Great news! I’ve always liked PIA, but the closed source nature of it did require a certain degree of trust. No offense to anyone, but “trust” and “vpn” should be an uneasy combo. This way I’m not in forced to trust my demonstrably untrustworthy ISP, or a VPN. Thanks PIA.
Yeah true. Also by open sourcing the chrome extension maybe someone can port this to Firefox. I think it should be relatively easy after the recent move by Firefox to webextensions.
PIA works with OpenVPN, their Windows app was (maybe still is) just a pretty interface on top of OpenVPN, but the trust has nothing to do with the client imo, it lies more in trusting them when they say thry don't do any logging or eagerly cooperate with adversaries. They xlaim they don't log, but how do I prove that?
It still requires a certain degree of trust, this changes very little actually. The server side code is still proprietary, and even when it is not (according to their plans) you still have to trust that what they are actually running is an unmodified version of what they have released.
In addition to all of that, you are still funneling traffic through them AND they are still under US jurisdiction, regardless of the license they choose to use for their software.
I'm not one of those "VPN services are useless" fanatics, but "“trust” and “vpn” should be an uneasy combo" it's not an uneasy combo, it's pretty much your only option.
The amount of trust required for their front-end applications is minimal to the point of non-existence.
The real trust you have to afford them lies with the company and what they do or don't do with your data.
I have been a happy user of PIA for quite a while, and highly recommend their service. I've used their proprietary app for a while, and have just trusted their service based on their public image. I'm glad it's going open source, i'll be contributing.
$35 + some technical/tutorial-following knowledge to setup an IKEv2/OpenVPN server on a Raspberry Pi is better than $100/year for a VPN provider if your threat model is just "Open WiFi is sketchy" or "XYZ network blocks YouTube"
Also as someone who has a couple of Raspberry Pis in his house, memory card corruption is real and it’s annoying as hell. If I wanted an OpenVPN gateway I would not want to run it on Raspbian. Maybe on a distro that runs purely in memory after boot.
But like the other person said, if you value your time it is almost certainly not worth spending time on setting this up yourself, even if memory card corruption was not an issue.
I am also super hesitant to rely on a raspberry pi for anything that should really work, networking related, considering that the ethernet interface is actually a USB 2.0 device hung off a very cheap USB bus. It's not like having an Intel or Broadcom PCI-Express interface NIC on the motherboard of an x86-64 platform PC. It also has only one NIC. All of the methods to get >1 NIC on a raspberry pi use additional USB devices and are ugly hacks IMHO.
If you are experiencing corruption issues you are likely using a USB power supply that is not sufficent, for the rpi3 you need at least a 2.5 amp supply to ensure reliability.
Please make sure to report that to PIA support, they do have some solutions available. Worst case, it gives them evidence that it's time to rotate IPs.
I've actually found the opposite to be true. Sites seem to focus more on preventing scraping and block VPS IP's more often than commercial VPN. For example, Craigslist on Digital Oceans IP's is hilariously throttled to ~256 bytes per second. Crunchbase always tosses up a CAPTCHA. This was mostly the same for Linode.
Hey PIA, mind if I throw my little server in your datacenter? No you can't access it though. I promise it'll be properly secured! Hey! Why are you walking away?
This is actually less insane than it sounds. Most VPN providers rent space at traditional datacenter providers like Equanix. Search for "dedicated server hosting" and "colocation providers" for the exact same list of vendors that the VPN companies consider.
Very true! Unfortunately, your RPi is going to have only one user in responsible for traffic. Commercial VPN providers act as a multiplexer to hide who is responsible for what traffic. Ideally you'd have at least a Type III anonymous remailer mixing your traffic, but then you're dealing with much higher latency. As with everything, there is a compromise between the effort required to break a security system, the ease of detecting such a break, and the burden of using the system.
I'm not sure what point you're making about colo and transit costs. Are you saying that operating your own has higher costs? Or that a commercial VPN provider has higher costs? I'd be very interested in a price analysis that beats PIA while offering a remotely similar security profile. Keeping an RPi at your house provides defense against totally different threats.
Given that it's named Private Internet Access, I would think many of their customers are also concerned about privacy.
If a Raspberry Pi self-hosted VPN gets you what you need, great, but it doesn't do the same things as a large VPN service where your traffic is mixed in with all the other users exiting from the same server.
