Great link from the EFF describing tor and https [0] click on the grey 'tor' and 'https' links to see what information is collected where and what can be viewed.
surprised this article does not mention tor? or has tor been abandoned as a tool for privacy?
> I think tor is simply too slow and complicated to advertise as a tool to "regular people"
I know many people who use Tor daily for regular browsing - myself included. Yes, it's slower than not using Tor but that's expected from the 3-hop design.
There are reasons why a VPN is great but not for privacy. A VPN is currently allowing me to work remotely would be one of them.
CiPHPerCoder provided a great link[0] in this discussion [1] that details a short list of a few reasons why VPN's are likely not what "regular people" who are concerned for privacy should be using.
that all being said, tools like tor have become much easier to use with setups like tails [2] which may have its own security issues but I'll agree that regular users may not be capable of using Qubes with Whonix.....yet
I think advocating for a VPN is actually harmful to the "regular user" not only in the fact it will not accomplish what they want, it will deepen their ignorance on how the internet works because they will think "its encrypted" "so I am secure."
I do have some concerns that tor is a tool that needs to be improved upon greatly to truly accomplish its goals but I am not aware of any projects that are doing so. Re metadata, fingerprinting, developers inserting backdoors etc.
> I do have some concerns that tor is a tool that needs to be improved upon greatly to truly accomplish its goals but I am not aware of any projects that are doing so. Re metadata, fingerprinting, developers inserting backdoors etc.
I always try to tell people about Tor's limitations, which are considerable. (I wrote the content for the EFF graphic that was linked above, and one goal was to show people things that aren't hidden by Tor — for example you can see an NSA agent in the graphic performing some kind of correlation attack between source and destination by monitoring the network at multiple points. Of course, the source of data for this doesn't have to be fiber optic taps, so other entities that can get source and destination data can correlate them too.)
Tor is doing work on all of the things that you mention: metadata, fingerprinting, and developers inserting backdoors. One could wish for more work and that it had happened longer ago, but all of those are active areas of concern and research for the Tor project.
>I wrote the content for the EFF graphic that was linked above
Thank you! I constantly share that link with people, I (and many others) appreciate your work!
I regret not going into software development, I wish those are projects I could contribute to, alas my closest work towards development is tinkering with linux etc .conf files to get home projects to work, which is not development at all.
Most of the time what people think they need a VPN for, a VPN won't actually help them much. They have a narrow use-case in privacy contexts, in which case you're better off using Tor.
That github note doesn't really disagree with the article, which points out that you need to trust your VPN provider.
My general position is this: I don't trust my phone provider. At all. Just a week or so ago there was an HN post demonstrating how an ad provider can get your full name, cellphone plan details etc just by calling an API from a page rendered on your phone. But I also don't really have a choice - AT&T or Verizon or T-Mobile, they're all different flavors of the same crap.
Do I trust my VPN provider unequivocally? No. But I trust them a hell of a lot more than my phone provider, and they can't sell my personal info against my browsing history because they don't have it.
A VPN isn't the answer to everything, but nor is it useless.
> Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?
Which is basically also saying you can't trust a commercial VPN provider. I suppose it does differ in that it says it's still an option, though.
Partially, at least, they don't need to earn my trust as much. They don't have my name, address, date of birth and social security number/credit data, like my phone company does.
The only positive point of trust a VPN provider has is that no-one has exposed them selling browsing data. Definitely not great, but also better than my phone company by default.
It's a bit like how "stranger danger" isn't a thing kids get taught about anymore, because random strangers aren't risky if you go up to them, only if they come up to you. (Or, in more statistical terms: bad actors are a small proportion of the pool, but they have an incentive to self-select into interacting with you that good actors do not. If you just draw randomly from the pool, you won't get a bad actor. If you let the pool show the initiative, you'll get mostly bad actors.)
Your VPN provider is just some random company. You went up to them. They're randomly selected (insofar as your choices are random) from the space of all VPN providers, and most providers aren't malicious.
Your ISP is, at least in the US, almost always a monopoly. They're self-selected: they went up to you.
A VPN provider can tell you they're not logging your traffic because they think they aren't but really they are because there's a box somewhere that your traffic passes through that has logging enabled (for example -- and don't hyperfocus on the example, I know how you programmer types like to pick up the example and play ping pong with it for six hours).
So incompetence is a reason to not trust a provider as well.
* My VPN provider explicitly states that they do not collect user information or store logs of user activity. Unlike my ISP that has a No Privacy Policy.
* My VPN provider has not done anything to lose that trust.
So which is worse, your VPN provider telling you that they don't store logs of user activity and then very well doing it (as has been proven in multiple cases), or your cell provider telling you they're going to fuck you, then fucking you?
That isn't great privacy wise as it's still privacy by policy. The best way to torrent is to use i2p which - unlike Tor - encourages that activity. (Short tuto: the default Java i2p bundle already comes with I2PSnark, a torrent client. To download a torrent, search through known i2p trackers such as the Postman Tracker: http://tracker2.postman.i2p )
The content owner could still request your information from the VPN provider and the VPN provider might provide it (even if they say they won't). I think the main benefit is that there are so many individuals torrenting copyrighted material that aren't using VPNs that it means you aren't the "low hanging fruit" so you're considered not worth the effort by the content owners.
Yes, but there is a big difference between "this provider might be lying about not storing traffic, and they also might give the data to someone" and "this ISP is 100% storing traffic and routinely gives that data to others."
I trust most VPN services more than I trust my ISP. If what you are trying to do is avoid your ISP collecting your surfing data for advertisers, throttling Netflix traffic, or adding a super-cookie to headers, then a VPN might make sense.
My ISP choices are limited to two companies that are both terrible. A VPN is a nice way of limiting what they can do to you.
You don't get any additional privacy, the only way to really _guarantee_ that you get additional privacy is to use a solution that provides privacy by design rather than by policy.
> I'm not looking for a guarantee. Probably getting additional privacy is good enough for me.
I think we can both agree that wasting your money on wishful thinking ("maybe provider doesn't log") instead of using free open-source privacy-by-design solutions is a bad idea.
The privacy-by-design solutions have their problems at well (ex: speed). It would be better to use them over VPN IF AND ONLY IF their features would be strictly equal.
As they are not, one simply calculates the expected value of both, taking into account the probability of the VPN actually logging the traffic (which should be low for VPNs with good reputation).
For some use cases, even a VPN that logs traffic would be a good idea. For instance in many countries if you download a torrent they will log your IP and try to identify you. IF you have a VPN, they won't even bother asking the provider the IP because it is just not worth it for something like that. If you were exchanging child porn on the other hand they will ask for it and take time to find you.
Not everybody needs the same guarantee of privacy or has the same risk if the privacy was to fail.
Your statement is the same as saying one should never invest in shares because the return is not known in advance, so you should just buy government bonds which are safe.
My ISP is AT&T. I don't think there's much the VPN provider or their ISP could do to make things worse for me. The worst case scenario is that they are as bad as AT&T and there's a non-zero chance they are better.
The worst case scenario is not just that they're as bad as AT&T. The worst case scenario is that they're as bad as AT&T and still provide a false sense of security.
Even if you're diligent, other users with your (ISP, VPN) provider pairing might not be, and they could be harmed as a result.
The comments security nerds make here on HN aren't one-on-one individualized consulting (n.b. that's paid work in my field), they're general advice for the public to refer to.
Ignoring traffic analysis, you shouldn't have to trust your own ISP while using a VPN. Ignoring traffic analysis makes sense unless you're a high profile criminal, and it affects all low latency tools, including Tor.
They run massive PR campaigns with carefully structured press releases designed to convince the kind of people they want to detain that TOR is private and safe for any kind of activity.
Because of this people tend to get swole when you suggest that TOR is not any good for protecting your privacy because lots and lots of people have been arrested, tried and convicted after trying to use it to hide elicit activities.
The US government has made millions of dollars of investment into TOR:
AFAICT, in all current cases it isn't Tor itself that's been broken by the authorities. It's the client end that has been compromised; and in a way that isn't specific to Tor. Had these users been using a VPN without Tor, they could have been compromised in largely similar ways.
Please, find me a counter-example - because I haven't seen one.
Admittedly, one thing that has happened is that the authorities are able to target compromises in the Tor Browser specifically, rather than in a wider range of clients that non-Tor VPN users might use. But they're probably more vulnerable than the Tor Browser is anyway.
Chrome is arguably more 'secure' than the ESR Firefox that the Tor Browser is running on. If you are realistically concerned about this type of targeted attack, you should probably be browsing with Chrome isolated inside of Qubes/Whonix.
It's important to consider here that the average person using TOR is not a network administrator.
And that they'll follow the instructions that come with the TOR browser and assume that it's safe.
So when I say that TOR isn't safe, I mean that it isn't safe as it's presented.
Saying that TOR isn't safe if you know what you're doing is like selling someone a car with no seatbelts and then telling them well if you knew what you were doing you'd install seat belts yourself and then the car would be safe.
> So when I say that TOR isn't safe, I mean that it isn't safe as it's presented.
Sure. But it is no more dangerous to use Tor on its own than it is to use a VPN privacy service on its own. So your claim that the US Government is enticing people into using Tor to entrap them is nothing more than an unsubstantiated conspiracy theory. It would be easier for governments if criminals didn't use Tor.
You're thinking of these as Single Points of Failure, but they're not in parallel; they're in series.
Consider the attacker: a service you've visited that has your "outermost visible" IP, and wants to know who you are. From their perspective, it doesn't matter if your ISP is willing to give information freely, because they don't know who your ISP is until they've already gotten the information from your VPN provider. Each layer prevents the layer below it from being attacked, until it is removed.
Yes, a state actor could just ask "every ISP at once" to look at their logs of OpenVPN-protocol traffic and identify the packets that match the ones that arrived at the service. But state actors aren't the usual attacker profile, and require entirely different strategies (e.g. getting human "proxies" to use Internet cafes for you.)
is true for every network in the USA. You can be sure they ae all being snooped on by 1. the ISP collecting traffic data for profit and 2: the gov. because they get it all anyways.
The title of this should be "Don't expect VPN to magically protect your privacy," not "Don't use VPN services."
Here are some reasons I've used, and continue to use, VPN:
* When I am on a network that uses an idiotic blacklist to block certain types of content. The network might even be run by my employer and I might be accessing content that is necessary for my work, but there might be no way to appeal the idiotic blacklist.
* When I am on a network that INJECTS content into HTTP responses (a certain paid airline WIFI used to do this).
* When I am on a network that might allow other users on the network to snoop on / mess with my traffic.
* When I want to access services that I have paid to access but are only available to IP addresses in a specific geographic region, and I happen to be in another geographic region.
I used to be employed at a place that was so restrictive I couldn't even access asp.net (the website). I think it was something to do with it being in the cloud and looking like it was being hosted in the middle east. Most people probably don't know what it's like to work in a company with the extremely power hungry network admin that want someone coming to them for everything.
For now, I am running my own VPN on Linode. The only real benefit of this is now my traffic is mixed with non-similar traffic. The hope is that this makes it less valuable to monitor the contents of my traffic. Of course, this just security through obscurity, and nothing more than a half measure.
The internet is not designed for privacy, and privacy does not benefit the majority of commercial stakeholders of the internet. This is probably why most privacy solutions feel like shoving a square peg through a round hole. My personal feeling is that we should combat commercial bulk surveillance through legislative means.
A confusing, content-less, arbitrary recommendation against Linode with no clear justification or reasoning given anywhere in the tweet stack is obligatory? I'm confused. Are there any actual reasons not to use them?
Your last paragraph ignores the existence of many privacy by design solutions such as Tor or i2p. Yeah, they can't protect against a global passive adversary - as any other low latency anonymity system in existence, but that's totally different from saying that there's no way to have privacy on the Internet.
Tor is a solution for specific use cases. It does not address privacy on the internet in a general way. For example, if I use tor to browse facebook, I am logged into facebook and still just as trackable as I would be if I wasnt using tor.
> Tor is a solution for specific use cases. It does not address privacy on the internet in a general way. For example, if I use tor to browse facebook, I am logged into facebook and still just as trackable as I would be if I wasnt using tor.
No, at least now facebook may not know your exact location (especially if you use their onion service: https://www.facebookcorewwwi.onion/ ) and they can't track your activity outside of facebook. Of course, it doesn't solve - nor can any other anonymity system - the fact that you transmitted personally identifiable information with facebook.
