Ask HN: What VPN service are you currently using?

318 points by _7bva ↗ HN
And would you recommend it? I've decided to get one and so far my only two requirements seem to be:

1. It should work with OpenVPN

2. It should support SOCKS5 (Proxy)

PIA, Nord, Mullvad, ZorroVPN, ProtonVPN look promising. On the other hand, SigaVPN is based on a not-for-profit model so I was not sure about it. What is your personal preference?

343 comments

[ 3.2 ms ] story [ 237 ms ] thread
NordVPN, its very good.
I use Algo[1] on a variety of VPS providers. It supports IPSec, but I only use Wireguard through it. Supporting OpenVPN is an explicit anti-goal for Algo[2].

I generally strongly recommend against using VPN providers on false advertisement grounds -- VPNs fundamentally cannot provide strong anonymity properties, but that doesn't stop many providers from listing anonymity as a selling point. In terms of the property VPNs can provide (privacy), you're better off maintaining as much control as possible over the service: you don't want to be tied to someone else's weak cipher or insecure protocol choices.

FD: I work for the company that made Algo, but have nothing to do with its development.

[1]: https://github.com/trailofbits/algo

[2]: https://github.com/trailofbits/algo/blob/master/docs/faq.md#...

Can you please elaborate a bit more why OpenVPN is risky per se?

I'd love to know more about this.

The FAQ I linked has the full details, but in short:

* OpenVPN's user experience isn't as good as IPSec's or (more recently) Wireguard's.

* OpenVPN uses TLS and specifically OpenSSL, meaning that it inherits substantial design and implementation flaws.

* OpenVPN's security track record is poor, both on the client and server sides.

I really appreciate it. I'm gonna read about Algo and give it a try for sure.
Another option via this route is Streisand.

https://github.com/StreisandEffect/streisand

Yes! I don't use it personally, but have heard positive things about Striesand.
I've used Streisand for a couple of years now with good result (running on a couple of Digital Ocean $5/mo instances). It takes a bit of setting up on new devices initially, but once done, is super smooth and easy to use.
Algo is also significantly cheaper than most offerings. A Digital Ocean instance is $5 a month.
If you do much video or file transfer, you'll easily go over the 1TB you get with your $5 Digital Ocean droplet.
Man, I love Wireguard; fast, stable and it doesnt destroy battery life. I only wish nixos didn't mess with configs, but I will fully admit that it is a very niche problem.
What do you mean? I only just started using Wireguard with NixOS, but I haven't run into any problems as of yet.
I just ran into a case where I needed a VPN for a short lived task. Ally bank blocks creation of time deposit accounts while in a foreign country, despite me already having an account with them.

Takes less than 10 minutes to setup a VPN with algo on DO and I just shut it down after my task was done. Cost me $0.02. The support for Wireguard + OSX Wireguard App is perfect and super easy.

Please tell your coworkers, thank you!

For simple usages like this, you can also create an SSH socks proxy with one SSH command, and then configure your browser to use a local port as a socks proxy.

Does not require any software installed on the server, and the whole setup should be quicker then configuring VPN server and client.

Also, an HTTP proxy is a couple steps more to setup, but will allow you to use command line tools on the client, not just the browser. The majority of command line tools support http_proxy and https_proxy environment variables.

An easy and pretty secure way to setup an HTTP proxy is: 1. Install tinyproxy. 2. Configure it to listen only on localhost and start it. 3. SSH port forward localhost:8888 from your server. For example to the same port on your client. 4. Configure your clients to use localhost:8888 as a proxy.

Of course there are alternatives like this and thank you for sharing, but in my eyes, this actually requires significantly more work and mental thought. Spinning up a droplet on DO and opening the config file in wireguard is literally executing one command and doesn't require touching my browser configuration. Takes a couple more clicks to just delete the droplet. Done.
Will do! I'm glad to hear that it worked well for you.
> you don't want to be tied to someone else's weak cipher or insecure protocol choices.

That's not part of the threat model for 99.999999% of VPN users though.

Tracing back the usage of the VPN to them is their main worry and what they have to fight against.

> That's not part of the threat model for 99.999999% of VPN users though.

You're right, and that's why it's not my primary objection. At the end of the day, the majority of VPN providers are still advertising themselves as anonymity services. This is patently false and dangerous to consumers.

What problem are you trying to solve?
ExpressVPN has been a really great experience in terms of price and ease of use. Been a customer for a few years now.
I like it as well, but Netflix blocks it much more than a year ago...it's a shame, because I travel a lot, and changing country means that I can't finish a series that I was watching in another country
Netflix blocks majority of VPN but in contrast Spectrum/Brighthouse is in long-term fight with Sling Tv and they block them unless you use VPN. So you win some you lose some.

