21 comments

[ 3.0 ms ] story [ 52.3 ms ] thread
I strongly suggest that you use something like Network Namespaces through Vopono[0] or Gluetun[1] if you use a commercial VPN for "privacy" or "security" aka torrenting and shitposting. Relying on these clients is always a gamble and if your software (Browser, Torrentclient, etc.) cannot know you public IP only the internal IP of the VPN you are also safe against some exploits and misconfigurations a desktop client won't protect you against.

[0] https://github.com/jamesmcm/vopono [1] https://github.com/qdm12/gluetun

I donwt know any single VPN provider apart from Mullvad with proper v6 implementation.
Even Mullvad give out ULA addresses. You can hardly call that a proper implementation :(
Pretty sure i've had ipv6 on Proton. How do I check if it's "proper"?
What about NordVPN and ExpressVPN are those somewhat trustworthy?
Both are proprietary and require personal information to register and pay so obviously no.
Hi, I'm the author of the blog post and just wanted to say thanks for the discussion.

I agree that relying solely on desktop VPN clients (especially closed-source ones) is risky... The network namespaces approach is new to me, but it looks like a solid way to isolate traffic and avoid these kinds of leaks entirely. Thanks for the suggestions.

(comment deleted)
I'm surprised at how negative HN as a whole is on VPNs. The argument seems to go that VPNs don't really give you much privacy. I disagree. I don't think they give absolutely privacy but there are benefits.

As soon as you use a service in another country, it greatly complicates anyone trying to pierce that veil. A US shield can be pierced by John Doe warrants, FISA warratns, pen registers and so on. Some of these options are open to average citizens who may want to dox you or simply report your activity to government agencies, which is more relevant now than it has been in many years.

We've seen several websites pop up to dox people who don't show sufficient deference to Charlie Kirk's murder. We have an administration who now seeks to deport people, deny entry to visa holders and deny visas to people who criticize Israel.

For so many people in the US, citizens and otherwise, an extra level of privacy has become essentially mandatory.

The US ISP market is dominated by regional monopolies where you have no other option. ISPs monitor your traffic, not only to sell your data to data brokers but to decide if you're doing anything "inappropraite" like using a file-sharing service. How long before that extends to the content of your speech?

I'm glad people are doing things like xposing IPv6 leaks (as in this post) and other weaknesses. Some here will taken this as further evidence that VPNs are of little or no value. I don't. I want to know who the good providers are.

I encountered this with different VPN provider. Probably many more have this issue.
If you can't see your VPN's source code, you can almost safely assume that they're broken in some way.
Even if you could, there's no way to guarantee it's the same code that's actually pushing your packets around.

Even vp.net which says they use SGX to verify the code that is running on a box... yea you are verifying a box, somewhere, not necessarily the one forwarding your packets. And those packets can still be monitored/modified outside the system at some other part of the network anyways.

And even if you could verify all that, eBPF swoops in and lets you modify code at runtime with no evidence trails.

I have no idea why it seems to be so hard for VPN providers to get IPv6 right. The technology has been here for ages. Also, unlike physical ISPs, VPN providers have no other way to differentiate from each other but getting this sort of things right, so one could except them to be motivated, but no.
They separate each other by spending money on YouTube ads and sponsorships and jacking up prices to offer 50%, no 70% no NINETY PERCENT DISCOUNT if you subscribe for 17 years using my promo code MisterSandman!
VPN providers do not have reputations for making secure or reliable software.

Here's a good privacy proxy (VPN) setup: Set up a second wifi router, enable the "Internet kill switch", and connect it with Wireguard to a reputable VPN service. I recommend GL.iNet routers and Mullvad.

With this setup, one can move individual devices between the privacy wifi and identity-broadcasting wifi.