As I mentioned in another comment about using VPN for torrents:
> That isn't great privacy wise as it's still privacy by policy. The best way to torrent is to use i2p which - unlike Tor - encourages that activity. (Short tuto: the default Java i2p bundle already comes with I2PSnark, a torrent client. To download a torrent, search through known i2p trackers such as the Postman Tracker: http://tracker2.postman.i2p )
You need to look up what stremio (https://www.strem.io/) is and understand the value proposal for the casual non tech saavy end user. This is the face of torrenting now. Not magnet links. People don't know what a URL is anymore, don't expect them to understand a classic torrent client or i2P.
You mentioned stremio and I respectably pointed out that it's not going to work over i2p for reasons mentioned above. I don't even see why you're mentioning it when we're talking about privacy.
> My whole point is that people use VPN for torrenting so Tor would not help and i2P neither.
My point was that I2P can help them since it's (a) torrent friendly, (b) has a bundled Torrent client (I2PSnark), (c) there are many eepsite torrent trackers such as: http://tracker2.postman.i2p
Since we're talking about it: what's the value proposition in creating an illegal service for non tech savvy end users?
I'm trying to figure out why they made this. They can't really run ads without ending up like the founder of TPB.
Regardless, it doesn't seem unreasonable to expect people to know what a magnet link is. When all you need to do is download transmission and click on a magnet link, people are fine with that.
I'm fairly new to whole world of increased internet privacy, so I'm curious of the benefits of using a VPN or Tor. I'm not a political activist or engaging in illegal activity, I just want my personal data being passed around as little as possible (preferably by spending little to no money to do so). Is using Tor worth the effort? What are the benefits? Or do I simply use Chrome and resign to my fate like nearly everybody else?
Because of its 3-hop design, a non global passive adversary (GPA) would need to control both your entry node and the exit node to de-anonymize one of your Tor circuits. In addition, Tor circuits generally last for 10min only. Also using the Tor Browser you get stream isolation meaning that you get different Tor circuits for different websites.
You can also setup your own non-exit node and connect to it to ensure that no single point in your Tor circuit controls both the entry node and the exit node.
> a non global passive adversary (GPA) would need to control both your entry node and the exit node to de-anonymize one of your Tor circuits
That's not a benefit, that's a feature. A benefit involves a use-case. What does a person gain from not having their traffic de-anonymized? The described user is someone who doesn't have any particular activities they need to keep secret or risk jailtime. So, for them, what's an example of something that could happen differently in their real life if they used Tor vs. if they didn't?
(This wasn't a rhetorical question; there are such use-cases. I'm just commenting to prod you into zooming out a bit from "privacy is its own end" to thinking more about what regular people care about and how privacy helps them get it.)
Chrome sends a whole lot of data to Google (and possibly to their data-sharing partners) such as, at the least, what sites you visit and how long you are on each. When combined with Analytics, cookies, profiling and whatever G services you use, and the fact that Chrome is a program (not a site) connecting that all, you have pretty much lost any legitimate hope to privacy before you begin.
Use HTTPS everywhere is a no-brainer, as at least the middle steps won't see the data. IMO, using a commercial VPN is just not that difficult and the speed is close to native, so its a lot easier than TOR.
Basically it comes down to this: What you don't want people to know, you don't tell them. So if you don't want personal data floating around everywhere, don't tell them personal data.
Or just be a nice happy good citizen in the normal world. What you do in other worlds should then not be mixed with the normal word.
Its a nice user-friendly app, works well on all my stuff. Using it on linux took a bit of manual setup, but their instructions worked. I'm a customer, and I would recommend it. I outsourced my trust in them to DDG. Hopefully they didn't steer me wrong there.
Downside is that it basically only works per device. It doesn't run on any routers that I know, to get full coverage over your network traffic.
Be careful, Mozilla. When you blog about VPN's as Mozilla, you write from a position of authority. VPN's are a notoriously minefield of shady providers and false promises. You do not want to recommend CyberGhost to your followers, the find out in six months when they show up in a court order that, oops, CyberGhost actually logs a ton of stuff that can be subpoenaed.
> Are VPNs truly private?
Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?
Look, if you see such an article from a authority the authority is well aware of what they do to their name. They've built this authority with hard labor over years. So the chance is far over >67% that they are trying to cash out.
I wish people would stop throwing this question at every headline that happens to have a question mark at the end of it. The headline here isn't clickbait, it's an attempt to answer a question that is pertinent to many.
Are we going back into time where we can draw parallels between internet access through an online portal like AOL and now when we are accessing our internet through a VPN?
I recently setup on ZorroVPN after going through that list. It's a little on the pricier side (BlackVPN is another one I was considering with similar pricing), but the performance has been pretty good so far. They don't have their own client so you don't have to worry much about them installing junk on your machine. You can use one of the open source clients out there.
I'm on Verizon so I don't get to choose if I need one. I have to use one on my phone at least.
They are still useful for lumping your traffic in with others for copyright infringement. Torrent clients offer the files for sharing while downloading.
They are still useful for some simple geo evasion as well.
They aren't a solution for every security issue at all. Tor is generally better to run from open wifi from a tails USB rather than from a VPN.
Also, many VPNs actually log things they can provide to the FBI even though they lie and say they don't. They can get a NSL and end up having to without being able to tell you that they did. Sometimes a NSL canary is used, but not always.
I'm not sure what you mean by "I don't get to choose if I need one". Both Android and iOS natively support VPNs, and most corporate phones are set up to connect to the corporate network securely via VPN - on many US carriers.
I think chisleu meant that they consider Verizon to be so untrustworthy that not getting a VPN is really not a viable choice to make. So chisleu doesn't get to choose whether to use a VPN or not.
I always wonder about ProtonVPN (the ProtonMail people).
It's Swiss based so I assume there would be a decent amount of round trip latency, but for sheer privacy it seems like a solid company that goes the extra mile by locating itself for legal purposes.
I am debating whether I should go with them or not, as well. They do seem solid, but I have not heard any people mentioning them.
I have a paid account with Netflix/Hulu/HBO and I'd like to watch it when I'm travelling or when I'm working remotely from third world countries. That would be my sole use case. Can they stream without huge latency?
Regarding speed, I've been using ProtonVPN for around 4 months and It's much faster than other VPN providers I've used (TorGuard and PIA).
It doesn't work with Netflix as Netflix blocks most VPNs.
ProtonVPN is my first and only VPN - occasionally there are connection issues. Speed is not superb as far as I can tell but sufficient for most use cases. I tend to stick with them. No idea if they are better or worse. I chose them b/c with regards to privacy they seem trustworthy.
I didn't read the article but I want to say that the solution is not VPNs. We can end up being like North Korea where VPNs are forbidden. The solution is to have educated voters who do not vote to showmens like Erdoğan or Trump. https://youtu.be/fLJBzhcSWTk
All the "you don't get privacy from a VPN" talk misses the variable of who you want privacy from. If you don't care about e2e privacy, but want a simple way, without using Tor, to keep websites from knowing your real IP, then VPNs are great.
I always ask this on the VPN threads here, and don't feel like I get a solid answer (I'm not particularly well-versed on the topic so I'm genuinely curious and would love to be corrected).
If I go to Bob's website on my computer without any VPN, and Bob wants to find me, all he would need to do is get my IP, call my ISP with a warrant, and then get my information.
If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions. Then he calls the VPN company, and asks them to associate the IP and specific browser sessions with me. In that case a) the VPN really does store logs even though they advertise they don't, so they're able to associate me with my activity, or b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.
It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?
So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?
If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users? Wouldn't it be easier for Bob to call AWS with a warrant and get your account info than mess with some offshore VPN provider?
Speed, in terms of bandwidth and latency. I consistently get slower speeds using a VPN. Granted, I'm using Google Fiber so I have symmetric gigabit, but there is a downside to it, depending on your use case.
It's a legitimate point to consider. I've set up my home router with Tomato by Shibby, which allows routing all traffic over a VPN link. I was finding the router couldn't keep up with a 50 Mbps link. Granted, these routers aren't designed with that use case in mind. But, running a VPN link all the time on mobile devices kills battery very quickly, so setting up the link on the router is preferable. Consequently, I don't route all traffic over the VPN, which is suboptimal.
I put a 2nd router behind my regular router and switch the gateway, on devices I want to use the VPN, to this 2nd router.
Benefits:
1. allow devices to use non-vpn friendly sites
2. Keeps everyone on the same subnet so the VPN is not in the way for local file transfers.
3. main router not overburdened by VPN software
Tomato allows selective routing, both by destination and by device, so that's helpful. Your setup definitely avoids some of the overhead mine has. But, really, I'd just like the little ARM processor in my R7000 to be able to keep up so I can saturate my link. I'm not familiar with ARM's ISA all that much, but it seems an AES-NI equivalent would be really nice to have.
PIA is cool because it works seemlessly with your phone as well. It used to be you had to have some special access to get it to work with a provider like Verizon, but it works flawlessly now.
Tried them out yesterday and they give about 10% of my Internet speed on any server. So my 400 Mpbs connection slowed down to 40 Mbps, which is a pretty rough drop. And I haven't been able to find an OpenVPN connection that could handle more than that 40 Mbps.
I'm in the same boat as well. I'm not in the US but I do have symmetric gigabit as well. I've been using EC2/DO boxes to setup VPNs for me, but they hardly ever come close to my home speed.
This is usually due to the ec2/do instances being the cheapest or second cheapest with bad CPUs and overcrowding.
You're also only guaranteed gigabit speeds on the higher tier instances. I'd be interested in what you get using iperf3 between EC2 and your home connection.
VPNs protect you from snooping by 3rd parties on the way to Bob's site, such as your ISP, anyone on your network, or anyone on any of the intervening nodes between you and Bob's.
If you don't want Bob to identify you then yeah you need more than just VPN such as ad blockers, disabling cookies, and more.
Depends on what you mean by VPN but the let-me-bittorrent ones don't get you confidentiality (or integrity) to web sites you visit, past your immediate ISP.
Your VPN provider might not log. Or it might log and sell your internet activity. Of course, the same is true of your ISP, so you have to see who you trust more.
So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?
The downside in a nutshell:
"Researchers recently tested 300 free VPN apps on Google Play and found that nearly 40 percent installed malware or malvertising on users’ machines."
"Bob" very likely doesn't know you even exist and doesn't care. The downside of VPNs is that many VPN hosting companies are even less trustworthy than "Bob" and do care who you are. An unscrupulous VPN provider can MitM your connections, harvest anything you give the VPN's app privilege to see (probably a lot), etc.
Step one of security is to understand the threat you want to defend against and make sure your defense against that is (a) adequate, (b) appropriate, and (c) not compromising you in other ways.
Recently the Federal Government sent out a malware to certain persona of interest. That malware played a higher pitch sound than can be heard by the human ear. They were able to track that person and identify them because they heard the sound on the computer's microphone. TOR or VPN can stop this.
I slightly agree. However, these days it seems more and more that "thing elite spy agency does to track terrorist" is on about a 6 months to 1 year lead on "thing startup does to target ads."
> A team of researchers from the Brunswick Technical University in Germany discovered [234] Android apps that employ ultrasonic tracking beacons to track users and their nearby environment.
Most wouldn’t, I’d imagine OP is referring to a mobile device, look at Androids dev docs they recommend sticking to 44.1khz, which we know does fail into the range of human hearing with its 22khz reproduction, albeit fewer people. I’d suspect the person being spied on would become suspicious upon many children they encounter and even more dogs fleeing from their direction.
Tested my kids - they could hear an alleged 21khz tone out of laptop speakers. The actual level of the tone doesn't matter - it was above my level of hearing. Wasn't a double blind, but they told me when it started and stopped based on a bash script with random intervals.
I could when I was 20, did a proper hearing test when I joined my company. 15.625khz was very noticeable - I scoffed at the old timers who couldn't hear it.
I can no longer hear it. Still I can hear 1khz, so that's what's important.
You're saying that the persons of interest in this case were identified and targeted only based on an IP address and not based on some other aspect of their online activity?
that is not how they caught him. They used a correlation attack. He was stupid and posted something using his personal email on stackoverflow about setting up tor website and processing bitcoin transactions. He then used a linked account to advertise silk road a few times. This made him a prime suspect. They followed him for weeks and watched that every time dread pirate roberts logged in and posted on silk road he was sitting in a cafe or library on his computer connected to a vpn. This was enough for them to get a search warrant and they found all the other evidence they needed to convict him on his laptop
Why not just use a trusted solution like openvpn and only use providers who provide openvpn servers? That immediately gets rid of one half of your problem; and as for the other half, vpn services that allow for connections via openvpn are likely to be more trustworthy. In addition, the vpn company can't MitM connections which are already on an encrypted channel outside of the vpn conneciton.
