119 comments

[ 3.0 ms ] story [ 157 ms ] thread
“VPN companies are all scummy and make false promises in their advertising”

“Anyway, here is an advertisement for our VPN company”

That's not what the article is actually saying, and they make some good points in the article about how other VPNs have conflicts of interest. But you're right that this post basically amounts to content marketing rather than a real discussion of the complicated issues at play.
I’m may be dumb wrt this but i really don’t get the VPN business. Why so much advertising for VPNs in particular?

Looking at why someone would want to use a VPN:

- Protection from governments or big businesses: you probably do actual research, not listen to some ad by your favorite gamer

- Protection from scummy ad tracking: Most people still do some research here albeit less carefully. But again, if you’re worried about ad tracking, wouldn’t you worry about a VPN aggressively advertising themselves?

- Access region-locked content: Any VPN works here. This could explain some of the advertising. But still, most VPNs talk a lot about security, and only a small section on region switching. I would imagine if this was the main target audience VPN advertisements would be different.

Are people so gullible that they see an ad for NordVPN, think “oh shit I need to protect my security”, and then buy NordVPN, without questioning at all if it’s worth the money, if there’s an alternative, or why NordVPN advertises on XxGamerClipz? So much that NordVPN makes money off of its ads? And if so, why don’t other companies do this that could better target dumb people?

>Protection from scummy ad tracking: Most people still do some research here albeit less carefully. But again, if you’re worried about ad tracking, wouldn’t you worry about a VPN aggressively advertising themselves?

Importantly, most advertising and tracking does not care what your IP address is, and so a VPN does nothing here unless you can separate your cookies / hardware profile / etc.

i think a vast majority of it is people who want to stream content, pirate torrents, etc, without getting a strike letter from their ISP
> i think a vast majority of it is people who want to stream content, pirate torrents, etc, without getting a strike letter from their ISP

This use case is definitely very underrated, people usually associate VPNs with higher latency but if your ISP has bad peering to certain locations, which many of them do, a good VPN can do wonders.

I've got another: I don't get a real IPv4 adress from my provider it's all carrier nat on IPv4. On IPv6 I get a direct connection though. The carrier nat is often slow and and I cant forward IPv4 ports. Using mullvad via IPv6 and IPv6 NAT on my router I can route around the carrier and get much better IPv4 Bandwidth and Peering at the cost of a a worse latency (though it goes from 7 to 25ms for the average game) so it's hardly an Issue. That and I can pirate as much as I want with it in germany.
>Are people so gullible

Yes? I think theyre usually riding off the trust of the content creators they advertise with.

>And if so, why don’t other companies do this that could better target dumb people?

NordVPN arent the only ones.

I watch many, many youtubers... there are probably only two or three that i trust with their reviews, and none of ther reviews are sponsored.
> Access region-locked content: Any VPN works here. This could explain some of the advertising.

Actually, most of the time your VPN is just going to be blocked entirely by the service: they have a limited pool of IP addresses being shared by users, so the patterns of access of users randomly popping up on their addresses makes even automated bans pretty easy.

https://news.ycombinator.com/item?id=28143238

To really get this right requires crazy tricks like taking all of the traffic destined for a service and routing it to per-user stable addresses that you cycle much more slowly. NordVPN seems to do this with Disney+, for example. There was a great analysis of this done (but to get it you will need to use an archive site as the author mysteriously deleted it).

https://news.ycombinator.com/item?id=21664692

The result is that users trying to do this tend to have to keep using different VPN services until they find a server on one that actually works today, and probably in the process keep accumulating subscriptions to "too many" VPN services for "too long". A lot of random review sites are then just claiming to tell you which service is best able to access such content at any time (but honestly, it is a losing battle: there is no obvious way to win this in the long term).

