Ask HN: What is it like to run a VPN as a business?
Hello,
I'm going to set up my own VPN on some cloud hosting provider, and I'm toying with the idea of turning it into a small business.
Is there anything I need to know beforehand? Is it really that easy, or are there legal issues I need to handle?
Cheers
EDIT:
I should note that I know this is an extremely saturated market - I'm not aiming to build a hyper successful business, but moreso to manage a small public VPN as an ideological side-project. Anything above breaking even I'd consider a bonus.
96 comments
[ 3.3 ms ] story [ 135 ms ] threadAlso, running the VPN in a docker container is rather nice. There are a bunch of existing containers for that[1].
Oh, and if you're interested, Aruba Cloud [2] offers a 1 Core, 1GB ram VM in CZ and IT for 1 Euro/month. It comes with more than enough bandwidth for personal use.
[0]: https://github.com/hwdsl2/docker-ipsec-vpn-server
[1]: https://hub.docker.com/search/?isAutomated=0&isOfficial=0&pa...
[2]: https://www.arubacloud.com/
Therefore, we could only choose one of the following: security or anonymity, but not both, unless you becomes your own VPN provider and serves some customers for anonymity.
An alternative is Tor, but a compromised exit node still leaks HTTP site.
So, if someone could solve this problem, it would be a big selling point. I am not sure if it is possible to share an IP between different VPN nodes without an untrusted gateway in front.
So I've set up my VPN and also pay for another third-party VPN service, having best (or worst) of both worlds.
My gateway host is private, and I've decided that if it gets detected, I'll add an obfs4 layer on top of it. (Luckily, that hadn't happened - and I'm moving to another country in about a week. But that's a different story.)
All my first VPN does, is merely routing the traffic to an upstream VPN provider. This way I get a private entry point but also enjoy some degree of anonymity as my "final" IP addresses are shared with lots of other users. (Well, I share my gateway VPN with a few close friends. Maybe that's borderline cheating on the upstream VPN, but I don't see a way to pay them for my network-sharing guests anyway.)
Oh, and I don't need to reconnect to switch regions. I just made myself a tiny web service that changes the routing table used by my TAP connection, so whenever something doesn't work from one region I just need to click on a flag icon.
This is why I love* Tunnelbear's[0] GhostBear feature and it uses obfsproxy[1]. Very few VPN providers provide censorship circumvention like that
[0] https://www.tunnelbear.com/
[1] https://community.openvpn.net/openvpn/wiki/TrafficObfuscatio...
[*] No affiliation with Tunnelbear, just thought I would point out this feature
Not collecting any data would be the obvious choice.
My battle plan for assessing whether or not I would pursued this would be the following:
1. Who is my target market?
2. How big is that market?
3. How will you reach that market?
4. How can you test whether or not you can reach that market before getting fully invested?
5. Test out several ways to reach your market. Try changing the niche and marketing plan until you can find some positive signals.
6. Analyze the data and make an educated guess whether this is worth your time or if you would enjoy doing something else more.
As far as legal issues, I don’t have any good advice but talk to a lawyer. Look at some terms of use of existing VPNs. Find out where you are liable and try to mitigate your risks the best you can.
If you ever want to brainstorm some ideas hit me up at my email on my profile.
https://www.lowendtalk.com/discussion/138668/vps-for-us-netf...
Apparently there are a lot of people who would like to watch "US Netflix" but cannot do so from their location.
Living in NZ means you’ve got quite underprovisioned international pipe. 100mbps fibre realistically means 3mbps...
If a VPN could route you via their dedicated pipe...
- Do not sell the service in the country you run it.
- Really, do not run it in the US.
The technical side is pretty cheap compared to the legal manpower you need to protect your end users.
People use vpn for illegal stuff, and the least worst is Netflix then p2p. P2p if you are a facilitator could land you in jail.
My theory was - why bot setup virtual VPN provider that all such companies could buy. After all it’s simple and rea grunt of work is marketing and legal.
Legally, these companies are setup somewhere in Caymans et al.
Being such a shady business by definition, I have extremely hard time trusting such services. It’s like the most obvious honeypot / trojan horse ever.
That way, a hypothetical bad actor only needs to compromise one entity (you) in order to gain access those people who rely on you.
Aggregating vulnerability makes you a target, and puts your customers at risk - Especially when you're relying on third-party virtualisation providers for your infrastructure.
Control access to the machine/s.
This is more expensive, and not foolproof. But other hosting providers have so much access to track or log things, even if you don't want them to.
Support is okay, not the fastest. Downtime is rare but not unheard of, they've been targeted with big DDoS attacks. Server options expanding but not in tons of countries. Most trustworthy and reputable service because it has a CEO you can actually put a name and a face to, and the history of Protonmail.
I definitely don't trust NordVPN in particular, they advertise their "military grade encryption", and I have no clue who runs it.
[1] https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...
What other VPN would you trust? Mullvad, absolutely no clue who runs it. Private Internet Access had claims about logs proven in federal court at some point in the past, but I really still don't trust it.
Running your own VPN is one of the best options but you almost completely lose the relatively reasonable degree of anonymity that VPN providers serve to you. Depends on your objectives.
ProtonVPN's explanation was extremely hardly believable[1].
> Mullvad, absolutely no clue who runs it.
It's clearly stated on Mullvad's homepage[2]:
> The legal entity operating Mullvad is Amagicom AB. [...] Amagicom is 100% owned by founders Fredrik Strömberg and Daniel Berntsson who are actively involved in the company. The rest of the team includes Robin Lövgren, Simon Andersson, Linus, Richard Mitra, Sanny Mitra, David Marby, Odd, Andrej Mihajlov, Janito Ferreira Filho, Elad Yarom and Jan Jonsson.
