I use a self-hosted OpenVPN install on a Digital Ocean droplet to simply encrypt traffic (UDP/443) from my ISP. One plus is that I have a clean US IP address that isn't blocked by most services. This is just for security and geolocation, not anonymity.
For anonymity I use Private Internet Access as they have a fast network, lots of locations, and no logs. They're also very affordable.
I also use IPredator sometimes since they're the same folks that run Njalla and I simply like to support them.
Any VPN is better than no VPN. But I use Private Internet Access. The interface has gotten really slick in the last year - very nice to use. You can pay using random anonymous gift cards (essentially cash). And they are the only VPN that has been tested in the court of law (they were ordered to turn over all the records they had on a customer, and they did - nothing).
I'm using Mullvad. On the plus side, their servers are the most reliable I have seen, and they provide IPv6 addresses (behind NAT, which is reasonable for privacy). On the minus side, since November 2017 they intercept DNS queries and answer them themselves (hence you can not use DNS service of your choice), unless you connect to a specific undocumented OpenVPN port (1400 or 1401) available on a small but diverse subset of their servers.
I believe I can quote the response to my support request:
«We added iptables rules to hijack all DNS requests on port 53 going via the VPN tunnel, this is to protect users having set a DNS server unknowingly (or by malware). We are aware that not all users want this behaviour, and we intend to add an extra port that OpenVPN listens on, where DNS hijacking will not happen.»
Some VPN providers (including Mullvad) have a client-side feature called DNS leak protection that configures the system to use the provider's DNS server. I don't know how Mullvad decided that this was not enough, and they are justified to intercept DNS. (Note that for the server-side intervention to work, the client side must be configured not to use ISP DNS, hence the client-side DNS leak protection is a prerequisite.)
If it's for anonimity I've been told PIA is a good option.
If it's to bypass georestriction and protect your traffic from being snooped by your ISP or any clients that could attempt to sniff your traffic, hosting your own on a VPS is a good option. OpenVPN, OCserv or Outline (based on shadowsocks) are some options.
Be wary of folks recommending individual services... the VPN market has been hot in the last few years, and most recommendations should be treated with a fair bit of skepticism.
That was a great site. I liked the option for a colorblind readable chart, I have a few colleagues that have to use plugins and other weird gadgets differentiate red and green. Also bonus point for the CC license.
I have wireguard setup on a DO instance of <wherever region I need>. It is very fast and easy to setup for technically inclined : https://www.wireguard.com/
Cannot agree with this enough. When I first started looking for a VPN, the only source of information I found were these disingenuous websites that based their reviews off how much vpns were paying them, with every off-site link being a referral. thatoneprivacysite is by a landslide most unbiased source of information I found on VPNs.
> Although PIA is U.S. based, they keep no logs and then they have their famous "FBI" case which they did not provide anything to them.
You know the NSA just puts a gag order and connects directly to the targets infrastructure. Doesn't matter that PIA doesn't keep logs, NSA's prism is logging everything.
Yup I know about gag orders, etc... I completely agree with the statement that if you care about privacy better go with something else not in U.S. or anywhere in the 14 eyes countries if you are really paranoid.
I can also rep Mullvad, they also allow people to pay in Bitcoin or even mail them money (with your account number attached) and they'll add time to your account.
I've been using them for a few years now and never had any issues.
If you're a US citizen, perhaps not. NSA has open season for anything that isn't in the U.S. They can bring their full offensive capability to bear on foreign targets and largely do whatever the hell they want.
Domestic? Not as much. It becomes more of a legal/NSL game then. Granted, I'm sure GCHQ can (and does) compromise U.S. VPN providers.
Obviously it's far more complex than that, but if you're a U.S. citizen using a US-based service, there are some protections afforded.
On the other hand, I tend to believe Russ Tice when he says NSA conducts full-take domestic collection, so the aforementioned protections are largely data minimization practices, and thus they already have all your data.
Of course, Obama significantly weakened those protections prior to leaving office, as well as increasing the scope of NSA's sharing to include a disturbing amount of federal law enforcement agencies.
NordVPN -- it's one of the best IMO for security/company location. I also made my decision via the spreadsheets and analysis from the already-mentioned https://thatoneprivacysite.net/vpn-section/
It's $79 for two years, but they also have per-month subscriptions.