ExpressVPN has been great to me and I continue to fail finding bad news about them. They dont offer any discounts tho and Im on $99/year plan but I was tempted to get NordVPN for half thatprice. I gave up on setting up their stone-age designed router software and came back to Express. Express has amazing software for N7000 router series and it allows me to exclude iPad that I use to watch Netflix while rest of network continues to be secure. So with their router software and $99/year you have unlimited amount of devices covered. Speed is amazing too and number of servers avail is very hight. Honestly I feel its worth double the proce I would pay for Nord, as I put it in my company costs anyways ;)

I could not recommend them high enough.

I'm using ExpressVPN Miami servers to video chat to Europe from Colombia, and the quality of the video feed is day and night.
I too use ExpressVPN - `expressvpn list` gives you a list of all VPN servers in all countries, not all of them are blocked. Support has been helpful (< 5 minutes reply time in an Australian Saturday night) in ferreting out one that works, even though back then the support person stated that they focus on keeping US servers unblocked.
also use expressvpn, close to 4 years now, it’s typically quite stable and i live shanghai, the updates are quite frequent, i suppose it’s to circumvent or make the service more available and the locations are plentiful. the cost is pretty high, 99 usd a year, but if you refer enough users, there’s a 20 usd discount.

the speeds are not great, but it just maybe because i’m in china, i couldnt watch hbo go or stream netflix at the time, i use it generally for programming.

Long time ExpressVPN user here too, switched from BoxVPN which was slow and unreliable. ExpressVPN on the other hand has been well worth the cost. As mentioned by others, their software is A+ and stays out of the way for the most part. I don't use it to stream netflix while traveling, so that's never been a problem for me. I'm on a gigabit network at home and have found that the throughput speed is pretty good...beyond satisfactory for sure. I don't plan on switching.
Have you tried Shadowsocks?
Had not heard of it, but I will certainly take a look. Appreciate it
Private Internet Access
using nord. but for apps like intercom its not able to hide the users IP
Here's another question I had for a few weeks:

I tried a server of a certain free VPN via OpenVPN and since it did not support tunneling traffic through their own servers for IPv6 requests, my friend told me to disable IPv6 on my adapter's settings. Now ipleak.net doesn't detect my location. Was it a smart thing to do?

Unless you're using a VPN service that provides its own IPv6 address, as well as an IPv4 address, it's crucial that you disable IPv6 and/or use a firewall to block IPv6 traffic.

Or at least, it is if your ISP provides IPv6 service. If it does, and the VPN both routes IPv6 and doesn't push its own IPv6 address, IPv6-capable websites will see a global IPv6 address that's owned by your ISP.

My favorite is IVPN. It's true that I've written stuff for them. But that's in part because I've known the CEO, Nick Pestel, for several years. And to the extent that I trust anyone, I trust him. But also, they're one of the older VPN services, and one of the first to accept Bitcoin. And their apps are well designed.

I also like AirVPN, Mullvad and PIA a lot. I don't know anyone there personally, but they're all strong privacy advocates.

I'm concerned about relationships between Tesonet and NordVPN and ProtonVPN. So I wouldn't use them.

Thanks for introducing me to IVPN. Seems like a good VPN, uses WireGuard.

Can you elaborate on the problem with the relationship between Tesonet, NordVPN and ProtonVPN. Also does your problem with ProtonVPN extend to protonmail? Should I be considering switching to a new email?

There's an old HN thread about it. Basically, the ProtonMail and PIA CEOs got in a catfight, and traded accusations. I don't recall what PIA was accused of. Maybe connections with China? But I've seen nothing more about that.

The PIA CEO basically claimed that Tesonet operated ProtonVPN for the ProtonMail team. And then additional articles appeared, detailing the connections. And adding NordVPN to the mix.

But many of their HN posts were deleted. And much of the other online coverage disappeared, presumably because of pressure from NordVPN and/or ProtonVPN. But I found caches for three of them.[0,1,2]

Maybe it's all bullshit. But it leaves me suspicious. And I gotta say that ProtonVPN's responses seemed evasive.

0) VPNscam.com: NordVPN, ProtonVPN, ProtonMail, Owned by Tesonet CEO Darius Bereika https://keybase.pub/mirimir/NordVPN%2C%20ProtonVPN%2C%20Prot...

1) best10vpn.com: Proof that NordVPN is Owned by Data Mining Company Tesonet https://keybase.pub/mirimir/Proof%20that%20NordVPN%20is%20Ow...

2) airvpn.com: Why You Can’t Trust NordVPN https://keybase.pub/mirimir/Why%20You%20Can%E2%80%99t%20Trus...

Edit: Also FYI

Lawsuit names NordVPN, Tesonet in proxy data extraction scheme https://news.ycombinator.com/item?id=17873164

HolaVPN (luminati) is suing NordVPN (Tesonet) for stealing p2p proxy patents https://drive.google.com/open?id=1_AlNxNN-fiIVW64-605c_OJO0C...