Don't see why you're getting downvoted. From a user standpoint, IKEv2 doesn't require a secondary client and integrates with most major OS better.
For example: It's way easier for a client to install a mobileconfig to ios that supports on demand VPN than it is to have them download and configure openvpn. Fairly set and forget.
OpenVPN protocol is sorta weird (I wrote a clean room client and server impl). But IPSec stuff is such a pain to deal with that it is not worth it despite it having better OS integration.
It's arguably no more a "hack" than TLS is one. Right?
Re OpenVPN vs IKEv2/IPSec, this IVPN FAQ seems accurate.[0] But then, I helped edit it, so I'm biased. Still, if anyone can point to inaccuracies, I'll recommend fixing them :) The major weakness is pre-shared IKE keys.
On the other hand, I get from IVPN that the IPSEC implementation in iOS is very secure.
It is irrelevant what software the provider is using as long as they use the openvpn protocol. This will be obvious to anyone who tries to connect using openvpn.
To the client side or the server side? On the client side, you should download the code from a location you trust. On the server side, it is irrelevant if something is added to the software for the attack we are discussing.
This suggestion is intended to solve the "free VPN app installs malware" problem and not solve the "VPN provider who actually logs/is in league with govt/MPAA/etc" problem.
OpenVPN is a protocol. If the VPN provider supports it, you set it up in your own client that supports OpenVPN. Using a VPN provider that requires you use some proprietary app is madness.
I recently signed up for such a service, in order to get my Nintendo Switch online for multiplayer gaming. My home internet connections sub-let from the landlord and could be considered semi-hostile -- not able to connect to peers on the Switch due to triple NAT, and I suspect some QoS throttling as well. The VPN solves my routing problems, but if anyone has a suggestion for another option here I'm all ears.
Also, don't choose a VPN based on some online review. Most of those are basically paid advertising. Either "pay if you want a good review" or "pay more for highter rank", or stuff by independent affiliates, who get paid for referrals.
Better, choose VPNs that have been recommended by consensus in relevant communities. Torrent users. Wilders. Me ;) And by the way, I do consult for IVPN, but my opinions are otherwise unbiased.
Well, of course I would! They're one of the oldest. Except for the the first generation, anyway, such as Anonymizer (now basically owned by the CIA) and Cryptohippie (still very cool, but very expensive).
And they have great clients for Windows, OS X and iOS. I've found a few others that are just as leak-free.[0] However, the data there are old, and just about all VPN services have improved their clients. What's most relevant about the site is the testing protocol. There's more about that in an IVPN guide.[1]
I also recommend AirVPN, Mullvad and PIA. But not necessarily for their clients. I mean, IVPN doesn't have a custom Linux client. So in many cases, you need firewall rules. And you need to make sure that you're not using an ISP-assigned DNS server with the VPN.
Even better, with Mullvad you can now use WireGuard instead of OpenVPN, for considerably better performance and possibly better security. I've configured my EdgeRouter Lite to route all wifi traffic on my default home network through WireGuard for a couple of weeks and it has worked very well.
You can use open-source OpenVPN with any VPN service that offers OpenVPN connectivity. You can also use AirVPN's client Eddie, which has a pretty decent built-in firewall.
My VPN activities run on a old Windows box, and I did not want to trust the VPN clients to not fail and blast my data in the open for a day or two before I noticed. I ended up writing a SafeVPN Windows service that kills processes within 30 seconds of VPN failure.
I used PIA for a couple of years without issue, but then it went into some kind of decline for me, always driving network traffic to zero after a few hours. After changing hardware and reinstalling the OS with no effect, I finally tried AirVPN and things went back to normal. AirVPN is a bit more expensive, but their client is light years ahead of the PIA client.
It's better to use Windows Firewall, because blocking is virtually instant. Basically, you set LAN as a private network, and the VPN as a public network. For LAN, you allow connections only to the VPN server(s) that you use, plus a DNS server that's not associated with your ISP. You can also allow connections to other LAN devices, if you like. For the VPN, you allow all output, but only input for established connections.
No, sorry. I used to know a URL, but ... And most of your search hits will feature application-level blocking, which seems silly to me. Also, I don't use Windows much anymore. And I've forgotten the specifics.
But. It's basically what I described. For public VPN network, just use the default (all output, only established input). For private LAN, deny all output and input, and allow output to selected IP addresses (VPN and DNS servers).
Interesting feature of Windows firewall, thanks. As the AirVPN client connects, it checks several hundred servers for the lightest load, so for that default behavior, I don't know which IPs to configure locally.
AirVPN, IVPN, Mullvad or PIA. They've all been around for several years, and focus on privacy. And I've never heard anything bad about any of them. PIA is the least expensive, and IVPN costs the most. AirVPN and IVPN are probably the fastest. IVPN and Mullvad probably have the best technical expertise.
Payment means there may be a viable business model other than sharing private information. Realistically I don't know how you can ever be sure, but I'd absolutely never trust a free VPN service.
Say for instance there are two vpn services. Both have a 100,000 users. One makes $1,000 a year off of advertising, and the other makes $1,000,000 a year($9/month). Now both are approached by a nefarious gentleman who offers them $20,000 a year to harvest their user's information. But every year there is a 25% chance people find out and your service is shut down.
Who takes the deal? Maybe the free guy, but very few people would risk a 1M/year revenue stream to make a little extra cash, but someone might risks a much smaller revenue stream for a comparatively bigger payoff.
I've been very happy with PIA. It's cheap with minimal impact to my bandwidth. The concern is that, like all VPNs, we are trusting them not to keep logs. PIA claims that they proved in court that they do not keep logs because they provided no useful data to an FBI request. There's a debate over whether this proves they don't keep logs or not here:
Is this semantics? I am uncertain. I do think that it's in PIA's best commercial interests not to keep logs. It's the core of their business model. The moment a PIA customer's identity is revealed through them is the moment they lose all business.
I've used PrivateInternetAccess, they are trustworthy, but US based so count on them rolling on you if someone has a good reason to be interested in you.
Well, they apparently didn't roll for a US court, in a case involving harassment, as I recall. Would they roll for the NSA? How would they handle a NSL? I have no clue. Their founder has said that, although he lives in the US, none of their server admins do.
They've been recommended by a lot because they recently backed up their claims of no logging (FBI asked them for data, and they couldn't provide it). You'll see that they are ranked pretty high on this list, where there are some breakdowns. They are pretty cheap and popular too. Popular helps by making associations more difficult. That is seeing a VPN server accessed page X and that you were accessing the VPN server at said time. A college student was connected to a bomb threat by this method, being he was the only one on campus to be using TOR at the time the bomb threat was made (from TOR). You'll be fine with any VPN that is relatively popular and doesn't do any tracking.
A relevant detail to that story is that he admitted his guilt under questioning. Had he continued to deny any involvement, they would not have been able to prove that he was sending the bomb threat, as it could have been from someone who wasn't on campus.
Very true. But there have been several instances of cases like this. And this thing doesn't matter if your VPN logs or not[+]. But what I was trying to point out is that these types of access collisions are important to understand. And why I don't think people should roll their own VPN.
[+] I'm not trying advocate crime here or advising how to avoid it. Just trying to bring to light a vulnerability.
Criminals are great examples, because their OPSEC failures are often detailed in court records, reported in the media, and discussed online. One of my articles on IVPN's website uses several such OPSEC failures (Silk Road, Sheep Marketplace, etc) as examples.
I was actually primarily talking about their donation to the Krita Foundation [1], but yeah, it's good to be aware of the above, even if thus far I haven't seen anything nefarious from them.
Yes, and interestingly, the Freenode staff had previously disabled Tor access to the Freenode network for over a year or so because of "attacks" which they claimed they could not handle. This was a pretty flimsy excuse once I finally found someone that knew the technical details, and though I chased the "right" people down several times to ask why Tor access had not been enabled, I never got a good answer. Cue PIA taking over Freenode, and within a couple of weeks, Tor access to Freenode was once more enabled. I've been a happy PIA customer for some years now, but that left such a huge and positive impression on me. I'm not completely sure the two things are simply correlated, but after talking to all those Freenode staffers over the years about it, I can't imagine it wasn't pushed by PIA.
Enough. You do this on every mention of PIA and you have been told to stop or get banned [0]. I don't know why you are on this crusade when there is not even the slightest hint of wrongdoing [1] so please, easy on the conspiracy theories.
To be honest, my only problem with them is their customer service. And their phone app. My connection is half speed on my phone. :( They also have some strange problems with the linux app (which I wish they would open source). Otherwise I'm really happy with them.
I actually haven't. I will try later and report back. But I have a 60/30 connection (down/up) and am getting 26/5, after messing with settings (which strangely is using TCP instead of UDP). And yes, this is under 5G, and I've tried multiple servers.
As for the Linux side, their app just needed some better instructions on their site, and then works fine. So I'm not really upset on that, just had to argue with tech support for awhile to get transferred to somebody that knew what I was talking about.
It's not about conspiracy theories, but about concentration of power.
If control of PIA — for whatever reason, and be it that Andrew Lee dies and his heirs sell it, or that he can't finance it anymore, or that a three-letter agency forces him to — ends up in the wrong hands, then also all of Freenode and Snoonet end up under control of that entity.
It's not that I don't trust PIA, but that I fear that PIA itself may end up in the wrong hands.
And I'm not on a crusade against PIA — I won't complain about their donations without requirement to advertise in return to projects such as KDE, with a transparent funding process.
But I am on a crusade against centralizing any services, be it killing XMPP federation (thanks, Google), be it pushing a "secure" Messenger that is bound to a single social graph and server infrastructure controlled by one group in the US (thanks, Moxie), or be it a single compsny gaining significant control over several major IRC networks, clients, libraries, and over Matrix at the same time.
I think they're good, but there are some downsides. Sometimes traffic can really slow down because they're _too_ big.
Another issue is, all their IPs are well known. When browsing while connected to them, you can run into a lot of issues: captchas, blocked sites, etc.
The other day I was accidentally connected and made a purchase. What a giant headache. My purchase was flagged and blocked and it took a lot of my time to call the company and get it cleared up.
A few weeks back I ran in to the same issue with accidentally making a purchase while connected to PIA. Mine was also flagged and I had to jump through several hoops to prove I made the purchase. It was a pain but I completely understand why that happened and I'm still very happy with PIA.
I will mention that while it doesn't magically fix slow speed issues, they have the ability to report a slow server through the app (on Windows, I can't attest to any others). You just right click the icon in the notification tray and click "Send Slow Speed Complaint." They do add more servers in areas that are overloaded.
>"Buy the gift card with cash then there is no trail."
Until it's important-enough for them to track down the card, figure out when it was bought, go over the security footage of who was buying at the time, extract footage of you buying it. They can then extract your face and match against a DB. Or perhaps see what car you enter into, and extract its license-plate.
Heck, even if they don't have that, they can ask the cell-phone companies to see which phone-numbers were connecting to the nearest tower during that period. That already narrows down the list to say, 1000 people?
We're almost there. All the technology is already in place, and the only thing stopping it from happening is consolidation.
I have been pleased with their service. It wasn't much hassle to set up, particularly. Was certainly a little trickier on my linux machine.
I find the speed has almost been completely acceptable. I have had only a handful of times where it seemed sluggish and bogged down.
I know there is a some question of whether they can truly be trusted? Do they truly not keep logs? And they are US based which are all things to consider. I weighed those factors against the customer reviews, price, and simplicity of their service, and I think my choice has served me well. Their rates are dirt cheap for what seems to be a reliable service.
I'd use them. They're among the least expensive. And they don't seem to retain logs or detailed access records, based on testimony to a US court. But that was about an exit in the US, where there's no legal requirement for VPNs to log. Where there are such legal requirements, maybe they (or any other VPN) would retain and produce logs.
When I checked in mid 2016, their custom Windows client leaked while the VPN was reconnecting after uplink interruption. But then, only six of the 29 VPNs that I tested didn't leak: AirVPN, FrootVPN, IVPN, Mullvad, Perfect Privacy and SlickVPN. Strangely, FrootVPN didn't leak using open-source OpenVPN, suggesting that they're doing something unusual at the networking level. PIA's OS X client didn't leak, however.
They do tend to oversell their servers, however. So you'll often get less throughput than with AirVPN, IVPN or Mullvad.
well, I've suspected that. But can you point to evidence?
I wrote a post last summer for IVPN's blog. Bottom line, AhnLab and Emsisoft seemed to be the only commercial ones that don't share data.
AhnLab: “AhnLab will not collect any personal information other than [data collected during software use] and will not disclose such data to any third party.”
