, other users with your (ISP, VPN) provider pairing might not be, and they could be harmed as a result.

The comments security nerds make here on HN aren't one-on-one individualized consulting (n.b. that's paid work in my field), they're general advice for the public to refer to.

If you are tunneling all traffic through your ISP, seems to me you aren't trusting them all that much.
Ignoring traffic analysis, you shouldn't have to trust your own ISP while using a VPN. Ignoring traffic analysis makes sense unless you're a high profile criminal, and it affects all low latency tools, including Tor.
I meant colloquially. If you're not using your VPN 24/7, you have to trust both at different times.

You are of course correct. :)

Tor is basically a funnel into the DOJ and has been for quite some time:

https://arstechnica.com/tech-policy/2017/03/doj-drops-case-a...

They run massive PR campaigns with carefully structured press releases designed to convince the kind of people they want to detain that TOR is private and safe for any kind of activity.

Because of this people tend to get swole when you suggest that TOR is not any good for protecting your privacy because lots and lots of people have been arrested, tried and convicted after trying to use it to hide elicit activities.

The US government has made millions of dollars of investment into TOR:

https://www.theguardian.com/technology/2014/jul/29/us-govern...

Pretty much every time the US government is investing in something you can be certain that their intention is not to help you out.

AFAICT, in all current cases it isn't Tor itself that's been broken by the authorities. It's the client end that has been compromised; and in a way that isn't specific to Tor. Had these users been using a VPN without Tor, they could have been compromised in largely similar ways.

Please, find me a counter-example - because I haven't seen one.

Admittedly, one thing that has happened is that the authorities are able to target compromises in the Tor Browser specifically, rather than in a wider range of clients that non-Tor VPN users might use. But they're probably more vulnerable than the Tor Browser is anyway.

Chrome is arguably more 'secure' than the ESR Firefox that the Tor Browser is running on. If you are realistically concerned about this type of targeted attack, you should probably be browsing with Chrome isolated inside of Qubes/Whonix.
It's important to consider here that the average person using TOR is not a network administrator.

And that they'll follow the instructions that come with the TOR browser and assume that it's safe.

So when I say that TOR isn't safe, I mean that it isn't safe as it's presented.

Saying that TOR isn't safe if you know what you're doing is like selling someone a car with no seatbelts and then telling them well if you knew what you were doing you'd install seat belts yourself and then the car would be safe.

> So when I say that TOR isn't safe, I mean that it isn't safe as it's presented.

Sure. But it is no more dangerous to use Tor on its own than it is to use a VPN privacy service on its own. So your claim that the US Government is enticing people into using Tor to entrap them is nothing more than an unsubstantiated conspiracy theory. It would be easier for governments if criminals didn't use Tor.

> conspiracy theory

It's too late for you.

You're thinking of these as Single Points of Failure, but they're not in parallel; they're in series.

Consider the attacker: a service you've visited that has your "outermost visible" IP, and wants to know who you are. From their perspective, it doesn't matter if your ISP is willing to give information freely, because they don't know who your ISP is until they've already gotten the information from your VPN provider. Each layer prevents the layer below it from being attacked, until it is removed.

Yes, a state actor could just ask "every ISP at once" to look at their logs of OpenVPN-protocol traffic and identify the packets that match the ones that arrived at the service. But state actors aren't the usual attacker profile, and require entirely different strategies (e.g. getting human "proxies" to use Internet cafes for you.)

I feel like this is dated, because in 2017 this:

> You are on a known-hostile network

is true for every network in the USA. You can be sure they ae all being snooped on by 1. the ISP collecting traffic data for profit and 2: the gov. because they get it all anyways.

The title of this should be "Don't expect VPN to magically protect your privacy," not "Don't use VPN services."

Here are some reasons I've used, and continue to use, VPN:

* When I am on a network that uses an idiotic blacklist to block certain types of content. The network might even be run by my employer and I might be accessing content that is necessary for my work, but there might be no way to appeal the idiotic blacklist.

* When I am on a network that INJECTS content into HTTP responses (a certain paid airline WIFI used to do this).

* When I am on a network that might allow other users on the network to snoop on / mess with my traffic.

* When I want to access services that I have paid to access but are only available to IP addresses in a specific geographic region, and I happen to be in another geographic region.

Etc.

I used to be employed at a place that was so restrictive I couldn't even access asp.net (the website). I think it was something to do with it being in the cloud and looking like it was being hosted in the middle east. Most people probably don't know what it's like to work in a company with the extremely power hungry network admin that want someone coming to them for everything.
Three of your four points are explicitly addressed in there as reasons to use a vpn.
For now, I am running my own VPN on Linode. The only real benefit of this is now my traffic is mixed with non-similar traffic. The hope is that this makes it less valuable to monitor the contents of my traffic. Of course, this just security through obscurity, and nothing more than a half measure.

The internet is not designed for privacy, and privacy does not benefit the majority of commercial stakeholders of the internet. This is probably why most privacy solutions feel like shoving a square peg through a round hole. My personal feeling is that we should combat commercial bulk surveillance through legislative means.

Your last paragraph ignores the existence of many privacy by design solutions such as Tor or i2p. Yeah, they can't protect against a global passive adversary - as any other low latency anonymity system in existence, but that's totally different from saying that there's no way to have privacy on the Internet.
Tor is a solution for specific use cases. It does not address privacy on the internet in a general way. For example, if I use tor to browse facebook, I am logged into facebook and still just as trackable as I would be if I wasnt using tor.
> Tor is a solution for specific use cases. It does not address privacy on the internet in a general way. For example, if I use tor to browse facebook, I am logged into facebook and still just as trackable as I would be if I wasnt using tor.

No, at least now facebook may not know your exact location (especially if you use their onion service: https://www.facebookcorewwwi.onion/ ) and they can't track your activity outside of facebook. Of course, it doesn't solve - nor can any other anonymity system - the fact that you transmitted personally identifiable information with facebook.

(comment deleted)
Most people I know want a VPN to pirate stuff without consequences. So I'd say, Tor would not cut it.
Tor is emphatically not meant for piracy, especially BitTorrent.
As I mentioned in another comment about using VPN for torrents:

> That isn't great privacy wise as it's still privacy by policy. The best way to torrent is to use i2p which - unlike Tor - encourages that activity. (Short tuto: the default Java i2p bundle already comes with I2PSnark, a torrent client. To download a torrent, search through known i2p trackers such as the Postman Tracker: http://tracker2.postman.i2p )

Unless stremio and other pop corn time like can work transparently with i2p, it won't help.
> Unless stremio and other pop corn time like can work transparently with i2p, it won't help.

What? i2p is a self-contained network and not really meant for clearnet browsing.

You need to look up what stremio (https://www.strem.io/) is and understand the value proposal for the casual non tech saavy end user. This is the face of torrenting now. Not magnet links. People don't know what a URL is anymore, don't expect them to understand a classic torrent client or i2P.
You mentioned stremio and I respectably pointed out that it's not going to work over i2p for reasons mentioned above. I don't even see why you're mentioning it when we're talking about privacy.
My whole point is that people use VPN for torrenting so Tor would not help and i2P neither. What are you talking about ? Did you read the first post ?
> My whole point is that people use VPN for torrenting so Tor would not help and i2P neither.

My point was that I2P can help them since it's (a) torrent friendly, (b) has a bundled Torrent client (I2PSnark), (c) there are many eepsite torrent trackers such as: http://tracker2.postman.i2p

But they use stremio which doesn't work with i2p.
Since we're talking about it: what's the value proposition in creating an illegal service for non tech savvy end users?

I'm trying to figure out why they made this. They can't really run ads without ending up like the founder of TPB.

Regardless, it doesn't seem unreasonable to expect people to know what a magnet link is. When all you need to do is download transmission and click on a magnet link, people are fine with that.

I'm fairly new to whole world of increased internet privacy, so I'm curious of the benefits of using a VPN or Tor. I'm not a political activist or engaging in illegal activity, I just want my personal data being passed around as little as possible (preferably by spending little to no money to do so). Is using Tor worth the effort? What are the benefits? Or do I simply use Chrome and resign to my fate like nearly everybody else?
> Is using Tor worth the effort?

Definitely.

> What are the benefits?

Because of its 3-hop design, a non global passive adversary (GPA) would need to control both your entry node and the exit node to de-anonymize one of your Tor circuits. In addition, Tor circuits generally last for 10min only. Also using the Tor Browser you get stream isolation meaning that you get different Tor circuits for different websites.

You can also setup your own non-exit node and connect to it to ensure that no single point in your Tor circuit controls both the entry node and the exit node.

