Ask HN: What VPN service are you currently using?
And would you recommend it? I've decided to get one and so far my only two requirements seem to be:
1. It should work with OpenVPN
2. It should support SOCKS5 (Proxy)
PIA, Nord, Mullvad, ZorroVPN, ProtonVPN look promising. On the other hand, SigaVPN is based on a not-for-profit model so I was not sure about it. What is your personal preference?
343 comments
[ 3.2 ms ] story [ 237 ms ] threadI generally strongly recommend against using VPN providers on false advertisement grounds -- VPNs fundamentally cannot provide strong anonymity properties, but that doesn't stop many providers from listing anonymity as a selling point. In terms of the property VPNs can provide (privacy), you're better off maintaining as much control as possible over the service: you don't want to be tied to someone else's weak cipher or insecure protocol choices.
FD: I work for the company that made Algo, but have nothing to do with its development.
[1]: https://github.com/trailofbits/algo
[2]: https://github.com/trailofbits/algo/blob/master/docs/faq.md#...
I'd love to know more about this.
* OpenVPN's user experience isn't as good as IPSec's or (more recently) Wireguard's.
* OpenVPN uses TLS and specifically OpenSSL, meaning that it inherits substantial design and implementation flaws.
* OpenVPN's security track record is poor, both on the client and server sides.
https://github.com/StreisandEffect/streisand
Edited to add link: https://github.com/StreisandEffect/streisand
Takes less than 10 minutes to setup a VPN with algo on DO and I just shut it down after my task was done. Cost me $0.02. The support for Wireguard + OSX Wireguard App is perfect and super easy.
Please tell your coworkers, thank you!
Does not require any software installed on the server, and the whole setup should be quicker then configuring VPN server and client.
Also, an HTTP proxy is a couple steps more to setup, but will allow you to use command line tools on the client, not just the browser. The majority of command line tools support http_proxy and https_proxy environment variables.
An easy and pretty secure way to setup an HTTP proxy is: 1. Install tinyproxy. 2. Configure it to listen only on localhost and start it. 3. SSH port forward localhost:8888 from your server. For example to the same port on your client. 4. Configure your clients to use localhost:8888 as a proxy.
That's not part of the threat model for 99.999999% of VPN users though.
Tracing back the usage of the VPN to them is their main worry and what they have to fight against.
You're right, and that's why it's not my primary objection. At the end of the day, the majority of VPN providers are still advertising themselves as anonymity services. This is patently false and dangerous to consumers.
ExpressVPN has been great to me and I continue to fail finding bad news about them. They dont offer any discounts tho and Im on $99/year plan but I was tempted to get NordVPN for half thatprice. I gave up on setting up their stone-age designed router software and came back to Express. Express has amazing software for N7000 router series and it allows me to exclude iPad that I use to watch Netflix while rest of network continues to be secure. So with their router software and $99/year you have unlimited amount of devices covered. Speed is amazing too and number of servers avail is very hight. Honestly I feel its worth double the proce I would pay for Nord, as I put it in my company costs anyways ;)
I could not recommend them high enough.
the speeds are not great, but it just maybe because i’m in china, i couldnt watch hbo go or stream netflix at the time, i use it generally for programming.
I tried a server of a certain free VPN via OpenVPN and since it did not support tunneling traffic through their own servers for IPv6 requests, my friend told me to disable IPv6 on my adapter's settings. Now ipleak.net doesn't detect my location. Was it a smart thing to do?
Or at least, it is if your ISP provides IPv6 service. If it does, and the VPN both routes IPv6 and doesn't push its own IPv6 address, IPv6-capable websites will see a global IPv6 address that's owned by your ISP.
https://test-ipv6.com/ is a good test site.
I also like AirVPN, Mullvad and PIA a lot. I don't know anyone there personally, but they're all strong privacy advocates.
I'm concerned about relationships between Tesonet and NordVPN and ProtonVPN. So I wouldn't use them.
Can you elaborate on the problem with the relationship between Tesonet, NordVPN and ProtonVPN. Also does your problem with ProtonVPN extend to protonmail? Should I be considering switching to a new email?
The PIA CEO basically claimed that Tesonet operated ProtonVPN for the ProtonMail team. And then additional articles appeared, detailing the connections. And adding NordVPN to the mix.
But many of their HN posts were deleted. And much of the other online coverage disappeared, presumably because of pressure from NordVPN and/or ProtonVPN. But I found caches for three of them.[0,1,2]
Maybe it's all bullshit. But it leaves me suspicious. And I gotta say that ProtonVPN's responses seemed evasive.
0) VPNscam.com: NordVPN, ProtonVPN, ProtonMail, Owned by Tesonet CEO Darius Bereika https://keybase.pub/mirimir/NordVPN%2C%20ProtonVPN%2C%20Prot...
1) best10vpn.com: Proof that NordVPN is Owned by Data Mining Company Tesonet https://keybase.pub/mirimir/Proof%20that%20NordVPN%20is%20Ow...
2) airvpn.com: Why You Can’t Trust NordVPN https://keybase.pub/mirimir/Why%20You%20Can%E2%80%99t%20Trus...
Edit: Also FYI
Lawsuit names NordVPN, Tesonet in proxy data extraction scheme https://news.ycombinator.com/item?id=17873164
HolaVPN (luminati) is suing NordVPN (Tesonet) for stealing p2p proxy patents https://drive.google.com/open?id=1_AlNxNN-fiIVW64-605c_OJO0C...
But on the other hand, I gather that Mozilla has picked ProtonVPN for its integrated VPN testing. And they seem competent and privacy-friendly.
Also, whatever they did with ProtonVPN, there's no reason to believe that there's anything wrong with ProtonMail. That's arguably their core competency. And they arguably brought in Tesonet because VPNs were not part of their core competency.
But they do seem more privacy-friendly than most.
[0] I use migadu.com but fastmail.com seems to be very popular with the HN crowd.
NordVPN is always advertising their massive server network, but I was always getting booted off and having connection problems. I rarely have these problems with IVPN.
Also, if you pay your AWS bills using an Amazon Prime credit card, you get 5% back. (just checked on my cc)
They have a large commercial business that would get seriously Kaperskied if it turned out they were knowingly doing anything wrong, and I've decided that that's the kind of incentive I want in a VPN provider.
The US government made it clear they thought Kaspersky software was a security risk, as they were a little too close to the Kremlin. True or otherwise, it'd be an almighty brave Western CIO who bought Kaspersky software moving forward.
The only way to configure this however is using the Apple Configurator tool and create a custom profile.
I run this for my OpenBSD IKEv2 servers which gives me automatic on-demand VPN on cellular and all non-known Wi-Fi networks (== not home).
[1] https://news.ycombinator.com/item?id=19242119
'Activate on demand' is just a checkbox in WireGuard app settings on iOS, so apparently it's only the built-in VPN types that need Apple Configurator. Since IPSEC/IKEv2 are overengineered and L2TP is outdated, you're better off using wg anyway.
I highly recommend running your own VPN endpoint on at least a VPS/cloud instance somewhere. Such address blocks are used by tons of other users at immense traffic levels, and as such your traffic is much less likely to be intercepted by the provider itself.