Emsisoft: “Any information we collect from you is only used by us to serve you better. Your information is never given to a third party.”
>So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?
Rarely addressed: VPN CLIENT ISOLATION.
The majority of us sit behind a NAT'd address range provided by our physical router, thus isolating our machines via a hardware router / firewall from our ISP. When you connect via a VPN, you are not automatically isolated from other client-peers on that VPN and must implicitly trust the VPN provider has properly configured client isolation. You can do testing, like firing up Wireshark and listening for broadcast traffic or simply by trying to nmap other hosts on the network, however, whatever you find could change with a configuration setting at any time.
One way to further "secure" this would be to run the VPN client on a hardware router like pfSense (instead of directly on your laptop) and block all incoming connections on the vpn client tunnel interface?
A disadvantage of this method would be that the WIFI signal from your Laptop to the router is no longer secured by the Vpn...
That's how I do VPN. I have my ISP connected router, then a DMZ network with my test servers & three routers: 1) guest, 2) main, 3) VPN. I then use a virtual LAN from (2) to (3) over a virtual interface on (2) to connect to (3) which is NAT'd. Honestly though, the whole advice of "get a VPN to be secure" is ridiculous because it can end up exposing you far more than what you were previously, especially if you are running a VPN client on a host that is running a media client / server like Plex, Kodi, WinAmp, iTunes (Bonjour), etc. If you are a developer and using The Fiddler, Charles Proxy, or the Burp Suite, then there's an easy route to the rest of your internal network. I know the first time I was on a VPN and saw someone on the VPN come through my interception proxy it freaked me out enough to instantly understand the dangers of VPN services.
It's more effective to block what you want on your host firewall and not rely on the the network to keep you safe.
"Processing in hardware", meaning application specific hardware acceleration, is a not a plus in security related things: it's not safer, and it doesn't exist in most boxes, and it's often impossible to field upgrade when bugs are found. It's done to speed things up/lower cost at large scale, but that's irrelevant for consumer/small office gear.
>It's more effective to block what you want on your host firewall and not rely on the the network to keep you safe.
I agree and am a big fan of host firewalls and host intrusion prevention systems, however, they must of course cover the VPN tunnel in their scope. In many cases they do not.
It is a configuration option, for sure. But I've never even heard of a VPN service that put multiple clients on the same subnet. It'd be a security nightmare. And I can't imagine what the advantage to the provider would be.
Think of SSH as the secure networking swiss pocket knife but that it is free for everybody to use, learn and script with. Now think how someone could make money out of it. They can't. So they start creating an alternative, that is so complex and hard to understand, that no person alone can manage it, and even the best solutions are unreliable, expensive and corporate. This is something you can sell and argue well that you need a shitload of engineers to maintain. This is VPN.
What should you use if you're smart enough to come to HN for reading? SSH of course.
Do you mean you can use SSH for anonymous browsing? I genuinely don’t know how that works out, isn’t that just transfer the risk to the server you ssh into, so you end up having to trust the server? Do you have some links for reference?
SSH has a Socks compliant proxy built in. That said, you are right, you are basically shifting responsibility to the SSH server you are connecting to so you have to trust it the same way you would a VPN provider. As such, it’s essentially the exact same and so GP was clearly misguided.
Though this can provide an extra level of defense against MITM, if you trust your personal connection to the internet less than the server's connection to the internet.
You can provide the ssh server yourself. Which is not so hard. And security is something different than avoiding tracking. Avoiding tracking is very simply done by not using a centralized proxy which is maintained by someone else (like in VPN). When you are really under attack it's very different and in that case you couldn't trust VPN either. Even the VPN client would be a danger.
All SSH does is move your traffic to a different computer.
When it leaves that computer it's no longer encrypted.
It's not hard to look at unencrypted traffic leaving the computer you've SSH'd into and associate the traffic with the computer you've SSH'd in through.
Presumably so; when I've tried the SOCKS support built in to Firefox, I've noticed that sites that I have blackholed via my hosts file begin working again.
While it’s not the right tool for the job, it is possible to connect two networks together using SSH as the secure transport. Many (most?) good network folks will recoil in horror though about tunneling TCP inside TCP.
Re Full network: How?, without additional software e.g. ppp+socat+ssh along with TUN/TAP or similar, or running a non standard SSH client/server and having various nonstandard utilities on both ends, which imho obviates OP's claim of SSH 'simplicity'/'ubiquity'..
I've seen it done before where it was fully transparent to both networks. This required the tunnel to be setup on the default gateway for both networks. Again, as mentioned before and you agreed too, this is not a solution I would ever want to see in production for a company I was at.
> which imho obviates OP's claim of SSH 'simplicity'/'ubiquity'
Which I agree, it isn't simple, but I was replying to someone saying it wasn't possible, not that it is easy to do.
Whether it's through negligence or ignorance or intentional lying, it's nearly impossible to not log user activity in some way.
And really, think about this: Even if you try really hard not to log, as a provider you're competing with thousands of forensic scientists who do nothing all day but figure out how to associate activity with the people who committed that activity.
And once a federal agency has identified your VPN traffic, every single thing you've done through that VPN provider is all wrapped up in one neat bundle for them to peruse.
You will sometimes face hassle authenticating with certain sites. Your VPN will trigger two-factor auth verification, or sometimes trigger an account lock-out or force password resets, etc.
I've been using one pretty consistently ever since the legislation passed allowing ISPs to sell your browsing history. I generally don't have any problems with it, but that isn't to say it is not problematic:
* Connection issues are really annoying. At home it is manageable, but reconnecting to a different wifi network with a phone introduces a delay that sometimes lasts minutes before it becomes functional again
* Some websites make you enter captchas in order to use them, probably due to VPN abuse by malicious users. Others outright block traffic to any detectable VPN traffic.
* It is slower in general, but the worst case slowness seems much worse and more common. Unavoidable really, you're introducing another potential point of failure.
* Useful LAN functions (like *.local domains) become non-functional
> Useful LAN functions (like .local domains) become non-functional
Is that true if you 1. disable the "force all DNS traffic over VPN" setting, but then 2. have a local resolver (e.g. dnsmasq) that resolves LAN domains but forwards all other traffic to a DNS server on an IP that will end up routed through the VPN?
I'm not sure if your methods would fix the issue but you can get around it if your router supports acting as a VPN client. After you configure the connection it becomes invisible to all your lan clients and you can use all of your local network goodies.
Not really an answer to any of the questions you asked, but I'll provide my perspective.
I don't use a VPN to hide my identity from the websites I'm connecting to. I use a VPN to hide the websites I'm connecting to from my ISP.
Residential ISPs in the UK are supposed to log a bunch of internet stuff (not clear exactly what), which is then made available warrant-free to over 40 government departments, including for purposes obviously unrelated to "national security" (not that that would make it OK), e.g. HMRC and the Food Standards Agency
I've been using DO for my VPN needs and it's been a very good experience.
You can start a 5$ Ubuntu droplet, which is more than enough to host OpenVPN, and then configure your VPN manually. Check here :
I just tried that but on my VPS the 'tun' device was not enabled and the automagic script died. Seems that is not easy to fix on a VPS depending on your provider. Thanks for the tip though.
Not the OP and I don't use DO specifically, but I've found using a VPS provider to be a more or less painless VPN experience. Providers like DO, OVH, and Vultr have scripts for easy one-click OpenVPN setup, or you can roll your own if you don't trust their scripts (though if that's the case maybe you don't trust the VPS provider at all...)
That said, always verify that the tunnel is operating correctly before assuming it is and taking off. I've found on more than one instance that the OpenVPN client was misconfigured and seemed to connect, yet my IP was still being reported as my ISP's.
I think that's an OpenVPN restriction, not a Vultr specific restriction. You have to pay for a commercial license if you want multiple connections with OpenVPN.
It's a bit trickier (and more time consuming) to set up than I initially imagined but not at all undoable. A lot of tutorials are bit out of date or conflicting so it wasn't quite as easy as just following a recipe.
I didn't use DO but an even cheaper host and set up VPN at router using DD-WRT.
Occasionally I have to turn it off at router as certain sites/ services recognize the datacenter IP but not all that often.
Main reason I set it up is I use a small local ISP and know the owners and no need to have them watching net traffic.
The settings on both ends have to match perfectly. Don't forget to set DNS for openVPN also.
Add to that many shopping sites (Best Buy for instance), deal sites, ticket buying sites, hotel/airline sites, heck, even my state's offender tracking system blocks the handful of VPS services I've tried.
Think about it this way: What if your VPN operates in another country? It becomes an international issue if Bob wants your VPN to tell them who you are.
On the other hand, if your VPN operates in another country, some websites within your country may block you due to content licensing issues.
My favorite formula, in constructing nested VPN chains:
1) First VPN, that only my ISP and second VPN see: I choose one that's popular where I live, and commonly used for torrenting, and I have a torrent client up 24/7.
2) Second VPN, that only the first and third VPNs know about: I choose one that does business from a jurisdiction that isn't very friendly with my government and its friends.
3) Third VPN ...
4) Final exit VPN, that only the previous VPN and websites see: I choose one that doesn't attract too much attention. For Mirimir, that's IVPN, because I'm already so associated with it.
I mostly use VirtualBox, or VMware in Windows. pfSense VMs make great VPN gateways. VPN and pf setup are pretty easy with their webGUI. Debian VMs also make great VPN gateways, but setup is harder, and their disk footprint is greater.
I've thought about doing it all in one OS, with iptables or pf to control routing. It'd be lots lighter, but more fragile.
Another option, if you want more security against exploits, is Qubes. But the hardware requirements are far more restrictive, and the learning curve is steeper.
Chief on my mind would be the issue of trust. Your traffic is coming out of the VPN node unencrypted. They could snoop you, MITM you, basically anything. So, who do you trust more? Your ISP or a mysterious VPN service probably in Russia that you learned about yesterday?
I figure my ISP is quite likely to sell my data and do other unfriendly things. But I figure they are quite unlikely to attack my traffic and do other illegal things.
Is Bob a cop? Does he have probable cause that you were involved in criminal activity. I don't think you can just handwave "call my ISP with a warrant".
Sure, adversaries could pressure VPN providers for logs, account information, help tracing traffic, etc. So you pick VPN services that have been in business for several years, are well known and recommended in relevant communities, and have no history of giving up their customers. There's a recent relevant thread on Wilders: https://www.wilderssecurity.com/threads/purevpn-keeping-logs...
Even so, it's prudent to assume that your VPN provider logs, works with your adversaries, etc. Just like the Tor project assumes that any particular relay may be malicious. So Tor clients create three-relay circuits, to distribute the risk. And one can do the same with VPN services. I'm currently working through a nested VPN chain, using servers from multiple providers. I use pfSense VMs as VPN gateways, and workstation VMs. It's also easy to add Whonix to the mix, so I can use Tor through nested VPN chains.
You're assuming that private parties have the ability to get warrants or subpoenas to get information from your ISP. They do not.
If "Bob" wants to know who you are when you visit his website, he doesn't have any options to get that information. If "Bob" thinks you are violating his copyright rights, he can file a DMCA complaint against you. If "Bob" doesn't want people from Iceland to access his site, he can try to filter based on IP range.
VPNs do three things: 1. obscure your identity 2. obscure your location 3. prevent local inspection of your network traffic.
How effective that "obscurity" is depends on who wants to know and why.
It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP
If the VPN is malicious or self-hosted.
If the servers and the company headquarters are located in a country not part of the "14 Eyes", and most importantly, host a lot of other traffic that is not you, there is obfuscation, legal barriers, and plausible deniability that you did not do what "they" are claiming you did.
VPNs aren't a defense against subpoenas or warrants, they're a defense against ISPs scraping your connections and selling them to advertisers.
No advertiser is going to come after your VPN provider asking for logs, and even if they did your VPN provider is going to tell them to get fucked anyway. Again, unless the advertiser in question happens to be the federal government and they have a subpoena or a warrant, no VPN provider is going to give you logs to help you associate a user, I have no idea why you would even think that.
If you don't want traffic from users on the VPN you are free to block them (Netflix does this) but nobody is going to give logs over to a random webmaster to help deanonymize users.
If you want to remove the VPN provider from the question entirely (many of them are on the shady side), you can use Algo to automatically deploy a Digital Ocean droplet or Linode instance to relay your connections for you. However this doesn't fundamentally change anything - if someone comes after you with a warrant or a subpoena, then Digital Ocean/Linode is going to give you up.
This is not exactly a difficult concept to understand so if you have asked this question repeatedly and still aren't satisfied with the answer, perhaps you should look inward.