> a non global passive adversary (GPA) would need to control both your entry node and the exit node to de-anonymize one of your Tor circuits

That's not a benefit, that's a feature. A benefit involves a use-case. What does a person gain from not having their traffic de-anonymized? The described user is someone who doesn't have any particular activities they need to keep secret or risk jailtime. So, for them, what's an example of something that could happen differently in their real life if they used Tor vs. if they didn't?

(This wasn't a rhetorical question; there are such use-cases. I'm just commenting to prod you into zooming out a bit from "privacy is its own end" to thinking more about what regular people care about and how privacy helps them get it.)

For starters, don't use Chrome.

Chrome sends a whole lot of data to Google (and possibly to their data-sharing partners) such as, at the least, what sites you visit and how long you are on each. When combined with Analytics, cookies, profiling and whatever G services you use, and the fact that Chrome is a program (not a site) connecting that all, you have pretty much lost any legitimate hope to privacy before you begin. Use HTTPS everywhere is a no-brainer, as at least the middle steps won't see the data. IMO, using a commercial VPN is just not that difficult and the speed is close to native, so its a lot easier than TOR.

Basically it comes down to this: What you don't want people to know, you don't tell them. So if you don't want personal data floating around everywhere, don't tell them personal data.

Or just be a nice happy good citizen in the normal world. What you do in other worlds should then not be mixed with the normal word.

Duckduckgo recently included "How to Choose a Good VPN" in their privacy newsletter - https://spreadprivacy.com/how-to-choose-a-vpn/
Looks like DDG recommends TunnelBear[1]. Any one have an experience with them? I'm always a bit skittish on free VPNs.

https://www.tunnelbear.com/b/privacy-partners/

It seems like a promo link which gives you 500mb per month for free. You have to pay for unlimited data.
From the number of YouTube channels that promote them, I expect they must have a strong affiliate program. Just a possible bias to keep in mind...
Its a nice user-friendly app, works well on all my stuff. Using it on linux took a bit of manual setup, but their instructions worked. I'm a customer, and I would recommend it. I outsourced my trust in them to DDG. Hopefully they didn't steer me wrong there.

Downside is that it basically only works per device. It doesn't run on any routers that I know, to get full coverage over your network traffic.

User-friendly, but blocks port 22, so if you need SSH and can't change the port, try something else.
Be careful, Mozilla. When you blog about VPN's as Mozilla, you write from a position of authority. VPN's are a notoriously minefield of shady providers and false promises. You do not want to recommend CyberGhost to your followers, the find out in six months when they show up in a court order that, oops, CyberGhost actually logs a ton of stuff that can be subpoenaed.

Exercise caution. Do your research.

> There are many, many VPN providers, and Mozilla can’t recommend any specific service.

Was it somehow unclear? Pretty clear to me at least.

But then they go on to mention several providers by name, with links.
Did you even read the article?

For instance:

> Are VPNs truly private? Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?

Look, if you see such an article from a authority the authority is well aware of what they do to their name. They've built this authority with hard labor over years. So the chance is far over >67% that they are trying to cash out.
Are we going back into time where we can draw parallels between internet access through an online portal like AOL and now when we are accessing our internet through a VPN?
Actually i think the lay users access the "internet" via facebook (aka the "modern equivalent of AOL")...while non-lay users use VPNs. ;-)
useful resource on selecting a VPN provider: https://thatoneprivacysite.net/vpn-section/
I recently setup on ZorroVPN after going through that list. It's a little on the pricier side (BlackVPN is another one I was considering with similar pricing), but the performance has been pretty good so far. They don't have their own client so you don't have to worry much about them installing junk on your machine. You can use one of the open source clients out there.
(comment deleted)
I'd hand cash to Mozilla if THEY provided a VPN service.

Or if Amazon provides one I'd use that for sure.

Definitely Mozilla but why Amazon? They operate with vastly different values systems.
Both would inevitablely have to log.

Both would help with ISP selling data to advertisers level snooping and open WiFi network insecurity issues though.

I'm on Verizon so I don't get to choose if I need one. I have to use one on my phone at least.

They are still useful for lumping your traffic in with others for copyright infringement. Torrent clients offer the files for sharing while downloading.

They are still useful for some simple geo evasion as well.

They aren't a solution for every security issue at all. Tor is generally better to run from open wifi from a tails USB rather than from a VPN.

Also, many VPNs actually log things they can provide to the FBI even though they lie and say they don't. They can get a NSL and end up having to without being able to tell you that they did. Sometimes a NSL canary is used, but not always.

> I'm on Verizon so I don't get to choose if I need one.

Can you expand on that? I’m also on Verizon and feel like having a panic attack.

They throttle youtube and netflix now, which broke youtube with my VR headgear. :(

Also, the permacookie nonsense, and they are certainly data mining the crap out of everything you do.

I'm not sure what you mean by "I don't get to choose if I need one". Both Android and iOS natively support VPNs, and most corporate phones are set up to connect to the corporate network securely via VPN - on many US carriers.
I think chisleu meant that they consider Verizon to be so untrustworthy that not getting a VPN is really not a viable choice to make. So chisleu doesn't get to choose whether to use a VPN or not.
Oh, I think I understand now. "I have to use one on my phone"

Thanks!

I always wonder about ProtonVPN (the ProtonMail people).

It's Swiss based so I assume there would be a decent amount of round trip latency, but for sheer privacy it seems like a solid company that goes the extra mile by locating itself for legal purposes.

https://protonvpn.com/

I am debating whether I should go with them or not, as well. They do seem solid, but I have not heard any people mentioning them.

I have a paid account with Netflix/Hulu/HBO and I'd like to watch it when I'm travelling or when I'm working remotely from third world countries. That would be my sole use case. Can they stream without huge latency?

I can't watch Netflix through ProtonVPN.
Regarding speed, I've been using ProtonVPN for around 4 months and It's much faster than other VPN providers I've used (TorGuard and PIA). It doesn't work with Netflix as Netflix blocks most VPNs.
ProtonVPN is my first and only VPN - occasionally there are connection issues. Speed is not superb as far as I can tell but sufficient for most use cases. I tend to stick with them. No idea if they are better or worse. I chose them b/c with regards to privacy they seem trustworthy.
I didn't read the article but I want to say that the solution is not VPNs. We can end up being like North Korea where VPNs are forbidden. The solution is to have educated voters who do not vote to showmens like Erdoğan or Trump. https://youtu.be/fLJBzhcSWTk
All the "you don't get privacy from a VPN" talk misses the variable of who you want privacy from. If you don't care about e2e privacy, but want a simple way, without using Tor, to keep websites from knowing your real IP, then VPNs are great.
I always ask this on the VPN threads here, and don't feel like I get a solid answer (I'm not particularly well-versed on the topic so I'm genuinely curious and would love to be corrected).

If I go to Bob's website on my computer without any VPN, and Bob wants to find me, all he would need to do is get my IP, call my ISP with a warrant, and then get my information.

If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions. Then he calls the VPN company, and asks them to associate the IP and specific browser sessions with me. In that case a) the VPN really does store logs even though they advertise they don't, so they're able to associate me with my activity, or b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.

It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?

So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?

If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users? Wouldn't it be easier for Bob to call AWS with a warrant and get your account info than mess with some offshore VPN provider?

Speed, in terms of bandwidth and latency. I consistently get slower speeds using a VPN. Granted, I'm using Google Fiber so I have symmetric gigabit, but there is a downside to it, depending on your use case.
Was there any point to this comment other than humblebragging about your fiber connection?
It's a legitimate point to consider. I've set up my home router with Tomato by Shibby, which allows routing all traffic over a VPN link. I was finding the router couldn't keep up with a 50 Mbps link. Granted, these routers aren't designed with that use case in mind. But, running a VPN link all the time on mobile devices kills battery very quickly, so setting up the link on the router is preferable. Consequently, I don't route all traffic over the VPN, which is suboptimal.
I put a 2nd router behind my regular router and switch the gateway, on devices I want to use the VPN, to this 2nd router. Benefits: 1. allow devices to use non-vpn friendly sites 2. Keeps everyone on the same subnet so the VPN is not in the way for local file transfers. 3. main router not overburdened by VPN software
Tomato allows selective routing, both by destination and by device, so that's helpful. Your setup definitely avoids some of the overhead mine has. But, really, I'd just like the little ARM processor in my R7000 to be able to keep up so I can saturate my link. I'm not familiar with ARM's ISA all that much, but it seems an AES-NI equivalent would be really nice to have.
There's no catching him, he's behind 80 proxies.
Did you try HMA? I had amazing speed with them.
No, I was using PIA, I might try them out though, thanks.
PIA is cool because it works seemlessly with your phone as well. It used to be you had to have some special access to get it to work with a provider like Verizon, but it works flawlessly now.
Tried them out yesterday and they give about 10% of my Internet speed on any server. So my 400 Mpbs connection slowed down to 40 Mbps, which is a pretty rough drop. And I haven't been able to find an OpenVPN connection that could handle more than that 40 Mbps.
I'm in the same boat as well. I'm not in the US but I do have symmetric gigabit as well. I've been using EC2/DO boxes to setup VPNs for me, but they hardly ever come close to my home speed.