>Actually, most of the time your VPN is just going to be blocked entirely by the service

Doesn't seem to be the case 'most of the time' for non-free VPNs or at least mine. You can definitely access YouTube videos available abroad or BBC iPlayer or whatever. I'm on VPN a 3rd of the time and it's only very occasionally I have issues. Sure, maybe it's worse with some services but not 'most of the time'.

Yep, but Amazon for instance blocks first party content when accessing it via a VPN. Some delivery services block my VPN outright.
I am doing an implied integral here over over all random VPN services and servers, as the person I am replying to said that "any" VPN would work. If you have found one that seems to consistently work for the BBC--and based on their efforts against Disney+, I bet NordVPN would work?--you are now a single data point: if you search for BBC blocked VPN on Google, however, you will see that it is an extremely common issue that the BBC blacklists VPNs from accessing their service.

(FWIW, I could accept an argument that I am not "weighting" my certainly-informal statement well on actual usage figures: if NordVPN and ExpressVPN are even the only two VPNs that work well against the BBC, maybe they are alone a considerable percentage of the market. I am pushing back on the idea that "any" VPN would work, and so I am looking more at the idea of choosing a random brand, equally weighted.)

Actually, you are right. I just tried again and now only 1 of my ips works for BBC so they are clearly getting more aggressive (or my provider hasn't been changing them as often recently).
FoxyProxy guarantees BBC iplayer access and gives you other servers when it stops working.
I wonder if this will continue with Apple (and my guess is other similarly sized tech companies) offering VPN. In other words, shutting out Apple's VPN might mean losing 5-10% of your market? Probably not but it will certainly be a new situation for so many non-tech people to have easy access to a VPN and Apple likely pushing it as "good for your privacy"
Apple's VPN explicitly maps users to an IP with a [relatively] close IP address[0] (as in, for IP geolocation purposes), and does minimal actual proxying:

> In iOS 15 and macOS 12, Private Relay will apply to all web browsing in Safari, all DNS name resolution queries, and a small subset of traffic from apps.

> Specifically, this will include all insecure HTTP traffic, such as TCP port 80.

So I can see most services not needing to block iCloud Private Relay.

0: https://mask-api.icloud.com/egress-ip-ranges.csv

At some point, we're going to have more and more users behind NAT and IP address looks even worse as a device for banning someone. Them making impossible journeys and changing country every five minutes, however, provides more useful information.
> Actually, most of the time your VPN is just going to be blocked entirely by the service

Actually, my experience is Netflix blocks some of the time; Wikipedia blocks (edits) all of the time (which really pisses me off - I'm logged in!); and nothing else that I use blocks me.

(comment deleted)
I use it mainly because my ISP does traffic shaping, videos and images load painfully slow on a full duplex half gigabit fiber connection. We do have a law that makes traffic shaping illegal, but it's not enforced, so the only way around it is to use a VPN.
Funny enough my DnD group has found that we get fewer Zoom drops when we all turn on our VPNs. It is odd that in the age of video conferencing that video conferencing would be unstable due to... presumably the ISP.
VPNs, much like gas stations, are selling an almost indistinguishable product. Essentially every VPN is fast enough, and secure enough in its selection of software.

The only differences are:

* Undetectable things (they say they don't keep logs, but do they really not keep logs?)

* Price - which they don't want to compete on if they can avoid it

* Reputation - which advertising can buy you a simulacrum of

Some VPN companies have decided the way they're going to stand out in the sea of very similar looking options is by being the company whose name you recognise.

I've tried a few VPNs and they are pretty distinguishable. Some offer more countries, some higher speeds, some rotate IPs more often etc.
"Secure enough" depends on your threat model. Many VPNs were poorly configured in the past and were leaking information. Only a few (like IVPN) were doing a proper job and had that verified by a third-party audit.

The next big question is jurisdiction. I would never trust a VPN that is based in the US, UK or a similar country where government access is virtually a given.

Torrent speeds differ by orders of magnitude for several VPNs I have tried. Won't tell which ones, sorry)
It's for protection from ISPs.
> It's for protection from ISPs.