>VPNs aren't a defense against subpoenas or warrants
They absolutely are for a huge number of people. Why do you think so many VPN's advertise the fact that they don't keep logs? I imagine far (_far_) more people use VPN services as a way to evade copyright holders than as a mechanism to avoid marketers (most people don't give two craps about the latter issue.)
BTW, was the snarky bit at the end really necessary?
>b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.
>It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?
I'm not sure how you made this jump. If the provider doesn't have logs, Bob can't find you. The end.
Such a VPN that did keep logs would lose their entire business model if it broke that they kept logs - even if they kept logs (and why should they? That might always leak and kill their business) why should they help a third-party to them?
> If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions.
Every TCP connection is uniquely represented by (src ip, src port, dst ip, dst port). Bob can provide all four of these, and a timestamp, to the VPN provider. The VPN provider can then resolve that to a specific user if they are logging connections.
in which case, if you can't trust 1 VPN, can't you jerry-rig a better VPN by daisy chaining several together, so that each VPN will have to be asked to sort through traffic?
There are lots of problems you see in practice which are not discussed often....
* Inability to send mail though a mail program
* Daily disconnections of VPN service
* Captchas and other verification/friction when using services (eg youtube, amazon etc)
* Some services may believe you are in a different country incorrectly, meaning you have to force them to use the right location, or be happy with it being wrong
* Some services will not work at all (for example purchasing through apple)
* Paid streaming services – like netflix, hbo go and amazon streaming will likely not work at all
* You may not be able to port tunnel traffic inside the VPN
And of course you have to trust the provider. For example PureVPN claims 'no logs' but it seems that isn't the case...
There is a lot of friction in using a VPN. Which makes the idea, often proposed by technical people that if you are worried about privacy - 'just get a VPN' either naive or disingenuous. That said even with the friction it is worth the cost and hassle IMHO.
In practice you have to have a way to flip on and off VPN on some machines/devices.
If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users
I believe there is the alternate option of setting up your own VPN .
Instead of using AWS, you could set it up on an additional router or on your PC/pi wherein you'd lose the advantage of anonymity amongst other users but your information is still encrypted to be acceptably safe.
I don't look to it as a foolproof solution, but I do see it as a way to make things a little bit harder for someone that's trying to track me.
The arguments here often sound similar to "experts" that complain about 2 factor auth: Sure, it's not perfect and there are better solutions in some cases, but it's still better than nothing for a lot of people.
(a) There's not much you can do with VPN that you can't do with SSH (actually I can't think of anything). And SSH is much more configurable.
(b) To avoid tracking of your browsing it is not a smart idea to pipe all your browsing through the servers of one VPN provider. A smart way would be to split up browsing streams, not to combine them.
I'm very sceptical about Mozilla writing such an ad page and trying to sell it as a reasonable technical blog post.
Every end user that can't use ssh can't use VPN either. It's only a lucky coincidence if it works for a few for a limited period of time. It's just that many VPN Clients come with a very limited set of configuration and debugging output which makes the average grandma more confident because she doesn't know all the shit that happens underneath.
Everybody who is able to repair a bike though is also able to use SSH.
Either of these options, depending on your preferences (protip: use Algo, unless you're in a place that blocks IPSEC VPNs...It's cheap enough to have both available). This at least covers the basics of what they're talking about being snooped in the post. Then you don't have to worry about trusting the VPN provider (but you do have to worry about trusting your cloud provider).
If your threat model is different, you might want to be in a pool of users, but you can use the same service and solve this problem socially...
> I don't know why anyone advocates using a VPN provider when it's so trivial to set up your own VPN now.
That won't give you any privacy as anyone who wants to de-anonymize its traffic can correlate the fact that you connect to it with your IP (asking the VPS provider for logs) and that you bought it (asking the VPS provider for your banking info).
But that's not really the threat model described when people are talking about their ISP snooping on what they do. A private VPN solves exactly that problem.
Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service). Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).
> But that's not really the threat model described when people are talking about their ISP snooping on what they do. A private VPN solves exactly that problem.
It only solves it against a particular ISP.
> Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service).
I completely agree, that's why I always maintain that only privacy by design solutions should be relied on (Tor and i2p for example).
> Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).
But they know the IP, so that's still identifiable information.
> You can combine Tor and a VPN though, though you'll want to rotate through VPNs to avoid timing attacks.
I don't think that adds any privacy, setting up your own non-exit relay and connecting to it may significantly increase your privacy depending on your threat model (since then you can be sure that no single point in your Tor circuits controls both the entry node and exit node, and hence can't correlate your traffic. You're still vulnerable to a global passive adversary (GPA) of course).
> I don't know why anyone advocates using a VPN provider when it's so trivial to set up your own VPN now.
..links to github repos...
You are blessed with technical skills and experience so this is trivial to you (and many people on HN), but there are tons of people out there for whom this is not a trivial task.
For anyone who uses OSX and DigitalOcean, easily deploy your own personal VPN server with DNS adblocking running on DigitalOcean: https://github.com/dan-v/dosxvpn.
There are a small handful of sites that treat me like a spammer and make me go through extra hoops to sign in, but I have not found what you said to be the case.
A lot of folks are doing their automated testing with AWS systems and blocking those IPs would likely cause a lot of people some headaches.
The DNS blackhole that Algo by-default puts ad providers in causes me more problems than that, in all honesty, because occasionally I have to log into service like Hubspot that are blocked.
I typically don't trust VPN providers, so I set up my own on AWS with this CloudFormation script. [0] It is almost effortless, takes 10 minutes and I can spin it up or spin it down without paying for a subscription, only AWS metered costs.
EDIT: another poster mentioned Algo [1]. This method requires a high degree of savvy and entails a higher level of difficulty, but looks much more configurable.
Which, the first or the second option? The first one entails a one-time 10 minute setup and you can leave the AWS instance running if you don't mind incurring a small ongoing EC2 fee.
How often do you find that your AWS IP is blocked, or that you need to bypass a captcha? I would think that AWS would be a major source of scrapers and other traffic that a site might not want and might choose to block. I know that Cloudflare offers to block "suspicious" traffic, which would seem likely to include traffic coming from an AWS server rather than an ISP.
I've set up my own VPN using Streisand [https://github.com/StreisandEffect/streisand] & Google Compute Engine (Micro Instance). When you create an account on Google's Cloud, you get $300 (or used to at least). This instance type is big enough to handle the few devices I connect to it, fairly speedily too.
Without a doubt! I'm not too concerned because I'm using it within the USA to access my email, HN, and various other common websites while on public wifi.
I wish that we had arrived at a different term for third-party VPN proxy services. I use VPN connectivity to my home network whenever I am on the road so that my traffic is encrypted over-the-air (Wifi) regardless of its protocol or destination. When I read, "Do you need a VPN?" I think "I love having a personal VPN to my home network that I use from everywhere. You might love it too!" I am evangelical about creating and using a personal virtual private network—that is, a "VPN" in the more traditional sense of the term.
And then I realize the question is actually about third-party VPN proxy services, which seem to be a substantially different use-case.
It's just a shame that the term "VPN" has become so ambiguous.
Would you mind sharing your tips for setting this up? I've been considering doing something similar for a little while now but am unsure how to get started.
1. Add a VPN host to your home network, either as another role on your router/firewall or as role on a host inside your network. For example, if you're running pfSense as your firewall, you can add an IPSec/L2TP or OpenVPN role to the pfSense host. Many hardware router/firewall devices have VPN host capabilities. You can start simple by defining users at the VPN host. Later you can use your home network's LDAP directory for users, but I personally didn't bother doing that.
2. Set up your laptop(s) and phone(s) to connect to that VPN. Disable "split tunneling" on the devices. If split tunneling is enabled, only traffic that is intended for your private network would be sent to the VPN. Disabling it requires that all traffic—even traffic destined for the public Internet—needs to be routed through the VPN host.
3. Connect to the VPN whenever you are outside of your home.
4. You can optionally assign a static private IP to each device so that when you're connected, all devices use known IP addresses that you can name using a local DNS server. This would allow you to, for example, reach your laptop by the name "laptop.yourdomain.org" (or whatever). I give all of my devices hostnames so that I don't need to remember their IP addresses.
5. The result is you have a personal "virtual private network" that facilitates private LAN-like communication between all of your devices. For example, I use this to access my personal file server from anywhere.
6. You can get even more sophisticated by setting up site-to-site VPN connectivity between your home network and a machine or network you run at a data-center. This allows you to, for example, reach not just your home file server but also manage your personal public-facing Internet services running at your data-center hosted machine or VM—from any of your devices.
> 4. You can optionally assign a static private IP to each device so that when you're connected, all devices use known IP addresses that you can name using a local DNS server.
This is where I’ve always got hung up. I’ve for a long time wanted a static URI for a machine at home (e.g. SSH, IRC bouncer, music files, etc.)
I assumed I’d have to use some kind of local host tunneling solution (like pagekite.io), which are either expensive or difficult to trust/rely-on, or register as a business to get a static IP.
I was speaking of assigning private static IPs to everything on your virtual private network, and then using a private DNS server. This allows you to reach your devices/hosts by name rather than their IP.
However, the entire scenario relies on you having at least one static IP address for your firewall/VPN endpoint. You need to be able to reach that from anywhere on the public Internet.
I think the easiest way is to get a router capable of running DDWRT or similar that has an OpenVPN server built in to it, flash your router, generate some keys, and hook in with all the OpenVPN clients on Windows, Linux, Android, iPhone, and MacOS. It's really not that bad. I use it all the time when I'm out of my house. I can browse knowing that no one between me and my home can know anything about what I'm doing. Of course, my ISP at home can see everything all the time.
I can even access my home automation system. Shoot, I have one installed at my mom's house and can monitor her furnace when she's on travel in the winter. Everyone would enjoy a personal VPN.
One low maintenance way of doing this would be to setup a SSH server at home (and configure your home NAT/Router to forward traffic to that machine)
Once you have SSH access to home there are a number of ways to tunnel your traffic (on desktop platforms, not sure about mobile). Sshuttle works pretty nice. You can also optionally just tunnel traffic for certain apps or browser profiles by using ssh -D (SOCKS5 proxy)
Insanely easy to get running: plugged it in to my home router, and now I do all my remote browsing from my home network. I HIGHLY recommend it. I know it doesn't help with privacy, since you're using your home network, but I'm currently more concerned with WiFi hacks, pineapples, and the like.
I started using BlackVPN about a month ago because the highly personalized ads all around the web got extremely unnerving. Having accounts with FB/AMZN type services means they'll never go away completely, but it's better than nothing.
I'm curious if anyone has any commentary on other providers worth looking into. BVPN is based in Hong Kong which has a strong history of pro-privacy AFAIK, and they claim to not even have the technical ability to keep logs of relevant info. Either way, I think I'd rather have some random Hong Kong company have my semi-anonymized info rather than my ISP.
498 comments
[ 3.5 ms ] story [ 144 ms ] threadsurprised this article does not mention tor? or has tor been abandoned as a tool for privacy?
[0] https://www.eff.org/pages/tor-and-https
Encouraging people to use a VPN is much more likely to be effective
I know many people who use Tor daily for regular browsing - myself included. Yes, it's slower than not using Tor but that's expected from the 3-hop design.
CiPHPerCoder provided a great link[0] in this discussion [1] that details a short list of a few reasons why VPN's are likely not what "regular people" who are concerned for privacy should be using.
that all being said, tools like tor have become much easier to use with setups like tails [2] which may have its own security issues but I'll agree that regular users may not be capable of using Qubes with Whonix.....yet
I think advocating for a VPN is actually harmful to the "regular user" not only in the fact it will not accomplish what they want, it will deepen their ignorance on how the internet works because they will think "its encrypted" "so I am secure."
I do have some concerns that tor is a tool that needs to be improved upon greatly to truly accomplish its goals but I am not aware of any projects that are doing so. Re metadata, fingerprinting, developers inserting backdoors etc.
[0] https://gist.github.com/joepie91/5a9909939e6ce7d09e29 [1] https://news.ycombinator.com/item?id=15585974 [2] https://tails.boum.org/
[edit:added concerns about tor]
I always try to tell people about Tor's limitations, which are considerable. (I wrote the content for the EFF graphic that was linked above, and one goal was to show people things that aren't hidden by Tor — for example you can see an NSA agent in the graphic performing some kind of correlation attack between source and destination by monitoring the network at multiple points. Of course, the source of data for this doesn't have to be fiber optic taps, so other entities that can get source and destination data can correlate them too.)
Tor is doing work on all of the things that you mention: metadata, fingerprinting, and developers inserting backdoors. One could wish for more work and that it had happened longer ago, but all of those are active areas of concern and research for the Tor project.