Sorry I should’ve been more clear. I meant that people who go the route of setting up their own vpn server are more concerned with security. I think we’re on the same page, and I agree with you about the importance of privacy to PIA users.
The point is to create a transparent SSH or IPsec tunnel from your home network. The raspberry pi is one endpoint of that tunnel, the VPS is the other endpoint.
Ah, I see. Seems like that would still be easy to isolate a house’s VPN traffic from the typical connections coming out a server, but it takes some guesswork, protects your home IP address, and keeps your ISP from seeing what you’re doing.
Many people are not simply paying for an encrypted connection, they're mainly paying for a) an IP that cannot be easily attributed back to them, and b) a large garbage can for DMCA complaints.
The Raspberry Pi provides neither of those, and requires occasional maintenance.
in my experience a lot of people are paying for the experience of a vpn provider that, without putting it in writing on their sign up page, basically sends DMCA abuse emails to /dev/null , and if US-based, will require a court order or subpoena to divulge subscriber details. For fully automated DMCA abuse threat emails, the cost of the manual labor (on the part of the threat-sender) is too high to individually attempt court orders or subpoenas of VPN ISPs for a particular customer, except in very exceptional circumstances.
Can you elaborate on this setup? A portable VPN server, is that correct? You have a Pi that has openvpn installed and you connect to the Pi? Do you have issues with captive portals
example the coffee shop or hotels?
there are a pretty large number of commercial openvpn service providers, that if you pay for 1 or 2 years of service, the cost will range from $2.80/month to $5.50/month. I would be surprised to pay $10/month. I have my own OpenVPN endpoint for testing which exists on a $5/month VPS, but it has a 2TB/month transfer quota, while many commercial openvpn service providers have no transfer quota per month.
Ideally you want to have both, if you move a lot of vpn traffic (cough cough, 4k HEVC torrented things), you can have your own openvpn setup on a KVM VPS you fully control with root, and also a commercial $3/mo openvpn service where you won't run into a 1 or 2TB/mo limitation.
here's the pricing for a fairly normal commercial openvpn service provider:
This is like the comment on the Dropbox thread when it launched. "Why would I pay for this when I can [insert 5-step process here that is not at all easy for the vast majority of population]?"
> For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem.
Am I the only one that does both? I use OpenVPN to connect from my remote devices to my home router. My home router then uses an OpenVPN tunnel to PIA for all Internet bound traffic.
For those saying that anyone setting this up at home doesn't value their time, my router has built-in support for OpenVPN in both server and client mode. The VPN connectivity and tunnel to PIA took me about 15 minutes to configure a couple of years ago and besides having to update the PIA password has required no real maintenance.
For many, I'm sure they feel their time and/or convenience is worth more than the price difference. It doesn't take a ton of time, but it's enough of a time/effort that I don't think it's wrong to assume that many just want to sign up for a service and have it work instead of building their own.
This suggestion assumes time has a cost of zero. Not to mention, some solid VPN services (Mullvad) can be had much less than $100/year.
Of course anyone who doesn't wish to run a proprietary client can simply use their OpenVPN gateway; they have always offered that option in addition to their own client.
What do you expect from your VPN provider? PIA is a U.S.-based company. Don't trust them when you are seriously endangered. They are most likely collaborating with U.S. intelligence. If you don't think so, nobody believed the same for Facebook and Twitter, until Snowden...
I tried it myself, and the service was fine except for a complete lack of IPv6 support (the client disables IPv6 to stop leakage, but no actual usage), which is kind of crazy in today's day and age.
GCHQ (UK), BND (Germany), France's equivalent (I forget the name), and others I am probably unaware of have been caught doing pretty widespread surveillance.
So, technically not the EU, but multiple EU countries.
GCHQ (UK), BND (Germany), BRGE/Directorate for Internal Security/Directorate for External Security (France) have been spying similarly and engaging in information sharing with the US.
The UK, France, and several other EU countries have passed internal surveillance laws that are as bad or worse than the US.
I've been a PIA customer for years, but part of me has always suspected that PIA was setup and is run by some covert arm of NSA or the sort. But, since their service does what I need, no worries.
I've occasionally had a similar thought. I'm primarily worried about non-state actors though (botnets as well as those aggressive and anti-human AIs known as corporations and trade associations), and I assume that if it is run by the NSA they won't blow their cover just because the MAFIAA is irritated over something I'm doing.