This is usually due to the ec2/do instances being the cheapest or second cheapest with bad CPUs and overcrowding.

You're also only guaranteed gigabit speeds on the higher tier instances. I'd be interested in what you get using iperf3 between EC2 and your home connection.
VPNs protect you from snooping by 3rd parties on the way to Bob's site, such as your ISP, anyone on your network, or anyone on any of the intervening nodes between you and Bob's.

If you don't want Bob to identify you then yeah you need more than just VPN such as ad blockers, disabling cookies, and more.

Depends on what you mean by VPN but the let-me-bittorrent ones don't get you confidentiality (or integrity) to web sites you visit, past your immediate ISP.
Your VPN provider might not log. Or it might log and sell your internet activity. Of course, the same is true of your ISP, so you have to see who you trust more.
So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?

The downside in a nutshell: "Researchers recently tested 300 free VPN apps on Google Play and found that nearly 40 percent installed malware or malvertising on users’ machines."

"Bob" very likely doesn't know you even exist and doesn't care. The downside of VPNs is that many VPN hosting companies are even less trustworthy than "Bob" and do care who you are. An unscrupulous VPN provider can MitM your connections, harvest anything you give the VPN's app privilege to see (probably a lot), etc.

Step one of security is to understand the threat you want to defend against and make sure your defense against that is (a) adequate, (b) appropriate, and (c) not compromising you in other ways.

Another downside:

Recently the Federal Government sent out a malware to certain persona of interest. That malware played a higher pitch sound than can be heard by the human ear. They were able to track that person and identify them because they heard the sound on the computer's microphone. TOR or VPN can stop this.

> That malware played a higher pitch sound than can be heard by the human ear.

That should be "... can not be heard ..." right?

Also, do you have a link with more details.

No, it's right as-is.
Ah I think I read the "higher" as "high" and misunderstood it.
That still doesn't really make sense. I think you misread "than" as "that".
"a higher sound than can be heard" or "played a sound, which cannot be heard due to its pitch"

would both work, but your interpretation isn't correct.

Without a source to corroborate, the tinfoil hat factor is extremely high with this one
I slightly agree. However, these days it seems more and more that "thing elite spy agency does to track terrorist" is on about a 6 months to 1 year lead on "thing startup does to target ads."
Wouldn’t even surprise me if it was the other way around either.

Some of the brightest minds of this generation are working on ad tech.

Sadly.

Angelheaded hipsters burning for the ancient heavenly connection to the starry dynamo in the machinery of night, indeed.
Ability and motive...

Are they able to do this? Yes, for sure.

Are they willing to this? For terrorists or maffia bosses, no doubt. For smaller fish? Maybe they can't be bothered. Or maybe they can.

Once it's productized, it's probably easy to reuse.
Technically, but maybe not bureaucratically.
> A team of researchers from the Brunswick Technical University in Germany discovered [234] Android apps that employ ultrasonic tracking beacons to track users and their nearby environment.

https://en.wikipedia.org/wiki/SilverPush

My tinfoil hat is spinning!

Here is a source, but no „malware“ but ads, the line gets more and more blurry

https://arstechnica.com/tech-policy/2015/11/beware-of-ads-th...

I'm surprised a computer speaker has the frequency response to play an inaudible tone.
Most wouldn’t, I’d imagine OP is referring to a mobile device, look at Androids dev docs they recommend sticking to 44.1khz, which we know does fail into the range of human hearing with its 22khz reproduction, albeit fewer people. I’d suspect the person being spied on would become suspicious upon many children they encounter and even more dogs fleeing from their direction.
Tested my kids - they could hear an alleged 21khz tone out of laptop speakers. The actual level of the tone doesn't matter - it was above my level of hearing. Wasn't a double blind, but they told me when it started and stopped based on a bash script with random intervals.
I'm 20 but I can still hear 20 khz, albeit not very well.
I could when I was 20, did a proper hearing test when I joined my company. 15.625khz was very noticeable - I scoffed at the old timers who couldn't hear it.

I can no longer hear it. Still I can hear 1khz, so that's what's important.

> TOR or VPN can stop this.

You're saying that the persons of interest in this case were identified and targeted only based on an IP address and not based on some other aspect of their online activity?

If they were able to gain access to a person's microphone doesn't that mean they are already compromised?
Wasn't this how they caught the Silk Road guy? Ross Ulbricht? They played a loud noise from his computer in a public area, as I recall.
that is not how they caught him. They used a correlation attack. He was stupid and posted something using his personal email on stackoverflow about setting up tor website and processing bitcoin transactions. He then used a linked account to advertise silk road a few times. This made him a prime suspect. They followed him for weeks and watched that every time dread pirate roberts logged in and posted on silk road he was sitting in a cafe or library on his computer connected to a vpn. This was enough for them to get a search warrant and they found all the other evidence they needed to convict him on his laptop
Why not just use a trusted solution like openvpn and only use providers who provide openvpn servers? That immediately gets rid of one half of your problem; and as for the other half, vpn services that allow for connections via openvpn are likely to be more trustworthy. In addition, the vpn company can't MitM connections which are already on an encrypted channel outside of the vpn conneciton.
Isn't openvpn kind of a hack and a IKEv2/IPSEC based strongswan solution to prefer?
Don't see why you're getting downvoted. From a user standpoint, IKEv2 doesn't require a secondary client and integrates with most major OS better.

For example: It's way easier for a client to install a mobileconfig to ios that supports on demand VPN than it is to have them download and configure openvpn. Fairly set and forget.

IKE is a nightmare to admin, only for Cisco level bureaucracies.
OpenVPN protocol is sorta weird (I wrote a clean room client and server impl). But IPSec stuff is such a pain to deal with that it is not worth it despite it having better OS integration.
It's arguably no more a "hack" than TLS is one. Right?

Re OpenVPN vs IKEv2/IPSec, this IVPN FAQ seems accurate.[0] But then, I helped edit it, so I'm biased. Still, if anyone can point to inaccuracies, I'll recommend fixing them :) The major weakness is pre-shared IKE keys.

On the other hand, I get from IVPN that the IPSEC implementation in iOS is very secure.

0) https://www.ivpn.net/knowledgebase/160/Is-using-L2TPorIPSec-...

> use providers who provide openvpn servers

how can you prove what the provider is using? people can lie

It is irrelevant what software the provider is using as long as they use the openvpn protocol. This will be obvious to anyone who tries to connect using openvpn.
Can you explain further, how can you be sure things weren't aded to the software?
To the client side or the server side? On the client side, you should download the code from a location you trust. On the server side, it is irrelevant if something is added to the software for the attack we are discussing.
You can use your own OpenVPN client.
When you use a VPN service that supports openvpn, you:

a) Install OpenVPN yourself (open source)

b) Download an OpenVPN profile from the VPN company

c) Configure OpenVPN with the profile

Specifically, you don't have to install any binary software from the company itself.

This suggestion is intended to solve the "free VPN app installs malware" problem and not solve the "VPN provider who actually logs/is in league with govt/MPAA/etc" problem.
Indeed. Threat models are crucial here.
OpenVPN is a protocol. If the VPN provider supports it, you set it up in your own client that supports OpenVPN. Using a VPN provider that requires you use some proprietary app is madness.

I recently signed up for such a service, in order to get my Nintendo Switch online for multiplayer gaming. My home internet connections sub-let from the landlord and could be considered semi-hostile -- not able to connect to peers on the Switch due to triple NAT, and I suspect some QoS throttling as well. The VPN solves my routing problems, but if anyone has a suggestion for another option here I'm all ears.

Well, never use free VPNs!

Also, don't choose a VPN based on some online review. Most of those are basically paid advertising. Either "pay if you want a good review" or "pay more for highter rank", or stuff by independent affiliates, who get paid for referrals.

Better, choose VPNs that have been recommended by consensus in relevant communities. Torrent users. Wilders. Me ;) And by the way, I do consult for IVPN, but my opinions are otherwise unbiased.

Would you recommend IVPN?
Well, of course I would! They're one of the oldest. Except for the the first generation, anyway, such as Anonymizer (now basically owned by the CIA) and Cryptohippie (still very cool, but very expensive).