Well that blows. I just set up a proton mail account and was going to migrate from gmail.
There might really be nothing to it, as the Proton* people claim. Or at least, just a somewhat iffy roll-out of their VPN, using Tesonet staff.

But on the other hand, I gather that Mozilla has picked ProtonVPN for its integrated VPN testing. And they seem competent and privacy-friendly.

Also, whatever they did with ProtonVPN, there's no reason to believe that there's anything wrong with ProtonMail. That's arguably their core competency. And they arguably brought in Tesonet because VPNs were not part of their core competency.

I'm not sure why Mozilla is still held on such high esteem despite multiple gaffs.
It's largely desperation, perhaps.

But they do seem more privacy-friendly than most.

If you are migrating away from a centralized email provider you should move to a personal domain. That way you won't be trapped by any service in the future. There are numerous companies[0] that you can point your domain to and they will handle everything else. This costs a bit of money but it means that you will be the customer rather than the product.

[0] I use migadu.com but fastmail.com seems to be very popular with the HN crowd.

I recently switched to IVPN from Nord (a month or so ago), and I'm very glad I did. Great interface, and it never goes down.

NordVPN is always advertising their massive server network, but I was always getting booted off and having connection problems. I rarely have these problems with IVPN.

Just FYI, but "massive server network" often means a bunch of VPS in a few data centers. With devious cross-AS announcements to make servers geolocate as desired. It's easy to discover the truth, by using numerous ping and traceroute probes, and doing triangulation.
I have built a private VPN server on top of wireguard and IPSec, still very early days soft launch this week: https://www.tunnelhero.com early adopters and beta testers welcome, msg me for a discount code!
I use a VPS with OpenVPN. I control both sides so I could switch clients or service providers pretty easy. Current cost is about $20usd/mo
I have been using PIA for a few years and am very satisfied.
(comment deleted)
(comment deleted)
I create one on AWS with CloudFormation as needed. It's not the cheapest option overall but for intermittent use, it's far cheaper than paying a monthly subscription.

Also, if you pay your AWS bills using an Amazon Prime credit card, you get 5% back. (just checked on my cc)

Parent informed me of an option I hadn't even considered.
I use NordVPN for my home server's docker containers, on my phone and on my Mac. Never had any issues and it's v. cheap when purchasing for 3 years.
I'm using Freedome, which requires special software (best I can tell). I'm using it because it's made by F-Secure, and I know the F-Secure people from a long time ago.

They have a large commercial business that would get seriously Kaperskied if it turned out they were knowingly doing anything wrong, and I've decided that that's the kind of incentive I want in a VPN provider.

F-Secure Oyj is a Finnish company. Due to cultural and societal standards, Finns take their work and product very seriously. If anyone or anything was shady and put peoples’ privacy at risk, the company would be shutdown immediately. It would be on the Finnish news for decades. ;)
It's actually just OpenVPN in the background. I've successfully used it with Linux, Windows and Android without the official apps.
How did you get it set up with Linux? Last time I tried I found some obscure guide which didn't exactly help me.
Is there a way to setup an “always on” VPN on my device, such that it disallows any traffic to egress unless connected to the VPN?
macOS and iOS call this "Connect on Demand." I'm not sure about other systems, but it should be possible.
On macOS/iOS you can configure the built-in VPN clients to use "on-demand" mode, which wont allow traffic before the VPN connection is established.

The only way to configure this however is using the Apple Configurator tool and create a custom profile.

I run this for my OpenBSD IKEv2 servers which gives me automatic on-demand VPN on cellular and all non-known Wi-Fi networks (== not home).

Algo (another commenter mentioned it[1]) allows you to set this up to be the default for the VPN, very nice feature. I use it on my phone since I often connect to random wifi APs. More and more of the web is moving to HTTPS but a disturbing amount of unencrypted traffic abounds.

[1] https://news.ycombinator.com/item?id=19242119

Yep, Algo uses the same approach. It's generating device configuration profiles with the necessary settings. I'm generating mine in the same way but slightly different to allow toggling Ethernet and to support the OpenIKED ciphers etc.
> The only way to configure this however is using the Apple Configurator tool and create a custom profile.

'Activate on demand' is just a checkbox in WireGuard app settings on iOS, so apparently it's only the built-in VPN types that need Apple Configurator. Since IPSEC/IKEv2 are overengineered and L2TP is outdated, you're better off using wg anyway.

Nord has a feature they call kill-switch that does this.
A dedicated server at the Warsaw Hackerspace, which is its own LIR/ISP (AS204880) and has a BGP session to the local IX and an upstream mix.

I highly recommend running your own VPN endpoint on at least a VPS/cloud instance somewhere. Such address blocks are used by tons of other users at immense traffic levels, and as such your traffic is much less likely to be intercepted by the provider itself.

I doubt the scale of the data being intercepted is much concern for the hyperscale providers. AWS already has a customer-facing service that monitors for connections to its own "watchlist", I'd be surprised if all traffic isn't monitored in the same way.