I've been happy with PIA. Except for the increased blocking of commercial VPN's (address spaces, I assume) by services on the Web. Not PIA's fault. Just people looking to solve their problems at the expense of my own security.
I waded into PIA's client enough, months back, to observe that it was using OpenVPN. Along with its reputation, I decided I had enough trust for my use -- avoiding connection monitoring/cracking on public WiFi and keeping Comcast and Verizon from data mining me.
I do sort of wait, with all these services, with breath half-held for some other shoe to drop. Given the rubber hose and lead pipe legal and extra-legal methods available to various and manifold "three letter agencies".
I hope the open-sourcing of the client leads not only to increased trust, but also to some functional improvements. Such as being able to leave PIA switched on on my phone while tethering to it. Without having to root the phone and get into routing scenarios that apparently Android is not designed to support. So, I guess that's an Android problem. But maybe there's some way to address it at the client level.
Anyway. PIA keeps taking substantive steps (e.g. prior financial support for open source projects, now open-sourcing the client, etc.) that put it in a good light.
P.S. I don't mean blocking by Netflix and the like. I mean, archive.is, Google (prove you're not a bot...), commercial services I use, etc., etc.).
> Except for the increased blocking of commercial VPN's (address spaces, I assume) by services on the Web.
Tragedy of the commons.
At my workplace - an e-commerce platform - we're flagging or blocking customers who use commercial VPNs.
The reason for this is simple: almost none of our legitimate customers use VPNs, but the vast majority of fraudsters do. Fraud is a massive issue for any e-commerce business and no other anti-fraud measure is as effective as this one.
I've said this elsewhere, but I'm trying to help, not spam!
Please make sure to report evidence of blocking to PIA support, they do have some solutions available. Worst case, it gives them evidence that it's time to rotate IPs.
Even for stuff like netflix/hulu? Asking out of curiosity - I leave PIA off for the most part because of the IP blocking, and only turn it on when I feel that I need it.
This is better than nothing, but the fact that it's only _client side applications_ means that this is doesn't add much security for PIA users. The largest threat of PIA has never centred about their client app, but in their server-side business practices. Count me as one of the people concerned about PIA's trustworthiness.
I would be very interested to know what you think a VPN provider could do to assure users that the servers are safe.
I've yet to see an example verifiable safe server configuration, but some people have claimed that SGX might do. I'm pretty sure that wouldn't work with stock OpenVPN or StrongSWAN today.
Are there any other practices they could adopt that would ease your worries?
In 2018 there is no reason to use anything other than algo vpn. I don't understand why anyone reading this comment would trust PIA or any other 3rd party.
DCMA abuse emails being put into /dev/null, most VPS providers do not do that. Also a promise to insist on subpoenas or other expensive methods before they would comply with requests.
Also why do you trust your VPS provider over a VPN provider? They can inspect your VMs memory and do whatever else they want to the machine. Same with whoever owns the real estate that you co-locate your own physical servers.
> why do you trust your VPS provider over a VPN provider?
They simply don't have the resources to log every single memory read/write and every network connection of all their hosts. Thus you would have to already be a known target for them to want to do that. Whereas a VPN provider has a limited scope of what they can log and thus needs a fraction of the resources to log everything.
I know nothing about their trustworthiness - they do have a good reputation.
In general, though, if a three letter agency wanted to spy on interesting web traffic, the traffic of people who "have something to hide", then targeting VPN servers would be more fruitful than the general Internet.
They have a good reputation, because they sponsor a whole bunch of open-source projects, which people like to see. I'm not aware of a good reputation for things that actually indicate how they run their service.
Things that have irked me so far about their service:
- That their applications were not open-source so far. Why even sponsor open-source, when clearly you don't care for it too much yourself.
- Google Analytics on their webpage. Literally a service supposed to protect your IP address and the first thing they do when you dare to even look at their service, is tell the biggest data broker on the planet about it. (This is a problem with most VPN providers.)
- The company behind it, London Trust Media Inc., operates from the USA, putting it into one of the least privacy-friendly and least predictable jurisdictions on the planet.
- Their privacy policy isn't bad, aside from the aforementioned Google Analytics and that they use your e-mail address for promotional mails, but it's not good either. If you're so great on privacy anyways, then use your privacy policy to legally bind yourself to your standards and provide your customers with a service that has at least any kind of insurance of what it promises.