And they have great clients for Windows, OS X and iOS. I've found a few others that are just as leak-free.[0] However, the data there are old, and just about all VPN services have improved their clients. What's most relevant about the site is the testing protocol. There's more about that in an IVPN guide.[1]

I also recommend AirVPN, Mullvad and PIA. But not necessarily for their clients. I mean, IVPN doesn't have a custom Linux client. So in many cases, you need firewall rules. And you need to make sure that you're not using an ISP-assigned DNS server with the VPN.

0) https://vpntesting.info/

1) https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-lea...

The great thing about Mullvad is you can use OpenVPN instead of their client if you want. And those guys really know what they are doing.
Even better, with Mullvad you can now use WireGuard instead of OpenVPN, for considerably better performance and possibly better security. I've configured my EdgeRouter Lite to route all wifi traffic on my default home network through WireGuard for a couple of weeks and it has worked very well.

https://www.mullvad.net/blog/2017/9/27/wireguard-future/

You can use open-source OpenVPN with any VPN service that offers OpenVPN connectivity. You can also use AirVPN's client Eddie, which has a pretty decent built-in firewall.
I use OpenVPN to connect to PIA both on my Linux machines and Android.
Just adding another vote for Mullvad. Tried a few others, have had the best luck with Mullvad (bandwidth, # of servers, rock-solid connection, etc.)
My VPN activities run on a old Windows box, and I did not want to trust the VPN clients to not fail and blast my data in the open for a day or two before I noticed. I ended up writing a SafeVPN Windows service that kills processes within 30 seconds of VPN failure.

I used PIA for a couple of years without issue, but then it went into some kind of decline for me, always driving network traffic to zero after a few hours. After changing hardware and reinstalling the OS with no effect, I finally tried AirVPN and things went back to normal. AirVPN is a bit more expensive, but their client is light years ahead of the PIA client.

It's better to use Windows Firewall, because blocking is virtually instant. Basically, you set LAN as a private network, and the VPN as a public network. For LAN, you allow connections only to the VPN server(s) that you use, plus a DNS server that's not associated with your ISP. You can also allow connections to other LAN devices, if you like. For the VPN, you allow all output, but only input for established connections.
Can you point to a writeup of how to do this?

The only step beyond this that I have seen is a recommendation to use OpenBSD as a firewall in a virtual machine.

No, sorry. I used to know a URL, but ... And most of your search hits will feature application-level blocking, which seems silly to me. Also, I don't use Windows much anymore. And I've forgotten the specifics.

But. It's basically what I described. For public VPN network, just use the default (all output, only established input). For private LAN, deny all output and input, and allow output to selected IP addresses (VPN and DNS servers).

Thanks for taking the time to reply. It seems like this would be worth a write-up!

Perhaps something like this can be scripted; if it becomes polished enough it could be recommended as a part of every VPN setup.

Interesting feature of Windows firewall, thanks. As the AirVPN client connects, it checks several hundred servers for the lightest load, so for that default behavior, I don't know which IPs to configure locally.
Well, the AirVPN client in Windows has its own firewall, which I didn't manage to make leak.
Various sites on the internet (e.g. Reddit, piracy sites, etc) will recommend either PIA and/or Torguard over anything else.
That's because PIA and Torguard are willing to outbid others to get that ranking :) Or so I've heard.

That's why you generally ignore online reviews.

Well my Torguard license is expiring soon. Who would you personally recommend instead?
AirVPN, IVPN, Mullvad or PIA. They've all been around for several years, and focus on privacy. And I've never heard anything bad about any of them. PIA is the least expensive, and IVPN costs the most. AirVPN and IVPN are probably the fastest. IVPN and Mullvad probably have the best technical expertise.
Why do you think that just because a VPN isn't free, it won't ALSO sell you out on the other side?
It's not so much that they couldn't sell you out, but that if word got around that they had, it would be bad for business.
That's not what was said. "Free VPNs are not to be trusted" does not imply "All paid VPNs can be trusted".
But to flip that around, what about adding payment into the mix has any bearing at all on the trustworthiness of a VPN provider?
Payment means there may be a viable business model other than sharing private information. Realistically I don't know how you can ever be sure, but I'd absolutely never trust a free VPN service.
Basically how much they have to lose.

Say for instance there are two vpn services. Both have a 100,000 users. One makes $1,000 a year off of advertising, and the other makes $1,000,000 a year($9/month). Now both are approached by a nefarious gentleman who offers them $20,000 a year to harvest their user's information. But every year there is a 25% chance people find out and your service is shut down.

Who takes the deal? Maybe the free guy, but very few people would risk a 1M/year revenue stream to make a little extra cash, but someone might risks a much smaller revenue stream for a comparatively bigger payoff.

What is your opinion on PrivateInternetAccess?
I've been very happy with PIA. It's cheap with minimal impact to my bandwidth. The concern is that, like all VPNs, we are trusting them not to keep logs. PIA claims that they proved in court that they do not keep logs because they provided no useful data to an FBI request. There's a debate over whether this proves they don't keep logs or not here:

https://www.privateinternetaccess.com/forum/discussion/26284...

Is this semantics? I am uncertain. I do think that it's in PIA's best commercial interests not to keep logs. It's the core of their business model. The moment a PIA customer's identity is revealed through them is the moment they lose all business.

I've used PrivateInternetAccess, they are trustworthy, but US based so count on them rolling on you if someone has a good reason to be interested in you.
Well, they apparently didn't roll for a US court, in a case involving harassment, as I recall. Would they roll for the NSA? How would they handle a NSL? I have no clue. Their founder has said that, although he lives in the US, none of their server admins do.
They've been recommended by a lot because they recently backed up their claims of no logging (FBI asked them for data, and they couldn't provide it). You'll see that they are ranked pretty high on this list, where there are some breakdowns. They are pretty cheap and popular too. Popular helps by making associations more difficult. That is seeing a VPN server accessed page X and that you were accessing the VPN server at said time. A college student was connected to a bomb threat by this method, being he was the only one on campus to be using TOR at the time the bomb threat was made (from TOR). You'll be fine with any VPN that is relatively popular and doesn't do any tracking.
A relevant detail to that story is that he admitted his guilt under questioning. Had he continued to deny any involvement, they would not have been able to prove that he was sending the bomb threat, as it could have been from someone who wasn't on campus.
Very true. But there have been several instances of cases like this. And this thing doesn't matter if your VPN logs or not[+]. But what I was trying to point out is that these types of access collisions are important to understand. And why I don't think people should roll their own VPN.

[+] I'm not trying advocate crime here or advising how to avoid it. Just trying to bring to light a vulnerability.

> And why I don't think people should roll their own VPN.

People who are interested in not being identified probably shouldn't. But there are good security reasons to potentially do so.

Criminals are great examples, because their OPSEC failures are often detailed in court records, reported in the media, and discussed online. One of my articles on IVPN's website uses several such OPSEC failures (Silk Road, Sheep Marketplace, etc) as examples.
"A college student was connected to a bomb threat by this method"

This is why we can't have nice things...

It's also worth noting that PIA supports several free software projects.
Or, to phrase it differently: PIA outright bought a great number of previously community-run projects, and is concentrating power.

Freenode and Snoonet, two major IRC networks, are now owned by them.

Yes, and interestingly, the Freenode staff had previously disabled Tor access to the Freenode network for over a year or so because of "attacks" which they claimed they could not handle. This was a pretty flimsy excuse once I finally found someone that knew the technical details, and though I chased the "right" people down several times to ask why Tor access had not been enabled, I never got a good answer. Cue PIA taking over Freenode, and within a couple of weeks, Tor access to Freenode was once more enabled. I've been a happy PIA customer for some years now, but that left such a huge and positive impression on me. I'm not completely sure the two things are simply correlated, but after talking to all those Freenode staffers over the years about it, I can't imagine it wasn't pushed by PIA.
Enough. You do this on every mention of PIA and you have been told to stop or get banned [0]. I don't know why you are on this crusade when there is not even the slightest hint of wrongdoing [1] so please, easy on the conspiracy theories.

Disclaimer: Happy PIA customer.

[0] https://news.ycombinator.com/item?id=14911509

[1] https://news.ycombinator.com/item?id=14911915

Wow, what's going on there? :/ Case of sour grapes for that user?

My only beef is I thought PIA would be a kickass gig to work at. Alas, never heard back from my resume. They post in the monthly thread.

Still interested, if any of you PIA people are watching :D

(not the person you were responding to)

To be honest, my only problem with them is their customer service. And their phone app. My connection is half speed on my phone. :( They also have some strange problems with the linux app (which I wish they would open source). Otherwise I'm really happy with them.

Have you tried using a standard OpenVPN client (on your phone, on Linux, etc.) with PIA profiles?
I actually haven't. I will try later and report back. But I have a 60/30 connection (down/up) and am getting 26/5, after messing with settings (which strangely is using TCP instead of UDP). And yes, this is under 5G, and I've tried multiple servers.