I currently use IPVanish. I'm pleased with the uptime and service. Every now and then I get disconnected and everything reverts to using my normal connection, which isn't very secure.
To answer "Which VPN?" you first need to answer "Why VPN?" because there are a lot of different reasons for using a VPN.
If it's just privacy from snooping, you'll be fine with setting up your own VPS with OpenVPN. It's simple enough that any technical person can do it in a few minutes (or hours).
68 comments
[ 2.9 ms ] story [ 128 ms ] threadFor anonymity I use Private Internet Access as they have a fast network, lots of locations, and no logs. They're also very affordable.
I also use IPredator sometimes since they're the same folks that run Njalla and I simply like to support them.
1: https://sfconservancy.org/news/2016/mar/02/PIA-LCA-matched/
2: https://pia-foss.github.io/
«We added iptables rules to hijack all DNS requests on port 53 going via the VPN tunnel, this is to protect users having set a DNS server unknowingly (or by malware). We are aware that not all users want this behaviour, and we intend to add an extra port that OpenVPN listens on, where DNS hijacking will not happen.»
Some VPN providers (including Mullvad) have a client-side feature called DNS leak protection that configures the system to use the provider's DNS server. I don't know how Mullvad decided that this was not enough, and they are justified to intercept DNS. (Note that for the server-side intervention to work, the client side must be configured not to use ISP DNS, hence the client-side DNS leak protection is a prerequisite.)
1: https://github.com/StreisandEffect/streisand
2: https://github.com/trailofbits/algo
If it's for anonimity I've been told PIA is a good option.
If it's to bypass georestriction and protect your traffic from being snooped by your ISP or any clients that could attempt to sniff your traffic, hosting your own on a VPS is a good option. OpenVPN, OCserv or Outline (based on shadowsocks) are some options.
Links
-----
https://openvpn.net/index.php/download/community-downloads.h...
https://ocserv.gitlab.io/www/features.html
https://openvpn.net/index.php/download/community-downloads.h...
https://getoutline.org/
https://www.shadowsocks.org/en/index.html
Be wary of folks recommending individual services... the VPN market has been hot in the last few years, and most recommendations should be treated with a fair bit of skepticism.
But any vpn should be treated with skepticism as many have noted here.
https://thewirecutter.com/reviews/best-vpn-service/
https://vpnreport.org
IVPN, Mullvad are not in U.S. jurisdiction if you are concerned about that. Most people are not and just want a VPN to hide shit from ISP, etc...
Although PIA is U.S. based, they keep no logs and then they have their famous "FBI" case which they did not provide anything to them.
I myself personally use IVPN, but I have used Mullvad as well.
https://thatoneprivacysite.net/vpn-section/
This is the best resource for vpn reviews, ignore everything else.
Also https://www.privacytools.io/ is great overall and they do have a vpn section
https://www.reddit.com/r/VPN/ has a bunch of more info as well.
You know the NSA just puts a gag order and connects directly to the targets infrastructure. Doesn't matter that PIA doesn't keep logs, NSA's prism is logging everything.
Domestic? Not as much. It becomes more of a legal/NSL game then. Granted, I'm sure GCHQ can (and does) compromise U.S. VPN providers.
Obviously it's far more complex than that, but if you're a U.S. citizen using a US-based service, there are some protections afforded.
On the other hand, I tend to believe Russ Tice when he says NSA conducts full-take domestic collection, so the aforementioned protections are largely data minimization practices, and thus they already have all your data.
Of course, Obama significantly weakened those protections prior to leaving office, as well as increasing the scope of NSA's sharing to include a disturbing amount of federal law enforcement agencies.
It's $79 for two years, but they also have per-month subscriptions.
https://torrentfreak.com/vpn-services-keep-anonymous-2018/
https://thatoneprivacysite.net/vpn-comparison-chart/
http://vpnspeedtest.org/
If it's just privacy from snooping, you'll be fine with setting up your own VPS with OpenVPN. It's simple enough that any technical person can do it in a few minutes (or hours).
Or $60 on DigitalOcean or Linode a year at $5/month.
If you want to setup your own server, then Streisand.
I used both and they work well. Using ExpressVPN right now in China.