[1] https://news.ycombinator.com/item?id=17775554
[2] https://mullvad.net/en/
At the end of the day, I can't name many (if any) VPN providers that operate their own data center, which is extremely important since they all (including ProtonVPN) lease from the same companies. ProtonVPN does provide Secure Core though (routing traffic through certain countries to attempt to mitigate exit node threats), too.
I wasn't aware about Mullvad, thank you for pointing that out. I still have little clue who those people are, while Andy Yen has given a TED talk, so he has some public presence. I'm personally more inclined to trust them.
Running your own VPN doesn't really anonymize you though. And like you said, depends what you want from the VPN really.
I don't trust anyone who uses "military grade encryption", period, even though it is just a marketing ploy.
ProtonVPN has their own data center of some sort in Switzerland. All VPNs are leasing the same servers from Leaseweb and friends (even ProtonVPN). They say it's in an underground retired army bunker, which sounds good for physical security assuming that's really the case. You never know for sure, but it's better than the alternatives.
VPN companies are notoriously shady, and I only trust ProtonVPN. I believe their service in _some_ respects is a cut above the rest, and I am willing to deal with multi-day customer service responses, DDoS attacks, and the like because of that.
I dunno, I don't really see what's so very wrong about this, as long as it's communicated clearly.
Exactly. It's not.
VPNs are often used for piracy, SPAM, and other nefarious purposes while residential proxies are primarily used to obtain access to data through web scraping. Large companies like Google are able to scrape the same sites without getting blocked already, and proxies help to level the playing field between innovative startups and established players. I can certainly understand the critique, but I strongly believe that the existence of residential proxies results in a lot more good than evil.
[1] - https://intoli.com
But since you brought it up, we both know residential proxies are especially attractive to bad actors and circumventors.
It's like how we're both capable of pitching Tor as the emancipator of the sanctioned journalist trying to publish the truth in the face of mortal danger. Yet 99% of Tor traffic to my websites is malicious despite our feel-good hypotheticals.
Of course, residential proxies are even better than Tor because a network can't just block the residential IP address space. ;)
> It's like how we're both capable of pitching Tor as the emancipator of the sanctioned journalist trying to publish the truth in the face of mortal danger. Yet 99% of Tor traffic to my websites is malicious despite our feel-good hypotheticals.
Of course. That's the reality of freedom on the radical edges — bad actors need it more than pro-social actors. Many of us choose to support radical freedom(s) anyway because the capacity for anyone to act* freely is judged to outweigh the negative effects from bad actors.
*browse, post, etc.
Seems quite knowing to me. That same FAQ page, which is very detailed, even provides an explanation of what permissions are used.
> In return for free usage of Hola Free VPN Proxy, Hola Fake GPS location and Hola Video Accelerator, you may be a peer on the Luminati network. By doing so you agree to have read and accepted the terms of service of the Luminati SDK SLA. You may opt out by becoming a premium user.
Inspires more confidence if they're kept temporarily but heavily protected.
The authorities will come after you first. Most large providers are located in some small country like Panama so they can't be sued or jailed.
The first questions they're going to ask is how can I trust you're not spying what I do. If you can convince your friends, then you can convince anybody.
Next is how do I use it / how does it work, that brings to make it as simple as possible. Minimal setup, no configuration, it just works.
Finally it's why should I use it. This can be "easy" because you can just look around the competition, see their messaging, find out which one you like better and copy it. Focus on benefits vs technical features and details. When consumers see something they don't understand, they leave.
I've never built a vpn, but I made a password manager (question 3 is relatively easy/understood), and now I'm making a security key (all these questions are proving to be pretty hard). Shameless plug, we're live on Kickstarter: https://solokeys.com/kickstarter
Operating this kind of VPN comes with its own set of unique technical challenges, such as avoiding DNS poisoning and offering the best protocols to use. Spinning up a homebrew solution on DO just doesn't cut it as an end user, so we rely on companies like these to provide targeted solutions.
A VPN provider that can focus on avoiding common blocking techniques would be very valuable to a lot of people.
A choice you need to make really early on when you're offering a VPN is how much data you want to log. Eventually someone will do something on your service that pisses someone else off. That could be torrenting, spam, defrauding the elderly, etc. Ideally you, but more than likely your provider will receive an angry letter. Whether or not you've logged will choose what you can do next. If you're not logging, and unable to stop complaints from coming in your provider might turn you off completely, so you'll want to pick a provider known to pass letters on without caring.
I blogged about our choice (we log) here: https://wonderproxy.com/blog/our-vpn-what-we-log-and-why/
1) Convincing providers to let you have VPN traffic on their networks. 2) Dealing with tons of DMCA complaints 3) Dealing with GDPR compliance in the EU 4) Maintaining compatibility for dozens of different user configurations and having apps in the mobile app stores 5) Dealing with credit card and payment fraud. 6) Dealing with law enforcement once you reach a certain scale (no, incorporating in whatever random island will not help you) 7) Maintaining constant uptime of your servers. When a user faces even a minute of downtime, their internet connection is now effectively broken and you are to blame. 8) Dealing with lots and lots of customer support issues and an endless mix of customer configurations which will have you ripping out your hair trying to resolve. 9) Constantly make sure your systems are secured from the latest exploits so you can guarantee privacy and safety of your users. 10) Maintaining a brand and a niche with mature marketing channels that keeps new users coming and paying for your service.
At the end of the day, its a very difficult company to run and its even harder to maintain profitability with so much competition.