As for the Linux side, their app just needed some better instructions on their site, and then works fine. So I'm not really upset on that, just had to argue with tech support for awhile to get transferred to somebody that knew what I was talking about.

It's not about conspiracy theories, but about concentration of power.

If control of PIA — for whatever reason, and be it that Andrew Lee dies and his heirs sell it, or that he can't finance it anymore, or that a three-letter agency forces him to — ends up in the wrong hands, then also all of Freenode and Snoonet end up under control of that entity.

It's not that I don't trust PIA, but that I fear that PIA itself may end up in the wrong hands.

And I'm not on a crusade against PIA — I won't complain about their donations without requirement to advertise in return to projects such as KDE, with a transparent funding process.

But I am on a crusade against centralizing any services, be it killing XMPP federation (thanks, Google), be it pushing a "secure" Messenger that is bound to a single social graph and server infrastructure controlled by one group in the US (thanks, Moxie), or be it a single compsny gaining significant control over several major IRC networks, clients, libraries, and over Matrix at the same time.

No matter the intentions, how good they may be.

I think they're good, but there are some downsides. Sometimes traffic can really slow down because they're _too_ big.

Another issue is, all their IPs are well known. When browsing while connected to them, you can run into a lot of issues: captchas, blocked sites, etc.

The other day I was accidentally connected and made a purchase. What a giant headache. My purchase was flagged and blocked and it took a lot of my time to call the company and get it cleared up.

A few weeks back I ran in to the same issue with accidentally making a purchase while connected to PIA. Mine was also flagged and I had to jump through several hoops to prove I made the purchase. It was a pain but I completely understand why that happened and I'm still very happy with PIA.

I will mention that while it doesn't magically fix slow speed issues, they have the ability to report a slow server through the app (on Windows, I can't attest to any others). You just right click the icon in the notification tray and click "Send Slow Speed Complaint." They do add more servers in areas that are overloaded.

I don't use PIA, but one advantage of them is you can use a Starbucks or Target gift card to pay. Buy the gift card with cash then there is no trail.
>"Buy the gift card with cash then there is no trail."

Until it's important-enough for them to track down the card, figure out when it was bought, go over the security footage of who was buying at the time, extract footage of you buying it. They can then extract your face and match against a DB. Or perhaps see what car you enter into, and extract its license-plate.

Heck, even if they don't have that, they can ask the cell-phone companies to see which phone-numbers were connecting to the nearest tower during that period. That already narrows down the list to say, 1000 people?

We're almost there. All the technology is already in place, and the only thing stopping it from happening is consolidation.

I have been pleased with their service. It wasn't much hassle to set up, particularly. Was certainly a little trickier on my linux machine.

I find the speed has almost been completely acceptable. I have had only a handful of times where it seemed sluggish and bogged down.

I know there is a some question of whether they can truly be trusted? Do they truly not keep logs? And they are US based which are all things to consider. I weighed those factors against the customer reviews, price, and simplicity of their service, and I think my choice has served me well. Their rates are dirt cheap for what seems to be a reliable service.

I'd use them. They're among the least expensive. And they don't seem to retain logs or detailed access records, based on testimony to a US court. But that was about an exit in the US, where there's no legal requirement for VPNs to log. Where there are such legal requirements, maybe they (or any other VPN) would retain and produce logs.

When I checked in mid 2016, their custom Windows client leaked while the VPN was reconnecting after uplink interruption. But then, only six of the 29 VPNs that I tested didn't leak: AirVPN, FrootVPN, IVPN, Mullvad, Perfect Privacy and SlickVPN. Strangely, FrootVPN didn't leak using open-source OpenVPN, suggesting that they're doing something unusual at the networking level. PIA's OS X client didn't leak, however.

They do tend to oversell their servers, however. So you'll often get less throughput than with AirVPN, IVPN or Mullvad.

Or just DIY if you're just a regular Joe or Jane, it's quick, cheap, and easier than most assume.
I’m curious about your DIY solution and what that involves.
Algo is quite easy to install and run
And then you have stuff like AV companies' VPNs for which you pay AND your data gets sold.

(Basically, all AV companies listed on stock market sell your data.)

well, I've suspected that. But can you point to evidence?

I wrote a post last summer for IVPN's blog. Bottom line, AhnLab and Emsisoft seemed to be the only commercial ones that don't share data.

AhnLab: “AhnLab will not collect any personal information other than [data collected during software use] and will not disclose such data to any third party.”

Emsisoft: “Any information we collect from you is only used by us to serve you better. Your information is never given to a third party.”

Everytime you turn around we heart of another free VPN selling data. How else do they stay in business.
>So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?

Rarely addressed: VPN CLIENT ISOLATION.

The majority of us sit behind a NAT'd address range provided by our physical router, thus isolating our machines via a hardware router / firewall from our ISP. When you connect via a VPN, you are not automatically isolated from other client-peers on that VPN and must implicitly trust the VPN provider has properly configured client isolation. You can do testing, like firing up Wireshark and listening for broadcast traffic or simply by trying to nmap other hosts on the network, however, whatever you find could change with a configuration setting at any time.

Exactly my thoughts;

One way to further "secure" this would be to run the VPN client on a hardware router like pfSense (instead of directly on your laptop) and block all incoming connections on the vpn client tunnel interface?

A disadvantage of this method would be that the WIFI signal from your Laptop to the router is no longer secured by the Vpn...

That's how I do VPN. I have my ISP connected router, then a DMZ network with my test servers & three routers: 1) guest, 2) main, 3) VPN. I then use a virtual LAN from (2) to (3) over a virtual interface on (2) to connect to (3) which is NAT'd. Honestly though, the whole advice of "get a VPN to be secure" is ridiculous because it can end up exposing you far more than what you were previously, especially if you are running a VPN client on a host that is running a media client / server like Plex, Kodi, WinAmp, iTunes (Bonjour), etc. If you are a developer and using The Fiddler, Charles Proxy, or the Burp Suite, then there's an easy route to the rest of your internal network. I know the first time I was on a VPN and saw someone on the VPN come through my interception proxy it freaked me out enough to instantly understand the dangers of VPN services.
It's more effective to block what you want on your host firewall and not rely on the the network to keep you safe.

"Processing in hardware", meaning application specific hardware acceleration, is a not a plus in security related things: it's not safer, and it doesn't exist in most boxes, and it's often impossible to field upgrade when bugs are found. It's done to speed things up/lower cost at large scale, but that's irrelevant for consumer/small office gear.

>It's more effective to block what you want on your host firewall and not rely on the the network to keep you safe.

I agree and am a big fan of host firewalls and host intrusion prevention systems, however, they must of course cover the VPN tunnel in their scope. In many cases they do not.

It is a configuration option, for sure. But I've never even heard of a VPN service that put multiple clients on the same subnet. It'd be a security nightmare. And I can't imagine what the advantage to the provider would be.
Think of SSH as the secure networking swiss pocket knife but that it is free for everybody to use, learn and script with. Now think how someone could make money out of it. They can't. So they start creating an alternative, that is so complex and hard to understand, that no person alone can manage it, and even the best solutions are unreliable, expensive and corporate. This is something you can sell and argue well that you need a shitload of engineers to maintain. This is VPN.

What should you use if you're smart enough to come to HN for reading? SSH of course.

Do you mean you can use SSH for anonymous browsing? I genuinely don’t know how that works out, isn’t that just transfer the risk to the server you ssh into, so you end up having to trust the server? Do you have some links for reference?
SSH has a Socks compliant proxy built in. That said, you are right, you are basically shifting responsibility to the SSH server you are connecting to so you have to trust it the same way you would a VPN provider. As such, it’s essentially the exact same and so GP was clearly misguided.
(comment deleted)
Though this can provide an extra level of defense against MITM, if you trust your personal connection to the internet less than the server's connection to the internet.
You can provide the ssh server yourself. Which is not so hard. And security is something different than avoiding tracking. Avoiding tracking is very simply done by not using a centralized proxy which is maintained by someone else (like in VPN). When you are really under attack it's very different and in that case you couldn't trust VPN either. Even the VPN client would be a danger.
All SSH does is move your traffic to a different computer.

When it leaves that computer it's no longer encrypted.

It's not hard to look at unencrypted traffic leaving the computer you've SSH'd into and associate the traffic with the computer you've SSH'd in through.

Not to mention incredibly limited IP support. You can forward a few specific ports, or use SOCKS, but that's about it.
Why is SOCKS limited? Just make whatever you want to send your traffic through proxy it through the SOCKS.
Indeed, ssh -D {port} is something I use heavily (to create a SOCKS5 connection to a remote server, effectively a VPN)
This assumes 'whatever you want to send traffic through' speaks SOCKS.. most things dont. Web yes, but not most other things.
> most things don’t

That’s entirely not true. If you’d said “some”, you’d be right, but “most” is categorically incorrect.

