Brilliant list. I always wondered how many commercial VPN providers use code from these. I suspect setting up the VPN is easy enough, but coding the billing backend might be trickier.
Yes, it works quite well - For an example setup, this is my setup script [0] to bootstrap a digital ocean droplet + launch an openvpn container using this image [1]
Using openvpn with deluge in UnRaid as a container - runs flawlessly, and not leaking (re: data out of the VPN) as verified by firewall logs for 3 months now.
If I was the NSA, I'd certainly be looking to launch a VPN company or two - maybe even subsidising their offerings, to get them to the top of the performance and value for money charts.
After all, getting users to voluntarily direct their traffic through your network would be much easier than installing snooping hardware at every ISP, backdooring hardware in transit or snooping on undersea cables.
The obvious answer to this is - if you're paying for a VPN in hopes of avoiding the NSA then you're using the wrong technology.
But since the NSA apparently shares its findings with other agencies, then the same applies if you're using a VPN in hopes of avoiding any sort of government monitoring.
So a VPN is only useful to (possibly) help protect yourself from corporate spying.
Yeah there's a few VPNs that look shady because of their pricing. One that springs to mind is LeafVPN[1]. For $5.00 you get to send all your traffic to Mallory. And it even has `LEA` as the first three letters, so you're safe! This is not an endorsement of this service BTW.
any of this services are safe to use http://vpntrends.com/best-vpn-services/ ? Not that i do anything illegal but don't want to send my information directly to the government.
Meh, just get vendors to mess up the implementation of their VPN protocol stack. This one was likely far from intentional but demonstrates quite clearly what can happen when implementations go south:
Genuine question: why's OpenVPN so popular over L2TP/IPsec? Configuration on the server side is maybe a little more complicated, but configuration on the client side is super simple, as all major OS, mobile or otherwise, have support built-in.
I've read arguments that firewalls tend to block IPsec packets, but there's also UDP encapsulation. And IME, I've never had connectivity issues, from multiple random coffee shop / airport WiFi, in multiple countries. I suspect it's because Cisco's VPN product used to (still?) uses IPsec, just with proprietary authentication schemes, and a lot of businesses use it, so most firewalls are configured to let it through.
L2TP/IPsec is obsolete, itself does NOT provide encryption or confidentiality to traffic passes through it. L2TP/IPsec encapsulates data twice at layer 2, it has pros and cons. See this (may be out-dated) -> https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs...
IKEv{1,2} + IPsec (ESP) (tunnel mode) is recommended. strongSwan is probably the best free, open source IPsec solution out there (much better than libreswan...), good documentation, use cases and examples etc, actively developed and maintained by a group of passionate developers that knows the stuff well.
My employer (pre-IPO startup) has been using strongSwan for 2+ years as site-to-site solution from AWS VPC to on-premises data centres (or other cloud virtual network), proved to be rock solid as long as it's properly configured (pretty much all outages were caused by AWS...) ;-)
The only drawback is that strongSwan currently does NOT have a mature HA solution but it's shaping up (5.4.0 introduced IKEv2 redirect). Hopefully a proper HA solution (not sure if it is something similar to VRRP - curious to know more - PLEASE comment) will be built on top and later productized ;-)
In addition: I myself have been using strongSwan since its 5.0.x for remote access, to protect privacy, fight censorship (yes, originally from China mainland where the infamous GFW is in place...). The native strongSwan client for Android is a killer feature, RSA authentication with X509 certificates works flawlessly with 1 click ;-)
BTW: OpenVPN is SSL VPN, relatively easy to install and configure, that's why it's more popular (remote access). IPsec works at IP layer (layer 3), generally speaking it requires deeper networking knowledge and more experience to get things right. OpenVPN is harder to block as it can disguise as HTTPS (TLS) or other traffic while IPsec requires UDP ports 500 (IKE) and 4500 (NAT-T) to work which is easier to block.
at the expense of latency and performance, openvpn can run in purely TCP mode which is more likely to survive shitty wifi connections and aggressive/stupid captive portal wifi and firewalls/NATs like you might find in an airport. I have an openvpn server running its public interface on port 443 in tcp mode which is frequently accessible when ipsec stuff is blocked.
> [...] openvpn can run in purely TCP mode which is more likely to survive shitty wifi connections and aggressive/stupid captive portal wifi and firewalls/NATs like you might find in an airport [...]
That's contrary to my own experience, hence my original post. Obviously I've not been to every airport, but I've been to a handful of different ones over the last decade, and I've never had problems with IPsec. And IME airport / coffee shop / hotel WiFi are usually not the ones most locked down, but corporate guest WiFi. The last one I used blocked everything except TCP port 80, 443...and UDP port 500, 1723, and 4500.