Insofar as there are shitty ISPs that sell your data, yes. Most ISPs don't though. Also: I trust a VPN based in Gibraltar more than an ISP which is known to sell your data.

In North America at least, your ISP will happily comply with copyright notices and threats of lawsuits and pass them along.
Gibraltar is a British territory under the jurisdiction and sovereignty of the United Kingdom, not much different from the US.
There is one other use case that is rare, but the one I needed.

Sue to shitty peering, and some bad connection between me and a service, I was seeing horrific latency and packet loss.

A VPN let me route my packets through Chicago, which had a better connection to the service in question.

I just do not understand it either. When I want some protection I use tor. I would never trust a paid vpn service.
To play the devil's advocate, does a volunteer have more incentive to keep your data private, or a company whose very business and reputation relies on keeping it private? Is a network that can readily and easily be infiltrated by malicious parties "for free" more trustworthy, or a private network locked down to trusted machines by security engineers, audited by third parties?

Because there is enormous incentive to deanonymize Tor. In 2020, nearly 25% of the network was controlled by a malicious attacker. [1] You had, then, a 1.5% chance of complete and total deanonymization by a single party - a near-certain chance of deanonymization if you heavily used Tor. And this is without any traffic correlation antics.

Turning off the devil's advocate, most "trustworthy" VPNs are almost certainly intelligence gathering operations, claiming "no logs" in court but in reality being a tool for parallel construction. It's too valuable a position for the 3LAs of the world to not have some ownership and stake in major VPNs. Crypto AG-style.

IMHO there is no hope for modern anonymity. Interesting connections will be logged for future deanonymization with quantum computers. In the meantime, mixnets like Nym [2] might emerge to be our saving grace.

[1]: https://www.intego.com/mac-security-blog/why-tor-is-bad-for-...

[2]: https://nymtech.net/

>And if so, why don’t other companies do this that could better target dumb people?

I see ExpressVPN ads all the time and they're almost always advertised as "protecting yourself from hackers or your ISP".

> Are people so gullible that they see an ad for NordVPN, think “oh shit I need to protect my security”, and then buy NordVPN

Well not the people serious about VPNs. The ones I consistently see popup in online discussions about what VPNs to use are Mullvad, ProtonVPN (Because of their Switzerland location), & iVPN (because they're based in a non fourteen-eyes jurisdiction, namely Gibraltar).

Of course jurisdiction doesn't matter since the point-of-presence of the particular VPN country is usually housed in some cheap colocation datacenter that could have questionable ethics and could be feeding logs to adversaries, without the VPN provider even knowing.

Then there's the whole 'we never keep logs' claim which can't be proven. So, caveat emptor folks!

    Then there's the whole 'we never keep logs' claim which can't be proven. So, caveat emptor folks! 
It can be trusted with a fair degree of certainty depending on the company. For instance, we know that PIA at the very least was willing to testify under oath that they had no records to provide the US government. Could they be keeping secret logs or have changed practices since? Sure, but at some point the claim seems credible.

Now those flavor-of-the-month budget VPNs that cannot possibly be profitable unless you're the product? Different story.

i thought pia got bought recently by a much less trust worthy vpn?
Huh, looks like it was. That would make me apprehensive about continuing to trust them.
They were bought by Kape Technologies, an Israeli surveillance firm whose founders have ties to Unit 8200. PIA literally couldn't up a bigger red flag if they tried.
The issue is that yesterday they may not have kept logs, and today they might, and there's no feasible way to know for sure. Even warrant canaries can't be relief on if the type of warrant requires no notification whatsoever.
FoxyProxy also testified under oath to the US Secret Service that they have no logs:

https://blog.getfoxyproxy.org/2017/11/04/secret-service-subp...

The company has been owned by the same individuals since 2006.

Parallel construction also isn't out of the question for these VPN providers that have testified under oath. If I were the NSA I'd buy some "no logs" VPN providers that don't provide logs in court, but do have them to make catching criminals much easier.