Thank you! I constantly share that link with people, I (and many others) appreciate your work!
I regret not going into software development, I wish those are projects I could contribute to, alas my closest work towards development is tinkering with linux etc .conf files to get home projects to work, which is not development at all.
https://community.letsencrypt.org/
I can testify that the ability to help people tinker with Linux configuration files is something that continues to be in great demand. :-)
Most of the time what people think they need a VPN for, a VPN won't actually help them much. They have a narrow use-case in privacy contexts, in which case you're better off using Tor.
My general position is this: I don't trust my phone provider. At all. Just a week or so ago there was an HN post demonstrating how an ad provider can get your full name, cellphone plan details etc just by calling an API from a page rendered on your phone. But I also don't really have a choice - AT&T or Verizon or T-Mobile, they're all different flavors of the same crap.
Do I trust my VPN provider unequivocally? No. But I trust them a hell of a lot more than my phone provider, and they can't sell my personal info against my browsing history because they don't have it.
A VPN isn't the answer to everything, but nor is it useless.
> Are VPNs truly private?
> Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?
Which is basically also saying you can't trust a commercial VPN provider. I suppose it does differ in that it says it's still an option, though.
What have they done to earn your trust?
The only positive point of trust a VPN provider has is that no-one has exposed them selling browsing data. Definitely not great, but also better than my phone company by default.
Your VPN provider is just some random company. You went up to them. They're randomly selected (insofar as your choices are random) from the space of all VPN providers, and most providers aren't malicious.
Your ISP is, at least in the US, almost always a monopoly. They're self-selected: they went up to you.
So incompetence is a reason to not trust a provider as well.
* My VPN provider explicitly states that they do not collect user information or store logs of user activity. Unlike my ISP that has a No Privacy Policy.
* My VPN provider has not done anything to lose that trust.
Source? And why would it be good enough when it has been shown time and time again that it's ineffective (example: DNT header)?
My ISP choices are limited to two companies that are both terrible. A VPN is a nice way of limiting what they can do to you.
I think we can both agree that wasting your money on wishful thinking ("maybe provider doesn't log") instead of using free open-source privacy-by-design solutions is a bad idea.
The privacy-by-design solutions have their problems at well (ex: speed). It would be better to use them over VPN IF AND ONLY IF their features would be strictly equal.
As they are not, one simply calculates the expected value of both, taking into account the probability of the VPN actually logging the traffic (which should be low for VPNs with good reputation).
For some use cases, even a VPN that logs traffic would be a good idea. For instance in many countries if you download a torrent they will log your IP and try to identify you. IF you have a VPN, they won't even bother asking the provider the IP because it is just not worth it for something like that. If you were exchanging child porn on the other hand they will ask for it and take time to find you.
Not everybody needs the same guarantee of privacy or has the same risk if the privacy was to fail.
Your statement is the same as saying one should never invest in shares because the return is not known in advance, so you should just buy government bonds which are safe.
The worst case scenario is not just that they're as bad as AT&T. The worst case scenario is that they're as bad as AT&T and still provide a false sense of security.
Even if you're diligent, other users with your (ISP, VPN) provider pairing might not be, and they could be harmed as a result.
The comments security nerds make here on HN aren't one-on-one individualized consulting (n.b. that's paid work in my field), they're general advice for the public to refer to.
You are of course correct. :)
https://arstechnica.com/tech-policy/2017/03/doj-drops-case-a...
They run massive PR campaigns with carefully structured press releases designed to convince the kind of people they want to detain that TOR is private and safe for any kind of activity.
Because of this people tend to get swole when you suggest that TOR is not any good for protecting your privacy because lots and lots of people have been arrested, tried and convicted after trying to use it to hide elicit activities.
The US government has made millions of dollars of investment into TOR:
https://www.theguardian.com/technology/2014/jul/29/us-govern...
Pretty much every time the US government is investing in something you can be certain that their intention is not to help you out.
Please, find me a counter-example - because I haven't seen one.
Admittedly, one thing that has happened is that the authorities are able to target compromises in the Tor Browser specifically, rather than in a wider range of clients that non-Tor VPN users might use. But they're probably more vulnerable than the Tor Browser is anyway.
And that they'll follow the instructions that come with the TOR browser and assume that it's safe.
So when I say that TOR isn't safe, I mean that it isn't safe as it's presented.
Saying that TOR isn't safe if you know what you're doing is like selling someone a car with no seatbelts and then telling them well if you knew what you were doing you'd install seat belts yourself and then the car would be safe.
Sure. But it is no more dangerous to use Tor on its own than it is to use a VPN privacy service on its own. So your claim that the US Government is enticing people into using Tor to entrap them is nothing more than an unsubstantiated conspiracy theory. It would be easier for governments if criminals didn't use Tor.
It's too late for you.
Consider the attacker: a service you've visited that has your "outermost visible" IP, and wants to know who you are. From their perspective, it doesn't matter if your ISP is willing to give information freely, because they don't know who your ISP is until they've already gotten the information from your VPN provider. Each layer prevents the layer below it from being attacked, until it is removed.
Yes, a state actor could just ask "every ISP at once" to look at their logs of OpenVPN-protocol traffic and identify the packets that match the ones that arrived at the service. But state actors aren't the usual attacker profile, and require entirely different strategies (e.g. getting human "proxies" to use Internet cafes for you.)
> You are on a known-hostile network
is true for every network in the USA. You can be sure they ae all being snooped on by 1. the ISP collecting traffic data for profit and 2: the gov. because they get it all anyways.
Here are some reasons I've used, and continue to use, VPN:
* When I am on a network that uses an idiotic blacklist to block certain types of content. The network might even be run by my employer and I might be accessing content that is necessary for my work, but there might be no way to appeal the idiotic blacklist.
* When I am on a network that INJECTS content into HTTP responses (a certain paid airline WIFI used to do this).
* When I am on a network that might allow other users on the network to snoop on / mess with my traffic.
* When I want to access services that I have paid to access but are only available to IP addresses in a specific geographic region, and I happen to be in another geographic region.
Etc.
The internet is not designed for privacy, and privacy does not benefit the majority of commercial stakeholders of the internet. This is probably why most privacy solutions feel like shoving a square peg through a round hole. My personal feeling is that we should combat commercial bulk surveillance through legislative means.
https://news.ycombinator.com/item?id=10998661
No, at least now facebook may not know your exact location (especially if you use their onion service: https://www.facebookcorewwwi.onion/ ) and they can't track your activity outside of facebook. Of course, it doesn't solve - nor can any other anonymity system - the fact that you transmitted personally identifiable information with facebook.
> That isn't great privacy wise as it's still privacy by policy. The best way to torrent is to use i2p which - unlike Tor - encourages that activity. (Short tuto: the default Java i2p bundle already comes with I2PSnark, a torrent client. To download a torrent, search through known i2p trackers such as the Postman Tracker: http://tracker2.postman.i2p )
What? i2p is a self-contained network and not really meant for clearnet browsing.
My point was that I2P can help them since it's (a) torrent friendly, (b) has a bundled Torrent client (I2PSnark), (c) there are many eepsite torrent trackers such as: http://tracker2.postman.i2p
I'm trying to figure out why they made this. They can't really run ads without ending up like the founder of TPB.
Regardless, it doesn't seem unreasonable to expect people to know what a magnet link is. When all you need to do is download transmission and click on a magnet link, people are fine with that.
Definitely.
> What are the benefits?
Because of its 3-hop design, a non global passive adversary (GPA) would need to control both your entry node and the exit node to de-anonymize one of your Tor circuits. In addition, Tor circuits generally last for 10min only. Also using the Tor Browser you get stream isolation meaning that you get different Tor circuits for different websites.
You can also setup your own non-exit node and connect to it to ensure that no single point in your Tor circuit controls both the entry node and the exit node.
That's not a benefit, that's a feature. A benefit involves a use-case. What does a person gain from not having their traffic de-anonymized? The described user is someone who doesn't have any particular activities they need to keep secret or risk jailtime. So, for them, what's an example of something that could happen differently in their real life if they used Tor vs. if they didn't?
(This wasn't a rhetorical question; there are such use-cases. I'm just commenting to prod you into zooming out a bit from "privacy is its own end" to thinking more about what regular people care about and how privacy helps them get it.)
Chrome sends a whole lot of data to Google (and possibly to their data-sharing partners) such as, at the least, what sites you visit and how long you are on each. When combined with Analytics, cookies, profiling and whatever G services you use, and the fact that Chrome is a program (not a site) connecting that all, you have pretty much lost any legitimate hope to privacy before you begin. Use HTTPS everywhere is a no-brainer, as at least the middle steps won't see the data. IMO, using a commercial VPN is just not that difficult and the speed is close to native, so its a lot easier than TOR.
Or just be a nice happy good citizen in the normal world. What you do in other worlds should then not be mixed with the normal word.
https://www.tunnelbear.com/b/privacy-partners/
Downside is that it basically only works per device. It doesn't run on any routers that I know, to get full coverage over your network traffic.
Exercise caution. Do your research.
Was it somehow unclear? Pretty clear to me at least.
For instance:
> Are VPNs truly private? Unfortunately, no. The VPN provider can still log your browsing data. You are essentially putting your trust in your VPN provider. Will your provider hand over info when pressed? Will they log your browser data and sell it at a later date?
[0] https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headline...
I wish people would stop throwing this question at every headline that happens to have a question mark at the end of it. The headline here isn't clickbait, it's an attempt to answer a question that is pertinent to many.
Or if Amazon provides one I'd use that for sure.
Both would help with ISP selling data to advertisers level snooping and open WiFi network insecurity issues though.
They are still useful for lumping your traffic in with others for copyright infringement. Torrent clients offer the files for sharing while downloading.
They are still useful for some simple geo evasion as well.
They aren't a solution for every security issue at all. Tor is generally better to run from open wifi from a tails USB rather than from a VPN.
Also, many VPNs actually log things they can provide to the FBI even though they lie and say they don't. They can get a NSL and end up having to without being able to tell you that they did. Sometimes a NSL canary is used, but not always.
Can you expand on that? I’m also on Verizon and feel like having a panic attack.
Also, the permacookie nonsense, and they are certainly data mining the crap out of everything you do.
Thanks!
Please feel free to correct me.
https://www.wired.com/2014/10/verizons-perma-cookie/
It's Swiss based so I assume there would be a decent amount of round trip latency, but for sheer privacy it seems like a solid company that goes the extra mile by locating itself for legal purposes.
https://protonvpn.com/
I have a paid account with Netflix/Hulu/HBO and I'd like to watch it when I'm travelling or when I'm working remotely from third world countries. That would be my sole use case. Can they stream without huge latency?
If I go to Bob's website on my computer without any VPN, and Bob wants to find me, all he would need to do is get my IP, call my ISP with a warrant, and then get my information.
If I go to Bob's website while logged in with a VPN, and Bob wants to find me, he first sees that he's getting tons of hits from this IP because thousands of users are sharing this same VPN. So then he uses some kind of fingerprint to figure out my unique user sessions. Then he calls the VPN company, and asks them to associate the IP and specific browser sessions with me. In that case a) the VPN really does store logs even though they advertise they don't, so they're able to associate me with my activity, or b) they really don't store logs and have no idea which one of its thousands of users logged into his website with that IP.
It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?
So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?
If you roll your own VPN on AWS or the like, don't you lose the benefit of sharing the VPN with thousands of users? Wouldn't it be easier for Bob to call AWS with a warrant and get your account info than mess with some offshore VPN provider?
This is usually due to the ec2/do instances being the cheapest or second cheapest with bad CPUs and overcrowding.
If you don't want Bob to identify you then yeah you need more than just VPN such as ad blockers, disabling cookies, and more.
The downside in a nutshell: "Researchers recently tested 300 free VPN apps on Google Play and found that nearly 40 percent installed malware or malvertising on users’ machines."
"Bob" very likely doesn't know you even exist and doesn't care. The downside of VPNs is that many VPN hosting companies are even less trustworthy than "Bob" and do care who you are. An unscrupulous VPN provider can MitM your connections, harvest anything you give the VPN's app privilege to see (probably a lot), etc.
Step one of security is to understand the threat you want to defend against and make sure your defense against that is (a) adequate, (b) appropriate, and (c) not compromising you in other ways.
Recently the Federal Government sent out a malware to certain persona of interest. That malware played a higher pitch sound than can be heard by the human ear. They were able to track that person and identify them because they heard the sound on the computer's microphone. TOR or VPN can stop this.