I used to run OpenVPN to my home network, since that's the general recommendation, and Cisco VPN to the school, and later work, networks, and I've had more connectivity issues with OpenVPN. Switching to one of ports 53, 80, or 443 generally works, but Cisco VPN always "just works"...connectivity wise anyway. The client software broke like every other minor OS update. I even switched to PPTP for a while, because it'd also always worked, plus support was built into the OS. And that's what drew my attention to L2TP/IPsec.
Finally, when Tunnelblick stopped working after one of the OS X major upgrade, I looked into setting up L2TP/IPsec, and have been using it since.
Maybe IPsec is more often blocked in Europe / Asia / Africa?
> I use AirVPN because to me it matters the client is open source.
Don't most VPN providers offer OpenVPN as an option? Private Internet Access does. I always assumed that the client offered is to have an easy setup method for users who don't know how to configure a normal VPN client safely.
It's been a while but the last time I used PIA I noticed that their configurations were woefully insecure (BF-CBC Ciphers, no tls-auth, pre-shared keys instead of certificates). This was maybe a couple of years ago.
Yes, they recently updated their OpenVPN configuration and now have a 'strong' OpenVPN config option.
>All our servers are now running OpenVPN on UDP port 1197 with our 4096bit RSA server certificate, 4096bit Diffie-Helman key exchange, AES-256-CBC, SHA256 and TLS v1.0-1.2 support.
I've seen lots of VPN comparisons that rate VPN providers on what they do and do not log. But who really verifies this? What's to stop VPN provider X from claiming "We don't log anything", while simultaneously streaming a real-time log to any government agency that asks for it?
Definitely a valid point. A recent court case involving VPN provider Private Internet Access seemed to back up their 'no logs' policy.
>“A subpoena was sent to London Trust Media and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States,” the FBI’s complaint reads.[1]
Unfortunately, waiting for a court case involving your VPN provider isn't a great way to determine what they log.
I also run my VPN on a cheap VPS. Dedicated VPN companies can easily come under attack/scrutiny, or could have temptations of selling user data if subscribers fall, but I doubt anyone is monitoring individual, ephemeral DO droplets/AWS instances.
If you're the only user of your VPN, doesn't that make it pretty easy to trace your usage back to you? I would have thought that using a VPN Provider would assist privacy by making it hard to figure out which client initiated the any request coming out of the VPN node...
A local adversary (in your network) can know that you're establishing a connection to a certain IP in another country, but they cannot know what that particular machine is accessing in turn. [This is my threat model, I use this in public WiFi].
And a remote adversary (who sees your VPS IP) cannot know who is, in turn, connected to that VPS, unless they can extract that information from the VPS provider via court order or hacking. [This is of more concern if you plan to do illegal things or are a dissident].
As always, you must model your threat scenario and proceed accordingly.
That's a fair analysis. I guess I was imagining something like a government. For example, the UK one would now be able to see that you're establishing a connection to your VPS IP. However, I don't know if they would then be able to see the connections from there to various hosts back in the UK.
Why would it? As long as you're in within your traffic limits, I suppose DO is happy to sell you the service you paid for. You're also likely not adding much SSD IOPS by running a VPN, but you have paid for a bit of storage, so you're a lucrative customer :)
Anecdotally, people routinely run small-scale VPN off DO or even AWS free tier hosts.
NordVPN allows access to Netflix (American) if you want, even connecting to say a Canadian server gives you access automatically. Hasn't been blocked In the year I've used it, works great, fast and always get 1080P streams.
Torrents on the other hand, I've been having connection issues to other peers. Not sure what's up there.
That's pointless. Netflix bans each and every VPN IP address they can get their hands on — they are quite thorough. You might as well get a cheaper VPN subscription with a VPN provider who condones torrenting and access the shows you are missing that way.
http://vpnspeedtest.org/ tests over 20 VPN services to find the maximum speed of each VPN from 8 locations around the world.
ThatOnePrivacyGuy should use their open source speed test tool instead as the tests are verifiable (unlike his tests from a single location which nobody can reproduce).
vpnspeedtest.org probably only tests download speed but doesn't state it clearly. I use one of the listed vpn-providers and the upload speed of it is heavily throttled in a saw-tooth manner from 0,2 Mbit to 1.2Mbit, nowhere near the 50Mbit that vpnspeedtest.org lists for my hometown & PureVPN. After my ISP worked on their network, I got a new ip-address and PureVPN initially limited upload to 2Mbit, but the next day it was back to the saw-tooth behavior.