I guess you’ve never heard of TUN/TAP support in SSH?
> All SSH does is move your traffic to a different computer.

And browsing the internet over a VPN is different... how, exactly?

Hm, do DNS queries go through an SSH tunnel?
Presumably so; when I've tried the SOCKS support built in to Firefox, I've noticed that sites that I have blackholed via my hosts file begin working again.
And VPN encrypts your traffic directly to Facebook? No. At some point it also leaves the VPN's network.
Umm. No.

Want to connect 2 lan's together and have full protocol binding and internal DNS support without mucking with 65535*N-nodes port forwardings?

yeah.

not to mention 'vpn' isn't a product..

so your entire notion of 'making money out of it' makes no sense.

as for commercial: OpenVPN is great, free, and fairly simple to use.

While it’s not the right tool for the job, it is possible to connect two networks together using SSH as the secure transport. Many (most?) good network folks will recoil in horror though about tunneling TCP inside TCP.
Re Full network: How?, without additional software e.g. ppp+socat+ssh along with TUN/TAP or similar, or running a non standard SSH client/server and having various nonstandard utilities on both ends, which imho obviates OP's claim of SSH 'simplicity'/'ubiquity'..

TCP/TCP is another point.. and a good one, yes.

> Re Full network: How?

These articles explain the concept, but it takes nothing but SSH & Linux (albeit it can work on macOS too with additional software):

https://wiki.archlinux.org/index.php/VPN_over_SSH

https://debian-administration.org/article/539/Setting_up_a_L...

http://sgros.blogspot.com/2011/11/ssh-tap-tunnels-using-rout...

I've seen it done before where it was fully transparent to both networks. This required the tunnel to be setup on the default gateway for both networks. Again, as mentioned before and you agreed too, this is not a solution I would ever want to see in production for a company I was at.

> which imho obviates OP's claim of SSH 'simplicity'/'ubiquity'

Which I agree, it isn't simple, but I was replying to someone saying it wasn't possible, not that it is easy to do.

Verifiably VPN providers lie when they say they don't log:

https://betanews.com/2017/10/09/purevpn-logs-fbi/

Whether it's through negligence or ignorance or intentional lying, it's nearly impossible to not log user activity in some way.

And really, think about this: Even if you try really hard not to log, as a provider you're competing with thousands of forensic scientists who do nothing all day but figure out how to associate activity with the people who committed that activity.

And once a federal agency has identified your VPN traffic, every single thing you've done through that VPN provider is all wrapped up in one neat bundle for them to peruse.

You will sometimes face hassle authenticating with certain sites. Your VPN will trigger two-factor auth verification, or sometimes trigger an account lock-out or force password resets, etc.
I've been using one pretty consistently ever since the legislation passed allowing ISPs to sell your browsing history. I generally don't have any problems with it, but that isn't to say it is not problematic:

* Connection issues are really annoying. At home it is manageable, but reconnecting to a different wifi network with a phone introduces a delay that sometimes lasts minutes before it becomes functional again

* Some websites make you enter captchas in order to use them, probably due to VPN abuse by malicious users. Others outright block traffic to any detectable VPN traffic.

* It is slower in general, but the worst case slowness seems much worse and more common. Unavoidable really, you're introducing another potential point of failure.

* Useful LAN functions (like *.local domains) become non-functional

> Useful LAN functions (like .local domains) become non-functional

Is that true if you 1. disable the "force all DNS traffic over VPN" setting, but then 2. have a local resolver (e.g. dnsmasq) that resolves LAN domains but forwards all other traffic to a DNS server on an IP that will end up routed through the VPN?

I'm not sure if your methods would fix the issue but you can get around it if your router supports acting as a VPN client. After you configure the connection it becomes invisible to all your lan clients and you can use all of your local network goodies.
Not really an answer to any of the questions you asked, but I'll provide my perspective.

I don't use a VPN to hide my identity from the websites I'm connecting to. I use a VPN to hide the websites I'm connecting to from my ISP.

Residential ISPs in the UK are supposed to log a bunch of internet stuff (not clear exactly what), which is then made available warrant-free to over 40 government departments, including for purposes obviously unrelated to "national security" (not that that would make it OK), e.g. HMRC and the Food Standards Agency

https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016

Additionally, I use a DigitalOcean VM and run OpenVPN myself, I don't get a service from a VPN company.

> I use a DigitalOcean VM and run OpenVPN

I've been looking to do the same recently, do you use Digital Ocean Droplets? If so, how have you found the experience?

I've been using DO for my VPN needs and it's been a very good experience. You can start a 5$ Ubuntu droplet, which is more than enough to host OpenVPN, and then configure your VPN manually. Check here :

https://www.digitalocean.com/community/tutorials/how-to-set-...

Or you can do it the easy way (but you won't learn as much) and run a bash script to configure everything automagically :

https://github.com/Nyr/openvpn-install

I just tried that but on my VPS the 'tun' device was not enabled and the automagic script died. Seems that is not easy to fix on a VPS depending on your provider. Thanks for the tip though.
Not the OP and I don't use DO specifically, but I've found using a VPS provider to be a more or less painless VPN experience. Providers like DO, OVH, and Vultr have scripts for easy one-click OpenVPN setup, or you can roll your own if you don't trust their scripts (though if that's the case maybe you don't trust the VPS provider at all...)

That said, always verify that the tunnel is operating correctly before assuming it is and taking off. I've found on more than one instance that the OpenVPN client was misconfigured and seemed to connect, yet my IP was still being reported as my ISP's.

I did notice the Vultr OpenVPN deploy has license restrictions of two clients.
I think that's an OpenVPN restriction, not a Vultr specific restriction. You have to pay for a commercial license if you want multiple connections with OpenVPN.
It's a bit trickier (and more time consuming) to set up than I initially imagined but not at all undoable. A lot of tutorials are bit out of date or conflicting so it wasn't quite as easy as just following a recipe.

I didn't use DO but an even cheaper host and set up VPN at router using DD-WRT.

Occasionally I have to turn it off at router as certain sites/ services recognize the datacenter IP but not all that often.

Main reason I set it up is I use a small local ISP and know the owners and no need to have them watching net traffic.

The settings on both ends have to match perfectly. Don't forget to set DNS for openVPN also.

Unfortunatly, you lose access to certain sites, like Netflix, who block cloud IP ranges.
You lose those with any VPN provider I've tried.
NordVPN works mostly reliably with Netflix.
airVPN has this problem, unfortunately.

I have a device through which I netflix on which I do not do other personal browsing.

Quite a shame though, but nothing netflix can do about that. :-(

They could use billing address or something else to establish your location instead of your ip.
Add to that many shopping sites (Best Buy for instance), deal sites, ticket buying sites, hotel/airline sites, heck, even my state's offender tracking system blocks the handful of VPS services I've tried.
So I know of normal people using VPNs in the the UK for some or all of the reasons below:

1. They're blocking lots of torrent websites, using a VPN circumvents this

2. They're sending out letters to people saying "you're torrenting, stop". VPN stops this

3. Some ISPs throttle traffic to certain services and streaming sites, VPNs circumvent this

Think about it this way: What if your VPN operates in another country? It becomes an international issue if Bob wants your VPN to tell them who you are.

On the other hand, if your VPN operates in another country, some websites within your country may block you due to content licensing issues.

My favorite formula, in constructing nested VPN chains:

1) First VPN, that only my ISP and second VPN see: I choose one that's popular where I live, and commonly used for torrenting, and I have a torrent client up 24/7.

2) Second VPN, that only the first and third VPNs know about: I choose one that does business from a jurisdiction that isn't very friendly with my government and its friends.

3) Third VPN ...

4) Final exit VPN, that only the previous VPN and websites see: I choose one that doesn't attract too much attention. For Mirimir, that's IVPN, because I'm already so associated with it.

What is your favorite way to create VPN chains in Windows/Linux/OSX?
I mostly use VirtualBox, or VMware in Windows. pfSense VMs make great VPN gateways. VPN and pf setup are pretty easy with their webGUI. Debian VMs also make great VPN gateways, but setup is harder, and their disk footprint is greater.

I've thought about doing it all in one OS, with iptables or pf to control routing. It'd be lots lighter, but more fragile.

Another option, if you want more security against exploits, is Qubes. But the hardware requirements are far more restrictive, and the learning curve is steeper.
Chief on my mind would be the issue of trust. Your traffic is coming out of the VPN node unencrypted. They could snoop you, MITM you, basically anything. So, who do you trust more? Your ISP or a mysterious VPN service probably in Russia that you learned about yesterday?