It doesn't hurt that the "no logs under oath" assertion will no doubt engender trust with the very people you want to log.

> VPN providers that don't provide logs in court, but do have them

That doesn’t make sense. If the provider has the logs, they’ll be presented in court if the company is given a subpoena and the owners are American. No one is going to risk contempt and jail time for their customers.

The apperence of not having logs is useful for both the law enforcement and the VPN owner, so why whould they subpoena the logs? The VPN could leak some details to the law and in exchange the law mostly leaves them alone. And the law would get cases where they know that spending their time will pay of: Saying "yeah, the computer repair shop found CP on the guys computer", thinking "because we told them where to look".
(comment deleted)
> iVPN (because they're based in a non fourteen-eyes jurisdiction, namely Gibraltar).

Gibraltar is an British territory under the jurisdiction and sovereignty of the United Kingdom, it's part of the fourteen-eyes.

i'm mostly happy with ProtonVPN for average stuff. clearly tho, when it's serious time you gotta pwn your own box
It's a bit weird that you omit the main reason for VPNs—avoiding dumb copyright strikes from your ISP when torrenting. To be fair this is a US-only reason. Maybe you live in Bulgaria or Finland.
It's a thing in other European countries too.
Finland certainly has it's fair share of stories, including them taking your equipment and holding it for lengthy times. We even have our own legal firms specialising in fun letters...
VPNs are cheap to run snake oil that you can sell to people who don’t really understand security. Snake oil in general is a great business.
I live in Germany but don't speak (or read) German. Almost all internet sites completely ignore my browser's "preferred language" preference and serve me content in German because I have a German IP address.

So I use a VPN to pretend I'm in the UK, and get English language.

I actually have to turn this off to watch streaming services, because they detect it too easily. The streaming services then cheerfully serve me English UI (because my account preference is for English) but German language content. I understand why, but this is such bullshit.

If you want people to stop using VPN's, then stop assuming that their IP address has anything to do with their physical location, culture, language, bank account region, home address, telephone prefix or anything else.

I lived a bit in Sweden, and got the opposite frustration: everything was in English. Even people would see I'm not swedish and speak to me in English. How was I supposed to learn swedish without ever hearing any swedish? (I did have lessons, but it takes much more time to learn with lessons only)
I'm having the same problem learning German in Berlin - everyone speaks English here and the slightest mispronunciation or "vie bitte?" and they switch to English. Which is appreciated - I'm a foreigner in their country and they're being incredibly hospitable to speak my language - but it makes practising German very difficult.

Also, a Swedish distant relative of mine told me (decades ago) "We Swedes prefer to talk to foreigners in their own language, and keep Swedish as a private language for ourselves". I've never heard that said by anyone else, but it has always stuck with me as a cool idea, and the antithesis of the English ;)

> stop assuming that their IP address has anything to do with their physical location, culture, language, bank account region, home address, telephone prefix or anything else.

The unfortunate truth is that analytics have show that more users have their browsers configured than an IP that doesn't "match" a language that they understand. Very unfortunately but is basically the common case for browser defaults on the internet.

But this is circular reasoning. If every web dev ignores the browser setting and uses IP to determine language then the browser setting is irrelevant and no-one bothers setting it. So the browser setting is inaccurate for the majority of users and the web devs can cheerfully ignore it.

I have started a one-man campaign of creating support tickets for all sites that ignore my browser setting. Join me!

It seems like a throwback to the naive old internet.

Being that it is 2021, it seems absurd to actually believe that some cheap service provider is providing any kind of meaningful privacy. I get the notion of being able to watch BBC or avoid baseball blackouts, but competent content providers block VPNs all of the time… consolidating will only help that effort.