That they provide OpenVPN access does not change the discrepancy in their choice of sponsoring and their own doing.
And well, you should care for the US jurisdiction, whether you're from Europe or anywhere else on the globe. It means that the various three-letter agencies there probably have access to your internet traffic.
What I mean is that the regulations in the US are not relevant for my kind of activity (which is not criminal, which could warrant international operations via Interpol).
Privacy-wise, you are right. I have all my data in Google so the key parts are already there.
> over the next six months we will be releasing the source code for all our client-side applications
They weren't already?!
Come back when you've AGPL'd your server-side software. Then I'll believe you're committed to open source; and I'll trust you, because you'll be legally obliged to be honest about what's running on your servers.
>Come back when you've AGPL'd your server-side software. Then I'll believe you're committed to open source; and I'll trust you, because you'll be legally obliged to be honest about what's running on your servers.
It's not how it works. The copyright holder isn't obliged to follow AGPL (or any other FOSS license) terms.
No, they won't - or at least, no more so than they are now. Licenses grant rights to people who didn't have them previously. They do not restrict rights.
I've been using their service with OpenVPN for years and I've always been very impressed. Them going open source, and ultimately being auditable, makes them that much more recommendable.
109 comments
[ 5.8 ms ] story [ 433 ms ] threadIn addition to all of that, you are still funneling traffic through them AND they are still under US jurisdiction, regardless of the license they choose to use for their software.
The amount of trust required for their front-end applications is minimal to the point of non-existence.
The real trust you have to afford them lies with the company and what they do or don't do with your data.
2) PIA takes less than a minute to setup on every device. Download the app, login, and you pretty much never have to worry about it again.
Your alternative is more expensive, more resource-hungry, and more of a pain in the ass.
But like the other person said, if you value your time it is almost certainly not worth spending time on setting this up yourself, even if memory card corruption was not an issue.
The Swiss and Norwegian servers are blocked on almost no sites.
PIA state they don’t keep logs on their servers, they can’t provide those guarantees on the network as they don’t run the networks they operate on.
Plus colo and transit costs more than paying for a slice of resource someone else is already hosting, so there goes that price model.
Hey PIA, mind if I throw my little server in your datacenter? No you can't access it though. I promise it'll be properly secured! Hey! Why are you walking away?
I'm not sure what point you're making about colo and transit costs. Are you saying that operating your own has higher costs? Or that a commercial VPN provider has higher costs? I'd be very interested in a price analysis that beats PIA while offering a remotely similar security profile. Keeping an RPi at your house provides defense against totally different threats.
Do you have a source on this?
If a Raspberry Pi self-hosted VPN gets you what you need, great, but it doesn't do the same things as a large VPN service where your traffic is mixed in with all the other users exiting from the same server.
The Raspberry Pi provides neither of those, and requires occasional maintenance.
He listed the reasons where this is useful. And it definitely is useful for those reasons. Your list is unrelated.
Ideally you want to have both, if you move a lot of vpn traffic (cough cough, 4k HEVC torrented things), you can have your own openvpn setup on a KVM VPS you fully control with root, and also a commercial $3/mo openvpn service where you won't run into a 1 or 2TB/mo limitation.
here's the pricing for a fairly normal commercial openvpn service provider:
https://www.purevpn.com/order
> For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem.
https://news.ycombinator.com/item?id=8863
For those saying that anyone setting this up at home doesn't value their time, my router has built-in support for OpenVPN in both server and client mode. The VPN connectivity and tunnel to PIA took me about 15 minutes to configure a couple of years ago and besides having to update the PIA password has required no real maintenance.
This suggestion assumes time has a cost of zero. Not to mention, some solid VPN services (Mullvad) can be had much less than $100/year.
That said, it could be a fun project regardless.
I'm assuming an error in the sentence above and it should say NOT before offer. Seems like a little proof-reading would have been worthwhile.
Isn't that kind of weird for a privacy-focused company?
So, technically not the EU, but multiple EU countries.
The UK, France, and several other EU countries have passed internal surveillance laws that are as bad or worse than the US.
None of these countries have strong privacy protections except against corporations.
PIA has lots of gateways [1]. Some of them are outside the United States.
[1] https://www.privateinternetaccess.com/pages/how-it-works/
I'm talking about their website.