I figure my ISP is quite likely to sell my data and do other unfriendly things. But I figure they are quite unlikely to attack my traffic and do other illegal things.

Is Bob a cop? Does he have probable cause that you were involved in criminal activity. I don't think you can just handwave "call my ISP with a warrant".
Sure, adversaries could pressure VPN providers for logs, account information, help tracing traffic, etc. So you pick VPN services that have been in business for several years, are well known and recommended in relevant communities, and have no history of giving up their customers. There's a recent relevant thread on Wilders: https://www.wilderssecurity.com/threads/purevpn-keeping-logs...

Even so, it's prudent to assume that your VPN provider logs, works with your adversaries, etc. Just like the Tor project assumes that any particular relay may be malicious. So Tor clients create three-relay circuits, to distribute the risk. And one can do the same with VPN services. I'm currently working through a nested VPN chain, using servers from multiple providers. I use pfSense VMs as VPN gateways, and workstation VMs. It's also easy to add Whonix to the mix, so I can use Tor through nested VPN chains.

You're assuming that private parties have the ability to get warrants or subpoenas to get information from your ISP. They do not.

If "Bob" wants to know who you are when you visit his website, he doesn't have any options to get that information. If "Bob" thinks you are violating his copyright rights, he can file a DMCA complaint against you. If "Bob" doesn't want people from Iceland to access his site, he can try to filter based on IP range.

VPNs do three things: 1. obscure your identity 2. obscure your location 3. prevent local inspection of your network traffic.

How effective that "obscurity" is depends on who wants to know and why.

For me it’s not bob I don’t trust, it’s my ISP.
It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP

If the VPN is malicious or self-hosted.

If the servers and the company headquarters are located in a country not part of the "14 Eyes", and most importantly, host a lot of other traffic that is not you, there is obfuscation, legal barriers, and plausible deniability that you did not do what "they" are claiming you did.

VPNs aren't a defense against subpoenas or warrants, they're a defense against ISPs scraping your connections and selling them to advertisers.

No advertiser is going to come after your VPN provider asking for logs, and even if they did your VPN provider is going to tell them to get fucked anyway. Again, unless the advertiser in question happens to be the federal government and they have a subpoena or a warrant, no VPN provider is going to give you logs to help you associate a user, I have no idea why you would even think that.

If you don't want traffic from users on the VPN you are free to block them (Netflix does this) but nobody is going to give logs over to a random webmaster to help deanonymize users.

If you want to remove the VPN provider from the question entirely (many of them are on the shady side), you can use Algo to automatically deploy a Digital Ocean droplet or Linode instance to relay your connections for you. However this doesn't fundamentally change anything - if someone comes after you with a warrant or a subpoena, then Digital Ocean/Linode is going to give you up.

https://github.com/trailofbits/algo

This is not exactly a difficult concept to understand so if you have asked this question repeatedly and still aren't satisfied with the answer, perhaps you should look inward.

> VPNs aren't a defense against subpoenas or warrants, they're a defense against ISPs scraping your connections and selling them to advertisers.

Some VPNs imply this when they claim they don't keep logs on their users.

>VPNs aren't a defense against subpoenas or warrants

They absolutely are for a huge number of people. Why do you think so many VPN's advertise the fact that they don't keep logs? I imagine far (_far_) more people use VPN services as a way to evade copyright holders than as a mechanism to avoid marketers (most people don't give two craps about the latter issue.)

BTW, was the snarky bit at the end really necessary?

> they're a defense against ISPs scraping your connections and selling them to advertisers.

isn't SSL supposed to do that? At most an ISP ought to only be able to sniff the domain.

> ISPs scraping your connections and selling them to advertisers.

Sell what exactly?, the domains you visit because with SSL that is all what they know.

>b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.

>It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?

I'm not sure how you made this jump. If the provider doesn't have logs, Bob can't find you. The end.

No-log providers can still very likely be compelled to start logging by a combination of the All Writs Act and NSLs.
I also couldn't understand his reasoning here, and I'm surprised you're the only one that pointed this out in this thread.
> Then he calls the VPN company, and asks them to associate the IP and specific browser sessions with me.

That's when a good VPN provider will tell you to piss off.

Plus I doubt many VPNs that actually do logging will have the fingerprint data.

1. VPN Overview https://thatoneprivacysite.net/

2. oVPN.to is probably a good idea, as long as you are not based in China

3. Pay anonymously for the VPN. If it need to be really secure, only access VPN via TOR.

Such a VPN that did keep logs would lose their entire business model if it broke that they kept logs - even if they kept logs (and why should they? That might always leak and kill their business) why should they help a third-party to them?
> If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions.

Every TCP connection is uniquely represented by (src ip, src port, dst ip, dst port). Bob can provide all four of these, and a timestamp, to the VPN provider. The VPN provider can then resolve that to a specific user if they are logging connections.

in which case, if you can't trust 1 VPN, can't you jerry-rig a better VPN by daisy chaining several together, so that each VPN will have to be asked to sort through traffic?
Isn't that what TOR is all about?
There are lots of problems you see in practice which are not discussed often....

* Inability to send mail though a mail program

* Daily disconnections of VPN service

* Captchas and other verification/friction when using services (eg youtube, amazon etc)

* Some services may believe you are in a different country incorrectly, meaning you have to force them to use the right location, or be happy with it being wrong

* Some services will not work at all (for example purchasing through apple)

* Paid streaming services – like netflix, hbo go and amazon streaming will likely not work at all

* You may not be able to port tunnel traffic inside the VPN

And of course you have to trust the provider. For example PureVPN claims 'no logs' but it seems that isn't the case...

https://betanews.com/2017/10/09/purevpn-logs-fbi/#comments

There is a lot of friction in using a VPN. Which makes the idea, often proposed by technical people that if you are worried about privacy - 'just get a VPN' either naive or disingenuous. That said even with the friction it is worth the cost and hassle IMHO.

In practice you have to have a way to flip on and off VPN on some machines/devices.

There is more discussion on this here...

http://www.toytheory.com/?p=295

(edit: fix formatting)

If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users

I believe there is the alternate option of setting up your own VPN .

Instead of using AWS, you could set it up on an additional router or on your PC/pi wherein you'd lose the advantage of anonymity amongst other users but your information is still encrypted to be acceptably safe.

I don't look to it as a foolproof solution, but I do see it as a way to make things a little bit harder for someone that's trying to track me.

The arguments here often sound similar to "experts" that complain about 2 factor auth: Sure, it's not perfect and there are better solutions in some cases, but it's still better than nothing for a lot of people.

This is a sales page, not a objective discussion.

(a) There's not much you can do with VPN that you can't do with SSH (actually I can't think of anything). And SSH is much more configurable.

(b) To avoid tracking of your browsing it is not a smart idea to pipe all your browsing through the servers of one VPN provider. A smart way would be to split up browsing streams, not to combine them.

I'm very sceptical about Mozilla writing such an ad page and trying to sell it as a reasonable technical blog post.

> There's not much you can do with VPN that you can't do with SSH

For most end-users, there is nothing they can reasonably do with ssh.

Every end user that can't use ssh can't use VPN either. It's only a lucky coincidence if it works for a few for a limited period of time. It's just that many VPN Clients come with a very limited set of configuration and debugging output which makes the average grandma more confident because she doesn't know all the shit that happens underneath.

Everybody who is able to repair a bike though is also able to use SSH.

I don't know why anyone advocates using a VPN provider when it's so trivial to set up your own VPN now.

https://github.com/trailofbits/algo https://github.com/Angristan/OpenVPN-install

Either of these options, depending on your preferences (protip: use Algo, unless you're in a place that blocks IPSEC VPNs...It's cheap enough to have both available). This at least covers the basics of what they're talking about being snooped in the post. Then you don't have to worry about trusting the VPN provider (but you do have to worry about trusting your cloud provider).

If your threat model is different, you might want to be in a pool of users, but you can use the same service and solve this problem socially...

> I don't know why anyone advocates using a VPN provider when it's so trivial to set up your own VPN now.

That won't give you any privacy as anyone who wants to de-anonymize its traffic can correlate the fact that you connect to it with your IP (asking the VPS provider for logs) and that you bought it (asking the VPS provider for your banking info).

But that's not really the threat model described when people are talking about their ISP snooping on what they do. A private VPN solves exactly that problem.

Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service). Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).

> But that's not really the threat model described when people are talking about their ISP snooping on what they do. A private VPN solves exactly that problem.

It only solves it against a particular ISP.

> Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service).

I completely agree, that's why I always maintain that only privacy by design solutions should be relied on (Tor and i2p for example).

> Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).

But they know the IP, so that's still identifiable information.

You can combine Tor and a VPN though, though you'll want to rotate through VPNs to avoid timing attacks.