The simple answer is that VPN services are really pretty easy to stand up. There is an enormous menu of VPN services out there, and many of them are basically some slapped-together Ansible playbooks and machines in sketchy datacenters. Running a VPN service is actually advantageous in this regard, because you can place a lot of your infrastructure in the cheapest DC markets and it almost comes off as a feature (look at all those global PoPs!). And now more and more VPN services allow resellers, so you don't even need the Ansible playbooks... you can just sign up to resell.

It's basically the 2010s version of web hosting in that regard, an industry that absolutely proliferated with tiny companies that were ultimately just reselling larger providers or running their own infrastructure very shoddily. It was seen as easy money, and that was true to an extent until they proliferated so much that it was hard to grab many customers... which lead to some very heavy-handed advertising pushes.

Consider, for example, the large number of Usenet providers that have affiliated VPN services now... they're priced so cheap it's hard to imagine them making much money off of them, but consider that they're just reselling from a larger Usenet provider that already has a lot of owned capacity and bandwidth. Since Usenet is so storage heavy they may just run the VPN endpoints right on their NNTP servers. It's basically free for them to offer!

They sell fear (with some justification), and then they sell an underperforming product that supposedly addresses that concern.

It would seem that people do [think “oh shit I need to protect my security”, and then buy NordVPN, without questioning ...] or else they would have stopped all that advertising.

There's some truth to the fear they are promoting in some situations. I doubt most consumers are in those situations (ignoring people living under oppressive regimes, as presumably they aren't watching the typical consumer tech videos on Youtube). But like a lot of types of insurance, the consumers are convinced that they need the solution to the problem which they don't really have.

I use a VPN purely for torrents. Have a VM with a torrent downloading server. Only way that VM can route beyond the local net is they a static VPN address and the VPN interface. No VPN connection means no internet leakage.
> why don’t other companies do this that could better target dumb people?

This is the interesting question. I think mostly it's the (correct) fear most businesspeople have of being caught taking advantage of rubes. They fear the social stigma, the impact to their business reputation, and potential litigation. It's the ones willing to take on all this additional risk that go on to rake in cash selling snake oil and magnetic holistic government-grade encryption bracelets.

I first installed a VPN after receiving a menacing letter from my ISP for torrenting. Then I moved to a country that doesn't care about torrents, but where I could be jailed for liking a wrong facebook post. Still, I don't want G$$gle & Co. to know everything about me. I travel a lot and do fear the wi-fi MITM. So I use a VPN.
I always figured the main reason people used VPNs was to be able to pirate movies and music without getting those letters from their ISP and that all the other reasons were just plausible deniability points.
VPN companies make a lot of money selling your browsing activity to governments, fintech, and adtech.
Do you have evidence of this?
They do not keep logs on your browsing history but they do route it immediately to various parties paying for the live feeds. /sarcasm sort of

I think those vpns are monetizing your traffic everyway they can and are often circumspect about it.

The best way to find out would be to try and buy such data.
What would that look like?

Do you have evidence some don’t?

Free or close to free VPNs? Maybe.

Paid VPNs like Nord, Proton, Express. Seriously doubt it. Their estimated subscribed count * subscription cost is worth a lot more than selling data, specially considering it would kill their business the minute it came out.

You could remove the first two words of this headline ("Consolidation of") and end up with a headline that is as true, if not more true.
Windscribe themselves got pwned not long ago: https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-b... Ownership is just one part of the equation.
Yegor: I like the way you run windscribe and fully believe in your honesty and integrity (in fact, windscribe and mullvad are the among the few private vpn providers I've ever recommended). My point wasn't that. It was rather that the primary threat remains security of the setups themselves more so than the ownership. May be you don't agree, but that's my view.
Meh looks like a cheap shot at the recent acquisition news.
As part of a software package I get 1Password, AdGuard, the AdGuard VPN and Malware Bytes, all for the same price as paying for 1Password yearly, so I got the bundle deal.

I often wonder how good AdGuard really is, anyone know about this? I’m aware they use some kind of proprietary connection scream, but the actual VPN tunnel appears over IPSec, I think it’s the negotiation that is for some reason non standard.