I waded into PIA's client enough, months back, to observe that it was using OpenVPN. Along with its reputation, I decided I had enough trust for my use -- avoiding connection monitoring/cracking on public WiFi and keeping Comcast and Verizon from data mining me.
I do sort of wait, with all these services, with breath half-held for some other shoe to drop. Given the rubber hose and lead pipe legal and extra-legal methods available to various and manifold "three letter agencies".
I hope the open-sourcing of the client leads not only to increased trust, but also to some functional improvements. Such as being able to leave PIA switched on on my phone while tethering to it. Without having to root the phone and get into routing scenarios that apparently Android is not designed to support. So, I guess that's an Android problem. But maybe there's some way to address it at the client level.
Anyway. PIA keeps taking substantive steps (e.g. prior financial support for open source projects, now open-sourcing the client, etc.) that put it in a good light.
P.S. I don't mean blocking by Netflix and the like. I mean, archive.is, Google (prove you're not a bot...), commercial services I use, etc., etc.).
Tragedy of the commons.
At my workplace - an e-commerce platform - we're flagging or blocking customers who use commercial VPNs.
The reason for this is simple: almost none of our legitimate customers use VPNs, but the vast majority of fraudsters do. Fraud is a massive issue for any e-commerce business and no other anti-fraud measure is as effective as this one.
Please make sure to report evidence of blocking to PIA support, they do have some solutions available. Worst case, it gives them evidence that it's time to rotate IPs.
At home, Comcast is my only option. Verizon is the sole national provider (U.S.) with service in some areas I travel to.
Isn't this inherent to the model of a paid VPN service? (Could one run a VPN through a blockchain?)
you joke, but if you trust intel/arm, you can conceivably run a provably trusted (via remote attestation) VPN on SGX/TrustZone.
You can encode any information you want on a blockchain, and it can be anonymous and specific to the user.
But it would be ///painfully/// slow.
I've yet to see an example verifiable safe server configuration, but some people have claimed that SGX might do. I'm pretty sure that wouldn't work with stock OpenVPN or StrongSWAN today.
Are there any other practices they could adopt that would ease your worries?
Also why do you trust your VPS provider over a VPN provider? They can inspect your VMs memory and do whatever else they want to the machine. Same with whoever owns the real estate that you co-locate your own physical servers.
They simply don't have the resources to log every single memory read/write and every network connection of all their hosts. Thus you would have to already be a known target for them to want to do that. Whereas a VPN provider has a limited scope of what they can log and thus needs a fraction of the resources to log everything.
There are probably logging systems already in place to detect abuse, that would be extended to detect VPN style usage on top of that.
In general, though, if a three letter agency wanted to spy on interesting web traffic, the traffic of people who "have something to hide", then targeting VPN servers would be more fruitful than the general Internet.
Things that have irked me so far about their service:
- That their applications were not open-source so far. Why even sponsor open-source, when clearly you don't care for it too much yourself.
- Google Analytics on their webpage. Literally a service supposed to protect your IP address and the first thing they do when you dare to even look at their service, is tell the biggest data broker on the planet about it. (This is a problem with most VPN providers.)
- The company behind it, London Trust Media Inc., operates from the USA, putting it into one of the least privacy-friendly and least predictable jurisdictions on the planet.
- Their privacy policy isn't bad, aside from the aforementioned Google Analytics and that they use your e-mail address for promotional mails, but it's not good either. If you're so great on privacy anyways, then use your privacy policy to legally bind yourself to your standards and provide your customers with a service that has at least any kind of insurance of what it promises.
As for the US jurisdiction, I couldn't care less, being from Europe.
And well, you should care for the US jurisdiction, whether you're from Europe or anywhere else on the globe. It means that the various three-letter agencies there probably have access to your internet traffic.
Privacy-wise, you are right. I have all my data in Google so the key parts are already there.
They weren't already?!
Come back when you've AGPL'd your server-side software. Then I'll believe you're committed to open source; and I'll trust you, because you'll be legally obliged to be honest about what's running on your servers.
It's not how it works. The copyright holder isn't obliged to follow AGPL (or any other FOSS license) terms.
PIA is reliable and trustworthy.
Also, Rick Falkvinge! (Swedish founder of the original Pirate Party)
https://www.privateinternetaccess.com/blog/author/rick/