That should be "... can not be heard ..." right?
Also, do you have a link with more details.
would both work, but your interpretation isn't correct.
Some of the brightest minds of this generation are working on ad tech.
Sadly.
Are they able to do this? Yes, for sure.
Are they willing to this? For terrorists or maffia bosses, no doubt. For smaller fish? Maybe they can't be bothered. Or maybe they can.
https://www.bleepingcomputer.com/news/security/ultrasound-tr...
It appears to have happened already
https://en.wikipedia.org/wiki/SilverPush
My tinfoil hat is spinning!
https://arstechnica.com/tech-policy/2015/11/beware-of-ads-th...
I can no longer hear it. Still I can hear 1khz, so that's what's important.
You're saying that the persons of interest in this case were identified and targeted only based on an IP address and not based on some other aspect of their online activity?
For example: It's way easier for a client to install a mobileconfig to ios that supports on demand VPN than it is to have them download and configure openvpn. Fairly set and forget.
Re OpenVPN vs IKEv2/IPSec, this IVPN FAQ seems accurate.[0] But then, I helped edit it, so I'm biased. Still, if anyone can point to inaccuracies, I'll recommend fixing them :) The major weakness is pre-shared IKE keys.
On the other hand, I get from IVPN that the IPSEC implementation in iOS is very secure.
0) https://www.ivpn.net/knowledgebase/160/Is-using-L2TPorIPSec-...
how can you prove what the provider is using? people can lie
a) Install OpenVPN yourself (open source)
b) Download an OpenVPN profile from the VPN company
c) Configure OpenVPN with the profile
Specifically, you don't have to install any binary software from the company itself.
I recently signed up for such a service, in order to get my Nintendo Switch online for multiplayer gaming. My home internet connections sub-let from the landlord and could be considered semi-hostile -- not able to connect to peers on the Switch due to triple NAT, and I suspect some QoS throttling as well. The VPN solves my routing problems, but if anyone has a suggestion for another option here I'm all ears.
Also, don't choose a VPN based on some online review. Most of those are basically paid advertising. Either "pay if you want a good review" or "pay more for highter rank", or stuff by independent affiliates, who get paid for referrals.
Better, choose VPNs that have been recommended by consensus in relevant communities. Torrent users. Wilders. Me ;) And by the way, I do consult for IVPN, but my opinions are otherwise unbiased.
And they have great clients for Windows, OS X and iOS. I've found a few others that are just as leak-free.[0] However, the data there are old, and just about all VPN services have improved their clients. What's most relevant about the site is the testing protocol. There's more about that in an IVPN guide.[1]
I also recommend AirVPN, Mullvad and PIA. But not necessarily for their clients. I mean, IVPN doesn't have a custom Linux client. So in many cases, you need firewall rules. And you need to make sure that you're not using an ISP-assigned DNS server with the VPN.
0) https://vpntesting.info/
1) https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-lea...
https://www.mullvad.net/blog/2017/9/27/wireguard-future/
I used PIA for a couple of years without issue, but then it went into some kind of decline for me, always driving network traffic to zero after a few hours. After changing hardware and reinstalling the OS with no effect, I finally tried AirVPN and things went back to normal. AirVPN is a bit more expensive, but their client is light years ahead of the PIA client.
The only step beyond this that I have seen is a recommendation to use OpenBSD as a firewall in a virtual machine.
But. It's basically what I described. For public VPN network, just use the default (all output, only established input). For private LAN, deny all output and input, and allow output to selected IP addresses (VPN and DNS servers).
Perhaps something like this can be scripted; if it becomes polished enough it could be recommended as a part of every VPN setup.
That's why you generally ignore online reviews.
Say for instance there are two vpn services. Both have a 100,000 users. One makes $1,000 a year off of advertising, and the other makes $1,000,000 a year($9/month). Now both are approached by a nefarious gentleman who offers them $20,000 a year to harvest their user's information. But every year there is a 25% chance people find out and your service is shut down.
Who takes the deal? Maybe the free guy, but very few people would risk a 1M/year revenue stream to make a little extra cash, but someone might risks a much smaller revenue stream for a comparatively bigger payoff.
https://www.privateinternetaccess.com/forum/discussion/26284...
Is this semantics? I am uncertain. I do think that it's in PIA's best commercial interests not to keep logs. It's the core of their business model. The moment a PIA customer's identity is revealed through them is the moment they lose all business.
[+] I'm not trying advocate crime here or advising how to avoid it. Just trying to bring to light a vulnerability.
People who are interested in not being identified probably shouldn't. But there are good security reasons to potentially do so.
This is why we can't have nice things...
Freenode and Snoonet, two major IRC networks, are now owned by them.
[1] - https://krita.org/en/item/krita-foundation-update
Disclaimer: Happy PIA customer.
[0] https://news.ycombinator.com/item?id=14911509
[1] https://news.ycombinator.com/item?id=14911915
My only beef is I thought PIA would be a kickass gig to work at. Alas, never heard back from my resume. They post in the monthly thread.
Still interested, if any of you PIA people are watching :D
To be honest, my only problem with them is their customer service. And their phone app. My connection is half speed on my phone. :( They also have some strange problems with the linux app (which I wish they would open source). Otherwise I'm really happy with them.
As for the Linux side, their app just needed some better instructions on their site, and then works fine. So I'm not really upset on that, just had to argue with tech support for awhile to get transferred to somebody that knew what I was talking about.
If control of PIA — for whatever reason, and be it that Andrew Lee dies and his heirs sell it, or that he can't finance it anymore, or that a three-letter agency forces him to — ends up in the wrong hands, then also all of Freenode and Snoonet end up under control of that entity.
It's not that I don't trust PIA, but that I fear that PIA itself may end up in the wrong hands.
And I'm not on a crusade against PIA — I won't complain about their donations without requirement to advertise in return to projects such as KDE, with a transparent funding process.
But I am on a crusade against centralizing any services, be it killing XMPP federation (thanks, Google), be it pushing a "secure" Messenger that is bound to a single social graph and server infrastructure controlled by one group in the US (thanks, Moxie), or be it a single compsny gaining significant control over several major IRC networks, clients, libraries, and over Matrix at the same time.
No matter the intentions, how good they may be.
Another issue is, all their IPs are well known. When browsing while connected to them, you can run into a lot of issues: captchas, blocked sites, etc.
The other day I was accidentally connected and made a purchase. What a giant headache. My purchase was flagged and blocked and it took a lot of my time to call the company and get it cleared up.
I will mention that while it doesn't magically fix slow speed issues, they have the ability to report a slow server through the app (on Windows, I can't attest to any others). You just right click the icon in the notification tray and click "Send Slow Speed Complaint." They do add more servers in areas that are overloaded.
Until it's important-enough for them to track down the card, figure out when it was bought, go over the security footage of who was buying at the time, extract footage of you buying it. They can then extract your face and match against a DB. Or perhaps see what car you enter into, and extract its license-plate.
Heck, even if they don't have that, they can ask the cell-phone companies to see which phone-numbers were connecting to the nearest tower during that period. That already narrows down the list to say, 1000 people?
We're almost there. All the technology is already in place, and the only thing stopping it from happening is consolidation.
I find the speed has almost been completely acceptable. I have had only a handful of times where it seemed sluggish and bogged down.
I know there is a some question of whether they can truly be trusted? Do they truly not keep logs? And they are US based which are all things to consider. I weighed those factors against the customer reviews, price, and simplicity of their service, and I think my choice has served me well. Their rates are dirt cheap for what seems to be a reliable service.
When I checked in mid 2016, their custom Windows client leaked while the VPN was reconnecting after uplink interruption. But then, only six of the 29 VPNs that I tested didn't leak: AirVPN, FrootVPN, IVPN, Mullvad, Perfect Privacy and SlickVPN. Strangely, FrootVPN didn't leak using open-source OpenVPN, suggesting that they're doing something unusual at the networking level. PIA's OS X client didn't leak, however.
They do tend to oversell their servers, however. So you'll often get less throughput than with AirVPN, IVPN or Mullvad.
(Basically, all AV companies listed on stock market sell your data.)
I wrote a post last summer for IVPN's blog. Bottom line, AhnLab and Emsisoft seemed to be the only commercial ones that don't share data.
AhnLab: “AhnLab will not collect any personal information other than [data collected during software use] and will not disclose such data to any third party.”
Emsisoft: “Any information we collect from you is only used by us to serve you better. Your information is never given to a third party.”
Rarely addressed: VPN CLIENT ISOLATION.
The majority of us sit behind a NAT'd address range provided by our physical router, thus isolating our machines via a hardware router / firewall from our ISP. When you connect via a VPN, you are not automatically isolated from other client-peers on that VPN and must implicitly trust the VPN provider has properly configured client isolation. You can do testing, like firing up Wireshark and listening for broadcast traffic or simply by trying to nmap other hosts on the network, however, whatever you find could change with a configuration setting at any time.
One way to further "secure" this would be to run the VPN client on a hardware router like pfSense (instead of directly on your laptop) and block all incoming connections on the vpn client tunnel interface?
A disadvantage of this method would be that the WIFI signal from your Laptop to the router is no longer secured by the Vpn...
"Processing in hardware", meaning application specific hardware acceleration, is a not a plus in security related things: it's not safer, and it doesn't exist in most boxes, and it's often impossible to field upgrade when bugs are found. It's done to speed things up/lower cost at large scale, but that's irrelevant for consumer/small office gear.
I agree and am a big fan of host firewalls and host intrusion prevention systems, however, they must of course cover the VPN tunnel in their scope. In many cases they do not.
What should you use if you're smart enough to come to HN for reading? SSH of course.
When it leaves that computer it's no longer encrypted.
It's not hard to look at unencrypted traffic leaving the computer you've SSH'd into and associate the traffic with the computer you've SSH'd in through.
That’s entirely not true. If you’d said “some”, you’d be right, but “most” is categorically incorrect.
And browsing the internet over a VPN is different... how, exactly?
Want to connect 2 lan's together and have full protocol binding and internal DNS support without mucking with 65535*N-nodes port forwardings?
yeah.
not to mention 'vpn' isn't a product..
so your entire notion of 'making money out of it' makes no sense.
as for commercial: OpenVPN is great, free, and fairly simple to use.
TCP/TCP is another point.. and a good one, yes.
These articles explain the concept, but it takes nothing but SSH & Linux (albeit it can work on macOS too with additional software):
https://wiki.archlinux.org/index.php/VPN_over_SSH
https://debian-administration.org/article/539/Setting_up_a_L...
http://sgros.blogspot.com/2011/11/ssh-tap-tunnels-using-rout...
I've seen it done before where it was fully transparent to both networks. This required the tunnel to be setup on the default gateway for both networks. Again, as mentioned before and you agreed too, this is not a solution I would ever want to see in production for a company I was at.
> which imho obviates OP's claim of SSH 'simplicity'/'ubiquity'
Which I agree, it isn't simple, but I was replying to someone saying it wasn't possible, not that it is easy to do.
https://betanews.com/2017/10/09/purevpn-logs-fbi/
Whether it's through negligence or ignorance or intentional lying, it's nearly impossible to not log user activity in some way.
And really, think about this: Even if you try really hard not to log, as a provider you're competing with thousands of forensic scientists who do nothing all day but figure out how to associate activity with the people who committed that activity.
And once a federal agency has identified your VPN traffic, every single thing you've done through that VPN provider is all wrapped up in one neat bundle for them to peruse.
* Connection issues are really annoying. At home it is manageable, but reconnecting to a different wifi network with a phone introduces a delay that sometimes lasts minutes before it becomes functional again
* Some websites make you enter captchas in order to use them, probably due to VPN abuse by malicious users. Others outright block traffic to any detectable VPN traffic.
* It is slower in general, but the worst case slowness seems much worse and more common. Unavoidable really, you're introducing another potential point of failure.
* Useful LAN functions (like *.local domains) become non-functional
Here's arstechnica: https://arstechnica.com/information-technology/2017/03/how-i...
Congress removed FCC regs. that would have prevented it. ISPs have been claiming both the regulation is unneeded but that they won't sell your data.
Is that true if you 1. disable the "force all DNS traffic over VPN" setting, but then 2. have a local resolver (e.g. dnsmasq) that resolves LAN domains but forwards all other traffic to a DNS server on an IP that will end up routed through the VPN?
I don't use a VPN to hide my identity from the websites I'm connecting to. I use a VPN to hide the websites I'm connecting to from my ISP.