Anyone know anything about this? I am only testing it out cause I get it in this package deal

AdGuard's VPN isn't IPSec? IIRC, to evade censorship, they tunnel through HTTP (or something that looks like HTTP): https://archive.is/HxZG5
Ah I may be confused as the client registers on my device as IPsec (in this case my iPhone)
VPN is just another "man in middle". If you need anonymity, use TOR.
Yeah, many men in the middle is better than just one! /s
This but unironically
To put it in different terms, if one person robs a bank then its realatively easy to catch and prosecute that person. If 100,000 people rob a bank at the same time (for $10 each I guess) then its pretty difficult to catch anyone involved and almost impossible to catch everyone involved.
Can someone explain how VPNs work / why they are cheap to run?

If I download 1TB through my VPN, dont they have bandwidth costs for 1 TB as well?

Yes, but bulk bandwidth is very cheap (contrary to what the average consumer ISP would have you believe).
Depends on the country. If you’re downloading 1TB through an Australia VPN, for example, or Taiwan…. The VPN company is going to throttle you or ask you to pay more. There are many other countries that fit that list.
It's unusual for commercial customers to pay for bandwidth on a per-byte-transferred basis. Instead, it's usually on a peak or percentile bandwidth basis. It's not cheap, but once you shell out for say a gbps of transit you can put a very large number of customers on that. The cost of the bandwidth ends up not being that large of a consideration.
Thanks I see. I pay $10 per month for VPN and then 60$ per month for internet so I guess their magnitude of costs is well over 1/6 lower than what I pay for internet
This post finally inspired me to try out mullvad, and I wish I did sooner. It's actually really easy, and the way they set things up and writing about how they work is a breath of fresh air.
These so-called VPNs are only good to bypass Nexflix’s regional filters, and shouldn’t even be called VPNs. Nobody should assume these services can be used to improve security or privacy.
Apart from legal protection, I’ve found that if you are behind a crappy ISP router, bundling a bunch of Torrent connections in one VPN connection can prevent the router from becoming unstable.
Can anyone see the difference between the Windscribe's "Firewall" and, say, ExpressVPN's "Killswitch"?
It's effectively the same thing. A properly implemented "kill switch" uses the OS firewall to block everything from using your hardware NIC, except the VPN tunnel itself. The "kill switch" name comes from improperly implemented "feature" that kills processes when your tunnel drops for any reason. This is a trash implementation.
But the several times I've gone looking for a very privacy-focused (but not horrible performing) vpn, I've usually only found 1 or 2 good options. Most of the consolidation list were never the good options.

So a better question is, "Is consolidation of products you shouldn't buy trouble for you?" Probably not.

While not a VPN, it's the sales of Lastpass and Keybase that really bothered me. Those were losses for the consumer.

Small aside: a VPN which sponsors a few dozen youtube tech videos is probably not one you want.

AWS is my favorite VPN in the few cases I have had to use one. Rent the cheapest instance in the region you want, then SSH tunnel your connection. Very simple and quick. Services never blacklist AWS IPs, in fact in many cases they have extra rules to be more permissive because their infrastructure runs on AWS.
A lot of sites freak out, either explicitly or subtly, when getting a connection from a known AWS pool. In a good case, you may get some explicit notification that they don't like your IP and suspect you are a bot. In a bad case, the site would appear subtly broken (i.e. login won't work, or some functionality would refuse to load) and nothing would suggest it's the problem until you try a non-AWS address.

Services that expect to be contacted by robots (which is mostly what runs on AWS) won't blacklist it, but sites that expect to talk to humans very much do so.

VPN as a protocol is dying.

Wireguard protocol is the new and faster trend.