It was mere chance that I noticed it at all. I normally don't (consciously) pay much attention to usernames. "GOOGLE CEO" could reply to me and I probably wouldn't notice it so the disclaimers are a nice addition, IMO.
This is terrible. Whoever "That One Privacy Guy" is, should really consider not being a dick and stop pushing VPNs as a privacy tool.
And yes, you're a dick if you even kind-of imply that VPNs might be good for privacy without immediately providing a strong disclaimer: if it matters, they aren't.
The vast majority of the recommendations here have absolutely no connection with reality.
This entire website is bullshit, here's a few quick quotes.
>a. More on Trust
>As a lawyer represents your legal interests, a VPN service (among others) represents your privacy interests.
>c. Jurisdiction
>In the last few years, certain revelations have been made manifest regarding the mass surveillance programs of various countries around the globe. These countries are known as the five, nine, and fourteen eyes. These countries not only spy on their own citizens where they can get away with it, but they spy on each others, and swap notes to bypass governmental restrictions on power. If a service, or the people who run a service is based in one of these countries, it’s not unreasonable to expect that they may be susceptible to unlawful searches and compromises made in the name of national security
Suggesting that NSA & Co. don't spy outside of FVEY (or fourteen eyes if that's what you prefer) countries is utterly ridiculous at it's face and just makes it look like the author hasn't studied this stuff at all.
Instead of blogging about mass surveillance and unlawful searches, maybe focus on the more realistic issues like search and wiretap warrants which are ridiculously easy to get in some countries?
I guess you replied to the wrong post, I made a rather explicit recommendation.
>you're a dick if you even kind-of imply that VPNs might be good for privacy without immediately providing a strong disclaimer: if it matters, they aren't.
This website reads like it's written by an amateur from some torrenting subreddit, there's not much constructive feedback to be given here besides "do some actual research and do it all again"
It really depends on your values and threat model. With a few thousand dollars and few weeks it wouldn't be that hard to flood the Tor network with enough of your own nodes to capture the routes of an appreciable fraction of traffic. It would be extraordinary to me if the NSA hadn't already done this.
Sure, but for day to day browsing, Tor is shit. This is more to prevent dragnet bullshit like the UK RIPA which requires ISPs to keep a list of sites visited.
Sure, but for privacy, VPNs are shit. You can't recommend VPNs for privacy.
If this was branded differently, I'm sure it could be a great resource.
>This is more to prevent dragnet bullshit like the UK RIPA which requires ISPs to keep a list of sites visited.
The site doesn't really read like that, it has several suggestions that don't seem to apply to those seeking only for minimal levels of privacy to maybe hide from the local government.
As a quick example:
>Avoid VPNs that use CloudFlare, Incapsula, and other such services.
Doesn't seem like a major concern for someone only worried about UK RIPA.
> Sure, but for privacy, VPNs are shit. You can't recommend VPNs for privacy.
Why not? Doesn't it depend on your purpose and threat level? If you have state level actors chasing you than VPNs will only be part of your opsec toolchest — preferring TOR where possible and being very strict about where you access the internet (certainly not at home). But if you are just downloading the latest episode of Sherlock from your local hive of wretched scum and villainy, a VPN will surely help.
VPNs are only part of the solution of course (not using any social media, not connecting to any of your normal accounts, limiting VPN use to whatever it is you want to keep private), but you seem adamant that even this is not a valid use of VPNs, or am I misreading your posts?
>But if you are just downloading the latest episode of Sherlock from your local hive of wretched scum and villainy, a VPN will surely help.
Then you should recommend VPNs for that specific purpose, never for generic "privacy".
>VPNs are only part of the solution of course (not using any social media, not connecting to any of your normal accounts, limiting VPN use to whatever it is you want to keep private), but you seem adamant that even this is not a valid use of VPNs, or am I misreading your posts?
This is reasonable, I use VPNs for similar purposes too. But recommending VPNs for "privacy" needs to come with a big disclaimer. "If it's something that actually matters, they won't help you."
If you do something illegal using a VPN in very many cases your local police department will be able to use mutual legal assistance treaties to search and/or wiretap your VPN providers.
https://github.com/jlund/streisand (6000+ stars)
https://github.com/sovereign/sovereign (6000+ stars)
https://github.com/Nyr/openvpn-install (3000+ stars)
https://github.com/ttlequals0/autovpn (1400+ stars)
https://github.com/trailofbits/algo (1100+ stars)
https://github.com/robbintt/popup-openvpn (700+ stars)