Residential ISPs in the UK are supposed to log a bunch of internet stuff (not clear exactly what), which is then made available warrant-free to over 40 government departments, including for purposes obviously unrelated to "national security" (not that that would make it OK), e.g. HMRC and the Food Standards Agency
https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016
Additionally, I use a DigitalOcean VM and run OpenVPN myself, I don't get a service from a VPN company.
I've been looking to do the same recently, do you use Digital Ocean Droplets? If so, how have you found the experience?
https://www.digitalocean.com/community/tutorials/how-to-set-...
Or you can do it the easy way (but you won't learn as much) and run a bash script to configure everything automagically :
https://github.com/Nyr/openvpn-install
That said, always verify that the tunnel is operating correctly before assuming it is and taking off. I've found on more than one instance that the OpenVPN client was misconfigured and seemed to connect, yet my IP was still being reported as my ISP's.
I didn't use DO but an even cheaper host and set up VPN at router using DD-WRT.
Occasionally I have to turn it off at router as certain sites/ services recognize the datacenter IP but not all that often.
Main reason I set it up is I use a small local ISP and know the owners and no need to have them watching net traffic.
The settings on both ends have to match perfectly. Don't forget to set DNS for openVPN also.
I have a device through which I netflix on which I do not do other personal browsing.
Quite a shame though, but nothing netflix can do about that. :-(
1. They're blocking lots of torrent websites, using a VPN circumvents this
2. They're sending out letters to people saying "you're torrenting, stop". VPN stops this
3. Some ISPs throttle traffic to certain services and streaming sites, VPNs circumvent this
On the other hand, if your VPN operates in another country, some websites within your country may block you due to content licensing issues.
1) First VPN, that only my ISP and second VPN see: I choose one that's popular where I live, and commonly used for torrenting, and I have a torrent client up 24/7.
2) Second VPN, that only the first and third VPNs know about: I choose one that does business from a jurisdiction that isn't very friendly with my government and its friends.
3) Third VPN ...
4) Final exit VPN, that only the previous VPN and websites see: I choose one that doesn't attract too much attention. For Mirimir, that's IVPN, because I'm already so associated with it.
I've thought about doing it all in one OS, with iptables or pf to control routing. It'd be lots lighter, but more fragile.
I figure my ISP is quite likely to sell my data and do other unfriendly things. But I figure they are quite unlikely to attack my traffic and do other illegal things.
Even so, it's prudent to assume that your VPN provider logs, works with your adversaries, etc. Just like the Tor project assumes that any particular relay may be malicious. So Tor clients create three-relay circuits, to distribute the risk. And one can do the same with VPN services. I'm currently working through a nested VPN chain, using servers from multiple providers. I use pfSense VMs as VPN gateways, and workstation VMs. It's also easy to add Whonix to the mix, so I can use Tor through nested VPN chains.
If "Bob" wants to know who you are when you visit his website, he doesn't have any options to get that information. If "Bob" thinks you are violating his copyright rights, he can file a DMCA complaint against you. If "Bob" doesn't want people from Iceland to access his site, he can try to filter based on IP range.
VPNs do three things: 1. obscure your identity 2. obscure your location 3. prevent local inspection of your network traffic.
How effective that "obscurity" is depends on who wants to know and why.
If the VPN is malicious or self-hosted.
If the servers and the company headquarters are located in a country not part of the "14 Eyes", and most importantly, host a lot of other traffic that is not you, there is obfuscation, legal barriers, and plausible deniability that you did not do what "they" are claiming you did.
No advertiser is going to come after your VPN provider asking for logs, and even if they did your VPN provider is going to tell them to get fucked anyway. Again, unless the advertiser in question happens to be the federal government and they have a subpoena or a warrant, no VPN provider is going to give you logs to help you associate a user, I have no idea why you would even think that.
If you don't want traffic from users on the VPN you are free to block them (Netflix does this) but nobody is going to give logs over to a random webmaster to help deanonymize users.
If you want to remove the VPN provider from the question entirely (many of them are on the shady side), you can use Algo to automatically deploy a Digital Ocean droplet or Linode instance to relay your connections for you. However this doesn't fundamentally change anything - if someone comes after you with a warrant or a subpoena, then Digital Ocean/Linode is going to give you up.
https://github.com/trailofbits/algo
This is not exactly a difficult concept to understand so if you have asked this question repeatedly and still aren't satisfied with the answer, perhaps you should look inward.
Some VPNs imply this when they claim they don't keep logs on their users.
They absolutely are for a huge number of people. Why do you think so many VPN's advertise the fact that they don't keep logs? I imagine far (_far_) more people use VPN services as a way to evade copyright holders than as a mechanism to avoid marketers (most people don't give two craps about the latter issue.)
BTW, was the snarky bit at the end really necessary?
isn't SSL supposed to do that? At most an ISP ought to only be able to sniff the domain.
Sell what exactly?, the domains you visit because with SSL that is all what they know.
>It seems in the latter case, even with a malicious VPN, it's one additional (maybe trivial step) to associate me. But it's still better than just using your own ISP. Isn't that why people use VPNs to avoid DMCA letters from their ISP?
I'm not sure how you made this jump. If the provider doesn't have logs, Bob can't find you. The end.
That's when a good VPN provider will tell you to piss off.
Plus I doubt many VPNs that actually do logging will have the fingerprint data.
2. oVPN.to is probably a good idea, as long as you are not based in China
3. Pay anonymously for the VPN. If it need to be really secure, only access VPN via TOR.
Every TCP connection is uniquely represented by (src ip, src port, dst ip, dst port). Bob can provide all four of these, and a timestamp, to the VPN provider. The VPN provider can then resolve that to a specific user if they are logging connections.
* Inability to send mail though a mail program
* Daily disconnections of VPN service
* Captchas and other verification/friction when using services (eg youtube, amazon etc)
* Some services may believe you are in a different country incorrectly, meaning you have to force them to use the right location, or be happy with it being wrong
* Some services will not work at all (for example purchasing through apple)
* Paid streaming services – like netflix, hbo go and amazon streaming will likely not work at all
* You may not be able to port tunnel traffic inside the VPN
And of course you have to trust the provider. For example PureVPN claims 'no logs' but it seems that isn't the case...
https://betanews.com/2017/10/09/purevpn-logs-fbi/#comments
There is a lot of friction in using a VPN. Which makes the idea, often proposed by technical people that if you are worried about privacy - 'just get a VPN' either naive or disingenuous. That said even with the friction it is worth the cost and hassle IMHO.
In practice you have to have a way to flip on and off VPN on some machines/devices.
There is more discussion on this here...
http://www.toytheory.com/?p=295
(edit: fix formatting)
I believe there is the alternate option of setting up your own VPN .
Instead of using AWS, you could set it up on an additional router or on your PC/pi wherein you'd lose the advantage of anonymity amongst other users but your information is still encrypted to be acceptably safe.
The arguments here often sound similar to "experts" that complain about 2 factor auth: Sure, it's not perfect and there are better solutions in some cases, but it's still better than nothing for a lot of people.
(a) There's not much you can do with VPN that you can't do with SSH (actually I can't think of anything). And SSH is much more configurable.
(b) To avoid tracking of your browsing it is not a smart idea to pipe all your browsing through the servers of one VPN provider. A smart way would be to split up browsing streams, not to combine them.
I'm very sceptical about Mozilla writing such an ad page and trying to sell it as a reasonable technical blog post.
For most end-users, there is nothing they can reasonably do with ssh.
Everybody who is able to repair a bike though is also able to use SSH.
https://github.com/trailofbits/algo https://github.com/Angristan/OpenVPN-install
Either of these options, depending on your preferences (protip: use Algo, unless you're in a place that blocks IPSEC VPNs...It's cheap enough to have both available). This at least covers the basics of what they're talking about being snooped in the post. Then you don't have to worry about trusting the VPN provider (but you do have to worry about trusting your cloud provider).
If your threat model is different, you might want to be in a pool of users, but you can use the same service and solve this problem socially...
That won't give you any privacy as anyone who wants to de-anonymize its traffic can correlate the fact that you connect to it with your IP (asking the VPS provider for logs) and that you bought it (asking the VPS provider for your banking info).
Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service). Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).
It only solves it against a particular ISP.
> Also you still have the same issue with virtually all of those paid VPN services (that you connect from your IP and that you paid for the service).
I completely agree, that's why I always maintain that only privacy by design solutions should be relied on (Tor and i2p for example).
> Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it is potentially a layer of separation from your bank account).
But they know the IP, so that's still identifiable information.
Use of one doesn't exclude another.
I don't think that adds any privacy, setting up your own non-exit relay and connecting to it may significantly increase your privacy depending on your threat model (since then you can be sure that no single point in your Tor circuits controls both the entry node and exit node, and hence can't correlate your traffic. You're still vulnerable to a global passive adversary (GPA) of course).
..links to github repos...
You are blessed with technical skills and experience so this is trivial to you (and many people on HN), but there are tons of people out there for whom this is not a trivial task.
I've been putting off setting one up for a while.
A lot of folks are doing their automated testing with AWS systems and blocking those IPs would likely cause a lot of people some headaches.
The DNS blackhole that Algo by-default puts ad providers in causes me more problems than that, in all honesty, because occasionally I have to log into service like Hubspot that are blocked.
EDIT: another poster mentioned Algo [1]. This method requires a high degree of savvy and entails a higher level of difficulty, but looks much more configurable.
[0] https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-pr...
[1] https://github.com/trailofbits/algo
Inconvenient and cumbersome at best.
Every VPN has an endpoint, and whether that endpoint is acceptable depends on your use case.
And then I realize the question is actually about third-party VPN proxy services, which seem to be a substantially different use-case.
It's just a shame that the term "VPN" has become so ambiguous.
1. Add a VPN host to your home network, either as another role on your router/firewall or as role on a host inside your network. For example, if you're running pfSense as your firewall, you can add an IPSec/L2TP or OpenVPN role to the pfSense host. Many hardware router/firewall devices have VPN host capabilities. You can start simple by defining users at the VPN host. Later you can use your home network's LDAP directory for users, but I personally didn't bother doing that.
2. Set up your laptop(s) and phone(s) to connect to that VPN. Disable "split tunneling" on the devices. If split tunneling is enabled, only traffic that is intended for your private network would be sent to the VPN. Disabling it requires that all traffic—even traffic destined for the public Internet—needs to be routed through the VPN host.
3. Connect to the VPN whenever you are outside of your home.
4. You can optionally assign a static private IP to each device so that when you're connected, all devices use known IP addresses that you can name using a local DNS server. This would allow you to, for example, reach your laptop by the name "laptop.yourdomain.org" (or whatever). I give all of my devices hostnames so that I don't need to remember their IP addresses.
5. The result is you have a personal "virtual private network" that facilitates private LAN-like communication between all of your devices. For example, I use this to access my personal file server from anywhere.
6. You can get even more sophisticated by setting up site-to-site VPN connectivity between your home network and a machine or network you run at a data-center. This allows you to, for example, reach not just your home file server but also manage your personal public-facing Internet services running at your data-center hosted machine or VM—from any of your devices.
This is where I’ve always got hung up. I’ve for a long time wanted a static URI for a machine at home (e.g. SSH, IRC bouncer, music files, etc.)
I assumed I’d have to use some kind of local host tunneling solution (like pagekite.io), which are either expensive or difficult to trust/rely-on, or register as a business to get a static IP.
Any tips?
However, the entire scenario relies on you having at least one static IP address for your firewall/VPN endpoint. You need to be able to reach that from anywhere on the public Internet.
I can even access my home automation system. Shoot, I have one installed at my mom's house and can monitor her furnace when she's on travel in the winter. Everyone would enjoy a personal VPN.
https://www.dd-wrt.com/wiki/index.php/OpenVPN
Once you have SSH access to home there are a number of ways to tunnel your traffic (on desktop platforms, not sure about mobile). Sshuttle works pretty nice. You can also optionally just tunnel traffic for certain apps or browser profiles by using ssh -D (SOCKS5 proxy)
Access the internet, then smash the entire thing and throw it away and repeat.
I was just giving an extreme example for true anonymity now, something we just sort of had on the internet in the 90's.
http://www.pivpn.io/ https://pi-hole.net/
Insanely easy to get running: plugged it in to my home router, and now I do all my remote browsing from my home network. I HIGHLY recommend it. I know it doesn't help with privacy, since you're using your home network, but I'm currently more concerned with WiFi hacks, pineapples, and the like.
I'm curious if anyone has any commentary on other providers worth looking into. BVPN is based in Hong Kong which has a strong history of pro-privacy AFAIK, and they claim to not even have the technical ability to keep logs of relevant info. Either way, I think I'd rather have some random Hong Kong company have my semi-anonymized info rather than my ISP.