> VPN as a protocol is dying. VPN is not a protocol, what you're referring to is probably OpenVPN, but there are multiple alternatives. It's even possible to use pure SSH as a VPN.
Take a gander over to ZeroTier, Tailscale, and Headscale.
Mozilla (the non-profit that makes the Firefox browser) has a VPN service and not only do I trust them more than these other private companies but I like supporting them as an organization. A VPN is the best thing for a crook or spy to run, so I expect that eventually they will be all run by them, if they aren’t already. Even SSH encrypted content can be man in the middle attacked by SSH proxying, I don’t see how your VPN couldn’t have access to your bank account or anything else you’ve logged into.
Mozilla's VPN is just Mullvad.
I think the VPN fees go through the Mozilla corp. so it may be a better way of supporting Firefox than donating to the Mozilla (nonprofit) org.
This blog post by a VPN company is totally not biased and not written to promote their totally independent (for now) , transparent (for now) business.

I mean they're not wrong, but it's hard to take seriously when they've got a horse in the race.

I subscribe to not one, but two VPN providers, but it's less about anonymity and more about region blocking and the fact that certain sites behave differently if you're out of the country (which, I am on a permanent basis).

This is mostly, I presume, anti-fraud measures that seem to pop up when visiting niche Australian web apps from overseas.

I always assumed a great deal of these VPN services basically hand delivered people of interest to various governments.
This is an ad blog post by a VPN company against their competition.

But the points it makes are all very true. You shouldn’t trust VPN companies. They all seem super sketchy.

Good advice for more than just VPN: if someone has to advertise something that should sell itself, there is something wrong with it or them.
I found a few comments rather reductive.

Some true facts:

-Lots of people use commercial vpns for the wrong reasons and expect too much from them in terms of privacy, anonymity, and security.

-Commercial vpns rarely have very any[1] trustworthy qualities.

-If you are hermit-level disciplined and never rely on (export MEANIES=) sketchy ISP, governments, or airport or cafe wifi to access the internet in an appropriately private way wrt the info exchanged (I would hugely envy your ability to evaluate this with much certainty), you have no need of a commercial vpn.

But as far as I can tell:

There are many good uses for commercial vpns in both "pretty good" customized private networks as well as best-case hardened access [2].

Even without other nodes, a commercial vpn has its use if one cannot avoid using a sketchy ISP or public wifi network. Unless the consolidation of sketchy internet entities is much much worse than I have seen evidence for and the commercial vpn is at least as trustable as the unavoidable sketchy network, it still provides the advantage of being singular. Better to have to deal with one sketchy commercial vpn than more than one of $MEANIES.

Some well-informed reasons to use a commercial vpn in a quite private customized network regardless of the more basic above factor:

- Reliable access to better things like tor among providers who block them.

- Minimizing public requests to and therefore risk of discovery and vandalism of personal private infrastructure. Think of cloud services you can host on your own more securely than a commercial provider of that service. EG one on your home network with more sensitive killswitches (if nothing else) than most commercial services can provide. You would probably still do better to use a commercial vpn than visit your home IP from $MEANIES even if [3] just to make the inconvenience of vandalism less frequent.

------- (I'm less sure about this part.) If the extra hop over an untrustable entity is really an extra liability (then you should use measures like inter-packet arrival time obfuscation and frequent hardware-level rebuilds of the customized network, and) then maybe the problem is already bad enough those two entities are in cahoots anyways so they could find out if they cared.

- Probably more?

Not a professional. Look forward to learning nuance or being proven completely wrong.

Edits:

[1] any not many

[2] if no alternative to one of $MEANIES is available

[3]

Sorry, does anyone in tech actuallty use a commercial VPN?

I have friends who are non technical who often ask me "what VPN provider should I use?", and my response is usually "Why are you using one?". They often say it's to protect their privacy from... someone, they don't know who. However they never know the privacy policies of their VPN company or how to protect against things like DNS leak.

It seems most people actually use them to watch a streaming service in a different country. This is just piracy with a hat on. I don't understand why they don't just pirate the media without paying anyone a monthly fee and be done with it.