Use of one doesn't exclude another.

> You can combine Tor and a VPN though, though you'll want to rotate through VPNs to avoid timing attacks.

I don't think that adds any privacy, setting up your own non-exit relay and connecting to it may significantly increase your privacy depending on your threat model (since then you can be sure that no single point in your Tor circuits controls both the entry node and exit node, and hence can't correlate your traffic. You're still vulnerable to a global passive adversary (GPA) of course).

> I don't know why anyone advocates using a VPN provider when it's so trivial to set up your own VPN now.

..links to github repos...

You are blessed with technical skills and experience so this is trivial to you (and many people on HN), but there are tons of people out there for whom this is not a trivial task.

If you can get through the steps to sign up and use a VPN service, you can likely get through these with a bit more time invested and a helping hand.
Agreed - 99% of people don't know how to understand whats in a github repo.
I heard a ton of sites block traffic coming from the AWS IP range, do you know if that's true?

I've been putting off setting one up for a while.

There are a small handful of sites that treat me like a spammer and make me go through extra hoops to sign in, but I have not found what you said to be the case.

A lot of folks are doing their automated testing with AWS systems and blocking those IPs would likely cause a lot of people some headaches.

The DNS blackhole that Algo by-default puts ad providers in causes me more problems than that, in all honesty, because occasionally I have to log into service like Hubspot that are blocked.

I typically don't trust VPN providers, so I set up my own on AWS with this CloudFormation script. [0] It is almost effortless, takes 10 minutes and I can spin it up or spin it down without paying for a subscription, only AWS metered costs.

EDIT: another poster mentioned Algo [1]. This method requires a high degree of savvy and entails a higher level of difficulty, but looks much more configurable.

[0] https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-pr...

[1] https://github.com/trailofbits/algo

That sounds like a lot of trouble to go to every time you want an anonymized browsing session.

Inconvenient and cumbersome at best.

Which, the first or the second option? The first one entails a one-time 10 minute setup and you can leave the AWS instance running if you don't mind incurring a small ongoing EC2 fee.
How often do you find that your AWS IP is blocked, or that you need to bypass a captcha? I would think that AWS would be a major source of scrapers and other traffic that a site might not want and might choose to block. I know that Cloudflare offers to block "suspicious" traffic, which would seem likely to include traffic coming from an AWS server rather than an ISP.
Surprisingly not often at all for the sites of interest to me. YMMV of course.
Does this protect you from a warrant to Amazon revealing your identity?
No but this is not a problem for me since my use-case is more avoiding MITM attacks and safely using public Wifis.

Every VPN has an endpoint, and whether that endpoint is acceptable depends on your use case.

I've set up my own VPN using Streisand [https://github.com/StreisandEffect/streisand] & Google Compute Engine (Micro Instance). When you create an account on Google's Cloud, you get $300 (or used to at least). This instance type is big enough to handle the few devices I connect to it, fairly speedily too.
Is it not feasible that a warrant to Google instantly reveals your identity?
Without a doubt! I'm not too concerned because I'm using it within the USA to access my email, HN, and various other common websites while on public wifi.
Yup, hosting illegal content via a cloud provider is a good way to have your account shut down.
Learned recently: Opera includes a VPN for free.
Edit: Opera includes a "gratis" VPN, but definitely not for free. Just read the Privacy Terms. And they keep logs.
I wish that we had arrived at a different term for third-party VPN proxy services. I use VPN connectivity to my home network whenever I am on the road so that my traffic is encrypted over-the-air (Wifi) regardless of its protocol or destination. When I read, "Do you need a VPN?" I think "I love having a personal VPN to my home network that I use from everywhere. You might love it too!" I am evangelical about creating and using a personal virtual private network—that is, a "VPN" in the more traditional sense of the term.

And then I realize the question is actually about third-party VPN proxy services, which seem to be a substantially different use-case.

It's just a shame that the term "VPN" has become so ambiguous.

(comment deleted)
I didn't realize there was much of a difference beyond a third-party hosting and maintaining the VPN or not.
Would you mind sharing your tips for setting this up? I've been considering doing something similar for a little while now but am unsure how to get started.
Not to trivialize it, but the basic steps are:

1. Add a VPN host to your home network, either as another role on your router/firewall or as role on a host inside your network. For example, if you're running pfSense as your firewall, you can add an IPSec/L2TP or OpenVPN role to the pfSense host. Many hardware router/firewall devices have VPN host capabilities. You can start simple by defining users at the VPN host. Later you can use your home network's LDAP directory for users, but I personally didn't bother doing that.

2. Set up your laptop(s) and phone(s) to connect to that VPN. Disable "split tunneling" on the devices. If split tunneling is enabled, only traffic that is intended for your private network would be sent to the VPN. Disabling it requires that all traffic—even traffic destined for the public Internet—needs to be routed through the VPN host.

3. Connect to the VPN whenever you are outside of your home.

4. You can optionally assign a static private IP to each device so that when you're connected, all devices use known IP addresses that you can name using a local DNS server. This would allow you to, for example, reach your laptop by the name "laptop.yourdomain.org" (or whatever). I give all of my devices hostnames so that I don't need to remember their IP addresses.

5. The result is you have a personal "virtual private network" that facilitates private LAN-like communication between all of your devices. For example, I use this to access my personal file server from anywhere.

6. You can get even more sophisticated by setting up site-to-site VPN connectivity between your home network and a machine or network you run at a data-center. This allows you to, for example, reach not just your home file server but also manage your personal public-facing Internet services running at your data-center hosted machine or VM—from any of your devices.

> 4. You can optionally assign a static private IP to each device so that when you're connected, all devices use known IP addresses that you can name using a local DNS server.

This is where I’ve always got hung up. I’ve for a long time wanted a static URI for a machine at home (e.g. SSH, IRC bouncer, music files, etc.)

I assumed I’d have to use some kind of local host tunneling solution (like pagekite.io), which are either expensive or difficult to trust/rely-on, or register as a business to get a static IP.

Any tips?

I was speaking of assigning private static IPs to everything on your virtual private network, and then using a private DNS server. This allows you to reach your devices/hosts by name rather than their IP.

However, the entire scenario relies on you having at least one static IP address for your firewall/VPN endpoint. You need to be able to reach that from anywhere on the public Internet.

I think the easiest way is to get a router capable of running DDWRT or similar that has an OpenVPN server built in to it, flash your router, generate some keys, and hook in with all the OpenVPN clients on Windows, Linux, Android, iPhone, and MacOS. It's really not that bad. I use it all the time when I'm out of my house. I can browse knowing that no one between me and my home can know anything about what I'm doing. Of course, my ISP at home can see everything all the time.

I can even access my home automation system. Shoot, I have one installed at my mom's house and can monitor her furnace when she's on travel in the winter. Everyone would enjoy a personal VPN.

https://www.dd-wrt.com/wiki/index.php/OpenVPN

One low maintenance way of doing this would be to setup a SSH server at home (and configure your home NAT/Router to forward traffic to that machine)

Once you have SSH access to home there are a number of ways to tunnel your traffic (on desktop platforms, not sure about mobile). Sshuttle works pretty nice. You can also optionally just tunnel traffic for certain apps or browser profiles by using ssh -D (SOCKS5 proxy)

And those which work as browser extensions, aren't even VPN proxies, they're just plain HTTP[S] proxies.
I guess the future is a ten-pack of cheap netbooks, a linux live CD, and free public wi-fi.

Access the internet, then smash the entire thing and throw it away and repeat.

Randomizing your MAC Address and using a live CD would not be enough for most cases?
I wouldn't think so with fingerprinting, intel ME and individual processor IDs and such.

I was just giving an extreme example for true anonymity now, something we just sort of had on the internet in the 90's.

I spend 40 bucks or so on a Raspberry Pi, then installed these:

http://www.pivpn.io/ https://pi-hole.net/

Insanely easy to get running: plugged it in to my home router, and now I do all my remote browsing from my home network. I HIGHLY recommend it. I know it doesn't help with privacy, since you're using your home network, but I'm currently more concerned with WiFi hacks, pineapples, and the like.

I started using BlackVPN about a month ago because the highly personalized ads all around the web got extremely unnerving. Having accounts with FB/AMZN type services means they'll never go away completely, but it's better than nothing.

I'm curious if anyone has any commentary on other providers worth looking into. BVPN is based in Hong Kong which has a strong history of pro-privacy AFAIK, and they claim to not even have the technical ability to keep logs of relevant info. Either way, I think I'd rather have some random Hong Kong company have my semi-anonymized info rather than my ISP.

Is there any way in which a VPN is superior to Tor, except possibly speed?
You might suspect that your Tor nodes are being run by FBI, but trust your VPN more.